I agree 100% with the statements regarding ways to encrypt these cookies.
I've been putting this off hoping that F5 would eventually realize that it needed to be addressed. At this point, however, our auditors are hounding us to get this corrected. The 'plain text' persistence cookies are providing too much 'private' information and they need to be encrypted.
The auditors aren't hitting us on the name of the cookie.. yet.. but, yeah, that might happen too.. I think that can be changed but might have some other side effects, if I remember correctly.
So the option seems to be either a zippy iRule that will do a wildcard, or lots and lots of custom profiles. The latter is error-prone. The former creates tons of unnecessary overhead.
Suggested solution:
1. System setting to encrypt all persistence cookies.
2. VIP setting to encrypt all persistence cookies.
2.a. VIP setting to encrypt all cookies.
3. HTTP profile allow wildcard entries for the list of cookies to encrypt.
Do 3 if nothing else can be done. I don't see that there has been anything done in this area, but could be wrong. The cookies in the HTTP profile must be explicitly named.. all of them. For a VIP that works with a dozen resource pools, this list becomes quite long, and gee, all of them begin with BIGipServer. Dah... Help!?
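
An audit check for the problem described in this post, added here as an example (it is not part of the original post and is not F5 code): it scans `Set-Cookie` headers for `BIGipServer*` cookies still in the default unencrypted IPv4 encoding and reports the pool name, member address and port each one discloses. The header values are constructed samples, the function names are hypothetical, and only the default IPv4 encoding is handled (not the IPv6 or route-domain forms).

```python
import re
import socket
import struct

PREFIX = "BIGipServer"
# Default unencrypted IPv4 value: <ip as decimal>.<port as decimal>.0000
PLAIN_VALUE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

def decode_plain(value):
    """Return (ip, port) for an unencrypted IPv4 persistence value, else None."""
    m = PLAIN_VALUE.match(value)
    if not m:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # The address is stored with its bytes reversed; the port is byte-swapped.
    ip = socket.inet_ntoa(struct.pack("<I", ip_num))
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return ip, port

def audit(set_cookie_headers):
    """List (pool_name, ip, port) for every persistence cookie sent in the clear."""
    findings = []
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith(PREFIX):
            continue
        decoded = decode_plain(rest.split(";", 1)[0].strip())
        if decoded:
            findings.append((name[len(PREFIX):], decoded[0], decoded[1]))
    return findings

# Constructed sample headers (documentation address 192.0.2.10, port 443).
SAMPLE_HEADERS = [
    "BIGipServerpool_web=167903424.47873.0000; path=/",
    "BIGipServerpool_api=!constructedOpaqueValue==; path=/; HttpOnly",
    "JSESSIONID=abc123; path=/; HttpOnly",
]

if __name__ == "__main__":
    for pool, ip, port in audit(SAMPLE_HEADERS):
        print(f"unencrypted persistence cookie: pool={pool} member={ip}:{port}")
```

Run against headers captured from each VIP, an empty result means no persistence cookie in that capture matched the plain IPv4 pattern.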