For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Pranav_73262's avatar
Pranav_73262
Icon for Nimbostratus rankNimbostratus
Oct 08, 2013

ASM adding unwanted cookie

Hi, we have a VS created in LTM with Default Persistence as universal & following iRule:

when HTTP_REQUEST {
        if { [string tolower [HTTP::path]] starts_with "/abcd" } {
                pool Pool1
        } else {
                  set jsess [URI::query [HTTP::uri] PARAM]
                  if { $jsess != "" } {
                       persist uie $jsess 600
                       pool Pool2
                    }
        }
}

However, we are getting one unwanted cookie in response, so is it possible that above combination will add some unwanted default cookie for response?

application delivery
deployment
devops
iRules
security

28 Replies

Show More
  • Michael_Koyfman's avatar
    Michael_Koyfman
    Icon for Cirrocumulus rankCirrocumulus
    Oct 08, 2013

    You will break ASM functionality if you remove TS cookie. Is the cookie that ASM sends affecting the client behavior? That should not be the case. If yes, is this a browser or a custom client?

     

    • Pranav_73262's avatar
      Pranav_73262
      Icon for Nimbostratus rankNimbostratus
      Oct 08, 2013
      Ok. Actually it is not affecting client behavior, however, customer has requirement that we should not send any cookies. It is HTTPS application.
    • Pranav_73262's avatar
      Pranav_73262
      Icon for Nimbostratus rankNimbostratus
      Oct 08, 2013
      yes, it is required. But should not add cookie :) only inspect and block in case of violations.
  • Michael_Koyfma1's avatar
    Michael_Koyfma1
    Icon for Cirrus rankCirrus
    Oct 08, 2013

    You will break ASM functionality if you remove TS cookie. Is the cookie that ASM sends affecting the client behavior? That should not be the case. If yes, is this a browser or a custom client?

     

    • Pranav_73262's avatar
      Pranav_73262
      Icon for Nimbostratus rankNimbostratus
      Oct 08, 2013
      Ok. Actually it is not affecting client behavior, however, customer has requirement that we should not send any cookies. It is HTTPS application.
    • Pranav_73262's avatar
      Pranav_73262
      Icon for Nimbostratus rankNimbostratus
      Oct 08, 2013
      yes, it is required. But should not add cookie :) only inspect and block in case of violations.
  • Pranav_73262's avatar
    Pranav_73262
    Icon for Nimbostratus rankNimbostratus
    Oct 08, 2013

    Modified question to reflect exact issue for the benefit of future references.

     

  • Romain_Dayan_83's avatar
    Romain_Dayan_83
    Icon for Nimbostratus rankNimbostratus
    Oct 08, 2013

    Hi,

     

    What is you ASM deployment mode ? If you can isolate this application on another security policy you can disable the ASM cookie feature only in this case.

     

    I can warn you that the "TS*" cookie can be in lower case sometime but I don't know what will be the behavior of the ASM if the cookie is not present and the feature enabled.

     

    • Pranav_73262's avatar
      Pranav_73262
      Icon for Nimbostratus rankNimbostratus
      Oct 09, 2013
      Hi Romain, how to disable ASM cookie? I checked all options available; but no luck. At max it allows us to play with expiration timer, MD5 hash etc.