Forum Discussion
Cirrusasm application security policy cookie
i'm just getting started with asm and when creating an application security policy i've noticed that there's a new cookie injected into all http responses, for example:
Set-Cookie: TS01bf46b0=01e02e1a4b9a87f8a0befad67c4b362104780eaffa6c9a782f84ea35f7b17c134954a639857fd90575e95454f7baff327824d811d3; Path=/
this causes a complication with CDNs that sit in front of some of my applications as (by default) they do not cache responses containing cookies. while i can manually work around this i'd prefer to find out more about this cookie and remove if needed. could anyone help out?
6 Replies
natheCirrocumulus
Nick. You'll need an irule. http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13693.html
- Nik
i added that to the irule associated with the vip with no luck - the asm cookie doesn't show up in the response cookies.
- nathe
My understanding is the asm will re-add the token on the response from asm to client. Does it not? I'd have to check my lab to confirm tho. Does it successfully remove the Cookie from the asm to server?
- Nik
client --> asm --> server (not sure) server --> asm --> client (cookie exists)
i'll need to look at the backend server to see if it's receiving the cookie but i doubt it's the server sending the cookie.
- nathe
With that irule I would expect the flow to be:
client (TS cookie) --> asm --> server (no TS cookie), server (no TS cookie) --> asm --> client (new TS cookie)
- Nik
that seems right with the adjustment of the first step - the client doesn't necessarily have a cookie already - if i do a fresh curl i'll get a ts cookie back from asm.
