Forum Discussion

Greg_33558
Apr 14, 2015

ASM Cookies - Secure and HTTPOnly flags

Our ASM is naturally setting ASM Cookies on traffic for one of our applications:

Set-Cookie: TS013756fc=0178e5fb33c4892a87524f70317d792a83da0c25210a526ac323111db7d157de1c49aad030; Path=/

However, the Secure and HTTPOnly attributes are not set. Of course, this raises all sorts of flags with pentesters and auditors.

  1. How can we add the Secure and HTTPOnly flags to the ASM Cookies?
  2. For a non-session-based application, is there any downside to stripping the ASM cookies out with an iRule?
  3. From everything I've read there's no way to turn ASM cookies off. How then is it possible that I have another application which doesn't appear to set them (which I in fact do)?

Any help appreciated!
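As an added example for question 1 (this is not from the original post and not F5's own code), an iRule that sets the Secure and HttpOnly attributes on the ASM cookies in each response. It assumes the ASM cookie names start with "TS" as in the Set-Cookie line above, and that the virtual server is HTTPS-only, since a Secure cookie is never sent back over plain HTTP.

```tcl
# Added example, not part of the original post or of any F5 documentation.
# Assumptions: ASM cookie names begin with "TS" (as in the Set-Cookie shown
# above) and this virtual server serves HTTPS only, so Secure is safe to add.
when HTTP_RESPONSE {
    # Walk every cookie the response sets
    foreach cookie_name [HTTP::cookie names] {
        # Only touch the ASM (TS) cookies; leave application cookies alone
        if { [string match "TS*" $cookie_name] } {
            # Secure: the browser only returns the cookie over TLS
            HTTP::cookie secure $cookie_name enable
            # HttpOnly: the cookie is hidden from document.cookie / scripts
            HTTP::cookie httponly $cookie_name enable
        }
    }
}
```

Confirm with a test client that the returned Set-Cookie header actually carries both attributes, since whether this event sees the ASM-inserted cookie can depend on the software version.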

2 Replies

  • Re 2: The only downside I see is that which the solution article makes note of: increased processing/resource utilization. If the ASM cookie is causing no negative effects on the server-side then I would let them be.

    Re 3: You are correct, ASM cookie cannot be disabled. It is integral to ASM security features. The TS cookie is inserted into every request which is handled by an ASM security policy (if the cookie is not already present). If you are seeing traffic that does not contain the TS cookie then my first guess would be the traffic is not flowing through an ASM security policy but is being sent directly to the pool.