Forum Discussion

Dan_Bowman's avatar
Dan_Bowman
Icon for Cirrus rankCirrus
Mar 07, 2019

ASM stripping double quotes from cookie values post v14?

Noticed one of our apps stopped working after moving from v13.1 > v14.1.0.2

Investigation suggests ASM is stripping quotes from JSESSIONID cookies and preventing sessions from being initiated - has anyone encountered this before?

For example:

Mar  7 15:00:58  : JSESSIONID="uniquevalue.servername:server-one"; 



Mar  7 15:00:58  : JSESSIONID=uniquevalue.servername:server-one;

Backend servers interpret this as two separate values and session can't be established.

Removing ASM policy from VS removes the issue, and quotes are maintained on http_request_release

application delivery
ASM Advanced WAF
LTM
waf
  • Dan_Bowman's avatar
    Dan_Bowman
    Nov 13, 2019

    To close this off - the issue was corrected in v14.1.2.1

     

     

    769997-1 : ASM removes double quotation characters on cookies

    Component: Application Security Manager

    Symptoms:

    ASM removes the double quotation characters on the cookie.

    Conditions:

    Cookie sent that contains double quotation marks.

    Impact:

    The server returns error as the cookie is changed by ASM.

    Workaround:

    Set asm.strip_asm_cookies to false using the following command:

     

    tmsh modify sys db asm.strip_asm_cookies value false

    Fix:

    ASM no longer removes the double quotation characters on the cookie.

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-2-1.html#A769997-1

     

     

  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Mar 18, 2019

    v14 is relatively new and this might be a genuine issue in ASM v 14.x - I suggest opening a Support Case with F5 to investigate

     

  • Francis_M__Mend's avatar
    Francis_M__Mend
    Icon for Nimbostratus rankNimbostratus
    Mar 27, 2019

    We are experiencing exactly the same: ASM seems to be stripping double quotes to cookies in our applications.

     

    The behaviour started after updating to v14.0.

     

    Edit: the problem is the same, not the opposite.

     

  • Dan_Bowman's avatar
    Dan_Bowman
    Icon for Cirrus rankCirrus
    Mar 28, 2019

    Raised a SR with F5 Support and they advised the following:

    A feature to not pass ASM cookies was introduced in this version. Engineering Services team indicated to disable the feature: 

     tmsh modify sys db asm.strip_asm_cookies value false

  • Dan_Bowman's avatar
    Dan_Bowman
    Icon for Cirrus rankCirrus
    Nov 13, 2019

    To close this off - the issue was corrected in v14.1.2.1

     

     

    769997-1 : ASM removes double quotation characters on cookies

    Component: Application Security Manager

    Symptoms:

    ASM removes the double quotation characters on the cookie.

    Conditions:

    Cookie sent that contains double quotation marks.

    Impact:

    The server returns error as the cookie is changed by ASM.

    Workaround:

    Set asm.strip_asm_cookies to false using the following command:

     

    tmsh modify sys db asm.strip_asm_cookies value false

    Fix:

    ASM no longer removes the double quotation characters on the cookie.

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-2-1.html#A769997-1