Forum Discussion

Dan_Bowman's avatar
Dan_Bowman
Icon for Cirrus rankCirrus
Mar 07, 2019

ASM stripping double quotes from cookie values post v14?

Noticed one of our apps stopped working after moving from v13.1 > v14.1.0.2 Investigation suggests ASM is stripping quotes from JSESSIONID cookies and preventing sessions from being initiated - has...
application delivery
ASM Advanced WAF
LTM
waf
  • Dan_Bowman's avatar
    Dan_Bowman
    Nov 13, 2019

    To close this off - the issue was corrected in v14.1.2.1

     

     

    769997-1 : ASM removes double quotation characters on cookies

    Component: Application Security Manager

    Symptoms:

    ASM removes the double quotation characters on the cookie.

    Conditions:

    Cookie sent that contains double quotation marks.

    Impact:

    The server returns error as the cookie is changed by ASM.

    Workaround:

    Set asm.strip_asm_cookies to false using the following command:

     

    tmsh modify sys db asm.strip_asm_cookies value false

    Fix:

    ASM no longer removes the double quotation characters on the cookie.

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-2-1.html#A769997-1

     

     

Dan_Bowman's avatar
Dan_Bowman
Icon for Cirrus rankCirrus
Mar 28, 2019

Raised a SR with F5 Support and they advised the following:

A feature to not pass ASM cookies was introduced in this version. Engineering Services team indicated to disable the feature: 

 tmsh modify sys db asm.strip_asm_cookies value false