ASM uses TS cookies as well against CSRF

Question

I understoof ASM injecting a token in fields on static HTML POST forms or cliende side scripts to protect against CSRF.&nbsp;
But i read somewhere that it uses as well the main TS cookie, how does it work exactly?
An attacker can just replay the TS cookie...&nbsp;

boneyard · Answer

sources?&nbsp;

samstep · Answer

Yes, the ASM is indeed using a TS cookie to store the random token. 
This is described in Solution SOL11903:&nbsp;
https://support.f5.com/kb/en-us/solutions/public/11000/900/sol11903.html&nbsp;
This is a so-called Double-Submit Cookie Protection.
It works because the attackers cannot read or modify the cookie value "cross-site" due to Same-Origin-Policy of browsers. Sure the attacker can replay cookies from the previous request, but it won't match the token in the next request.&nbsp;
OWASP CSRF Prevention Cheatsheet is a good resource for CSRF information, it describes Double-Submit Cookies among other protections, link here:&nbsp;
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet&nbsp;
Hope this helps,&nbsp;
Sam&nbsp;

Forum Discussion

ASM uses TS cookies as well against CSRF

2 Replies

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

HA Failover between two Datacenters

LTM issue Openning new web browser tab

F5 asm/awaf

Cannot ping external interface

AST Configuration Assistance

Related Content

Cookie Tampering Protection using F5 Distributed Cloud Platform

F5 XC Distributed Cloud HTTP Header/Cookie manipulations and using the client ip/user headers

Client Auth Using HTTP Cookie

Cookie-based DDoS protection

2. SYN Cookie: Operation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS