Forum Discussion
Difference between APM Cookie Options & ASM Cookie Properties
I noticed recently that in both APM and ASM, there is the ability to configure cookie options like Secure Flag and HTTP Only. Does anyone know the difference between how each module handles these cookie options and how they coexist? It appears that they both add the secure flag and http only attributes to cookies, but does one take precedence over the other? Should they be configured in both modules or just one?
4 Replies
- Lucas_Thompson_Historic F5 Account
The APM options are used to modify the APM cookies that are used for APM session management (MRHSession). The ASM options are used to modify other cookies traversing ASM.
I don't know if there is really a precedence issue here since the targets for the options are different. APM comes before ASM, so ASM settings shouldn't modify the APM cookies coming from the same BIG-IP.
- carolyndiep_163
Nimbostratus
Thanks for the reply Lucas. Any way you can be more specific on your comment about "other cookies" that would traverse ASM? I didn't realize there was more than just a session cookie involved.
- Lucas_Thompson_Historic F5 Account
ASM has cookies that it uses itself to identify flows vs users, so there are settings for that. They're covered here: https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13787.html
Separately, ASM has security options to modify *other* application cookies, like from an HTTP service being protected by ASM. So, those cookies are not set by ASM itself. Rather, ASM is modifying 3rd party cookies.
- carolyndiep_163
Nimbostratus
The solution article you provided is to modify the ASM cookie and not the application cookie, correct? The settings where ASM is modifying the cookie used by the web servers are located in the cookie properties in ASM under Security > Application Security > Headers > Cookie List > Edit Cookie, is that correct?
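Whichever module applies the flags, the result can be checked in the Set-Cookie headers the client receives. The following is an added example, not part of the thread and not F5 code: it audits constructed sample headers for Secure and HttpOnly and groups cookies by likely origin. MRHSession is the APM session cookie named above; the "TS" prefix for ASM's own cookies and the application cookie names are assumptions.

```python
APM_SESSION = "MRHSession"  # APM session cookie named in the thread
ASM_PREFIX = "TS"           # assumption: ASM's own cookies start with "TS" (heuristic)

# Constructed sample of Set-Cookie header values as a client might receive them.
SAMPLE_HEADERS = [
    "MRHSession=0a1b2c3d; path=/; Secure; HttpOnly",
    "TS01abcdef=0123456789abcdef; Path=/",
    "JSESSIONID=ABCDEF123456; Path=/app; HttpOnly",
    "theme=dark; Path=/; secure; httponly",
]

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so normalise before comparing.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def classify(name):
    """Guess which layer owns the cookie, so a gap points at the right module."""
    if name == APM_SESSION:
        return "apm-session"   # governed by the APM cookie options
    if name.startswith(ASM_PREFIX):
        return "asm-own"       # ASM's own flow/user cookies
    return "application"       # back-end cookie that ASM cookie properties can modify

def audit(headers):
    """Report, per cookie, which of Secure / HttpOnly is absent."""
    findings = []
    for value in headers:
        name, attrs = parse_set_cookie(value)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        findings.append({"cookie": name, "origin": classify(name), "missing": missing})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_HEADERS):
        status = "ok" if not f["missing"] else "missing " + ", ".join(f["missing"])
        print(f"{f['cookie']:<12} {f['origin']:<12} {status}")
```
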