Forum Discussion

Cirrus

Jan 11, 2023

Facing problem with Modified domain cookies

Hello. I'm facing problem with Modified domain cookies. I have configured ASM policy in blocking mode with some enforced cookies. Also I have enabled blocking on Modified domain cookies on Learning ...

application delivery

security

Mohamed_Ahmed_Kansoh

MVP

Hi Aantat ,
Are there any device in your path makes any kind of Cookie persistence or not ?
I want to say if there are " any persistence Cookies " in Requests that pass via F5 ASM , it will make such these violations and in this case this is a false positve you should dis-check mark from "block" box in learning and blocking setting for the impacted service.

> another solution , take a har file or extract the payload itself from F5 Event logs and see which cookies are sent in requests , After That contact with server developer to discuss with him these cookies and expiration periods or validate if these cookies accept modification or not , the only one who should decide if these cookies accept modification or not is server developer/owner for better visability in your applications.
Note : you should find server cookies in http header called " set-cookie" header.

- To get the har Archive file , Follow this KB :
https://support.f5.com/csp/article/K10370211
- For more info about Modified domain cookies violations and its possibility to be false positive , read the following articls :

https://support.f5.com/csp/article/K89255958

https://support.f5.com/csp/article/K5907

I hope my reply helps you

Aantat

Cirrus

Jan 13, 2023

Hi, i dismarked block setting and find the reason of problem. So violation is triggered when user uses my app via example.com after www.example.com. Is there any suggestion on that? Should I do redirect from www to my example.com?

Mohamed_Ahmed_Kansoh
MVP
Jan 13, 2023
Hi Aantat ,

Can you clarify more ,

What is your APP , and www.examble.com / example.com.

Do you want to redirect all requests to example.come instead of www.example.com ,

I need some clarification.
- Aantat
  Cirrus
  Jan 14, 2023
  Hi,
  So my app is simple web application - example.com. So violation is triggered when user access to app via example.com after www.example.com. I mean the problem is triggered with "www". Is there any suggestion on that? IDK about redirect, it was just my suggestion.
  - Mohamed_Ahmed_Kansoh
    MVP
    Jan 14, 2023
    Hi Aantat ,
    The problem is triggered with issuing "www" but everything goes fine with using "example.com" directly.
    so I think if we redirect from "www.example.com" to "example.com" may this solve this issue.
    if you want to try the redirection , you can do it by LTM policy or irule , I can help you in this.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Facing problem with Modified domain cookies

Recent Discussions

Should config via cli rather than gui?

Management IP F5 cant be accessed

ASD

Big-IP VE edition for MacBook M4 Chip

301 redirect and waf policy log problem

Related Content

Re: SYN Cookie operation

Modifying multiple entries in a datagroup via api?

Re: LTM SYN Cookie Configuration

Source_Addr Persistence Problems

Modify vCMP-Guest with ansible not possible?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS