How to remove the ASM TS* Cookie

Question

Hello 
We tried to remove the ASM TS* Cookie with this IRule :
   HTTP_REQUEST_RELEASE    {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
       Remove ASM Cookies
      log local0. $aCookie
      HTTP::cookie remove $aCookie
    }
  }
}

Like is describe in this KB 
 https://support.f5.com/csp/article/K13693
But there is nothing to do, we still have the cookie in the client side.
 We also tried : HTTP_RESPONSE
Can we have some help?
BIG-IP v11.6.1 (Build 2.0.338)

Best regards
David

stephane_viau · Answer

This code will not remove the cookie completely, it will only prevent the cookie from being passed on to the pool members. In other words the client will send the cookie to the Big IP and the Big IP will remove the cookie from the http header before the request is sent to the server.&nbsp;
If you wish to remove the cookie completely, why don't you remove it from the ASM policy instead?&nbsp;

dawei_s_300040 · Answer

Hello Thanks for your answer, how can I remove it from the ASM policy ?&nbsp;
Best Regards&nbsp;
David&nbsp;

msz · Answer

If you remove the cookie then it might cause trigger the cookie violation if enabled.&nbsp;

msz · Answer

If you remove the cookie then it might cause trigger the cookie violation if enabled.&nbsp;

samstep · Answer

HTTP_REQUEST_RELEASE is fired just before the Request from the Client is being sent to the Server-side (pool member), so my understanding is that is not what you want. You want the opposite - you want ASM to stop sending TS cookies to your client, you need to use HTTP_RESPONSE_RELEASE event,e.g:
  HTTP_RESPONSE_RELEASE    {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
       Remove ASM Cookies
      log local0. $aCookie
      HTTP::cookie remove $aCookie
    }
  }
}

I am not quite sure about the version of BIG-IP you are using, I reported a bug in HTTP::cookie remove functionality to F5 years ago, it is likely that this will work only from version 11.6.1/12.0, a workaround was to use HTTP::header remove instead of cookie remove.

Forum Discussion

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

Changes to DO and AS3 GitHub - no longer monitored

SSL Forward Proxy, iRules and Client Hello

monitor/healthcheck issue with envoy gateway

Recommendation for Adv. Lab

How to Verify config before loading to F5

Related Content

Removal Cookies on Client Browser

Remove alerts showing r-series LCD/Dashboard.

Removal of Client Side F5 Persistence Pool Cookie

Cookie-based DDoS protection

Encrypting Cookies