Forum Discussion

KF2
Oct 26, 2022

Modified domain cookie

I received some blocked events about "modified domain cookie".

After some research, a cookie "TSxxxxxxxx" is generated by F5 ASM and it is used to hash the enforced cookie.

When the user got blocked, I found that this cookie "TSxxxxxxx" was missing in the browser, so that's why the user got blocked.

But I am wondering why the browser would automatically delete this cookie without user intervention?

  • This is a tricky one, as maybe the user is coming from a jump host or there is a proxy device before the F5 that does something. Also, it is interesting if just one browser has the issue, as if you have AD and the user is internal there could be some rules that the AD enforces on the browser (also the users shouldn't be using incognito mode 🙂).

     

    Maybe see the links below as the ASM cookie is generated for every domain and path and maybe something happens on the browser that does not send the cookie. Also if it was API traffic/Bot traffic they normally do not support cookies.

     

    https://support.f5.com/csp/article/K72137013

    https://support.f5.com/csp/article/K54905165

    https://support.f5.com/csp/article/K5907

     

    Another thing is whether you maybe enabled some flags:

    https://support.f5.com/csp/article/K13787

     

     

    • KF2

      The user is not internal. 

      "This is a tricky one as maybe the user is coming from a jump host or there is a proxy device before the F5 that does something" <-- You mean the proxy device will modify or delete the cookie?

      All the links you posted I had already read before I posted this question in this forum.

      • I admit those are all my suggestions, as if the F5 is sending the cookie, what happens on the client device I can't tell 🙂

         

        My final suggestion could be to also use a OneConnect profile, as it helps with cookies and upstream proxy devices, but outside of that I am out of ideas.

         

        https://support.f5.com/csp/article/K7964
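
Added example (not part of the original thread, and not F5 code): one way to pin down where the TS cookie disappears is to walk a browser HAR capture and report the first request that omits a TS cookie an earlier response set, together with the attributes it was issued with. The host names, cookie names and capture below are constructed, and the `TS` name pattern is an assumption based on the "TSxxxxxxxx" form quoted in the question.

```python
import re
from urllib.parse import urlsplit

# Assumption: ASM cookie names follow the thread's "TSxxxxxxxx" shape.
TS_NAME = re.compile(r"^TS[0-9A-Za-z]+$")

def first_missing_ts(har, host):
    """Return details of the first request to `host` that omits a TS cookie
    an earlier response set, or None if every request carried them all."""
    issued = {}  # TS cookie name -> attributes it was issued with
    for index, entry in enumerate(har["log"]["entries"]):
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        if url.hostname != host:
            continue  # only look at requests to the protected host
        sent = {c["name"] for c in req.get("cookies", [])}
        missing = sorted(set(issued) - sent)
        if missing:
            return {"index": index, "path": url.path, "missing": missing,
                    "issued_as": {n: issued[n] for n in missing}}
        # Record TS cookies this response issued, with their scoping attributes.
        for c in resp.get("cookies", []):
            if TS_NAME.match(c["name"]):
                issued[c["name"]] = {k: c.get(k)
                                     for k in ("path", "domain", "secure", "expires")}
    return None

def _entry(url, sent, set_cookies=()):
    """Build a minimal HAR entry (constructed sample data)."""
    return {"request": {"url": url,
                        "cookies": [{"name": n, "value": "x"} for n in sent]},
            "response": {"cookies": list(set_cookies)}}

# Constructed capture: the TS cookie is issued with Path=/app, so the browser
# sends it to /app/cart but not to /api/order.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://shop.example.test/app/login", [],
           [{"name": "TS01a2b3c4", "value": "x", "path": "/app", "secure": True},
            {"name": "session", "value": "x", "path": "/"}]),
    _entry("https://shop.example.test/app/cart", ["session", "TS01a2b3c4"]),
    _entry("https://cdn.example.test/logo.png", []),
    _entry("https://shop.example.test/api/order", ["session"]),
]}}

if __name__ == "__main__":
    print(first_missing_ts(SAMPLE_HAR, "shop.example.test"))
```

For a real capture, load the exported HAR file with `json.load` and pass the protected site's host name; the capture must include cookie data for the comparison to work.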