Forum Discussion

Nimbostratus

Oct 25, 2022

Modified domain cookie

Receive some blocked event about "modified domain cookie". After some research , a cookie "TSxxxxxxxx" is generated by F5 ASM and it used to hash the enforce cookie. When user got blocked, I found ...

security

Nikoolayy1

MVP

Oct 26, 2022

This is a tricky one as maybe the user is comming from a jump host or there is a proxy device before the F5 that does something. Also if just one browser has the issue is interesting as if you have AD an the user is internal there could be some rules that the AD enforces on the browser (also the users shouldn't be using incognito mode 🙂 )

Maybe see the links below as the ASM cookie is generated for every domain and path and maybe something happens on the browser that does not send the cookie. Also if it was API traffic/Bot traffic they normally do not support cookies.

https://support.f5.com/csp/article/K72137013

https://support.f5.com/csp/article/K54905165

https://support.f5.com/csp/article/K5907

Other thing is if you maybe enabled some flags:

https://support.f5.com/csp/article/K13787

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)