Forum Discussion
Nik_67256
Nimbostratus
Jul 27, 2012
Modified Domain Cookies - Basic Rules
Hi All,
I know there is tons of info on domain cookie modification, but I basically needed to confirm this basic understanding:
1) What are the different legitimate reasons that allow client programs like a webapp to change server-sent cookies?
2) Should all modified domain cookies learnt by F5 be presented to the developers to get their confirmation on which cookies are allowed to be modified by the webapp?
3) Like JSESSIONID, are there any legit cookie modifications that are allowed by default and can be safely ignored?
Any other input will be helpful. Thanks
regards
Nik
1 Reply
- hoolio
Cirrostratus
Hi Nik,
With most web apps, there isn't a legitimate reason for the client modifying the cookie value. I don't think I've ever worked directly with such an app.
The most common reason the cookie changes is that the client makes a request to another app on the same domain not passing through the same ASM policy which modifies the cookie. Another common cause for the violation is that the ASM cookie is set with a different expiry than the app's cookie.
I'd try to reproduce the issue with a browser plugin like HttpFox or an interception proxy like Burp Suite on the client. You could also check with your app developers to get more information on what you find.
Aaron
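
The first cause described in the reply above (another app on the same domain, outside the ASM policy, resetting the cookie) can be told apart from a value that no server response ever sent by replaying a proxy capture of the reproduction. This is an added example, not part of the original thread and not F5's code; the capture format, the `via_policy` flag, the hostnames and the cookie values are all constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed capture (not real traffic): ordered HTTP events for one browser session.
# "via_policy" is an assumed flag marking responses that passed through the WAF policy.
CAPTURE = [
    {"type": "response", "url": "https://www.example.com/shop/login", "via_policy": True,
     "set_cookie": ["JSESSIONID=abc123; Path=/; HttpOnly", "pref=en; Path=/"]},
    {"type": "request", "url": "https://www.example.com/shop/cart",
     "cookie": "JSESSIONID=abc123; pref=en"},
    {"type": "response", "url": "https://www.example.com/blog/", "via_policy": False,
     "set_cookie": ["pref=fr; Path=/"]},
    {"type": "request", "url": "https://www.example.com/shop/cart",
     "cookie": "JSESSIONID=abc123; pref=fr"},
    {"type": "request", "url": "https://www.example.com/shop/checkout",
     "cookie": "JSESSIONID=zzz999; pref=fr"},
]

def parse(header):
    """Cookie or Set-Cookie header -> {name: value}; attributes are dropped."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def triage(capture):
    """Return (request url, cookie name, verdict) for every request cookie whose
    value differs from the last value set by a response that passed the policy."""
    policy, outside, findings = {}, {}, []
    for ev in capture:
        if ev["type"] == "response":
            for header in ev["set_cookie"]:
                for name, value in parse(header).items():
                    if ev["via_policy"]:
                        policy[name] = value
                    else:
                        outside[name] = (value, ev["url"])
            continue
        for name, value in parse(ev["cookie"]).items():
            if name not in policy or value == policy[name]:
                continue  # never set through the policy, or unchanged
            if outside.get(name, (None, None))[0] == value:
                verdict = "set outside the policy by " + outside[name][1]
            else:
                verdict = "not set by any captured response"
            findings.append((ev["url"], name, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(CAPTURE):
        print(*finding, sep=" | ")
```

Cookies reported as set outside the policy are the ones to take to the developers; the expiry mismatch mentioned in the reply is not covered by this sketch.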