OWASP A2 HTTP Cookie Protection
Hello all,
I'm looking for any information regarding configuration of HTTP cookie protection on ASM v12.1.2. I understand automatic policy builder includes this protection when using enhanced and comprehensive policy types but when using the manual policy builder, this must be manually configured (am I correct?). Is there any documentation on how to configure this? At a dead end...
Thanks!
Toneman
- Shann_P_160848
Nimbostratus
I was under the impression that this was default with ASM as I've never had to configure it. ASM adds in a Traffic Shield cookie that is a key/value pair with the cookie itself so that if the cookie is altered or the TS cookie is altered, the violation is thrown.
Just my experience with ASM.
- toneman172_1806
Nimbostratus
Thanks for the reply. One of the ASM controls addressing A2 is "HTTP cookie protection (Enhanced)". In the BIG-IP ASM Operations Guide (September 2017) pg. 35, the guide reads "Where applicable, the policy type that automatically includes the mechanism is listed in parenthesis". "Fundamental", "Enhanced", and "Comprehensive" are listed in parentheses following this statement for various ASM controls in Table 4.1 OWASP Compliance which, I believe, implies that if you are not using the Automatic Policy Builder (that contains these three policy types) it must be configured manually. Since I'm using the manual method, I'm concerned that this protection is not enabled.
Thanks!
- nathe
Cirrocumulus
toneman172,
The feature you are after is Enforced Cookies. Configuring a cookie as Enforced protects it against modification. See the v12 Implementation Guide (Implementation Guide - About Cookies) for further information, including how to set this up.
Hope this helps,
N
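To make the mechanism from the two replies above concrete (a companion cookie that lets the proxy detect changes to the application's cookies, and a policy that marks some cookies as enforced), here is an added, constructed model of that idea in Python. It is not F5's TS cookie implementation or ASM code; the cookie name `TS_demo`, the secret, and the set of enforced cookie names are assumptions.

```python
import hmac
import hashlib
import json

SECRET = b"constructed-demo-key"      # assumption: per-deployment secret known only to the proxy
ENFORCED = {"session_id", "role"}      # assumption: cookies the policy marks as enforced


def sign_cookies(cookies):
    """Compute the companion-cookie value over the enforced cookies only.

    Non-enforced cookies (e.g. UI preferences) are deliberately left out, so the
    client may change those without triggering a violation.
    """
    canon = json.dumps({k: cookies[k] for k in ENFORCED if k in cookies},
                       separators=(",", ":"), sort_keys=True).encode()
    return hmac.new(SECRET, canon, hashlib.sha256).hexdigest()


def on_response(set_cookies):
    """Proxy side, server -> client: add the companion cookie next to the app cookies."""
    out = dict(set_cookies)
    out["TS_demo"] = sign_cookies(out)
    return out


def on_request(cookies):
    """Proxy side, client -> server: verify the enforced cookies were not altered.

    Returns None when the request is clean, otherwise a short reason suitable
    for a violation log entry or a blocking decision.
    """
    tag = cookies.get("TS_demo")
    if tag is None:
        return "missing integrity cookie"
    # Recomputing the tag covers both cases: an enforced cookie was edited,
    # or the companion cookie itself was edited.
    if not hmac.compare_digest(tag, sign_cookies(cookies)):
        return "modified domain cookie(s)"
    return None


if __name__ == "__main__":
    issued = on_response({"session_id": "abc123", "role": "user", "theme": "dark"})
    print(on_request(issued))                        # None: untouched
    print(on_request(dict(issued, role="admin")))    # modified domain cookie(s)
    print(on_request(dict(issued, theme="light")))   # None: theme is not enforced
```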