For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

strongarm_46960's avatar
strongarm_46960
Icon for Nimbostratus rankNimbostratus
Dec 01, 2008

To many Cookies

I have just recenty put ASM in front of a large app, this app has been known to set up to 17 or more cookes per session depending on what transaction the user is doing, problem is ASM seems to set a f...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 10, 2008
Hi jquadri,

 

 

I wonder if the requests are passing through multiple ASM-enabled virtual servers? Can you post some examples of the ASM cookie names. They should start with TS. I'd expect the cookie name for one web application should always be the same as it's a hash of the web application name. If the clients are accessing several subdomains on the same domain which all use ASM, maybe a solution would be to use an iRule to set the domain on the cookies to the fully qualified subdomain. This would ensure the client would only include the ASM cookie for the specific web application.

 

 

That said, F5 Support should be able to explain the logic for when ASM cookies are used--if not what the cookies contain (the latter being proprietary). If the high number of cookies is breaking your application and the product manager of ASM says the behavior you're seeing isn't expected, I think you have good grounds to push F5 to explain why you're seeing so many ASM cookies.

 

 

Aaron