Sorry for the late thank you, I expected this iRule cause lots of XSS type events in the ASM logs, my initial thought was that if that happens I would have to rewite it so that the first virtual strips the TS cookies out and the second virtual would the combine them again. However thats not now necessary.
in the meantime, I have requested an RFE to provide an option to choose which cookies are protected by ASM, for instance a initial request which also has its path and sets language or location cookie within the app header are not critical and certainly do not require additional ASM generated TS cookie to protect them, dont care if an attacker fiddles with these, however i do care about transactional cookies and should be able to pick & prioritize these within the ASM.
Furthermore, F5 setting a max value of 10 for cookie paths is beyond me, there is no rfc that gives F5 this permission.
F5 decided that a site should not have more that 10 paths per domain inorder to have ASM cookie protection, surely this should be business management decision not a suppliers one.
in my opinion, ASM has fallen in to the Microsoft trap of setting (non-standard) minimum cookies requirement per site of 20 until IE7, when the rfc clearly states that the minimum should be 20 and ms took the decision to make the minimum & max the same (20), , see: http://support.microsoft.com/kb/941495/en-us .
Thanks again.