Forum Discussion

Darius44's avatar
Icon for Altocumulus rankAltocumulus
Jul 27, 2023

WAF ASP.NET_SessionId cookie not sent by the client


I have the following configuration and issue.

We have a WAF in place for one of the webservers, which is set to Transparent mode.

When a user tries to upload a file to that webserver using a JAVA command line tool in Linux he is unable to do it because the response from the server is "Session Expires" (the whole process is less than 1 sec so the timeout is not the reason). The HTTP method that is used is a "Put" method, which is not blocked by the WAF cause the policy is in Transparent mode

We noticed that when we disable the F5 WAF policy at all from the webserver the client is succesfull in uploading the file to  the webserver, and the diference is that when there is no WAF the ASP.NET_SessionId cookie set by the server remains the same through the whole process, while when using WAF there is no ASP.NET_SessionId cookie sent by the client to the server, only the TS cookie. In the response the server always sets a new ASP.NET_SessionId cookie which makes the client to send a new TS cookie value every time, so we assume that the issue is the fact that the client is not sending any ASP cookie back to the server and the server tries to create a new one every time and this triggers that Session Expired issue, cause the webserver expects a SessionID cookie (just my guess)

I checked with BurpSuite and in fact when using WAF the client is not adding the previously recieved ASP.NET_SessionId cookie to the request.

The weird stuff is that if we do the following process then the upload works: We have the WAF assigned to the server, the client connects using the JAVA client terminal program and creates a session, it tries to upload a file, it fails (as expected), we unnasign any WAF policy from the server, the user while connected to the same terminal session tries again to upload it works (as expected cause there is no WAF and the client sends the session cookie to the server ), we re-assign the same WAF to the server (while the client is still connected to the JAVA terminal session) and if he tries to upload now it works, and the client sends the ASP.NET_SessionId cookie this time, and it works every time untill we quit the current terminal session and we reconnect and the process begins again.

I noticed that when the server sets the ASP.NET_SessionId cookie it also has this flag set "HTTPOnly"

(Set-Cookie: ASP.NET_SessionId=wkojcpgjvwrnvk4poknmkjer; path=/; secure; HttpOnly)

which in my reasoning it should break the application because we are not using HTTP we are using a JAVA script/ terminal tool instead, but the same flag is set when the WAF is disabled or when we do that assing/unnasign trick and it work without problems (correct me if I am worng)

Does anyone have any ideea what can be done?

Thank you very much in advance 

3 Replies

    • Darius44's avatar
      Icon for Altocumulus rankAltocumulus


      Thank you for you answer first of all.

      I don't believe the number of cookies is the problem, as the WAF only learned 10 of them and in the request sent by the client when the process is not working it is sending only the TS cookie and when it does work (after the trick with unnasign and re-assign) it send both the TS and the ASP cookie.

      Thank you!

      • Nikoolayy1's avatar
        Icon for MVP rankMVP

        See the extra notes I just added but maybe it will need a TAC assistance.