What happens if the ASM sees a TS cookie it did not set?
I have a configuration and I am wondering if this is causing Timestamp Expired cookie violations.
I have a configuration where a TS cookie can pass back through a policy that did not set it. In this config we have different policies for different URLs. In the response the set-cookie is for a 'higher' point in the domain tree. For example, the policy sets the cookie for .abcdef.com in a policy that is mapped to xyz.abcdef.com. Another request is made to another policy that is mapped to 123.abcdef.com, but in the request the cookie from the other policy is the TS cookie from the last request, but this policy did not set it so is not aware of it.
Policy one sets cookie TSxxxxxx in domain abcdef.com from a request to zyx.abcdef.com. Policy two gets a request to 123.abcdef.com and receives the TS cookie for the subdomain abcdef.com.
Would this create a Cookie Violation - Expired TimeStamp? I am thinking the ASM recognises it as a TS cookie but also knows it was not set by the policy that is inspecting it.
Any clues would be great.
Graham
- samstep (Cirrocumulus)
Graham,
An Expired Timestamp violation will indeed happen in this case. The TS cookie set in the response contains the encrypted timestamp, which ASM compares with the current time on the next request. If the TS cookie is "too old" (more than 600 seconds/10 minutes), an Expired Timestamp violation will be generated. This prevents replay attacks (hackers using stolen HTTP requests of a user and then trying to replay them).
The expiration period can be controlled by the cookie_expiration_time_out parameter in the ASM Advanced config.
Information about ASM cookies can be found here:
https://support.f5.com/csp/article/K6850
The config you are describing is problematic from the ASM point of view; there should really be an iRule redirecting requests to abcdef.com to xyz.abcdef.com.
Hope this helps,
Sam
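A check for the configuration discussed in this thread, added here as an example (not code from either poster or from F5): it reads captured Set-Cookie headers and reports TS cookies whose Domain attribute makes the browser send them to a host served by a different policy. The host-to-policy map, the policy names, the cookie values and the rule that a TS cookie name starts with "TS" are assumptions; the sample responses are constructed.

```python
import re

# Assumption: ASM cookie names start with "TS" (the thread shows "TSxxxxxx").
TS_NAME = re.compile(r"^TS[0-9A-Za-z_]+$")

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: same host, or host is a subdomain of the cookie domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cross_policy_ts_cookies(responses, host_policy):
    """Return (cookie, set_by_host, domain, receiving_hosts) for each TS cookie
    that will be sent to a host mapped to a different policy."""
    findings = []
    for host, header in responses:
        name, attrs = parse_set_cookie(header)
        domain = attrs.get("domain")
        if not TS_NAME.match(name) or not domain:
            continue  # no Domain attribute: cookie returns only to the host that set it
        receivers = sorted(
            h for h, policy in host_policy.items()
            if policy != host_policy.get(host) and domain_matches(h, domain)
        )
        if receivers:
            findings.append((name, host, domain, receivers))
    return findings

# Constructed sample data modelled on the hosts named in the question.
HOST_POLICY = {"xyz.abcdef.com": "policy_one", "123.abcdef.com": "policy_two"}
RESPONSES = [
    ("xyz.abcdef.com", "TS01a2b3c4=0123abcd; Domain=.abcdef.com; Path=/"),
    ("123.abcdef.com", "TS05d6e7f8=89ef4567; Path=/"),
    ("xyz.abcdef.com", "JSESSIONID=zz; Domain=.abcdef.com; Path=/"),
]

if __name__ == "__main__":
    for name, host, domain, receivers in cross_policy_ts_cookies(RESPONSES, HOST_POLICY):
        print(f"{name} set by {host} with Domain={domain} also reaches {receivers}")
```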