For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Approxee's avatar
Approxee
Icon for Nimbostratus rankNimbostratus
Sep 28, 2017

What happens if the ASM sees a TS cookie it did not set.

I have a configurtion and I am wondering if this causing Timestamp Expired cookie violations.   I have a configuration where a TS cookie can pass back through a policy that did not set it. In this...
ASM Advanced WAF
cookies
security
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
Oct 21, 2017

Graham,

 

Expired Timestamp violation will indeed happen in this case. TS cookie set in response contains the encrypted timestamp which is compared by ASM with the current time on the next request. If TS cookie is "too old" (more than 600 seconds/10 minutes) Expired Timestamp violation will be generated - this prevents replay attacks (hackers using stolen HTTP requests of a user and then trying to replay them).

 

The expiration period can be controlled by cookie_expiration_time_out parameter in the ASM Advanced config.

 

Information about ASM cookies can be found here:

 

https://support.f5.com/csp/article/K6850

 

The config you are describing is problematic from ASM point of view, there should really be an irule redirecting requests to abcdef.com to xyz.abcdef.com

 

Hope this helps,

 

Sam