I am usually facing an issue with (Cookie Violation - Expired TimeStamp), the TS cookies keep are expired always and trigger this violation.
I am not sure if i am doing the configurations in the proper way so i need a help how and what is proper way to configure the protection?
I mean is there is a relation between the real server session cookie and ASM cookie and how i can avoid the issue which always alarming the violation?
it is a general question not specific to any case.
does this happen for all requests? is the system time of your BIG-IP correct?
in principle this shouldn't happen if requests are just regularly made and the correct reply is provided. but perhaps the clients are behind some device which acts odd ...
Cookie Violation - Expired TimeStamp violation happens if a user goes away for over 10 minutes and then issues a fresh request. . ASM TS cookie set in response contains the encrypted & digitally signed timestamp of the last sent response which is compared by ASM with the current time on the next request. If TS cookie is "too old" (more than 600 seconds/10 minutes) an Expired Timestamp violation will be generated - this prevents session replay attacks (hackers using stolen HTTP requests of a user and then trying to replay them hoping to hijack the user session).
If the application you are protecting with ASM allows idle timeout for users for more than 10 minutes you will need to adjust the expiration period of the cookie.
The expiration period can be controlled by cookie_expiration_time_out parameter in the ASM Advanced config menu (Security ›› Options : Application Security : Advanced Configuration : System Variables) and it is 600 seconds (10 minutes) by default. So if your application's idle timeout is 15 minutes (very popular timeout these days with online banking and other financial websites) you need to change the setting to 900 seconds.
If your application does not have a timeout and allows users to stay logged in for a very long time and you want to keep that behaviour you will need to disable this violation as it is not suitable for your application.
Hope this helps,
Thanks for your kind reply, i will make some more tests in the application behaviour during idle status and confirm back my findings.
I think you have explained the violation clearly and i can understand how the ASM works with this violation.