Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Facing problem with Modified domain cookies

Aantat
Cirrus
Cirrus

Hello.

I'm facing problem with Modified domain cookies. I have configured ASM policy in blocking mode with some enforced cookies. Also I have enabled blocking on Modified domain cookies on Learning and Blocking settings. So the problem is some users get blocked with  Modified domain cookies, but they can access to app via Incognito mode of browser. Seems like the reason of this is because they're using old cookies (?) Is this correct behaviour of ASM? Is it because of expired cookies? What should I do? Any suggestions?

8 REPLIES 8

G-Rob
F5 Employee
F5 Employee

BIG-IP ASM cookies are session based and do not get written to disk. When the user is connecting to the application using incognito mode, there is no existing cookie so the violation is not triggered. See K5907: BIG-IP ASM violation: Modified domain cookie 

The most common reason the cookie changes is that the client makes a request to another app on the same domain not passing through the same ASM policy which modifies the cookie. Another common cause for the violation is that the ASM cookie is set with a different expiry than the app's cookie. If you can reproduce the issue, try using your browser's development tools to view the cookies in use for the application and monitor changes to the cookie between ASM sessions. 

Hi, so I think I find the reason of my problem. Violation is triggered when user uses my app via example.com after www.example.com. Is there any suggestion on that? Should I do redirect from www to my example.com?

Hi @Aantat , 
Are there any device in your path makes any kind of Cookie persistence or not ?
I want to say if there are " any persistence Cookies " in Requests that pass via F5 ASM , it will make such these violations and in this case this is a false positve you should dis-check mark from "block" box in learning and blocking setting for the impacted service. 

> another solution , take a har file or extract the payload itself from F5 Event logs and see which cookies are sent in requests , After That contact with server developer to discuss with him these cookies and expiration periods or validate if these cookies accept modification or not , the only one who should decide if these cookies accept modification or not is server developer/owner for better visability in your applications. 
Note : you should find server cookies in http header called " set-cookie" header. 

- To get the har Archive file , Follow this KB : 
https://support.f5.com/csp/article/K10370211
- For more info about Modified domain cookies violations and its possibility to be false positive , read the following articls : 

https://support.f5.com/csp/article/K89255958

https://support.f5.com/csp/article/K5907

I hope my reply helps you

_______________________
Regards
Mohamed Kansoh

Hi, i dismarked block setting and find the reason of problem. So violation is triggered when user uses my app via example.com after www.example.com. Is there any suggestion on that? Should I do redirect from www to my example.com?

Hi @Aantat ,

Can you clarify more , 

What is your APP , and www.examble.com / example.com. 

Do you want to redirect all requests to example.come instead of www.example.com ,

I need some clarification. 

 

_______________________
Regards
Mohamed Kansoh

Hi,

So my app is simple web application - example.com. So violation is triggered when user access to app via example.com after www.example.com. I mean the problem is triggered with "www". Is there any suggestion on that? IDK about redirect, it was just my suggestion. 

Hi @Aantat , 
The problem is triggered with issuing "www" but everything goes fine with using "example.com" directly. 
so I think if we redirect from "www.example.com" to "example.com" may this solve this issue. 
if you want to try the redirection , you can do it by LTM policy or irule , I can help you in this.
 

_______________________
Regards
Mohamed Kansoh

Also this is nice article:

 

 

K47327904: BIG-IP ASM Main cookie domain attribute not set

In some specific cases domain attribute for ASM Main cookie may not be set.

https://support.f5.com/csp/article/K47327904