Modified domain cookie

KF2 · ‎25-Oct-2022

Receive some blocked event about "modified domain cookie".

After some research , a cookie "TSxxxxxxxx" is generated by F5 ASM and it used to hash the enforce cookie.

When user got blocked, I found that this cookie "TSxxxxxxx" is missing in the browser, so that's why user got block.

but i am wondering why browser will automatically delete this cookie if no user intervention?

Nikoolayy1 · ‎26-Oct-2022

This is a tricky one as maybe the user is comming from a jump host or there is a proxy device before the F5 that does something. Also if just one browser has the issue is interesting as if you have AD an the user is internal there could be some rules that the AD enforces on the browser (also the users shouldn't be using incognito mode 🙂 )

Maybe see the links below as the ASM cookie is generated for every domain and path and maybe something happens on the browser that does not send the cookie. Also if it was API traffic/Bot traffic they normally do not support cookies.

https://support.f5.com/csp/article/K72137013

https://support.f5.com/csp/article/K54905165

https://support.f5.com/csp/article/K5907

Other thing is if you maybe enabled some flags:

https://support.f5.com/csp/article/K13787

KF2 · ‎26-Oct-2022

The user is not internal.

"This is a tricky one as maybe the user is comming from a jump host or there is a proxy device before the F5 that does something" <-- You mean the proxy device will modify or delete the cookie?

All the links you posts i have already read before I post this question in this forum.

Nikoolayy1 · ‎26-Oct-2022

I admit that are all my suggestions as if the F5 is sending the cookie what happens on the client device, I can't tell 🙂

My final suggestion could be to also use One Connect profile as it helps with cookies and upstream proxy devices but outside of that I am out of ideas.

https://support.f5.com/csp/article/K7964

DevCentral

Modified domain cookie

MFA required on DevCentral