violations

suthomas1
Cirrus

In our ADC security policy events, one of the websites always gets blocked for some of its contents on the page.

Logs point to a few violations, including a modified domain cookie which has a cookie name with two cookie values. If this is the block reason, how do we trace what definition of cookie it is checking against to block the page?

4 REPLIES

Erik_Novak
F5 Employee

Do you mean legitimate clients are getting blocked because of the modified domain cookie violation? In the Request Details section of the violation, you should be able to see the exact value of the domain cookie that was modified by the client. Check with your app developers to determine if that modification should be allowed or blocked.

suthomas1
Cirrus

Yes, legitimate clients get blocked for some of the contents on the page. I am trying to find out where this cookie is defined within F5, against which it does the check.

Erik_Novak
F5 Employee

The F5 cookie that is set to secure your domain cookie starts with the prefix TS and is then followed by a hexadecimal string. Do you have a learning suggestion to add your domain cookie to the allowed cookies list?

Ivan_Chernenkii
F5 Employee

If the "Modified domain cookie(s)" violation is detected, then this means that this cookie (or a wildcard which matches this cookie) is defined as enforced on the "Security ›› Application Security : Headers : Cookies List" page.

"Enforced" means that the cookie cannot be modified by the user, and in case of any modification the "Modified domain cookie(s)" violation must be detected.

"Enforced" needs to be used for cookies (like a session ID) which are set by the application via the "Set-Cookie" header and cannot be modified by the user.

If in your case you expect that the cookie can be modified, then you need to change its type to "Allow".

Thanks, Ivan
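To make the enforced/allow distinction from Ivan's answer concrete, here is an added Python model of the check (it is an illustration written for this thread, not F5's own implementation, and it does not reproduce how the TS cookie protects values). It assumes a constructed cookie list with wildcard entries, records the values the application issued via Set-Cookie, and then flags any enforced cookie the client returned with a different value, with no issued value, or with two values for the same name, which is the case described in the original question.

```python
import fnmatch
from http.cookies import SimpleCookie

# Constructed cookie list: (name pattern, type). Wildcards use shell-style
# globbing to stand in for the wildcard entries the thread mentions.
COOKIE_POLICY = [
    ("JSESSIONID", "enforced"),  # session ID: set by the app, never user-modifiable
    ("pref_*", "allow"),         # preference cookies: client may change them
]


def cookie_type(name, policy=COOKIE_POLICY):
    """Return 'enforced', 'allow', or None (no matching entry) for a cookie name."""
    for pattern, ctype in policy:
        if fnmatch.fnmatchcase(name, pattern):
            return ctype
    return None


def parse_set_cookie(headers):
    """Record name -> value from the Set-Cookie headers the application sent."""
    issued = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            issued[name] = morsel.value
    return issued


def parse_cookie_header(header):
    """Parse a request Cookie header into name -> [values], keeping duplicates."""
    sent = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        sent.setdefault(name.strip(), []).append(value.strip())
    return sent


def find_violations(issued, sent, policy=COOKIE_POLICY):
    """Return (cookie_name, reason) for each enforced cookie the client altered.

    Cookies of type 'allow' or with no policy entry are never reported here.
    """
    violations = []
    for name, values in sent.items():
        if cookie_type(name, policy) != "enforced":
            continue
        if name not in issued:
            violations.append((name, "enforced cookie was never issued by the application"))
        elif len(values) > 1:
            violations.append((name, f"enforced cookie sent with {len(values)} values"))
        elif values[0] != issued[name]:
            violations.append((name, "enforced cookie value differs from the issued value"))
    return violations


if __name__ == "__main__":
    # Constructed sample traffic.
    issued = parse_set_cookie([
        "JSESSIONID=abc123; Path=/; HttpOnly",
        "pref_theme=dark; Path=/",
    ])
    # Client changes an allowed cookie only: no violation.
    print(find_violations(issued, parse_cookie_header("JSESSIONID=abc123; pref_theme=light")))
    # Client sends the enforced cookie name twice, as in the thread: violation.
    print(find_violations(issued, parse_cookie_header(
        "JSESSIONID=abc123; JSESSIONID=zzz999; pref_theme=light")))
```

Run it as a script to see an empty list for the first request and a single JSESSIONID entry for the second. Moving a pattern from "enforced" to "allow" in COOKIE_POLICY is the equivalent of the type change Ivan recommends for cookies the client is expected to modify.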