Setting SameSite flag on ASM cookie using ASM system variables
Hello, I've a question, can we add samesite flag to ASM cookie with the same way we do for httponly and secure flags through creating system variables using the below KB: https://support.f5.com/csp/article/K13787 For Example: * Parameter Name: cookie_samesite_attr * Parameter Value: strict (or lax depending on the application need) Thanks in advance.
Setting cookie levels
During a review of www.testtest.com cookies for potential RWD checkout render we noticed that the F5 LTM and ASM cookies seem to be FQDN based (e.g., www.testtest.com) versus Top Level Domain based (e.g., .testtest.com). Is anyone aware of a mechanism to control the cookie level either at the profile, VCMP or appliance level?ASM TS cookie issue
Hello, I've some problems with ASM cookies. We have a webpage, where cookies are strictly not allowed. Is there any chance to stop ASM cookie injection? I checked all ASM cookies options available, but no luck. I didn't even found that in documentation. I want to know if it's possible to completely disable the ASM cookies? Best regards, Špela
How to add the 'Secure' and 'HttpOnly' attributes for ASM Frame cookies
I followed the instructions laid out in https://support.f5.com/csp/article/K13787?sr=45119777, but that only added the 'Secure' and 'HttpOnly' attributes for the ASM Main cookie. How do I add these same attributes to the ASM Frame cookies?
Question on setting ASM cookie attributes "Secure" "HTTPOnly"
I have followed the steps in the article: SOL13787: Configuring the 'secure' and 'HttpOnly' attributes for BIG-IP ASM cookies. https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13787.html When I am testing to make sure that the ASM cookies contain these attributes, I get mixed results. Sometimes the cookie contains the flags and sometime the cookie does NOT. For example when I am viewing the headers/cookies on the http response my first attempt shows NO flags. HTTP/?.? 200 OK Date: Tue, 22 Mar 2016 15:06:21 GMT Last-Modified: Mon, 21 Mar 2016 16:47:02 GMT Etag: "5807c0-c60d-52e91d89b2686" Accept-Ranges: bytes Content-Length: 50701 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: TS01d1bdbc=01999b702344514c65c6ee86723db44c429e71aaf68a4c1b4289513367f0036995c4e212fa; Path=/ I then wait a bit, clear all cookies and content and try it again. This time I DO get the correct flags. HTTP/?.? 200 OK Date: Tue, 22 Mar 2016 15:23:30 GMT Last-Modified: Mon, 21 Mar 2016 16:48:03 GMT Etag: "540a57-c60d-52e91dc375f89" Accept-Ranges: bytes Content-Length: 50701 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: TS01d1bdbc=01999b7023e21db6b479cf33230c83d66e8734b4f54314b360bb74c458686a6bc00b4e0ff9; Path=/; Secure; HTTPOnly I have verified that the flags are set by following the steps in this thread: https://devcentral.f5.com/questions/sol13787-configuring-the-secure-and-httponly-attributes-for-big-ip-asm-cookies Can anyone give me ideas as to why these attributes are not showing every time this cookie is getting set? Thanks!!
