asm ts cookie
9 Topics

ASM cookie, modifying "domain" field
Is it possible to modify the "domain" field in the ASM cookie? As it appears ASM is using a hostname from the HTTP header, unfortunately the host is replaced with an internal hostname (required by an app) in an iRule. So scanners point out that this is a vulnerability.

481 Views, 0 likes, 2 Comments

Setting SameSite flag on ASM cookie using ASM system variables
Hello, I have a question: can we add the SameSite flag to the ASM cookie in the same way we do for the HttpOnly and Secure flags, by creating system variables using the KB below?

https://support.f5.com/csp/article/K13787

For example:

* Parameter Name: cookie_samesite_attr
* Parameter Value: strict (or lax depending on the application need)

Thanks in advance.

819 Views, 1 like, 3 Comments

How to add the 'Secure' and 'HttpOnly' attributes for ASM Frame cookies
I followed the instructions laid out in https://support.f5.com/csp/article/K13787?sr=45119777, but that only added the 'Secure' and 'HttpOnly' attributes for the ASM Main cookie. How do I add these same attributes to the ASM Frame cookies?

362 Views, 0 likes, 1 Comment

ASM TS cookie issue
Hello, I have some problems with ASM cookies. We have a webpage where cookies are strictly not allowed. Is there any chance to stop ASM cookie injection? I checked all the ASM cookie options available, but no luck. I didn't even find that in the documentation. I want to know if it's possible to completely disable the ASM cookies?

Best regards,
Špela

497 Views, 0 likes, 1 Comment

ASM uses TS cookies as well against CSRF
I understood ASM injecting a token in fields on static HTML POST forms or client-side scripts to protect against CSRF. But I read somewhere that it uses the main TS cookie as well; how does it work exactly? An attacker can just replay the TS cookie...

469 Views, 0 likes, 2 Comments

F5 ASM - Client Session Record
Hello, I'm looking for a solution for recording users/clients who turn to my sites. For example, if a user turns to my website I want to see what he was doing on the site and what links he clicked. I would like to see this as a video recording. Is it possible?

520 Views, 0 likes, 6 Comments

Setting cookie levels
During a review of www.testtest.com cookies for potential RWD checkout render we noticed that the F5 LTM and ASM cookies seem to be FQDN based (e.g., www.testtest.com) versus Top Level Domain based (e.g., .testtest.com). Is anyone aware of a mechanism to control the cookie level either at the profile, VCMP or appliance level?

582 Views, 0 likes, 10 Comments

Question on setting ASM cookie attributes "Secure" "HTTPOnly"
I have followed the steps in the article: SOL13787: Configuring the 'secure' and 'HttpOnly' attributes for BIG-IP ASM cookies.

https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13787.html

When I am testing to make sure that the ASM cookies contain these attributes, I get mixed results. Sometimes the cookie contains the flags and sometimes the cookie does NOT. For example, when I am viewing the headers/cookies on the HTTP response, my first attempt shows NO flags.

    HTTP/?.? 200 OK
    Date: Tue, 22 Mar 2016 15:06:21 GMT
    Last-Modified: Mon, 21 Mar 2016 16:47:02 GMT
    Etag: "5807c0-c60d-52e91d89b2686"
    Accept-Ranges: bytes
    Content-Length: 50701
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: TS01d1bdbc=01999b702344514c65c6ee86723db44c429e71aaf68a4c1b4289513367f0036995c4e212fa; Path=/

I then wait a bit, clear all cookies and content and try it again. This time I DO get the correct flags.

    HTTP/?.? 200 OK
    Date: Tue, 22 Mar 2016 15:23:30 GMT
    Last-Modified: Mon, 21 Mar 2016 16:48:03 GMT
    Etag: "540a57-c60d-52e91dc375f89"
    Accept-Ranges: bytes
    Content-Length: 50701
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: TS01d1bdbc=01999b7023e21db6b479cf33230c83d66e8734b4f54314b360bb74c458686a6bc00b4e0ff9; Path=/; Secure; HTTPOnly

I have verified that the flags are set by following the steps in this thread: https://devcentral.f5.com/questions/sol13787-configuring-the-secure-and-httponly-attributes-for-big-ip-asm-cookies

Can anyone give me ideas as to why these attributes are not showing every time this cookie is getting set? Thanks!!

286 Views, 0 likes, 1 Comment