Bug ID 1069441: Cookie without '=' sign does not generate rfc violation

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Fixed In:
17.1.1, 16.1.5, 15.1.10

Opened: Dec 21, 2021

Severity: 3-Major

Symptoms

If a request includes a Cookie header that only contains the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation as expected according to the RFC (Request for Comments) specifications.

Impact

The request is not blocked.

Conditions

- The "Cookie not RFC-compliant" violation is set to 'Block'.
- The request has a Cookie header with a name only, for example 'Cookie:a'.

Workaround

None

Fix Information

The request is blocked and reported with a "Cookie not RFC-compliant" violation.

Behavior Change

Previously, if a request included a Cookie header that contained only the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation. Now, such a request is blocked and reported with a "Cookie not RFC-compliant" violation as expected according to the RFC (Request for Comments) specifications.
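The check described above can be reproduced offline, for example to review logged Cookie headers on versions without the fix. This is an added example, not F5's code or the ASM implementation. It assumes the RFC in question is RFC 6265 and goes beyond the name-only case to validate cookie-name and cookie-value as well; the function name and the sample headers are constructed.

```python
import re

# RFC 6265 grammar (assumed here; the page only says "RFC"):
#   cookie-string = cookie-pair *( ";" SP cookie-pair )
#   cookie-pair   = cookie-name "=" cookie-value
# cookie-name is an HTTP token.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
OCTETS = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
# cookie-value: bare octets, or the same octets wrapped in double quotes.
VALUE = re.compile(r'(?:%s|"%s")' % (OCTETS, OCTETS))


def cookie_violations(header_value):
    """Return (pair, reason) for every non-compliant cookie-pair.

    header_value is the text after 'Cookie:'. An empty list means the
    header matches the cookie-string grammar.
    """
    problems = []
    value = header_value.strip(" \t")  # optional whitespace around cookie-string
    if not value:
        return [("", "empty cookie-string")]
    for pair in value.split("; "):
        name, sep, val = pair.partition("=")
        if not sep:
            # The case from this bug: a name with no '=' and no value.
            problems.append((pair, "missing '='"))
        elif not TOKEN.fullmatch(name):
            problems.append((pair, "invalid cookie-name"))
        elif not VALUE.fullmatch(val):
            problems.append((pair, "invalid cookie-value"))
    return problems


# Constructed sample header values, including the page's 'Cookie:a' case.
SAMPLES = ["a", "a=1", "a=1; b", "a=", "sid=abc; theme=dark", "a=1;b=2"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", cookie_violations(sample) or "compliant")
```

Under this grammar `a=` is compliant, because an empty cookie-value is allowed; only the missing equal sign makes `a` a violation.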
