Bug ID 918097: Cookies set in the URI on Safari

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 15.1.2, 15.1.2.1

Fixed In:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1

Opened: Jun 16, 2020

Severity: 4-Minor

Symptoms

When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.

Impact

A cookie is set on the URL.

Conditions

-- Bot Defense profile is attached to virtual server. -- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'. -- 'Cross Domain Requests' set to 'Validate Upon Request'. -- Surfing on Safari browser to a related domain.

Workaround

None.

Fix Information

A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.

Behavior Change

BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL. This is done by a new BigDB variable: tmsh modify botdefense.safari_redirect_no_cookie_mode value disable Default value is the original behavior (enable), which sets the cookie in the URl. NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips