Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 15.1.2, 15.1.2.1
Fixed In:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
Opened: Jun 16, 2020 Severity: 4-Minor
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.
A cookie is set on the URL.
-- Bot Defense profile is attached to virtual server. -- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'. -- 'Cross Domain Requests' set to 'Validate Upon Request'. -- Surfing on Safari browser to a related domain.
None.
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL. This is done by a new BigDB variable: tmsh modify botdefense.safari_redirect_no_cookie_mode value disable Default value is the original behavior (enable), which sets the cookie in the URl. NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.