Bug ID 1069441: Cookie without '=' sign does not generate RFC violation

Last Modified: Dec 14, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Fixed In:
17.1.1, 15.1.10

Opened: Dec 21, 2021

Severity: 3-Major

Symptoms

If a request includes a Cookie header that contains only a cookie name, with no equal sign (=) and no corresponding value, it might not trigger the violation expected under the RFC (Request for Comments) specifications.

Impact

The request is not blocked.

Conditions

- Set Cookie not RFC-compliant to 'Block'
- Request with Cookie header with name only, for example 'Cookie:a'

Workaround

None

Fix Information

The request is blocked and reported with "Cookie not RFC-compliant violation".
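
The check described above can be illustrated with the following Python code, which is an added example and not F5's code or a description of how ASM implements the violation. It assumes the relevant grammar is the `cookie-pair` rule of RFC 6265 section 4.1.1 (the page does not name the RFC); the function name `cookie_violations` and the sample header values are constructed for illustration.

```python
import re

# Assumption: RFC 6265 section 4.1.1 grammar,
#   cookie-string = cookie-pair *( ";" SP cookie-pair )
#   cookie-pair   = cookie-name "=" cookie-value
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                 # cookie-name (token)
OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"   # cookie-octet
COOKIE_PAIR = re.compile(rf'{TOKEN}=(?:{OCTET}*|"{OCTET}*")')

NAME_ONLY = "no '=' sign (name only)"
BAD_SEP = "missing space after ';'"
BAD_PAIR = "invalid cookie-name or cookie-value"


def cookie_violations(header_value):
    """Return (pair, reason) tuples for each non-compliant cookie-pair."""
    value = header_value.strip(" \t")      # optional whitespace around the value
    if not value:
        return [("", "empty cookie-string")]
    problems = []
    # ';' cannot appear inside a cookie-value, so splitting on it is safe.
    for index, raw in enumerate(value.split(";")):
        if index > 0:                      # later pairs must follow "; "
            if raw.startswith(" "):
                raw = raw[1:]
            else:
                problems.append((raw, BAD_SEP))
        if "=" not in raw:                 # the case from this bug: 'Cookie:a'
            problems.append((raw, NAME_ONLY))
        elif not COOKIE_PAIR.fullmatch(raw):
            problems.append((raw, BAD_PAIR))
    return problems


if __name__ == "__main__":
    # Constructed sample values; "a" is the name-only example from the page.
    for sample in ["a", "a=1; b=2", "session=abc; tracking", 'a="x y"']:
        print(repr(sample), "->", cookie_violations(sample) or "compliant")
```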

Behavior Change
