Last Modified: Jul 24, 2024
Affected Product(s):
BIG-IP ASM
Fixed In:
17.1.1, 16.1.5, 15.1.10
Opened: Dec 21, 2021 Severity: 3-Major
If a request includes a Cookie header that only contains the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation as expected according to the RFC (Request for Comments) specifications.
The request is not blocked.
-Set Cookie not RFC-compliant to 'Block' -Request with Cookie header with name only, for example 'Cookie:a'
None
The request is blocked and reported with "Cookie not RFC-compliant violation"
Previously, if a request included a Cookie header that contained only the name of the cookie without an equal sign (=) and a corresponding value, it might not result in a violation. Now, such a request is blocked and reported with a "Cookie not RFC-compliant" violation as expected according to the RFC (Request for Comments) specifications.