Bug ID 427201: Issues with the LTM policy http-set-cookie action

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF9, 11.4.0 HF4

Opened: Aug 06, 2013

Severity: 3-Major

Related Article: K15855


The http-set-cookie action in an LTM policy can have several parameters. The parameters 'domain' and 'path' are reversed. The value of the domain parameter is used as the path in the Set-Cookie header and the value of the path parameter is used as the domain in the Set-Cookie header. It is also possible to use an http-set-cookie action without supplying a value. This results in an invalid Set-Cookie header.


An invalid Set-Cookie header might be sent to the browser.


The issue happens whenever the http-set-cookie action is executed with a domain and/or path parameter, or without a value parameter.


Reverse the values for the domain and path parameters and make sure a value parameter is supplied.

Fix Information

The http-set-cookie action in an ltm policy now correctly uses the domain and path parameters when generating a Set-Cookie header. It is no longer possible to use the http-set-cookie actions without supplying a value.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips