Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.4.0, 11.4.1
Fixed In:
11.5.0, 11.4.1 HF9, 11.4.0 HF4
Opened: Aug 06, 2013
Severity: 3-Major
Related Article:
K15855
The http-set-cookie action in an LTM policy can have several parameters. The parameters 'domain' and 'path' are reversed. The value of the domain parameter is used as the path in the Set-Cookie header and the value of the path parameter is used as the domain in the Set-Cookie header. It is also possible to use an http-set-cookie action without supplying a value. This results in an invalid Set-Cookie header.
An invalid Set-Cookie header might be sent to the browser.
The issue happens whenever the http-set-cookie action is executed with a domain and/or path parameter, or without a value parameter.
Reverse the values for the domain and path parameters and make sure a value parameter is supplied.
The http-set-cookie action in an LTM policy now correctly uses the domain and path parameters when generating a Set-Cookie header. It is no longer possible to use the http-set-cookie action without supplying a value.
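A response-side check for the symptom described above, as an added example that is not part of the original bug record or any F5 code: it inspects a Set-Cookie header value for a Domain that looks like a path, a Path that looks like a domain, and a missing name=value pair. The function name and the sample headers are constructed for illustration; the record does not show the exact header BIG-IP emits when no value is supplied, so that sample is an assumed form.

```python
import re

# Hostname-like value: dot-separated labels, optional leading dot.
_HOSTLIKE = re.compile(r"^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample headers (not captured from a real device).
GOOD = "session=abc123; Domain=example.com; Path=/app"
SWAPPED = "session=abc123; Domain=/app; Path=example.com"
NO_VALUE = "session; Domain=example.com; Path=/app"  # assumed invalid form


def audit_set_cookie(value):
    """Return a list of findings for one Set-Cookie header value."""
    findings = []
    parts = [p.strip() for p in value.split(";")]

    # RFC 6265: the first element must be a cookie-pair, name=value.
    name, sep, _cookie_value = parts[0].partition("=")
    if not sep or not name.strip():
        findings.append("missing name=value pair")

    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val.startswith("/"):
            # A domain never starts with '/'; this is the swapped-parameter symptom.
            findings.append("Domain looks like a path: " + val)
        elif key == "path" and not val.startswith("/"):
            # Browsers ignore a Path that does not start with '/'.
            if _HOSTLIKE.match(val):
                findings.append("Path looks like a domain: " + val)
            else:
                findings.append("Path does not start with '/': " + val)
    return findings


if __name__ == "__main__":
    for header in (GOOD, SWAPPED, NO_VALUE):
        print(header, "->", audit_set_cookie(header) or "ok")
```

Run it against Set-Cookie values captured from a virtual server before and after applying the workaround or the fixed version to confirm the header is well-formed.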