Bug ID 427201: Issues with the LTM policy http-set-cookie action

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF9, 11.4.0 HF4

Opened: Aug 06, 2013
Severity: 3-Major
Related AskF5 Article:
K15855

Symptoms

The http-set-cookie action in an LTM policy can have several parameters. The parameters 'domain' and 'path' are reversed. The value of the domain parameter is used as the path in the Set-Cookie header and the value of the path parameter is used as the domain in the Set-Cookie header. It is also possible to use an http-set-cookie action without supplying a value. This results in an invalid Set-Cookie header.

Impact

An invalid Set-Cookie header might be sent to the browser.

Conditions

The issue happens whenever the http-set-cookie action is executed with a domain and/or path parameter, or without a value parameter.

Workaround

Reverse the values for the domain and path parameters and make sure a value parameter is supplied.
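
One way to check captured responses for these symptoms, or to confirm that the workaround took effect, is to audit the Set-Cookie values as below. This is an added example, not F5 code: the function names, finding labels and sample headers are constructed, and treating an absent or empty value as the "no value" symptom is an assumption, since the page does not show the exact header produced.

```python
# Added example: audit Set-Cookie header values for the symptoms of Bug ID 427201.
# All names and sample headers here are constructed for illustration.

def parse_set_cookie(header):
    """Return (name, value, attrs); value is None when the cookie pair has no '='."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    pair = parts[0]
    if "=" in pair:
        name, value = (s.strip() for s in pair.split("=", 1))
    else:
        name, value = pair, None
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def audit_set_cookie(header):
    """Return a list of findings that match the symptoms described on this page."""
    findings = []
    _name, value, attrs = parse_set_cookie(header)
    # Assumption: the "no value supplied" case shows up as a missing or empty value.
    if not value:
        findings.append("missing-value")
    domain = attrs.get("domain")
    path = attrs.get("path")
    # A Domain attribute is a host name; one starting with '/' is a swapped path.
    if domain and domain.startswith("/"):
        findings.append("domain-looks-like-path")
    # A Path attribute must start with '/'; anything else is a swapped domain.
    if path and not path.startswith("/"):
        findings.append("path-looks-like-domain")
    return findings

# Constructed sample headers (not captured BIG-IP output).
SAMPLES = [
    "session=abc123; Domain=example.com; Path=/app",   # correct
    "session=abc123; Domain=/app; Path=example.com",   # domain and path reversed
    "Set-Cookie: session; Path=/",                     # no value supplied
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_set_cookie(sample) or ["ok"], "<-", sample)
```

A header flagged as reversed is scoped differently from what the policy author intended, so the check is worth running against each virtual server that uses the action.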

Fix Information

The http-set-cookie action in an LTM policy now correctly uses the domain and path parameters when generating a Set-Cookie header. It is no longer possible to use the http-set-cookie action without supplying a value.

Behavior Change