Last Modified: Oct 06, 2020
See more info
Known Affected Versions:
11.5.0, 11.4.1 HF9, 11.4.0 HF4
Opened: Aug 06, 2013
Related AskF5 Article: K15855
The http-set-cookie action in an LTM policy can have several parameters. The parameters 'domain' and 'path' are reversed. The value of the domain parameter is used as the path in the Set-Cookie header and the value of the path parameter is used as the domain in the Set-Cookie header. It is also possible to use an http-set-cookie action without supplying a value. This results in an invalid Set-Cookie header.
An invalid Set-Cookie header might be sent to the browser.
The issue happens whenever the http-set-cookie action is executed with a domain and/or path parameter, or without a value parameter.
Reverse the values for the domain and path parameters and make sure a value parameter is supplied.
The http-set-cookie action in an ltm policy now correctly uses the domain and path parameters when generating a Set-Cookie header. It is no longer possible to use the http-set-cookie actions without supplying a value.