Last Modified: Apr 10, 2019
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, [four further version entries unreadable in the source], 11.6.4
Opened: Feb 03, 2016
Symptoms:
The internal DoS / Proactive Bot Defense cookies are set without the 'secure' flag on HTTPS deployments. The affected cookies are internal ones used only to maintain state; they do not contain user data or any other sensitive information.
Conditions:
Any of the client-side features is enabled in the DoS profile: Client-Side Mitigation, Proactive Bot Defense, or Device-ID-based detection. This is only a problem for deployments that use HTTPS.
Fix Information:
The DoS / Proactive Bot Defense cookies can now optionally be set with the 'secure' flag, controlled by these new DB variables:
DOSL7.use_secure_cookies: enables the 'secure' flag on cookies that are set on a Virtual Server with a client-side SSL profile (default disabled).
DOSL7.assume_https: assumes HTTPS on all Virtual Servers, even those without an SSL profile (default disabled). This may be used when SSL proxying is performed on a different Virtual Server or on a different device.
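After enabling the variables above (via `tmsh modify sys db <variable> value <value>`), the practical check is to confirm that every cookie the Virtual Server sets over HTTPS actually carries the Secure attribute. The following is an added example, not code from F5 or from this article: it parses Set-Cookie header values the way a browser would and reports cookies that lack Secure on an HTTPS response. The cookie names in the sample are constructed placeholders; the real DoS cookie names are not given on this page.

```python
"""Audit Set-Cookie headers for a missing 'Secure' attribute on HTTPS responses.

Added example (not F5's code). Cookie names below are constructed placeholders.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly have no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def insecure_cookies(set_cookie_headers, over_https=True):
    """Return names of cookies that would be sent in clear text.

    On an HTTPS response a cookie without 'Secure' is the finding; on a plain
    HTTP response every cookie is already exposed, so nothing is reported.
    """
    if not over_https:
        return []
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append(name)
    return findings


def audit_report(set_cookie_headers, over_https=True):
    """Map every cookie name to a list of missing hardening attributes."""
    report = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        report[name] = missing
    return report


# Constructed sample: what the headers look like before and after the fix.
SAMPLE_BEFORE_FIX = [
    "dos_state_example=0123abcd; Path=/; HttpOnly",   # placeholder name, no Secure
    "sessionid=abcd1234; Path=/; Secure; HttpOnly",   # an application cookie, fine
]
SAMPLE_AFTER_FIX = [
    "dos_state_example=0123abcd; Path=/; Secure; HttpOnly",
    "sessionid=abcd1234; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    print("before fix:", insecure_cookies(SAMPLE_BEFORE_FIX))
    print("after fix: ", insecure_cookies(SAMPLE_AFTER_FIX))
    print(audit_report(SAMPLE_BEFORE_FIX))
```

Run it against the Set-Cookie headers captured from a real HTTPS response to the Virtual Server (for example from a browser's network panel); an empty result from `insecure_cookies` after setting DOSL7.use_secure_cookies, or DOSL7.assume_https when TLS terminates elsewhere, confirms the fix is in effect.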