Bug ID 571588: Add DB variables to allow DoS cookies to be set with the 'secure' flag

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
12.1.0

Opened: Feb 03, 2016
Severity: 3-Major

Symptoms

The various features in the Application DoS profile, including Proactive Bot Defense, use cookies as part of enforcement. On deployments that use HTTPS, these cookies are set without the 'secure' flag.

Impact

The internal DoS / Proactive Bot Defense cookies are set without the 'secure' flag on HTTPS deployments. The affected cookies are internal ones used only to maintain state; they do not contain any user data or other sensitive information.

Conditions

Any of the client-side features are enabled in the DoS profile: Client-Side Mitigation, Proactive Bot Defense, or Device-ID-based detection. This only affects deployments that use HTTPS.

Workaround

None

Fix Information

The DoS / Proactive Bot Defense cookies can now optionally be set with the 'secure' flag, controlled by two new DB variables:

DOSL7.use_secure_cookies: enables the 'secure' flag on cookies that are set on a Virtual Server with a client-side SSL profile (default disabled).

DOSL7.assume_https: assumes HTTPS on all Virtual Servers, even those without an SSL profile (default disabled). This may be used when SSL termination is performed on a different Virtual Server or on a different device.
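An added verification example (not F5 code) that encodes the decision rule above and audits the Set-Cookie headers of a captured HTTPS response for cookies that should carry the Secure attribute but do not. The cookie names in the sample headers are constructed placeholders, not the real DoS profile cookie names.

```python
import re
from typing import Dict, List

def secure_expected(has_clientssl_profile: bool,
                    use_secure_cookies: bool,
                    assume_https: bool) -> bool:
    """Rule from the Fix Information: Secure is expected when DOSL7.assume_https is
    enabled, or when DOSL7.use_secure_cookies is enabled on a Virtual Server that
    has a client-side SSL profile."""
    return assume_https or (has_clientssl_profile and use_secure_cookies)

_ATTR_SPLIT = re.compile(r";\s*")

def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into name, value and lower-cased attributes."""
    parts = _ATTR_SPLIT.split(header_value.strip())
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}

def cookies_missing_secure(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies that lack the Secure attribute (case-insensitive)."""
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers)
            if "secure" not in c["attrs"]]

def audit(set_cookie_headers: List[str], has_clientssl_profile: bool,
          use_secure_cookies: bool, assume_https: bool) -> List[str]:
    """Cookies that should be Secure under the configured DB variables but are not."""
    if not secure_expected(has_clientssl_profile, use_secure_cookies, assume_https):
        return []
    return cookies_missing_secure(set_cookie_headers)

# Constructed sample Set-Cookie headers from a hypothetical HTTPS response.
SAMPLE_SET_COOKIE = [
    "EXAMPLE_DOS_COOKIE_A=abc123; Path=/; HttpOnly",
    "EXAMPLE_DOS_COOKIE_B=def456; Path=/; Secure; HttpOnly",
    "session=xyz; Path=/; Secure",
]

if __name__ == "__main__":
    # Virtual Server with a client-ssl profile, use_secure_cookies enabled.
    for name in audit(SAMPLE_SET_COOKIE, True, True, False):
        print("cookie missing Secure flag:", name)
```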

Behavior Change