Bug ID 571588: Add DB variables to allow DoS cookies to be set with the 'secure' flag

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3,,,,, 11.6.4, 11.6.5,,,

Fixed In:

Opened: Feb 03, 2016

Severity: 3-Major


The various features in the Application DoS profile, including Proactive Bot Defense, use cookies as part of the enforcement. These cookies do not include the 'secure' flag on deployments that utilize HTTPS.


The internal DoS / Proactive Bot Defense cookies are set without the 'secure' flag on HTTPS deployments. The relevant cookies are only internal ones that are used to maintain the state; they do not contain any user-data or any sensitive information.


Any of the Client-Side features are enabled in the DoS profile: Client-Side Mitigation, Proactive Bot Defense, or Device-ID-based detection. This is only a problem for deployments that use HTTPS.



Fix Information

The DoS / Proactive Bot Defense cookies can now be optionally set with the 'secure' flag, according to these new DB variables: DOSL7.use_secure_cookies enables the 'secure' flag on cookies that are set on a Virtual Server with a client-side SSL profile (default disabled). DOSL7.assume_https assumes HTTPS on all Virtual Servers, even those without an SSL profile (default disabled). This may be used in case the SSL proxy is performed on a different Virtual Server, or a different device.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips