Bug ID 663535: Sending ASM cookies with "secure" attribute even without client-ssl profile

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3

Fixed In:
14.0.0, 13.1.1.4, 12.1.3.2

Opened: May 08, 2017
Severity: 3-Major

Symptoms

ASM cookies can be set with the "secure" attribute when BIG-IP works with an SSL profile.

Impact

When the network is encrypted on the client side but clear at the ASM virtual server, ASM cookies cannot be set with the "secure" attribute.

Conditions

ASM is enabled, and the network to BIG-IP does not use a client-ssl profile.

Workaround

There is no workaround at this time.

Fix Information

Added an internal parameter, "assume_https", that controls whether the "secure" attribute is always set, even when the BIG-IP network is clear.
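One way to confirm the condition described above from the client side of the TLS terminator, as an added example that is not F5 code: it parses captured Set-Cookie header values and reports ASM cookies that lack the "secure" attribute. The cookie-name pattern (names beginning with "TS" followed by hex characters) and the sample headers are assumptions constructed for illustration.

```python
import re

# Assumption: ASM cookie names start with "TS" followed by hex characters.
# Adjust the pattern to the cookie names seen in your own deployment.
ASM_COOKIE_NAME = re.compile(r"^TS[0-9a-fA-F]{6,}")


def parse_set_cookie(header_value):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the segments after the first ";" are attributes; the cookie value is not.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def asm_cookies_missing_secure(set_cookie_values, name_pattern=ASM_COOKIE_NAME):
    """List ASM cookie names that were issued without the Secure attribute."""
    missing = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name_pattern.match(name) and "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample: responses seen by the client when TLS is terminated in
# front of BIG-IP and the ASM virtual server has no client-ssl profile.
BEFORE = [
    "TS01a2b3c4=0123abcd; Path=/; HttpOnly",
    "JSESSIONID=constructed; Path=/; Secure; HttpOnly",  # application cookie, not checked
    "TS01d5e6f7=secure; Path=/",  # the value "secure" is not the attribute
]

# Constructed sample: the same cookies once the "secure" attribute is always set.
AFTER = [
    "TS01a2b3c4=0123abcd; Path=/; HttpOnly; Secure",
    "JSESSIONID=constructed; Path=/; Secure; HttpOnly",
    "TS01d5e6f7=secure; Path=/; Secure",
]

if __name__ == "__main__":
    print("missing before:", asm_cookies_missing_secure(BEFORE))
    print("missing after: ", asm_cookies_missing_secure(AFTER))
```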

Behavior Change