Bug ID 781021: ASM modifies cookie header causing it to be non-compliant with RFC6265

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,, 15.0.0, 15.0.1,,,,

Fixed In:

Opened: May 09, 2019

Severity: 3-Major


When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects: -- No space after the semicolon -- A cookie with no value is sent without the equals sign


Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.


-- ASM Security Policy is used. -- Request includes an ASM cookie.


Disable the cookie stripping by modifying the DB variable as follows: tmsh modify sys db asm.strip_asm_cookies value false

Fix Information

ASM now strips the ASM cookies from the request in a way that is compliant with RFC6265.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips