Bug ID 781021: ASM modifies cookie header causing it to be non-compliant with RFC6265

Last Modified: Sep 11, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 15.0.0, 15.0.1

Opened: May 09, 2019
Severity: 3-Major

Symptoms

When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects: 1. No space after the semicolon 2. A cookie with no value is sent without the equals sign

Impact

Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.

Conditions

-- ASM Security Policy is used -- Request includes an ASM cookie

Workaround

Disable the cookie stripping by modifying the DB variable as follows: tmsh modify sys db asm.strip_asm_cookies value false

Fix Information

None

Behavior Change