Bug ID 918097: Cookies set in the URI on Safari

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4, 15.1.0,,,,,, 15.1.1, 15.1.2,, 16.0.0,, 16.0.1,

Fixed In:
16.1.0,, 15.1.3,

Opened: Jun 16, 2020
Severity: 4-Minor


When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.


A cookie is set on the URL.


-- Bot Defense profile is attached to virtual server. -- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'. -- 'Cross Domain Requests' set to 'Validate Upon Request'. -- Surfing on Safari browser to a related domain.



Fix Information

A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.

Behavior Change

BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL. This is done by a new BigDB variable: tmsh modify botdefense.safari_redirect_no_cookie_mode value disable Default value is the original behavior (enable), which sets the cookie in the URl. NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.