Last Modified: Sep 13, 2023
Known Affected Versions:
14.1.2, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 14.1.3, 184.108.40.206, 14.1.4, 15.1.2, 220.127.116.11
16.1.0, 18.104.22.168, 15.1.3, 22.214.171.124
Opened: Jun 16, 2020 Severity: 4-Minor
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.
A cookie is set on the URL.
-- Bot Defense profile is attached to virtual server. -- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'. -- 'Cross Domain Requests' set to 'Validate Upon Request'. -- Surfing on Safari browser to a related domain.
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL. This is done by a new BigDB variable: tmsh modify botdefense.safari_redirect_no_cookie_mode value disable Default value is the original behavior (enable), which sets the cookie in the URl. NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.