Bug ID 918097: Cookies set in the URI on Safari

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.2,,,,,,,,, 14.1.3,, 14.1.4, 15.1.2,

Fixed In:
16.1.0,, 15.1.3,

Opened: Jun 16, 2020

Severity: 4-Minor


When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.


A cookie is set on the URL.


-- Bot Defense profile is attached to virtual server. -- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'. -- 'Cross Domain Requests' set to 'Validate Upon Request'. -- Surfing on Safari browser to a related domain.



Fix Information

A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.

Behavior Change

BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL. This is done by a new BigDB variable: tmsh modify botdefense.safari_redirect_no_cookie_mode value disable Default value is the original behavior (enable), which sets the cookie in the URl. NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips