Bug ID 932193: Improper handling of multiple cookie headers results in security bypass

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Fixed In:

Opened: Jul 29, 2020

Severity: 3-Major


Improper handling of multiple cookies results in security bypass when certain server technologies are used. The multiple cookie headers are handled separately in ASM, but the backend server concatenates it and can lead to potential signature attacks.


Bypass of negative security enforcement and can affect certain server technologies


When PHP server technology is used as backend and a specially crafted request is sent with multiple cookies header.



Fix Information

Templates are modified to change the default value of 'Repeated Occurrences' for HTTP header 'cookie' to 'Disallow'.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips