Dan_Bowman
Mar 07, 2019
Solved

ASM stripping double quotes from cookie values post v14?

Noticed one of our apps stopped working after moving from v13.1 > v14.1.0.2

Investigation suggests ASM is stripping quotes from JSESSIONID cookies and preventing sessions from being initiated - has anyone encountered this before?

For example:

Mar  7 15:00:58  : JSESSIONID="uniquevalue.servername:server-one"; 



Mar  7 15:00:58  : JSESSIONID=uniquevalue.servername:server-one;

Backend servers interpret this as two separate values and session can't be established.

Removing the ASM policy from the VS removes the issue, and quotes are maintained on http_request_release.


4 Replies

  • v14 is relatively new and this might be a genuine issue in ASM v 14.x - I suggest opening a Support Case with F5 to investigate

     

  • We are experiencing exactly the same: ASM seems to be stripping double quotes from cookies in our applications.

    The behaviour started after updating to v14.0.

    Edit: the problem is the same, not the opposite.


  • Raised an SR with F5 Support and they advised the following:

    A feature to not pass ASM cookies was introduced in this version. Engineering Services team indicated to disable the feature:

     tmsh modify sys db asm.strip_asm_cookies value false

  • To close this off - the issue was corrected in v14.1.2.1

    769997-1 : ASM removes double quotation characters on cookies

    Component: Application Security Manager

    Symptoms:

    ASM removes the double quotation characters on the cookie.

    Conditions:

    Cookie sent that contains double quotation marks.

    Impact:

    The server returns error as the cookie is changed by ASM.

    Workaround:

    Set asm.strip_asm_cookies to false using the following command:

    tmsh modify sys db asm.strip_asm_cookies value false

    Fix:

    ASM no longer removes the double quotation characters on the cookie.

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-2-1.html#A769997-1
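
To check whether a deployment shows the symptom from the original post, the Cookie header captured before ASM can be compared with the one that reaches the backend. The script below is an added example, not code from the thread or from F5; the function names are hypothetical, and the two sample strings are the cookie portions of the log lines in the original post, assumed to be the request before and after ASM processing.

```python
import re

# Constructed sample: cookie portions of the two log lines in the original post.
BEFORE_ASM = 'JSESSIONID="uniquevalue.servername:server-one"; '
AFTER_ASM = 'JSESSIONID=uniquevalue.servername:server-one;'

# name=value pairs; a value is either a double-quoted string (which may
# itself contain ';') or a run of characters up to the next ';'.
_PAIR = re.compile(r'([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def parse_cookie_header(header):
    """Return {name: raw_value}, keeping any surrounding double quotes."""
    return {m.group(1): m.group(2).strip() for m in _PAIR.finditer(header)}


def quote_stripped(before, after):
    """Names of cookies that were quoted in `before` and arrive in `after`
    with the same value minus the surrounding double quotes."""
    sent = parse_cookie_header(before)
    received = parse_cookie_header(after)
    hits = []
    for name, value in sent.items():
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        if quoted and received.get(name) == value[1:-1]:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name in quote_stripped(BEFORE_ASM, AFTER_ASM):
        print(f"double quotes removed from cookie {name}")
```

Run it against paired captures taken before and after applying the workaround or upgrading; an empty result means quoted cookie values are reaching the backend unchanged.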