Forum Discussion

Cirrus

Mar 07, 2019

Solved

ASM stripping double quotes from cookie values post v14?

Noticed one of our apps stopped working after moving from v13.1 > v14.1.0.2 Investigation suggests ASM is stripping quotes from JSESSIONID cookies and preventing sessions from being initiated - has...

Dan_Bowman
Nov 13, 2019
To close this off - the issue was corrected in v14.1.2.1

769997-1 : ASM removes double quotation characters on cookies
Component: Application Security Manager
Symptoms:
ASM removes the double quotation characters on the cookie.
Conditions:
Cookie sent that contains double quotation marks.
Impact:
The server returns error as the cookie is changed by ASM.
Workaround:
Set asm.strip_asm_cookies to false using the following command:

tmsh modify sys db asm.strip_asm_cookies value false
Fix:
ASM no longer removes the double quotation characters on the cookie.

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-2-1.html#A769997-1

Dan_Bowman

Cirrus

Mar 28, 2019

Raised a SR with F5 Support and they advised the following:

A feature to not pass ASM cookies was introduced in this version. Engineering Services team indicated to disable the feature:

 tmsh modify sys db asm.strip_asm_cookies value false

Forum Discussion

ASM stripping double quotes from cookie values post v14?

Recent Discussions

Errors in setup of BIGIP-NEXT CM VE on KVM

SEEK ADVICE FROM WEB BAILIFF CONTRACTOR ON STOLEN CRYPTO

AS3 Deployments (shared objects)

rSeries and tenant upgrades

iRule interpretation assistance

Related Content

App Stack, the "iRule" of F5 Distributed Cloud

How I did it - "Remote logging with F5 BIG-IP Next and OpenTelemetry"

Stable point of Configuration " Rescue Point "

F5 Partner Solution Showcase - "ImmuniWeb - Application Security Testing and Remediation"

F5 Partner Solution Showcase - "BlockAPT Platform - Command for Unified Visibility"