Forum Discussion

strongarm_46960
Dec 01, 2008

Too many Cookies

I have just recently put ASM in front of a large app. This app has been known to set up to 17 or more cookies per session depending on what transaction the user is doing; the problem is that ASM seems to set a few of its own TS cookies per session, and LTM also has a persistent cookie set as well.

According to RFC 2109, you cannot have more than 20 cookies per domain name; the problem is we are now reaching this limitation.

I noticed that it sometimes sets over 4 TS cookies with different names but the same value in one session.

We need to allow TS cookies in order to prevent XSS attack vectors or cookie poisoning, however.

ASM seems to be creating one cookie per app cookie, or so it seems.

Can you perhaps provide more insight into the TS cookie creation criteria? Is there any plan from F5 to combine all these ASM-generated hashed TS cookies into just one hashed cookie prior to spitting it out?
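As an added example (not from the thread or from F5), here is a small audit script that parses a response's Set-Cookie headers, counts cookies per domain against the 20-per-domain budget the post cites from RFC 2109, and flags ASM TS cookies that carry the same value under different names. The cookie names, values and the BIGipServer persistence cookie in the sample are constructed.

```python
# Added example: audit Set-Cookie headers for the per-domain cookie budget
# and for duplicated ASM TS cookie values. Sample data below is constructed.
from collections import defaultdict

RFC2109_MIN_PER_DOMAIN = 20  # user agents need only support 20 cookies per domain


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, default_domain):
    """Per domain: total cookies, TS cookie count, distinct paths,
    TS cookies sharing a value, and whether the 20-cookie budget is hit."""
    per_domain = defaultdict(list)
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", default_domain).lstrip(".").lower()
        per_domain[domain].append((name, value, attrs.get("path", "/")))
    report = {}
    for domain, cookies in per_domain.items():
        by_value = defaultdict(list)
        for name, value, _ in cookies:
            if name.startswith("TS"):  # ASM-generated cookies are named TS...
                by_value[value].append(name)
        report[domain] = {
            "total": len(cookies),
            "ts_cookies": sum(len(n) for n in by_value.values()),
            "paths": len({p for _, _, p in cookies}),
            "duplicate_ts_values": {v: n for v, n in by_value.items() if len(n) > 1},
            "at_limit": len(cookies) >= RFC2109_MIN_PER_DOMAIN,
        }
    return report


# Constructed sample: 17 app cookies, two TS cookies with one value, one LTM cookie
SAMPLE = [f"app{i}=v{i}; Path=/; Domain=app.example.com" for i in range(17)] + [
    "TSabc123=deadbeef; Path=/",
    "TSdef456=deadbeef; Path=/checkout",
    "BIGipServer_pool=constructed; Path=/",
]

if __name__ == "__main__":
    for domain, result in audit_cookies(SAMPLE, "app.example.com").items():
        print(domain, result)
```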

11 Replies

  • Sorry for the late thank you. I expected this iRule to cause lots of XSS-type events in the ASM logs; my initial thought was that if that happens I would have to rewrite it so that the first virtual strips the TS cookies out and the second virtual would then combine them again. However, that's not now necessary.

    In the meantime, I have requested an RFE to provide an option to choose which cookies are protected by ASM. For instance, an initial request which also has its path and sets a language or location cookie within the app header is not critical and certainly does not require an additional ASM-generated TS cookie to protect it; I don't care if an attacker fiddles with these. However, I do care about transactional cookies and should be able to pick and prioritize these within the ASM.

    Furthermore, F5 setting a max value of 10 for cookie paths is beyond me; there is no RFC that gives F5 this permission.

    F5 decided that a site should not have more than 10 paths per domain in order to have ASM cookie protection; surely this should be a business management decision, not a supplier's one.

    In my opinion, ASM has fallen into the Microsoft trap of setting a (non-standard) minimum cookie requirement per site of 20 until IE7, when the RFC clearly states that the minimum should be 20 and MS took the decision to make the minimum and max the same (20), see: http://support.microsoft.com/kb/941495/en-us .

    Thanks again.