Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters
Answers

Modified domain cookie TSPD_101

Based on the article we know that the cookie TSPD_101 can be set by ASM even there's no Proactive Bot Defence or DoS-Profile aktive.

We have set the type of the cookie with name: * to Enfored, which means that a cookie set (at server side) may not be changed by the client. Interesting is that ASM complains about TSPD_101 has been modified.

Do we have to define the TSPD_101 cookie explicit with type Allowed?

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

The cookie should not be modified by the client. If you find that the client is modifying the TSPD_101 cookie, I would take an httpwatch capture and open a case with support.

1
Comments on this Answer
Comment made 1 month ago by schusb 58

Thanks for your answer. I think that the cookie isn't modified by the client but attached to the requests. If the option "Detect Session Hijacking by Device ID Tracking" is responsible for creating the TSPD_101 cookie, then the Violations appears because we have disabled it now and the clients are still sending the cookie along with the requests.

0
Comment made 1 month ago by Chris Grant

That cookie should not be modified by the client. If your client is modifying your TSPD_101 cookie, we are probably correctly saying something bad is happening: https://support.f5.com/csp/article/K19556739

When you enable a feature in the security policy that supports device identification, the BIG-IP system uses JavaScript to obtain a device ID for the client device. The JavaScript makes a series of function calls to determine the unique attributes of the client, such as the browser type and version, installed updates, installed fonts, and others. The BIG-IP ASM system encrypts and stores the device ID in the TSPD101 cookie, which remains with the client for the duration of the HTTP session. If the device ID or message key changes during the session or the session times out, the BIG-IP ASM system considers the request to be an attack and performs the actions defined in the learning and blocking settings for the policy.

1