I have a Web service endpoint that is behind a BigIP server that requires authentication. Before using the Web service, the client (a browser) user must log in and use the cookies returned by the BigIP server to maintain the authentication in all subsequent queries with the Web service.
This works fine so far except for one annoying thing.
As the underlying Web service endpoint requires custom headers, the browser sends out a preflight request to the server. Unfortunately, the cookies are never sent along with the OPTIONS request - this is by design: the browser does not send any credentials during preflight. The query is thus rejected by the BigIP server. The rest of the process cannot continue because of the failed preflight.
What are the solutions that we could use in order to work around this restriction?
This is probably because you don't allow the OPTIONS method in your ASM policy. If ASM blocking OPTIONS requests breaks the rest of your application flow, then OPTIONS must be allowed.
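
The behaviour discussed in this thread, sketched as gateway decision logic in JavaScript (an added example, not BIG-IP or ASM configuration and not code from either poster): a CORS preflight from a known origin is answered without a session, while every other request still needs the session cookie. The origin, cookie name, header list and function names are assumptions made for illustration.

```javascript
// Assumed policy values for illustration only.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const SESSION_COOKIE = "session"; // hypothetical cookie name
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "x-custom-header"];

// Header names are expected in lower case, as Node's http module delivers them.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    Boolean(req.headers["origin"]) &&
    Boolean(req.headers["access-control-request-method"]);
}

function hasSession(req) {
  const cookies = (req.headers["cookie"] || "").split(";").map(c => c.trim());
  const prefix = SESSION_COOKIE + "=";
  return cookies.some(c => c.startsWith(prefix) && c.length > prefix.length);
}

// Returns { status, headers } when the gateway answers itself,
// or { forward: true } when the request may go on to the backend.
function gatewayDecision(req) {
  const origin = req.headers["origin"];
  if (isPreflight(req)) {
    const method = req.headers["access-control-request-method"];
    const wanted = (req.headers["access-control-request-headers"] || "")
      .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_ORIGINS.has(origin) && ALLOWED_METHODS.includes(method) &&
      wanted.every(h => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers: {} };
    return { status: 204, headers: {
      "Access-Control-Allow-Origin": origin, // a wildcard is not accepted with credentials
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Vary": "Origin",
    } };
  }
  // Anything else, including an OPTIONS request without CORS headers, needs a session.
  if (!hasSession(req)) return { status: 401, headers: {} };
  return { forward: true };
}

// Constructed sample requests (not captured traffic).
const samplePreflight = { method: "OPTIONS", headers: {
  "origin": "https://app.example.com", "access-control-request-method": "POST",
  "access-control-request-headers": "X-Custom-Header" } };
const sampleActual = { method: "POST", headers: {
  "origin": "https://app.example.com", "cookie": "session=abc123" } };
```

The preflight response grants nothing by itself: the browser only uses it to decide whether to send the real request, which is still checked for the cookie.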