carolyndiep_163
Dec 02, 2015

Difference between APM Cookie Options & ASM Cookie Properties

I noticed recently that in both APM and ASM, there is the ability to configure cookie options like Secure Flag and HTTP Only. Does anyone know the difference between how each module handles these cookie options and how they coexist? It appears that they both add the secure flag and http only attributes to cookies, but does one take precedence over the other? Should they be configured in both modules or just one?

 

4 Replies

  • Lucas_Thompson_
    Historic F5 Account

    The APM options are used to modify the APM cookies that are used for APM session management (MRHSession). The ASM options are used to modify other cookies traversing ASM.

     

    I don't know if there is really a precedence issue here since the targets for the options are different. APM comes before ASM, so ASM settings shouldn't modify the APM cookies coming from the same BIG-IP.

     

    • carolyndiep_163
      Thanks for the reply, Lucas. Any way you can be more specific on your comment about "other cookies" that would traverse ASM? I didn't realize there was more than just a session cookie involved.
    • Lucas_Thompson_
      Historic F5 Account
      ASM has cookies that it uses itself to identify flows vs users, so there are settings for that. They're covered here: https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13787.html Separately, ASM has security options to modify *other* application cookies, like from an HTTP service being protected by ASM. So, those cookies are not set by ASM itself. Rather, ASM is modifying 3rd party cookies.
    • carolyndiep_163
      The solution article you provided is to modify the ASM cookie and not the application cookie, correct? The settings where ASM is modifying the cookie used by the web servers are located in the cookie properties in ASM under Security > Application Security > Headers > Cookie List > Edit Cookie, is that correct?
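
Added example (not part of the thread and not F5 code): a small audit that takes the Set-Cookie headers observed behind a BIG-IP virtual server, reports which ones lack Secure or HttpOnly, and maps each to the settings group described above. The "TS" prefix for ASM's own cookies is an assumption not stated in the thread, and the sample headers are constructed.

```python
from typing import NamedTuple

APM_SESSION_COOKIE = "MRHSession"  # APM session cookie named in the thread
ASM_COOKIE_PREFIX = "TS"           # assumption: ASM's own cookies start with "TS"
REQUIRED_FLAGS = ("secure", "httponly")

class Finding(NamedTuple):
    name: str       # cookie name
    owner: str      # settings group that governs this cookie
    missing: tuple  # required flags absent from the header

def parse_set_cookie(header: str):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Max-Age=60) are ignored.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def owner_of(name: str) -> str:
    """Classify a cookie by the module settings that apply to it."""
    if name == APM_SESSION_COOKIE:
        return "APM cookie options"
    if name.startswith(ASM_COOKIE_PREFIX):
        return "ASM own-cookie settings"
    return "ASM cookie properties (application cookie)"

def audit(headers):
    """List every cookie that is missing Secure and/or HttpOnly."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = tuple(f for f in REQUIRED_FLAGS if f not in attrs)
        if missing:
            findings.append(Finding(name, owner_of(name), missing))
    return findings

# Constructed sample: Set-Cookie values as a client would receive them.
SAMPLE = [
    "MRHSession=0123456789abcdef; path=/; secure",
    "TS01abcdef=01ff; Path=/; Secure; HttpOnly",
    "JSESSIONID=ABC123; Path=/app",
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.name}: missing {', '.join(f.missing)} -> review {f.owner}")
```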