Forum Discussion

Approxee's avatar
Approxee
Icon for Nimbostratus rankNimbostratus
Sep 28, 2017

What happens if the ASM sees a TS cookie it did not set.

I have a configurtion and I am wondering if this causing Timestamp Expired cookie violations.

 

I have a configuration where a TS cookie can pass back through a policy that did not set it. In this config we have different policies for different Url's. In the responce the set-cookie is for a 'higher' point in the domain tree. For exmaple the policy sets the cookie for .abcdef.com in a policy that is mapped to xyz.abcdef.com. Another request is made to another policy that is mapped to 123.abcdef.com but in the request the cookie from the other policy is the TS cookie from the last request, but this policy did not set it so is not aware of it.

 

Policy one set cookie TSxxxxxx in domain abcdef.com from request to zyx.abcdef.com Policy two gets request to 123.abcdef.com and receices the TS cookie for the sub domain abcdef.com

 

Would this create a Cookie Violation - Expired TimeStamp. I am think the ASM reconises it as a TS cookie but also knows it was not set by the policy that is inspeciting it.

 

Any clues would be great

 

Graham

 

ASM Advanced WAF
cookies
security

1 Reply

Sort By
  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Oct 21, 2017

    Graham,

     

    Expired Timestamp violation will indeed happen in this case. TS cookie set in response contains the encrypted timestamp which is compared by ASM with the current time on the next request. If TS cookie is "too old" (more than 600 seconds/10 minutes) Expired Timestamp violation will be generated - this prevents replay attacks (hackers using stolen HTTP requests of a user and then trying to replay them).

     

    The expiration period can be controlled by cookie_expiration_time_out parameter in the ASM Advanced config.

     

    Information about ASM cookies can be found here:

     

    https://support.f5.com/csp/article/K6850

     

    The config you are describing is problematic from ASM point of view, there should really be an irule redirecting requests to abcdef.com to xyz.abcdef.com

     

    Hope this helps,

     

    Sam