Forum Discussion

Dan_Bowman's avatar
Mar 07, 2019

ASM stripping double quotes from cookie values post v14?

Noticed one of our apps stopped working after moving from v13.1 > v14.1.0.2

Investigation suggests ASM is stripping quotes from JSESSIONID cookies and preventing sessions from being initiated - has anyone encountered this before?

For example:

Mar  7 15:00:58  : JSESSIONID="uniquevalue.servername:server-one"; 



Mar  7 15:00:58  : JSESSIONID=uniquevalue.servername:server-one;

Backend servers interpret this as two separate values and session can't be established.

Removing ASM policy from VS removes the issue, and quotes are maintained on http_request_release

  • To close this off - the issue was corrected in v14.1.2.1

     

     

    769997-1 : ASM removes double quotation characters on cookies

    Component: Application Security Manager

    Symptoms:

    ASM removes the double quotation characters on the cookie.

    Conditions:

    Cookie sent that contains double quotation marks.

    Impact:

    The server returns error as the cookie is changed by ASM.

    Workaround:

    Set asm.strip_asm_cookies to false using the following command:

     

    tmsh modify sys db asm.strip_asm_cookies value false

    Fix:

    ASM no longer removes the double quotation characters on the cookie.

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-2-1.html#A769997-1

     

     

  • v14 is relatively new and this might be a genuine issue in ASM v 14.x - I suggest opening a Support Case with F5 to investigate

     

  • We are experiencing exactly the same: ASM seems to be stripping double quotes to cookies in our applications.

     

    The behaviour started after updating to v14.0.

     

    Edit: the problem is the same, not the opposite.

     

  • Raised a SR with F5 Support and they advised the following:

    A feature to not pass ASM cookies was introduced in this version. Engineering Services team indicated to disable the feature:

     tmsh modify sys db asm.strip_asm_cookies value false

  • To close this off - the issue was corrected in v14.1.2.1

     

     

    769997-1 : ASM removes double quotation characters on cookies

    Component: Application Security Manager

    Symptoms:

    ASM removes the double quotation characters on the cookie.

    Conditions:

    Cookie sent that contains double quotation marks.

    Impact:

    The server returns error as the cookie is changed by ASM.

    Workaround:

    Set asm.strip_asm_cookies to false using the following command:

     

    tmsh modify sys db asm.strip_asm_cookies value false

    Fix:

    ASM no longer removes the double quotation characters on the cookie.

     

    https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-14-1-2-1.html#A769997-1