ASM stripping double quotes from cookie values post v14?
Noticed one of our apps stopped working after moving from v13.1 > v14.1.0.2.
Investigation suggests ASM is stripping quotes from JSESSIONID cookies and preventing sessions from being initiated - has anyone encountered this before?
For example:
Mar 7 15:00:58 : JSESSIONID="uniquevalue.servername:server-one";
Mar 7 15:00:58 : JSESSIONID=uniquevalue.servername:server-one;
Backend servers interpret this as two separate values and session can't be established.
Removing ASM policy from VS removes the issue, and quotes are maintained on http_request_release.
To close this off - the issue was corrected in v14.1.2.1.
769997-1 : ASM removes double quotation characters on cookies
Component: Application Security Manager
Symptoms:
ASM removes the double quotation characters on the cookie.
Conditions:
Cookie sent that contains double quotation marks.
Impact:
The server returns error as the cookie is changed by ASM.
Workaround:
Set asm.strip_asm_cookies to false using the following command:
tmsh modify sys db asm.strip_asm_cookies value false
Fix:
ASM no longer removes the double quotation characters on the cookie.
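To check whether a given build or the workaround still shows the symptom from the thread, the Cookie header logged on the client side can be compared with the one logged at http_request_release. The following is an added example, not part of the original posts or of F5's release notes; the function names, the "timestamp : cookies" line layout and the extra `lang=en` cookie are assumptions modelled on the two log lines quoted above.

```python
import re

# One name=value pair; the value is either a double-quoted string
# (which may itself contain ';') or a run of characters up to the next ';'.
_PAIR = re.compile(r'\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*(?:;|$)')


def parse_cookie_header(header):
    """Return {name: raw_value}, keeping any surrounding double quotes."""
    cookies = {}
    for match in _PAIR.finditer(header):
        cookies[match.group(1)] = match.group(2).strip()
    return cookies


def find_stripped_quotes(client_side, server_side):
    """Names of cookies whose quoted value reached the server side unquoted."""
    before = parse_cookie_header(client_side)
    after = parse_cookie_header(server_side)
    stripped = []
    for name, value in before.items():
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        # Flag only the exact symptom: same value, surrounding quotes gone.
        if quoted and after.get(name) == value[1:-1]:
            stripped.append(name)
    return stripped


def cookie_part(log_line):
    """Drop the 'Mon D HH:MM:SS : ' prefix used in the thread's log lines."""
    return log_line.split(" : ", 1)[1]


# Constructed sample lines in the shape of the two quoted in the thread.
CLIENT_LINE = 'Mar 7 15:00:58 : JSESSIONID="uniquevalue.servername:server-one"; lang=en;'
SERVER_LINE = 'Mar 7 15:00:58 : JSESSIONID=uniquevalue.servername:server-one; lang=en;'

if __name__ == "__main__":
    hits = find_stripped_quotes(cookie_part(CLIENT_LINE), cookie_part(SERVER_LINE))
    print("cookies with stripped quotes:", hits)
```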