Applies To:
Show VersionsBIG-IP ASM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
About cookies
Many web-based applications use cookies to help users navigate the web site efficiently and perform certain functions. For example, web servers may use cookies to authenticate users logging in to secure applications, or an application can use cookies to store user preferences. Whether using automatic policy building or manually creating a security policy, you may want to add cookies that the web application uses.
You may want a security policy to ignore certain known and recognized cookie headers that are included in HTTP requests. For example, if cookies can change on the client side legitimately, you can create allowed cookies.
You may also want a security policy to prevent changes to specific cookies, such as session-related cookies that are set by the application. If so, you can create enforced cookies. The cookie in the request must not be modified, or it generates the Modified Domain Cookie violation.
In addition, some PHP applications treat cookies as parameters and use the value of the cookie as input to the application. For that reason, you can have the system check attack signatures on the cookie (as you can for parameters). You can apply attack signatures only to allowed cookies, because enforced cookies are set by the server, and therefore, are considered to be secure.
Both allowed and enforced cookies can be put in staging when they are created so that you can make sure that they do not cause false positives during the staging period.
If you are using automatic policy building, the security policy adds cookies automatically. If manually building a security policy, the manual traffic learning screens suggest cookies to add.
About pure wildcard cookies
When you create a security policy, it includes a pure wildcard (*) and it is created as an allowed cookie in the Allowed Cookies list. You cannot delete the pure wildcard from the security policy but you can change its type from allowed to enforced. The allowed cookie wildcard allows all cookies, and you can specify which cookies the users cannot change in the enforced cookies list .This is considered a negative security model, because you allow all cookies except the ones you specify.
However, new cookies are added to the security policy (or not) based on the Learn Explicit Entities value of the matched wildcard. The value can be Never (do not add cookies) or Selective (add cookies that match the wildcard). The default value differs depending on the deployment scenario you use to create the policy.
The following deployments create pure wildcard cookies using the value Never, thus they do not add (or suggest to add) explicit cookies to the security policy:
- All templates (including Rapid Deployment policy)
- Automatic policy building with Fundamental policy type
- Vulnerability assessment
All other deployment scenarios create the pure wildcard cookie with Learn Explicit Entities set to Selective. So it adds (if building the policy automatically) or suggests to add (if building the policy manually) explicit cookies encountered in the traffic to the security policy.
In Selective mode, the system learns cookies that violate the settings of the wildcard. In particular, cookies that do not change are learned as enforced cookies. Most cookies are added to the security policy as allowed cookies, and are checked for the configured signature set. These are captured by the * pure wildcard. The exceptions are the enforced cookies and cookies that need to be exempted from some of the signature checks. These are whitelisted.
Wildcard syntax
The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.
Wildcard Character | Matches |
---|---|
* | All characters |
? | Any single character |
[abcde] | Exactly one of the characters listed |
[!abcde] | Any character not listed |
[a-e] | Exactly one character in the range |
[!a-e] | Any character not in the range |
About cookies and learning
When you create a security policy that includes cookies, the system adds new cookies (or suggests that you add them) to the security policy (or not) based on the Learn Explicit Entities value of the matched wildcard. The value can be Never (do not add cookies) or Selective (add cookies that match the wildcard). The default value differs depending on the deployment scenario you use to create the policy.
The following deployments create pure wildcard cookies using the value Never, thus they do not add (or suggest to add) explicit cookies to the security policy by default:
- Rapid Deployment policy
- Automatic policy building with Fundamental policy type
- Vulnerability assessment
All other deployment scenarios create the pure wildcard cookie with Learn Explicit Entities set to Selective. So the system adds (if building the policy automatically) or suggests to add (if building the policy manually) explicit cookies encountered in the traffic to the security policy.
You could start by having the wildcard set to selective in the allowed cookies, get a list of all the cookies that your web application uses, then move them to the enforced list. This would make it easier to add the cookies that your web application uses and that you want to enforce to the security policy.
About adding cookies
Application Security Manager (ASM) allows you to add cookies with different characteristics to security policies.
You can specify the cookies that you want to allow, and the ones you want to enforce in a security policy:
- Allowed cookies: The system allows these cookies and clients can change them.
- Enforced cookies: The system enforces the cookies in the list (not allowing clients to change them) and allows clients to change all others.
If the cookies in the web application change, you can edit or delete the cookies.
Adding allowed cookies
Adding enforced cookies
Changing the order in which wildcard cookies are enforced
Editing cookies
Deleting cookies
Specifying when to add explicit cookies
Configuring the maximum cookie header length
The system calculates and enforces the cookie header length based on the sum of the length of the cookie header name and value. Requests with headers that are longer than the maximum length cause an Illegal header length violation.