Hi Aantat ,
Are there any device in your path makes any kind of Cookie persistence or not ?
I want to say if there are " any persistence Cookies " in Requests that pass via F5 ASM , it will make such these violations and in this case this is a false positve you should dis-check mark from "block" box in learning and blocking setting for the impacted service.
> another solution , take a har file or extract the payload itself from F5 Event logs and see which cookies are sent in requests , After That contact with server developer to discuss with him these cookies and expiration periods or validate if these cookies accept modification or not , the only one who should decide if these cookies accept modification or not is server developer/owner for better visability in your applications.
Note : you should find server cookies in http header called " set-cookie" header.
- To get the har Archive file , Follow this KB :
https://support.f5.com/csp/article/K10370211
- For more info about Modified domain cookies violations and its possibility to be false positive , read the following articls :
https://support.f5.com/csp/article/K89255958
https://support.f5.com/csp/article/K5907
I hope my reply helps you