Forum Discussion

am_gli_287451's avatar
am_gli_287451
Icon for Nimbostratus rankNimbostratus
Apr 19, 2018

ASM cookie exposing server name?

Hi,

 

I just ran into an issue regarding ASM cookies. I have a transparent policy for a VS in place, that is called by an external portal. This external portal works with java and they get some exceptions, because our application sends a cookie that they can't handle properly.

 

According to their log, our application sends following cookie:

 

values:TS01876501=01de...34cbdea; Path=/<->JSESSIONID=0D...Q4d7.original_server_name; <->path=/test; <->01-Jan-1970 <->Max-Age=0; <->Expires=Thu,<->00:00:00<->GMT

 

I'm now a bit concerned, because this cookie seems to expose the original server name to the client, which is somehow strange for ASM to do...

 

But the real issue that throws an exception at this client portal is the cookie-expiration date:

 

Rewriting Set-Cookie value:01-Jan-1970

 

... ERROR Exception occured while handling request

 

... ERROR java.lang.StringIndexOutOfBoundsException: String index out of range: -1

 

... ERROR at java.lang.String.substring(String.java:1967)

 

Any idea how to adjust the date & time in the cookie properly? And how to hide the original server name (node)?

 

application delivery
ASM Advanced WAF
cookie
security

1 Reply

Sort By
  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Apr 19, 2018

    These are two different cookies - the original server name seems to be in the JSESSIONID cookie which is set by the server. I would suggest that you do some more tcpdumping and see where the issue lies. You can quite easily manipulate the cookies with either iRules ( flexible but require some iRule knowledge ) or LTM policies ( operationally more easy to manage than iRules but less flexible )