Manage Cookies¶
Overview¶
Many web-based applications use cookies to help users navigate the website efficiently and perform certain functions. For example, web servers may use cookies to authenticate users logging in to secure applications, or an application can use cookies to store user preferences. Whether using automatic policy building or manually creating a security policy, you may want to add cookies that the web application uses.
You can specify the cookies that you want to allow, and the ones you want to enforce in a security policy:
Allow - The security policy ignores certain known and recognized cookie headers that are included in HTTP requests and allows clients to change the cookies.
Enforce - The security policy prevents changes to specific cookies, such as session-related cookies that are set by the protected application. The cookie in the request must not be modified, or it generates the Modified Domain Cookie violation.
Both allowed and enforced cookies can be put in staging when they are created so that you can make sure that they do not cause false positives during the staging period.
If the cookies in the web application change, you can edit or delete the cookies.
Wildcard syntax¶
If you are adding cookies to your policy, the syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of cookies, file types, URLs, or parameters so that the entity name can match multiple objects.
Wildcard Character | Matches
---|---
* | All characters
? | Any single character
[abcde] | Exactly one of the characters listed
[!abcde] | Any character not listed
[a-e] | Exactly one character in the range
[!a-e] | Any character not in the range
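As an added illustration (not F5 code), the matcher below checks cookie names against policy entries written in the wildcard syntax from the table; Python's fnmatch supports the same metacharacters. The sample entries are constructed, and it is assumed that matching is case-sensitive and that an Explicit entry matches only its exact name.

```python
# Added example (not F5's code): match cookie names against policy cookie
# entries using the shell-style wildcard syntax listed in the table above.
# Python's fnmatch supports the same metacharacters (*, ?, [seq], [!seq]).
# Assumption: matching is case-sensitive, and an Explicit entry matches only
# its exact name.
from fnmatch import fnmatchcase

# Constructed sample policy entries: (name or pattern, cookie type)
POLICY_COOKIES = [
    ("JSESSIONID", "explicit"),
    ("*site.com", "wildcard"),      # any cookie name ending in "site.com"
    ("pref_?", "wildcard"),         # pref_a, pref_1 ... but not pref_10
    ("lang_[!0-9]*", "wildcard"),   # "lang_" followed by a non-digit
    ("tier_[a-e]", "wildcard"),     # tier_a .. tier_e only
]

def matching_entries(cookie_name, entries=POLICY_COOKIES):
    """Return the policy entries whose name or pattern matches cookie_name."""
    matches = []
    for pattern, kind in entries:
        if kind == "explicit":
            if cookie_name == pattern:
                matches.append((pattern, kind))
        elif fnmatchcase(cookie_name, pattern):
            matches.append((pattern, kind))
    return matches

def is_known(cookie_name, entries=POLICY_COOKIES):
    """True if at least one explicit or wildcard entry covers the cookie."""
    return bool(matching_entries(cookie_name, entries))

if __name__ == "__main__":
    for name in ["JSESSIONID", "jsessionid", "ads_site.com", "pref_1",
                 "pref_10", "lang_en", "lang_1", "tier_c", "tier_z"]:
        print(name, "->", [p for p, _ in matching_entries(name)])
```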
Prerequisites¶
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
How to manage policy cookies¶
Add policy cookies - Add a cookie to your policy.
Modify policy cookies - Change settings for a policy cookie.
Modify cookie enforcement status - Manually change cookie status to enforced or staging.
Delete a cookie - Remove a cookie from the policy list.
Modify cookie violations - Modify how your policy handles known cookie violations and/or cookie attributes detected in traffic.
Add policy cookies¶
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Headers.
The panel displays the Methods tab.
Select the Cookies tab.
Click Create.
The Cookie Properties panel opens.
If you would like the policy to add attributes to the response header of the cookie domain, enable Advanced View at the top right of the panel.
Enter a Cookie Name. Type either the name of the cookie, or the pattern string for the wildcard to match cookie names.
Select the Cookie Type:
Explicit (Default) - The policy identifies the cookie by its specific name.
Wildcard - The policy identifies the cookie by regular expression.
Note: The pure wildcard (*) is automatically added to the policy so you do not need to add it. You can add more specific wildcards such as *site.com. See Wildcard Syntax for more information.
Select the Enforcement Type:
Enforce - The policy prevents clients from modifying the cookie.
Allow (Default) - The policy allows the cookie. You may want to add allowed cookies for certain known and recognized cookie headers that are often included in HTTP requests.
Enable Staging if you want the security policy to evaluate traffic before allowing or enforcing the cookie.
Enable Mask Value in Logs if you want to treat the cookie you are creating as sensitive (its value is not visible in logs or the user interface).
(Advanced View enabled) Enable Insert HTTP Only Attribute if you want the policy to add the HttpOnly attribute to the domain cookie’s response header. This is done to prevent cookies from being modified or intercepted on the client side by unwanted third parties that run scripts on the web page. Using HttpOnly when generating a cookie helps mitigate the risk of client-side scripts accessing the protected cookie (depending on browser support).
(Advanced View enabled) Enable Insert Secure Attribute if you want the policy to add the Secure attribute to the domain cookie’s response header. This is done to ensure that the cookies are returned to the server only over SSL (by using the HTTPS protocol). This prevents the cookie from being intercepted, but does not guarantee its integrity.
(Advanced View enabled) Enable Insert SameSite Attribute if you want the policy to add the SameSite attribute to the domain cookie’s response header. The SameSite cookie attribute allows servers to instruct the browser not to send cookies along with cross-site requests, which mitigates CSRF attacks. If multiple SameSite attributes are present, the browser implements the strictest value. Select the strictness for the browser mitigation:
(Default) Disabled - The SameSite attribute option is disabled.
None - Instructs the browser to send a cookie with same-site and any cross-site requests. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.
Note: This value requires the Secure attribute.
Lax - Instructs the browser to send a cookie with same-site and cross-site top-level navigation requests. For a cross-site request, a SameSite cookie is only sent when a user is navigating to the origin site from an external site.
Strict - Instructs the browser to send a cookie with same-site requests only. This instructs the browser to disallow sending the cookie with any cross-site request, even when the user follows a link.
Note: If the SameSite attribute was already set by an application service, the policy adds another attribute-value pair for the same cookie only if the policy setting is stricter than all SameSite attribute values in the response. If the application already set the same SameSite value, the policy adds no additional attribute-value pair.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
The new cookie is now in the Cookies list. If you note a high number of block or alert events for allowed cookies, you may require a signature override. See Override an allowed cookie attack signature on BIG-IP Next Central Manager.
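As an added check (not F5 code), the script below audits the Set-Cookie headers a protected application returns for the HttpOnly, Secure and SameSite attributes described in the steps above, applies the "strictest SameSite value wins" rule, and flags SameSite=None without Secure, so you can confirm after Deploy that the attributes you configured actually reach the client. The sample headers are constructed, and it assumes each header is a raw Set-Cookie string; a missing SameSite attribute is simply reported as missing.

```python
# Added example (not F5's code): audit raw Set-Cookie headers for the
# attributes the policy can insert (HttpOnly, Secure, SameSite).
# Assumption: each input is one raw Set-Cookie header string.

SAMESITE_RANK = {"none": 0, "lax": 1, "strict": 2}

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=Val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    samesite_values = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite_values.append(val.strip().lower())
        else:
            attrs[key] = val.strip()
    # Multiple SameSite attributes: the browser applies the strictest value.
    if samesite_values:
        attrs["samesite"] = max(samesite_values,
                                key=lambda v: SAMESITE_RANK.get(v, -1))
    return name, attrs

def audit_cookie(header):
    """Return (cookie name, effective SameSite value, list of findings)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return name, samesite, findings

# Constructed sample headers, as a protected application might send them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; SameSite=Strict",
    "tracker=xyz; Path=/; SameSite=None",
    "pref=dark; Path=/; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_cookie(h))
```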
Modify policy cookies¶
You can change the enforcement properties of an existing cookie. The cookie name and type cannot be modified.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Headers.
The panel displays the Methods tab.
Select the Cookies tab.
Click the cookie name.
The Cookie Properties panel opens.
Make the required changes to the cookie properties. See the cookie property descriptions in Add policy cookies (steps 10-16 there) for more information about each property.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
If you note a high number of block or alert events for allowed cookies, you may require a signature override. See Override an allowed cookie attack signature on BIG-IP Next Central Manager.
Modify cookie enforcement status¶
Manually change a cookie’s status to enforced or staging. A staging status can help reduce the occurrence of false positives. Once enforced, the policy will manage traffic with a detected cookie according to your cookie’s configured properties.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Headers.
The panel displays the Methods tab.
Select the Cookies tab.
The Status column lists the cookie’s current enforcement status.
Click the check box next to the cookie row.
Click Stage to stage the cookie, and click Stage again to confirm the action.
Click Enforce to enforce the cookie, and click Enforce again to confirm the action.
The cookie’s status is immediately updated, but policy changes are not yet deployed. You can click Deploy to deploy changes to the BIG-IP Next instances.
Delete a cookie¶
You can delete cookies that are no longer needed in your security policy. If a cookie changes in your application, you may want to delete the old cookie and add a new cookie.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Headers.
The panel displays the Methods tab.
Select the Cookies tab.
The Status column lists the cookie’s current enforcement status.
Click the check box next to the cookie row.
Click Delete, and click Delete again to confirm the action.
The cookie is immediately removed from the list, but policy changes are not yet deployed. You can click Deploy to deploy changes to the BIG-IP Next instances.
Modify cookie violations¶
You can specify globally how WAF policies handle traffic with known cookie violations and/or specific cookie parameters. For more information about cookie violations and cookie properties, see Reference: Cookie Enforcement.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click Headers.
The panel displays the Methods tab.
Select the Cookies tab.
Click Violations.
The Cookie Violations panel opens.
Modify the policy violations settings:
Alarm - Sends an alert to the event log that the cookie violation/property was detected in traffic to protected applications.
Alarm & Block - Sends an alert to the event log and blocks traffic that includes the cookie violation/property.
Disabled - The policy does not enforce the cookie violation.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
Resources¶
Configure using API¶
Violation Settings¶
Cookie management using the policy Editor¶
Edit the WAF policy JSON declaration directly through the WAF policy editor.