Manage Cookies

Overview

Many web-based applications use cookies to help users navigate the website efficiently and perform certain functions. For example, web servers may use cookies to authenticate users logging in to secure applications, or an application can use cookies to store user preferences. Whether using automatic policy building or manually creating a security policy, you may want to add cookies that the web application uses.

You can specify the cookies that you want to allow, and the ones you want to enforce in a security policy:

  • Allow - The security policy ignores certain known and recognized cookie headers that are included in HTTP requests and allows clients to change the cookies.

  • Enforce - The security policy prevents changes to specific cookies, such as session-related cookies that are set by the protected application. The cookie in the request must not be modified, or it generates the Modified Domain Cookie violation.

Both allowed and enforced cookies can be put in staging when they are created so that you can make sure that they do not cause false positives during the staging period.

If the cookies in the web application change, you can edit or delete the cookies.

Wildcard syntax

If you are adding cookies to your policy, the syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of cookies, file types, URLs, or parameters so that the entity name can match multiple objects.

Wildcard character   Matches
*                    All characters
?                    Any single character
[abcde]              Exactly one of the characters listed
[!abcde]             Any character not listed
[a-e]                Exactly one character in the range
[!a-e]               Any character not in the range

Prerequisites

  • Verify any attached application services to ensure proper security after changes are deployed.

  • You need to have a user role of Security Manager or Administrator to manage a WAF policy.

How to manage policy cookies

Add policy cookies

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click Headers.

    The panel displays the Methods tab.

  5. Select the Cookies tab.

  6. Click Create.

    The Cookie Properties panel opens.

  7. If you would like the policy to add attributes to the response header of the cookie domain, enable Advanced View to the top right of the panel.

  8. Enter a Cookie Name. Type either the name of the cookie, or the pattern string for the wildcard to match cookie names.

  9. Select the Cookie Type:

    1. Explicit (Default) - The policy identifies the cookie by its specific name.

    2. Wildcard - The policy identifies the cookie by regular expression.

    Note: The pure wildcard (*) is automatically added to the policy, so you do not need to add it. You can add more specific wildcards such as *site.com. See Wildcard Syntax for more information.

  10. Select the Enforcement Type:

    1. Enforce - The policy prevents clients from modifying the cookie.

    2. Allow (Default) - The policy allows the cookie. You may want to add allowed cookies for certain known and recognized cookie headers that are often included in HTTP requests.

  11. Enable Staging if you want the security policy to evaluate traffic before allowing or enforcing the cookie.

  12. Enable Mask Value in Logs if you want to treat the cookie you are creating as sensitive (its value is not visible in logs or in the user interface).

  13. (Advanced View enabled) Enable Insert HTTP Only Attribute if you want the policy to add the HttpOnly attribute to the domain cookie’s response header.

    The HttpOnly attribute is added to the domain cookie’s response header. This is done to prevent cookies from being modified or intercepted on the client side by unwanted third parties that run scripts on the web page. Setting HttpOnly when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie (depending on browser support).

  14. (Advanced View enabled) Enable Insert Secure Attribute if you want the policy to add the Secure attribute to the domain cookie’s response header.

    The Secure attribute is added to the domain cookie’s response header. This is done to ensure that the cookies are returned to the server only over SSL (by using the HTTPS protocol). This prevents the cookie from being intercepted, but does not guarantee its integrity.

  15. (Advanced View enabled) Enable Insert SameSite Attribute if you want the policy to add the SameSite attribute to the domain cookie’s response header. Select the strictness for the browser mitigation:

    The SameSite attribute is added to the domain cookie’s response header. The SameSite cookie attribute allows servers to instruct the browser not to send cookies along with cross-site requests, which helps mitigate CSRF attacks. If multiple SameSite attributes are present, the browser applies the strictest value.

    1. (Default) Disabled - The SameSite attribute option is disabled.

    2. None - Instructs the browser to send a cookie with same-site and any cross-site requests. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.

      Note: This value requires the Secure attribute.

    3. Lax - Instructs the browser to send a cookie with same-site and cross-site top-level navigation requests. For a cross-site request, a SameSite cookie is only sent when a user is navigating to the origin site from an external site.

    4. Strict - Instructs the browser to send a cookie with same-site requests only. This instructs the browser to disallow sending the cookie with any cross-site request, even when the user follows a link.

      Note: If the SameSite attribute was set by an application service, then another attribute-value pair is added for the same cookie only if the policy setting is more strict than all SameSite attribute values in the response. There is no additional attribute-value pair from policy if the same SameSite attribute was already set by application.

  16. Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.

  17. Click Deploy to deploy changes.

The new cookie is now in the Cookies list. If you note a high number of block or alert events for allowed cookies, you may require a signature override. See Override an allowed cookie attack signature on BIG-IP Next Central Manager.
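The following added example (not code from the original page or from F5) models the behaviour described above: matching a cookie name against explicit and shell-style wildcard entries, inserting the HttpOnly, Secure and SameSite attributes per the rules in steps 13-15 (including the "stricter than all existing values" rule and SameSite=None requiring Secure), and flagging enforced cookies whose request value differs from what the application issued (the Modified Domain Cookie violation). The policy structure and cookie names are constructed for illustration only.

```python
import fnmatch
# Strictness order the page describes: browsers apply the strictest SameSite value.
SAMESITE_RANK = {"none": 0, "lax": 1, "strict": 2}

# Constructed sample policy (hypothetical cookie names, not from the original page).
EXAMPLE_POLICY = [
    {"name": "session_id", "type": "explicit", "enforcement": "enforce",
     "http_only": True, "secure": True, "samesite": "Strict"},
    {"name": "*_pref", "type": "wildcard", "enforcement": "allow", "samesite": "None"},
    {"name": "*", "type": "wildcard", "enforcement": "allow"},  # the pure wildcard
]

def policy_for(cookie_name, policy):
    """First entry whose explicit name or shell-style wildcard matches cookie_name."""
    for entry in policy:
        if entry["type"] == "explicit" and entry["name"] == cookie_name:
            return entry
        if entry["type"] == "wildcard" and fnmatch.fnmatchcase(cookie_name, entry["name"]):
            return entry
    return None

def harden_set_cookie(header, policy):
    """Add HttpOnly / Secure / SameSite to one Set-Cookie value per its policy entry."""
    parts = [p.strip() for p in header.split(";")]
    entry = policy_for(parts[0].split("=", 1)[0], policy)
    if entry is None:
        return header
    attrs, present = parts[1:], {p.lower() for p in parts[1:]}
    if entry.get("http_only") and "httponly" not in present:
        attrs.append("HttpOnly")
    if entry.get("secure") and "secure" not in present:
        attrs.append("Secure")
    wanted = entry.get("samesite", "Disabled").lower()
    if wanted in SAMESITE_RANK:
        existing = [a.split("=", 1)[1].strip().lower() for a in attrs if a.lower().startswith("samesite=")]
        # Add another SameSite pair only if the policy value is stricter than all existing ones.
        if all(SAMESITE_RANK[wanted] > SAMESITE_RANK.get(e, -1) for e in existing):
            attrs.append("SameSite=" + wanted.capitalize())
            if wanted == "none" and "secure" not in {a.lower() for a in attrs}:
                attrs.append("Secure")  # SameSite=None requires the Secure attribute
    return "; ".join(parts[:1] + attrs)

def modified_cookie_violations(cookie_header, issued, policy):
    """Enforced cookies whose request value differs from what the application issued."""
    pairs = [p.strip().partition("=") for p in cookie_header.split(";")]
    return [n for n, _, v in pairs
            if (e := policy_for(n, policy)) and e["enforcement"] == "enforce"
            and issued.get(n) != v]
```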

Modify policy cookies

You can change the enforcement properties of an existing cookie. The cookie name and type cannot be modified.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click Headers.

    The panel displays the Methods tab.

  5. Select the Cookies tab.

  6. Click the cookie name.

    The Cookie Properties panel opens.

  7. Make the required changes to the cookie properties. See steps 10-16 in Add policy cookies for more information about each property.

  8. Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.

  9. Click Deploy to deploy changes.

If you note a high number of block or alert events for allowed cookies, you may require a signature override. See Override an allowed cookie attack signature on BIG-IP Next Central Manager.

Resources

Configure using API