Updated on 2025-08-05 GMT+08:00

Stopping WAF from Inserting Cookie Fields

This topic describes how to stop WAF from inserting the HWWAFSESTIME and HWWAFSESID fields into cookies. However, you should exercise caution when enabling this function. If WAF does not insert the HWWAFSESTIME and HWWAFSESID fields into cookies, CC attack protection rules (verification code), known attack source rules, and dynamic anti-crawler rules will be unable to work.

Prerequisites

You have selected Dedicated Mode or Cloud Mode - Load balancer when adding the website to WAF.

Procedure

  1. Log in to the WAF console.
  2. Click in the upper left corner and select a region or project.
  3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  4. In the navigation pane on the left, click Website Settings.
  5. On the Website Settings page, click the target website domain name.
  6. In the Do Not Insert the Cookie Field column, click to enable the function.

    After the above configuration is complete, access the protected website. If the configuration works, the returned response cookie does not contain the HWWAFSESTIME or HWWAFSESID fields.