Issue with MS Clarity and F5 WAF Blocking _uetsid Cookie (Containing "ftp" String)

Sečkář Jaroslav 85 Reputation points
2025-02-24T13:36:46.74+00:00

Dear Team,

We've encountered a widespread issue affecting many of our websites that utilize Microsoft Clarity. Our F5 Web Application Firewall (WAF) is blocking the _uetsid cookie, specifically due to the presence of the string "ftp" within its value.

Example of the blocked cookie: _uetsid=a6f3bd20f28b11ef9c2255706f8b86cf|198c6ic|2|ftp|0|1234

Our security team flags the "ftp" string as potentially indicative of an attempt to inject executable commands within the cookie.

Key Questions:

  1. Is there a legitimate reason for Microsoft Clarity to include the string "ftp" within the _uetsid cookie? This appears to be the trigger for our WAF's security rules.
  2. Can we expect Microsoft to address this issue in a future update to Clarity? This is causing significant disruption to our website analytics.

We appreciate your prompt attention to this matter.

Thank you,

Community Center | Not monitored

Accepted answer
  1. JOSE ANDRES ORTIZ GONZALEZ 96 Reputation points
    2025-02-25T19:12:19.26+00:00

    We have received this official response from MS Clarity Team: The _clck cookie in Clarity helps stitch sessions for the same user by using a random user ID and user preferences, including the date represented as a base36 string to optimize performance. During a specific time window, the date was represented as "ftp" in base36, which led to a false positive from the WAF ruleset, mistakenly identifying it as an FTP protocol attack. Clarity will now set a different value since the date has changed - automatically resolving the conflict with the WAF rule set. We recommend reviewing the WAF rules to prevent such false positives. Additionally, we are working to ensure that our randomly generated strings in cookies do not contain sensitive keywords. 

    2 people found this answer helpful.
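The sketch below is an added example, not part of the thread and not code from Clarity or F5. It shows how a base36-encoded counter that advances by one passes through "ftp" and then "ftq", and why a substring keyword rule matches the cookie from the question while a rule that requires URL-scheme context does not. The keyword list, both rule functions and the scanned counter range are constructed for illustration.

```javascript
// Added illustration: the keyword list and both rules are constructed here;
// they are not taken from an F5 signature set or from Clarity's source.
const KEYWORDS = ["ftp"];

// Cookie value quoted in the question above.
const SAMPLE = "a6f3bd20f28b11ef9c2255706f8b86cf|198c6ic|2|ftp|0|1234";

// Naive rule: any keyword anywhere in the cookie value counts as a hit.
function naiveRule(value) {
  const v = value.toLowerCase();
  return KEYWORDS.some((k) => v.includes(k));
}

// Narrower rule (assumption): only flag the keyword in URL-scheme form,
// for example "ftp://", which an opaque base36 token can never contain.
function schemeRule(value) {
  const v = value.toLowerCase();
  return KEYWORDS.some((k) => v.includes(k + "://"));
}

// Decode one short base36 token to the integer it encodes.
function fromBase36(token) {
  if (!/^[0-9a-z]{1,10}$/i.test(token)) throw new Error("not a base36 token");
  return parseInt(token, 36);
}

// List the counter values in [from, to] whose base36 form trips the naive
// rule, so a recurrence can be predicted instead of discovered in production.
function collisions(from, to) {
  const hits = [];
  for (let n = from; n <= to; n++) {
    const token = n.toString(36);
    if (naiveRule(token)) hits.push({ n, token });
  }
  return hits;
}

console.log("naive rule blocks sample:", naiveRule(SAMPLE));
console.log("scheme rule blocks sample:", schemeRule(SAMPLE));
console.log("ftp decodes to:", fromBase36("ftp"));
console.log("next counter value encodes as:", (fromBase36("ftp") + 1).toString(36));
console.log("collisions in constructed range:", collisions(20000, 21000));
```

The same scan can be run against a WAF's real keyword list and the range of values a cookie field can take, which shows ahead of time which dates or counters will produce a false positive.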

2 additional answers

  1. Alexander Paterikin 0 Reputation points
    2025-02-24T22:37:22.5333333+00:00

    Hi.

    We also experienced the same issue today with the 'ftp' value in the _clck cookie, but it resolved itself 'magically' about 30 minutes ago.

    We discovered that code was automatically added to our page, which was loading a script from https://www.clarity.ms/s/0.7.69/clarity.js and generating the _clck cookie.

    After the issue disappeared, we found that the clarity.js script was no longer present, and the cookie is no longer being created.

    Everything seems to be working ok now.


  2. JOSE ANDRES ORTIZ GONZALEZ 96 Reputation points
    2025-02-25T14:02:33.4133333+00:00

    Hi, we now see FTQ in the _clck cookie value; maybe Microsoft has now resolved the issue by changing FTP to FTQ. Is anyone else noticing this change? Thanks.
