Issue with MS Clarity and F5 WAF Blocking _uetsid Cookie (Containing "ftp" String)

Question

Issue with MS Clarity and F5 WAF Blocking _uetsid Cookie (Containing "ftp" String)

Sečkář Jaroslav 85

Dear Team,

We've encountered a widespread issue affecting many of our websites that utilize Microsoft Clarity. Our F5 Web Application Firewall (WAF) is blocking the _uetsid cookie, specifically due to the presence of the string "ftp" within its value.

Example of the blocked cookie: _uetsid=a6f3bd20f28b11ef9c2255706f8b86cf|198c6ic|2|ftp|0|1234

Our security team flags the "ftp" string as potentially indicative of an attempt to inject executable commands within the cookie.

Key Questions:

Is there a legitimate reason for Microsoft Clarity to include the string "ftp" within the _uetsid cookie? This appears to be the trigger for our WAF's security rules.
Can we expect Microsoft to address this issue in a future update to Clarity? This is causing significant disruption to our website analytics.

We appreciate your prompt attention to this matter.

Thank you,

David Frederick 21 Reputation points

2025-02-24T21:46:34.97+00:00

We ran into the same issue. It started around 5pm PST on 2/23. We had to adjust our WAF rules in order to get our website functioning again.
David Frederick 21 Reputation points

2025-02-24T21:57:48.3933333+00:00

I should add that in our case, we found the "ftp" value in the _clck cookie, but that is also a Clarity cookie.
JOSE ANDRES ORTIZ GONZALEZ 96 Reputation points

2025-02-25T13:48:57.16+00:00

Hi, the same Issue in our production Web Site, we found the "ftp" value in the _clck cookie. It was detected on 2/23. We had to adjust our WAF rules in order to get our website functioning again. Please, it's very important an answer from Microsoft Clarity team. Thanks
Nicolás González 0 Reputation points

2025-02-25T15:12:25.0533333+00:00

In our environment, we also encountered this issue, which refers to the _clck cookie containing the "ftp" parameter that our WAF also blocked. This resulted in service unavailability on several of our sites, so we need to understand why this happened and whether there is official documentation regarding the changes made to the library.

On the other hand, our action was to disable signatures 200003534 and 200003036 in our WAF while awaiting a response from Microsoft.

Accepted answer

2 additional answers

Your answer

David Frederick 21 Reputation points

2025-02-24T21:46:34.97+00:00

We ran into the same issue. It started around 5pm PST on 2/23. We had to adjust our WAF rules in order to get our website functioning again.
David Frederick 21 Reputation points

2025-02-24T21:57:48.3933333+00:00

I should add that in our case, we found the "ftp" value in the _clck cookie, but that is also a Clarity cookie.
JOSE ANDRES ORTIZ GONZALEZ 96 Reputation points

2025-02-25T13:48:57.16+00:00

Hi, the same Issue in our production Web Site, we found the "ftp" value in the _clck cookie. It was detected on 2/23. We had to adjust our WAF rules in order to get our website functioning again. Please, it's very important an answer from Microsoft Clarity team. Thanks
Nicolás González 0 Reputation points

2025-02-25T15:12:25.0533333+00:00

In our environment, we also encountered this issue, which refers to the _clck cookie containing the "ftp" parameter that our WAF also blocked. This resulted in service unavailability on several of our sites, so we need to understand why this happened and whether there is official documentation regarding the changes made to the library.

On the other hand, our action was to disable signatures 200003534 and 200003036 in our WAF while awaiting a response from Microsoft.

Answer 1

JOSE ANDRES ORTIZ GONZALEZ 96

We have received this official response from MS Clarity Team: The _clck cookie in Clarity helps stitch sessions for the same user by using a random user ID and user preferences, including the date represented as a base36 string to optimize performance. During a specific time window, the date was represented as "ftp" in base36, which led to a false positive from the WAF ruleset, mistakenly identifying it as an FTP protocol attack. Clarity will now set a different value since the date has changed - automatically resolving the conflict with the WAF rule set. We recommend reviewing the WAF rules to prevent such false positives. Additionally, we are working to ensure that our randomly generated strings in cookies do not contain sensitive keywords.

Graham Douglas 0 Reputation points

2025-02-26T22:32:55.12+00:00

This is very helpful thank you. Does FTP convert to Feb 25 2025 UTC?

Answer 2

Alexander Paterikin 0

Hi.

We also experienced the same issue today with the 'ftp' value in the _clck cookie, but it resolved itself 'magically' about 30 minutes ago.

We discovered that code was automatically added to our page, which was loading a script from https://www.clarity.ms/s/0.7.69/clarity.js and generating the _clck cookie.

After the issue disappeared, we found that the clarity.js script was no longer present, and the cookie is no longer being created.

Everything seems to be working ok now.

Answer 3

JOSE ANDRES ORTIZ GONZALEZ 96

Hi, now We see the FTQ in the _clck cookie value, maybe Microsoft now resolved the issue changing FTP by FTQ. Please anyone else noticing this change? Thanks

Share via

Issue with MS Clarity and F5 WAF Blocking _uetsid Cookie (Containing "ftp" String)

2 additional answers

Your answer