Forum Discussion

SanYang's avatar
Icon for Cirrus rankCirrus
Aug 31, 2023

About Session Hijacking


I've been testing session hijacking lately.
Here is my setting

I have found that when I change SESSION or TS01340bfb individually, F5 blocks it.
However, when I change both, it doesn't block it and I can run session hijacking successfully.

Why is this happening ... ?


Any help is appreciate.


4 Replies

  • Better see this as I do not see feature cookie only the main F5 cookie


    Maybe enable session tracking and see that the SESSION cookie is enforced.


    The ASM Feature cookies

    The ASM Feature cookies are set for client requests when one or more BIG-IP ASM features are activated or enabled, such as the following policy features:

    • Login/Logout page enforcement
    • CSRF enforcement
    • Session tracking
    • Dynamic parameters
    • CAPTCHA enforcement

  • Did you test it? Also you can add session tracking by Device ID that is generated by the bot defense and this way if someone steals the 2 cookies they can't use them.


    Still when you mentioned that when changing the 2 cookies F5 does not block you, well the idea is to someone not using real cookies that are not their own, so when you randomly changed the two cookies they are no longer a real TS or real sesson cookie that can be used.

    • Daniel_Wolf's avatar
      Icon for MVP rankMVP

      Funny, I came across the same issue recently in a customer scenario. Nikoolayy1 is correct.
      Here are my 5 cents.
      1. Steal one cookie > ASM will block.
      2. Steal both cookies > ASM won't block this, Session Hijacking is possible.
      3. Enable a Bot Defense profile for this VS and configure it to create a Device ID.
      4. Configure the following in the learning and blocking settings:

      This way hijacking the session by stealing both cookies will fail.