Forum Discussion
CirrostratusAbout Session Hijacking
MVPDid you test it? Also you can add session tracking by Device ID that is generated by the bot defense and this way if someone steals the 2 cookies they can't use them.
Still when you mentioned that when changing the 2 cookies F5 does not block you, well the idea is to someone not using real cookies that are not their own, so when you randomly changed the two cookies they are no longer a real TS or real sesson cookie that can be used.
MVPFunny, I came across the same issue recently in a customer scenario. Nikoolayy1 is correct.
Here are my 5 cents.
1. Steal one cookie > ASM will block.
2. Steal both cookies > ASM won't block this, Session Hijacking is possible.
3. Enable a Bot Defense profile for this VS and configure it to create a Device ID.
4. Configure the following in the learning and blocking settings:
This way hijacking the session by stealing both cookies will fail.
KR
Daniel
- Nikoolayy1
Also APM can be added so that each device to be checked if it is corporate https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/15.html , using the APM checks. Even if someone steals even the APM cookie after some time their device will be checked.
Setting up ASM session tracking with APM
You can use session tracking to track, enforce, and report on user sessions and IP addresses. To perform tracking, you enable session awareness and indicate how to associate the application user name with the session.- On the Main tab, click Security > Application Security > Sessions and Logins > Session Tracking .
The Session Tracking screen opens.
- In the Session Tracking Configuration area, select the Session Awareness check box.
- From the Application Username list, select Use APM Usernames and Session ID.
-
- On the Main tab, click Security > Application Security > Sessions and Logins > Session Tracking .
