Forum Discussion
APM Session ID not displayed in error page
Hello folks,
I ran into an issue today that you may have already encountered: I am using APM to authenticate users on a web application, and when an error page is returned to the user (whatever the reason), the session id is not displayed.
Looking through the error page code, I managed to find where the session id was displayed and found out that the session id is extracted from the LastMRH_Session cookie. Here is the source code from the logout.inc page:
// get_cookie() is a helper defined elsewhere in the APM ending page; it reads
// document.cookie, which never includes cookies flagged HttpOnly.
var display_session = get_cookie("LastMRH_Session");
if (null != display_session) {
    document.getElementById("sessionDIV").innerHTML = '%[session_id_caption] ' + display_session + ' ';
    document.getElementById("sessionDIV").style.visibility = "visible";
}

So the session id is extracted by some JavaScript code in order to be displayed to the user. That means that if you set the "HTTP Only" flag on the cookie in the SSO/Auth Domains properties of your Access profile, the session id won't be displayed, as the browser won't allow the JavaScript to read the cookie value.
Has anyone encountered this issue before? That's an issue for me because I want the session id to be displayed to users when they have an error, and I cannot unset the "HTTP Only" flag on the cookie due to security reasons. Has anyone managed to circumvent that issue?
Antoine
3 Replies
- Antoine_80417
Nimbostratus
BTW I am running BIG-IP 11.2.1 and I checked on BIG-IP 11.4.1 and the source code is the same.
- Walter_Kacynski
Cirrostratus
To my knowledge, this would not be possible if you deem this information to be a security problem. What might work to mitigate the exposure is to create a surrogate key to this session id that is not a problem if it is stolen by a third party.
Replaced the code in Access Policy > Ending Pages > Deny > logout.inc
Brad Parker may correct me, but this seems to be working for me:
var display_session = "%{session.user.sessionid}";
if (null != display_session) {
    document.getElementById("sessionDIV").innerHTML = '%[session_id_caption] ' + display_session + ' ';
    document.getElementById("sessionDIV").style.visibility = "visible";
}

%{session.user.sessionid} pulls the variable for the session ID off the APM directly when the user started the session, rather than from JavaScript on the local browser as the original script was configured. Might not work in all conditions, but for simple cases it appears to be working.