Forum Discussion
BT_90520
Jun 30, 2012 (Nimbostratus)
The cookie itself, when generated by the web server, will already be signed and recognised as legitimate when passed back to the client. So during the client session, the cookie presented will have to be the same one, and that is verified by ASM. The client will not intentionally tamper with it since it is not even obvious ... The challenge will be more from an attacker trying to steal the cookie, replay the session and copy the session cookie, but that can be handled by having a secure cookie, session timeout and even CSRF preventive measures.
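The mechanism the post describes (server signs the cookie, verifies it on every return, rejects anything altered or stale) as an added example, not code from the poster or from F5 ASM, whose actual cookie format the post does not describe. The key, cookie layout, field names and the `Secure`/`HttpOnly`/`SameSite` header helper are constructed for illustration; any real deployment would use its own key management.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real server would load this from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(session_id: str, ttl_seconds: int, now: int,
                         key: bytes = SECRET_KEY) -> str:
    """Build '<payload>.<hmac>' where the payload carries the id and expiry."""
    payload = json.dumps({"sid": session_id, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_session_cookie(value: str, now: int,
                          key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the session id if the cookie is untampered and unexpired, else None.

    The signature is checked before the payload is parsed, and with a
    constant-time compare, so a modified or forged cookie is rejected
    without leaking timing information about how close the guess was.
    """
    try:
        payload_b64, sig_b64 = value.split(".", 1)
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload, altered signature, or wrong key
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    exp = data.get("exp")
    if not isinstance(exp, int) or now > exp:
        return None  # session timeout: a replayed old cookie stops working
    return data.get("sid")


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Set-Cookie value with the attributes that limit theft and replay.

    Secure keeps it off plaintext HTTP, HttpOnly keeps it away from script,
    SameSite=Strict stops it riding along on cross-site requests.
    """
    return (f"{name}={value}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite=Strict")


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for a reproducible run
    cookie = issue_session_cookie("sess-42", 600, now=t0)
    print(set_cookie_header("SESSION", cookie, 600))
    print("valid  ->", verify_session_cookie(cookie, now=t0 + 10))
    print("expired->", verify_session_cookie(cookie, now=t0 + 601))
```

The server keeps nothing per cookie beyond the key; a cookie that came back with a changed `sid`, a stretched `exp`, or a signature made with some other key fails the HMAC check before its contents are even parsed.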