Forum Discussion
jayson27
Cirrus
CirrusBlocking client that uses existing cookie
Hi, We are trying to block a client that uses existing cookie. We try to configure session hijacking protection but they are still able to connect. May I know another method to block the client tha...
Paulius
MVP
MVPWhat makes you believe they're using an existing cookie rather than receiving a new one?
jayson27Cirrus
CirrusHi,
We are running this to a UAT, and they are trying to access first the legitimate user once successfully login they copied the cookies of the legit user then it will be imported to another user browser.
- zamroni777
Nacreous
in my opinion, it's not valid test case for waf or reverse proxy such as f5 asm/ltm
because browsers also reuse non expired cookies in legitimate access.i suggest the application should add captcha to verify human users.
if you have enough apm user session license, you can also put the app access via apm webtop portal.
my customer use this mechanism for corporate internet banking access. - Paulius
To be clear, this is what you did already?
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/preventing-session-hijacking-and-tracking-user-sessions.html
