Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

jayson27's avatar
jayson27
Icon for Cirrus rankCirrus
Oct 11, 2024

Blocking client that uses existing cookie

Hi, We are trying to block a client that uses existing cookie. We try to configure session hijacking protection but they are still able to connect. May I know another method to block the client tha...
application delivery
asm
security
waf
jayson27's avatar
jayson27
Icon for Cirrus rankCirrus
Oct 13, 2024

Hi,

We are running this to a UAT, and they are trying to access first the legitimate user once successfully login they copied the cookies of the legit user then it will be imported to another user browser. 

zamroni777's avatar
zamroni777
Icon for MVP rankMVP
Oct 14, 2024

in my opinion, it's not valid test case for waf or reverse proxy such as f5 asm/ltm
because browsers also reuse non expired cookies in legitimate access.

i suggest the application should add captcha to verify human users.

if you have enough apm user session license, you can also put the app access via apm webtop portal.
my customer use this mechanism for corporate internet banking access.