Blocking client that uses existing cookie

Question

Hi,We are trying to block a client that uses existing cookie. We try to configure session hijacking protection but they are still able to connect.May I know another method to block the client that uses existing cookie?&nbsp;&nbsp;

paulius · Answer

What makes you believe they're using an existing cookie rather than receiving a new one?

jayson27 · Answer

Hi,We are running this to a UAT, and they are trying to access first the legitimate user once successfully login they copied the cookies of the legit user then it will be imported to another user browser.&nbsp;

zamroni777 · Answer

in my opinion, it's not valid test case for waf or reverse proxy such as f5 asm/ltmbecause browsers also reuse non expired cookies in legitimate access.i suggest the application should add captcha to verify human users.if you have enough apm user session license, you can also put the app access via apm webtop portal.my customer use this mechanism for corporate internet banking access.

paulius · Answer

To be clear, this is what you did already?
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/preventing-session-hijacking-and-tracking-user-sessions.html

Forum Discussion

Blocking client that uses existing cookie

Recent Discussions

SSL bridging without SSL proxy forward

Client SSL Profile set to Require Client Certificate breaks RDP in APM

TS Declarations for DNS

APM file and registry key date check 8 days old

Should config via cli rather than gui?

Related Content

Block IP after a number of ASM Blocks

Block traffic

SSL Orchestrator Advanced Use Cases: Custom Blocking Pages

Enhance your Application Security using Client-side signals

Bigip restful API remove all the existing client ssl profiles in a virtualserver.

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS