Blocking client that uses existing cookie

Question

Hi,We are trying to block a client that uses existing cookie. We try to configure session hijacking protection but they are still able to connect.May I know another method to block the client that uses existing cookie?&nbsp;&nbsp;

paulius · Answer

What makes you believe they're using an existing cookie rather than receiving a new one?

jayson27 · Answer

Hi,We are running this to a UAT, and they are trying to access first the legitimate user once successfully login they copied the cookies of the legit user then it will be imported to another user browser.&nbsp;

zamroni777 · Answer

in my opinion, it's not valid test case for waf or reverse proxy such as f5 asm/ltmbecause browsers also reuse non expired cookies in legitimate access.i suggest the application should add captcha to verify human users.if you have enough apm user session license, you can also put the app access via apm webtop portal.my customer use this mechanism for corporate internet banking access.

paulius · Answer

To be clear, this is what you did already?
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/preventing-session-hijacking-and-tracking-user-sessions.html

Forum Discussion

Blocking client that uses existing cookie

Recent Discussions

RTMP protocol Virtual Services

CRYPTO INVESTMENT SCAM RECOVERY HIRE HACK BUSTER RECOVERY

Cryptocurrency Scam Recovery / / How to Find a Legitimate Crypto Recovery Company ?

Slack Channel?

Office hours for BIG-IP Next...

Related Content

domain blocking

Response and blocking page

Zero Trust building blocks - Machine Identity Management (MIM) and Workload Protection

MS Exchange ProxyNotShell block implemented via iRules

iRule based RADIUS Client Stack

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS