Forum Discussion
Mike_Ho
Cirrus
Jul 25, 2008
How unique are session IDs supposed to be?
Hiya, newbie Firepass (FP) user here. I'm auditing logins to our FPs via syslogs and I was hoping I could rely on the "Sid" reported during logon and logoff events to be good ways to track sessions. That does not appear to be true and I'm wondering if what I'm seeing is what I *should* be seeing or not.
We're running 6.0.2 by the way. See this example of what looks like two distinct logins by a user on the same day and the SID is the same for two distinct sessions:
Jul 24 20:16:48 1.2.3.4 security[4776]: [foobar@authtype] User foobar logged on from 4.5.6.7 Sid = fd3cf
Jul 24 20:28:42 1.2.3.4 GarbageCollection[9232]: session 'fd3cf63b065a8398d3dc9c501682be70' is expired due to inactivity. User may have logged out improperly.
Jul 24 20:28:50 1.2.3.4 security[9083]: [foobar@authtype] User foobar logged on from 4.5.6.7 Sid = fd3cf
Jul 24 20:49:42 1.2.3.4 GarbageCollection[16585]: session 'fd3cf63b065a8398d3dc9c501682be70' is expired due to inactivity. User may have logged out improperly.
Can anyone share what the SID is a hash of? Thanks.
3 Replies
- mal_57091
Nimbostratus
Hi Michael,
Welcome aboard! FirePass uses an abbreviated SessionID when sending logs out via Syslog/System Log facility. It used to send out the full SID but a few versions back this got changed to the abbreviated format. Probably your best bet is to export the Session Report (or Logon Report) from the AdminUI cause that should give you what you need.
In regards to what the SID is a hash of - your guess is as good as mine...that would come under the category of 'F5 black magic'.
Cheers,
Mal
- Mike_Ho
Cirrus
Thanks Mal for the response! I haven't checked back here in a while but I'm happy to see someone wrote back. What I was working on before was automated reporting so downloading additional logs manually isn't my cup of tea, but it is helpful to know that info is there should I need to look it up.
Mike
- mal_57091
Nimbostratus
Hey Mike,
Sure thing! No problems at all. The most useful scripting language (I've found personally) to use with FirePass is cURL. I use it to write scripts that log into the admin UI and do all sorts of stuff. If you had some time you should check it out and see if it can do what you want automagically! :-)
Cheers,
Mal
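An added example (not from the thread and not F5 code): one way to track sessions from these syslog lines without treating the abbreviated Sid as unique, by recording each logon separately and closing it with the next expiry line whose full session ID starts with that Sid. The sample input is the four log lines from the original post; the year, the function names and the record layout are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the four syslog lines quoted in the original post.
SAMPLE = """\
Jul 24 20:16:48 1.2.3.4 security[4776]: [foobar@authtype] User foobar logged on from 4.5.6.7 Sid = fd3cf
Jul 24 20:28:42 1.2.3.4 GarbageCollection[9232]: session 'fd3cf63b065a8398d3dc9c501682be70' is expired due to inactivity. User may have logged out improperly.
Jul 24 20:28:50 1.2.3.4 security[9083]: [foobar@authtype] User foobar logged on from 4.5.6.7 Sid = fd3cf
Jul 24 20:49:42 1.2.3.4 GarbageCollection[16585]: session 'fd3cf63b065a8398d3dc9c501682be70' is expired due to inactivity. User may have logged out improperly.
"""

STAMP = r"^(\w{3} +\d+ [\d:]{8}) \S+ "
LOGON = re.compile(STAMP + r"security\[\d+\]: \[[^\]]*\] User (\S+) logged on from (\S+) Sid = (\w+)")
EXPIRE = re.compile(STAMP + r"GarbageCollection\[\d+\]: session '(\w+)' is expired")

def _ts(text, year):
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def correlate(lines, year=2008):
    """Return one record per logon, closed by the next matching expiry line."""
    pending = {}    # short Sid -> logons not yet closed, oldest first
    sessions = []
    for line in lines:
        if m := LOGON.match(line):
            when, user, src, sid = m.groups()
            rec = {"user": user, "src": src, "sid": sid, "full_id": None,
                   "start": _ts(when, year), "end": None}
            pending.setdefault(sid, []).append(rec)
            sessions.append(rec)
        elif m := EXPIRE.match(line):
            when, full_id = m.groups()
            # The logon line only has an abbreviated Sid, so match by prefix.
            for sid, queue in pending.items():
                if queue and full_id.startswith(sid):
                    rec = queue.pop(0)
                    rec["full_id"], rec["end"] = full_id, _ts(when, year)
                    break
    return sessions

def reused_sids(sessions):
    """Short Sids seen on more than one logon, so the Sid alone is not a usable key."""
    counts = {}
    for rec in sessions:
        counts[rec["sid"]] = counts.get(rec["sid"], 0) + 1
    return {sid: n for sid, n in counts.items() if n > 1}

if __name__ == "__main__":
    for rec in correlate(SAMPLE.splitlines()):
        print(rec["user"], rec["sid"], rec["start"], "->", rec["end"])
```

For audit reports, key each session on the logon timestamp together with the user, source address and Sid, and flag any Sid that `reused_sids` returns.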