Forum Discussion

pedinopa_170325's avatar
pedinopa_170325
Icon for Nimbostratus rankNimbostratus
Aug 06, 2018

jsessionid

I thought we had a solution (I was wrong). Appearently when you use ZAP or other header scanners they will find the JSESSIONID. I found the HTML code I need but would rather do it in the F5. The code is

 

true true COOKIE

 

I was reading about using a stream policy and an expression. what it comes down to is I need to remove the JSESSIONID from the response URL.

 

iRules
LTM
security
  • Andy_McGrath's avatar
    Andy_McGrath
    Icon for Cumulonimbus rankCumulonimbus
    Aug 06, 2018

    Little confused on what you are trying to do but with an iRule you can do the following to remove the JSESSIONID cookie in the response:

    when HTTP_RESPONSE {
  HTTP::cookie remove JSESSIONID
}

    Would this not break the backend application as remove the session state between the client and the backend?

  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Aug 07, 2018

    The correct place to implement the changes is on your back-end webserver configuration (I assume Tomcat?), so speak to your server sysadmins (if possible).

     

    However if you wish to remove it on F5 - here are the past DevCentral questions with iRule code which will do it for you:

     

    https://devcentral.f5.com/questions/hide-jsession-id-61022

     

    I hope this helps,

     

    Sam