F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Tom_Lauwereins_'s avatar
Tom_Lauwereins_
Icon for Nimbostratus rankNimbostratus
Apr 11, 2019

LTM/ASM Prevent session hijacking using an iRule

Hello all   We have noticed a security issue on our sharepoint website. If a hacker manages to steal someone's FedAuth cookie (Sharepoint proprietary) and the TS* cookie (ASM), the ASM policy will...
application delivery
iRules
LTM
security
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Apr 11, 2019

Hi,

 

it was a strange behaviour, before trying to fix your behavior using an irule or other we will just be sure that asm policy was correctly configured:

 

When you apply session hijacking (Preventing) ASM stores the device ID along with other client data (including the message key or session ID) in a cookie that remains with the client for the length of the HTTP session. The system periodically checks that the device ID of the client is the same one that was assigned when the session started.

 

So In all Case ASM will blocked user request because the system periodically checks that the device ID of the client is the same one that was assigned when the session started...

 

You confirm that in ASM (Security ›› Application Security : Sessions and Logins : Session Tracking)

 

You apply:

 

  • Detect Session Hijacking by Device ID Tracking

Note: When you are using device ID to track traffic, make sure that the Accept XFF setting is enabled in the HTTP profile that is assigned to the virtual server.

 

set the blocking modes for the hijacking violation, click Security > Application Security > Policy Building > Learning and Blocking Settings (select in ASM Cookie Hijacking violation Learn, Alarm, and Block. ).

 

For more info:

 

https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/15.html

 

Keep me in touch