Forum Discussion
Steve_Brown_882
Nov 06, 2008
Historic F5 Account
Masking jsessionid with ASM
I am looking for some input on how we can resolve an issue we have with a WebLogic-based application which is behind an F5 with ASM. The problem is that we would like to mask the jsessionid from the ur...
hoolio
Cirrostratus
Nov 06, 2008
What is your security concern with the jsessionid in the URI? Is the application only accessed over HTTPS? That would be the simplest way of ensuring third parties couldn't steal the session ID. The jsessionid is already encrypted, so I don't think masking it would add any security.
ASM provides the ability to track the value of a dynamic session ID in the URI. This would allow you to block a client who makes a request with a jsessionid that the server didn't set itself. You can check the ASM configuration guide to get more details on configuring extraction and enforcement of dynamic session IDs:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_945_config_guide/asm_web_apps.html1027969
To be honest, I'm not sure if you need to configure extraction of the jsessionid as a dynamic parameter or if ASM automatically looks in the response content using the regex you designate in the web application properties. Maybe someone can clarify this or you could test it?
Here is the section on dynamic parameter extraction/enforcement:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_945_config_guide/asm_parameters.html1031654
Aaron
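A minimal model of the enforcement idea described in the reply above (block a request whose jsessionid the server never issued), added here as an example; it is not part of the original thread and not ASM's implementation. The class name, the regex and the sample values are assumptions constructed for illustration.

```python
import re

# Assumption: URL rewriting appends ";jsessionid=<value>" to the path, and the
# value ends at "?", "#", "&", ";", a quote, an angle bracket or whitespace.
JSESSIONID_RE = re.compile(r";jsessionid=([^?#\"'\s<>&;]+)", re.IGNORECASE)

# Constructed sample response body (not taken from a real application).
SAMPLE_RESPONSE = (
    '<a href="/app/cart.jsp;jsessionid=CONSTRUCTEDabc123!-1029384756?item=7">'
    "Cart</a>"
)


class SessionIdTracker:
    """Remembers session IDs seen in server responses and checks request URIs."""

    def __init__(self):
        self.issued = set()

    def learn_from_response(self, body):
        """Record every jsessionid the server embedded in a response body."""
        found = JSESSIONID_RE.findall(body)
        self.issued.update(found)
        return found

    def check_request(self, uri):
        """Return 'allow' or 'block' for a request URI."""
        ids = JSESSIONID_RE.findall(uri)
        if not ids:
            return "allow"  # no session ID in the URI, nothing to enforce
        if len(ids) > 1:
            return "block"  # ambiguous: more than one jsessionid in one URI
        # Exact, case-sensitive match against values the server handed out.
        return "allow" if ids[0] in self.issued else "block"


if __name__ == "__main__":
    tracker = SessionIdTracker()
    tracker.learn_from_response(SAMPLE_RESPONSE)
    for uri in (
        "/app/cart.jsp;jsessionid=CONSTRUCTEDabc123!-1029384756?item=7",
        "/app/cart.jsp;jsessionid=guessedvalue0000?item=7",
        "/app/index.jsp",
    ):
        print(tracker.check_request(uri), uri)
```
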
