Forum Discussion
Steve_Brown_882
Nov 06, 2008 (Historic F5 Account)
Masking jsessionid with ASM
I am looking for some input on how we can resolve an issue we have with a weblogic based application which is behind an F5 with ASM. The problem is that we would like to mask the jsesionid from the ur...
hoolio
Cirrostratus
Nov 07, 2008
Forcing everything over SSL would be the most secure option I can think of--and by far the easiest. If this isn't an option, conceptually you could try to tie the jsessionid to an attribute of the client that would be present for every request. This could be the client IP address (though this is prone to change for DHCP clients or those going through mega-proxies) or the User-Agent header. You could parse response content for the jsessionid, append the client IP address or User-Agent string and then encrypt it. Adding a timestamp to the string you encrypt would allow you to enforce a timeout. You would need to do this encryption for all jsessionid values in the response content, decrypt the jsessionid in the path and replace the encrypted string with the original jsessionid. You would need to handle clients who do support cookies as well as those that don't.
I did something similar for a client previously using payload collection and rewriting, but it was quite an undertaking. Now that I know about the STREAM_MATCHED event it might be a bit simpler and more efficient to use a stream profile and iRule to do this.
It wouldn't be easy to develop such a rule. And it's not a bulletproof solution. I'd think it would be a lot easier, more efficient and more secure to just encrypt everything using HTTPS.
Aaron
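The scheme Aaron sketches (seal the jsessionid together with a client attribute and a timestamp, rewrite it in response bodies, verify and unseal it on the request path) is shown below as an added, self-contained Python illustration. It is not an iRule and not code from the thread; an iRule would do the same work with the BIG-IP's own stream and crypto commands. Because the standard library has no AES, the example builds an encrypt-then-MAC construction from HMAC-SHA256 (counter-mode keystream plus a separate MAC key); the secret, session ids, client addresses and HTML snippets are all constructed sample values. The important defensive details are that the token is authenticated before anything is decrypted, the client attribute is compared only after the MAC verifies, and a token that fails any check is dropped from the path so the backend sees a sessionless request rather than a guessed id.

```python
"""Bind a WebLogic ';jsessionid=<id>' URL token to a client attribute with a
timeout. Constructed illustration of the approach described in the thread;
not an F5 iRule and not the application's own code."""
import base64
import hashlib
import hmac
import os
import re
import time

# Constructed secret for the example; a real proxy keeps this server-side.
SECRET = b"example-proxy-secret-change-me"
TIMEOUT_SECONDS = 1800
NONCE_LEN = 12
TAG_LEN = 32

# WebLogic URL rewriting appends ";jsessionid=<id>" to the path.
JSESSIONID_RE = re.compile(r";jsessionid=([^;?&#\s\"'<>]+)")


def _subkey(label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the single secret.
    return hmac.new(SECRET, label, hashlib.sha256).digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF (stdlib has no block cipher).
    k_enc = _subkey(b"enc")
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(jsessionid: str, client_attr: str, now=None) -> str:
    """Encrypt-then-MAC (timestamp, jsessionid, client attribute) into a URL-safe token."""
    ts = int(time.time() if now is None else now)
    # Timestamp and session id never contain '|', so the attribute may go last.
    plaintext = f"{ts}|{jsessionid}|{client_attr}".encode()
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(nonce, len(plaintext)))
    tag = hmac.new(_subkey(b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def unseal(token: str, client_attr: str, now=None, timeout: int = TIMEOUT_SECONDS):
    """Return the original jsessionid, or None if the token is forged,
    bound to a different client, malformed, or older than the timeout."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN + 1:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # reject before decrypting
        return None
    try:
        ts, jsessionid, bound_attr = _xor(ct, _keystream(nonce, len(ct))).decode().split("|", 2)
    except ValueError:
        return None
    current = int(time.time() if now is None else now)
    if not ts.isdigit() or bound_attr != client_attr or current - int(ts) > timeout:
        return None
    return jsessionid


def mask_response(body: str, client_attr: str) -> str:
    """Replace every jsessionid in response content with a sealed token."""
    return JSESSIONID_RE.sub(lambda m: ";jsessionid=" + seal(m.group(1), client_attr), body)


def unmask_request_path(path: str, client_attr: str) -> str:
    """Restore the real jsessionid in the request path; a token that does not
    verify is removed so the backend treats the request as having no session."""
    def repl(m):
        sid = unseal(m.group(1), client_attr)
        return ";jsessionid=" + sid if sid else ""
    return JSESSIONID_RE.sub(repl, path)


if __name__ == "__main__":
    page = '<a href="/app/home;jsessionid=XYZ!99?x=1">home</a>'  # constructed
    masked = mask_response(page, "203.0.113.7")
    token = JSESSIONID_RE.search(masked).group(0)
    print(masked)
    print(unmask_request_path("/app/home" + token + "?x=1", "203.0.113.7"))
    print(unmask_request_path("/app/home" + token, "203.0.113.8"))
```

Binding to the source address inherits the caveat Aaron raises about DHCP and large proxies: a legitimate client whose address changes mid-session will have its token rejected and be pushed into a new session, so whichever attribute is chosen should be logged alongside the rejection to make those cases diagnosable.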