predictable session ID

Question

Hello,  
&nbsp;  
&nbsp; WE are failing a security audit due to having a predicitable session ID number for the HTTP protocol. 
&nbsp;  
&nbsp; We have a group of webservers in a pool and a virtual server polls from the pool, we use cookies for the  
&nbsp;  
&nbsp; persistence profile. Is this a problem in the F5 or should I look in the IIS 6 webservers sitting in the pool. 
&nbsp;  
&nbsp; The F5 handles the HTTP and HTTPS traffic. 
&nbsp;  
&nbsp; Thanks

hoolio · Answer

Hi, 
&nbsp;  
&nbsp; I would guess the security audit is errantly identifying the LTM persistence cookie as predictable because the values of the cookie doesn't change over the course of multiple users' sessions.  The persistence cookie is not a session identifier--it is simply an encoding of the pool member's IP address and port.  You can check SOL6917 for details on the encoding: 
&nbsp;  
&nbsp; SOL6917: Overview of BIG-IP LTM cookie encoding for the cookie persistence profile 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html 
&nbsp;  
&nbsp; If you consider the exposure of the server IP:port a security risk, you could configure LTM to encrypt the persistence cookie value using the HTTP profile option.  I think this option was added at some point in 9.4.x. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

predictable session ID

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

AI Security - LLM-DOS, and predictions of 2025 and beyond

Your 2023 Predictions?

Reactive, Proactive, Predictive: SDN Models

The Top 10, Top Predictions for 2012

F5 Predicts: Education gets personal

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS