predictable session ID

Question

Hello,  
&nbsp;  
&nbsp; WE are failing a security audit due to having a predicitable session ID number for the HTTP protocol. 
&nbsp;  
&nbsp; We have a group of webservers in a pool and a virtual server polls from the pool, we use cookies for the  
&nbsp;  
&nbsp; persistence profile. Is this a problem in the F5 or should I look in the IIS 6 webservers sitting in the pool. 
&nbsp;  
&nbsp; The F5 handles the HTTP and HTTPS traffic. 
&nbsp;  
&nbsp; Thanks

hoolio · Answer

Hi, 
&nbsp;  
&nbsp; I would guess the security audit is errantly identifying the LTM persistence cookie as predictable because the values of the cookie doesn't change over the course of multiple users' sessions.  The persistence cookie is not a session identifier--it is simply an encoding of the pool member's IP address and port.  You can check SOL6917 for details on the encoding: 
&nbsp;  
&nbsp; SOL6917: Overview of BIG-IP LTM cookie encoding for the cookie persistence profile 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html 
&nbsp;  
&nbsp; If you consider the exposure of the server IP:port a security risk, you could configure LTM to encrypt the persistence cookie value using the HTTP profile option.  I think this option was added at some point in 9.4.x. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

predictable session ID

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Not seeing the latest F5OS-A when running Journeys

Related Content

Your 2023 Predictions?

AI Security - LLM-DOS, and predictions of 2025 and beyond

MCP Session Affinity With F5 NGINX Plus

Reactive, Proactive, Predictive: SDN Models

The Top 10, Top Predictions for 2012

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS