For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

pedinopa_170325's avatar
pedinopa_170325
Icon for Nimbostratus rankNimbostratus
Aug 09, 2018

remove dynamic session id in url

I am trying to remove jsessionid from the requested URL. I have tried using irules to do it (with no luck). I see is ASM it is possible according to knowledge article K7513. I created a new policy...
ASM Advanced WAF
security
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
Aug 09, 2018

I see you have already found a solution using an iRule as your comment in this post?:

https://devcentral.f5.com/questions/hide-jsession-id-61022

Knowledgebase article K7513 talks about hiding jsessionid in URL from ASM to prevent ASM from treating each user session as a unique URL.

you really need to change this in your backend server's JBOSS config.xml and make sure tracking-mode is set to COOKIE:



true
true
 
     COOKIE

if you cannot change the JBOSS config for some reason you need to add http-only and Secure attributes to your JSESSIONID cookie.

So basically there are only 2 ways how jsessionid=xxx can get into your browser:

1) the server sends it to the client(browser) in a Redirect response - you can remove it using an iRule

2) the application on the client-side (Javascript) extracts the JSESSIONID from a cookie and generates a request appending jsessionid to the URL - you can stop this by making sure the JSESSIONID cookie is HTTP-Only, so it will no longer be accessible from JavaScript.