Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

pedinopa_170325's avatar
pedinopa_170325
Icon for Nimbostratus rankNimbostratus
7 years ago

remove dynamic session id in url

I am trying to remove jsessionid from the requested URL. I have tried using irules to do it (with no luck). I see is ASM it is possible according to knowledge article K7513. I created a new policy...
ASM Advanced WAF
security
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
7 years ago

I see you have already found a solution using an iRule as your comment in this post?:

https://devcentral.f5.com/questions/hide-jsession-id-61022

Knowledgebase article K7513 talks about hiding jsessionid in URL from ASM to prevent ASM from treating each user session as a unique URL.

you really need to change this in your backend server's JBOSS config.xml and make sure tracking-mode is set to COOKIE:



true
true
 
     COOKIE

if you cannot change the JBOSS config for some reason you need to add http-only and Secure attributes to your JSESSIONID cookie.

So basically there are only 2 ways how jsessionid=xxx can get into your browser:

1) the server sends it to the client(browser) in a Redirect response - you can remove it using an iRule

2) the application on the client-side (Javascript) extracts the JSESSIONID from a cookie and generates a request appending jsessionid to the URL - you can stop this by making sure the JSESSIONID cookie is HTTP-Only, so it will no longer be accessible from JavaScript.

Recent Discussions