Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Joe_Erchul_4263's avatar
Joe_Erchul_4263
Icon for Nimbostratus rankNimbostratus
Aug 12, 2013

Replacing JESSIONID in the URI with contents of JSESSIONID cookie

Gang,   I have an issue where end-users are saving the post-authentication login page to an application as a Favorite, which also stores the JSESSIONID in the URI. When they go back to use that f...
application delivery
devops
irules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 12, 2013

Something like this perhaps:

when HTTP_REQUEST {
   set j_uri [findstr [string tolower [HTTP::uri]] ";jsessionid=" 12]
   if { ( $j_uri ne "" ) and ( [HTTP::cookie exists JSESSIONID] ) } {
      if { $j_uri ne [HTTP::cookie value JSESSIONID] } {
         set newuri [string map "$j_uri [HTTP::cookie value JSESSIONID]" [HTTP::uri]]
         HTTP::redirect "http://[HTTP::host]$newuri"
      }
   }
}

Admittedly this is a crude example. I wasn't sure exactly how the jsessionid is formatted in the URI (part of the path, a query string value), or what (if any) values were after it and how they are delimited. Ultimately you'll need to tweak the findstr function to extract the jsessionid value from the URI. If the jsessionid value in the URI doesn't match the JSESSIONID cookie value, create a new URI by replacing the original value with the cookie value and then redirect the user to the new URI (with matching cookie).