Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

zack_254145's avatar
zack_254145
Icon for Nimbostratus rankNimbostratus
Sep 06, 2017

When will ASM generate "Illegal session ID in URL" violation?

Hi Folks,   I am trying to understand this violation: Illegal session ID in URL, but still quite confusing after a bunch of tests. How/when does ASM consider the session ID in URL is illegal?   ...
application delivery
ASM Advanced WAF
security
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
Oct 21, 2017

Illegal Session ID in URL is only used to match the session ID in the URL with the ID tracked in TS cookie.

 

Using Session ID in URL is a very very old way of session management used back in the early-mid 2000 Java applications where instead of cookies early version Tomcat would issue URLs like this:

 

https://webapp.com/index.jsp?jsessionid=557206C363F1267A24AB769CA0DE4529

 

This is of course highly insecure as anyone with access to the weblogs at your ISP for example could copy this whole URL to access someone's bank account.

 

I have not seen any web applications using this methodology probably since 2009 - everyone is using cookies for session management these days.

 

Do not forget that ASM is quite an old product started in 2004 with F5's acquisition of Magnifire and their TrafficShield product (hence the TS cookie name). The feature to protect Session ID in URL dates back to Traffic Shield and 2004 and back then this protection was essential.