Forum Discussion

Nimbostratus

Oct 08, 2009

predictable session ID

Hello, WE are failing a security audit due to having a predicitable session ID number for the HTTP protocol. We have a group of webservers in a pool and a virtual server...

config

design

hooleylist

Cirrostratus

Oct 08, 2009

Hi,

I would guess the security audit is errantly identifying the LTM persistence cookie as predictable because the values of the cookie doesn't change over the course of multiple users' sessions. The persistence cookie is not a session identifier--it is simply an encoding of the pool member's IP address and port. You can check SOL6917 for details on the encoding:

SOL6917: Overview of BIG-IP LTM cookie encoding for the cookie persistence profile

https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html

If you consider the exposure of the server IP:port a security risk, you could configure LTM to encrypt the persistence cookie value using the HTTP profile option. I think this option was added at some point in 9.4.x.

Aaron

Forum Discussion

predictable session ID

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Your 2023 Predictions?

End of year summary and new year predictions, Dec 25th – 31st – F5SIRT This Week in Security

Reactive, Proactive, Predictive: SDN Models

The Top 10, Top Predictions for 2012

F5 Predicts: Education gets personal