Forum Discussion
Illegal Session ID in URL is only used to match the session ID in the URL with the ID tracked in TS cookie.
Using a Session ID in the URL is a very old way of session management, used back in early-to-mid-2000s Java applications where, instead of cookies, early versions of Tomcat would issue URLs like this:
https://webapp.com/index.jsp?jsessionid=557206C363F1267A24AB769CA0DE4529
This is of course highly insecure, as anyone with access to the web logs at your ISP, for example, could copy this whole URL to access someone's bank account.
I have not seen any web applications using this methodology probably since 2009; everyone is using cookies for session management these days.
Do not forget that ASM is quite an old product, started in 2004 with F5's acquisition of Magnifire and their TrafficShield product (hence the TS cookie name). The feature to protect the Session ID in the URL dates back to TrafficShield and 2004, and back then this protection was essential.
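The check described above, modelled as an added example (this is not F5's or ASM's own code, and its exact matching logic is an assumption drawn from the post): a session ID carried in the URL, either as Tomcat's `;jsessionid=` path parameter or as the query parameter shown in the example URL, is accepted only if it equals the ID already tracked for that client; otherwise it is flagged. The same extractor is then run over constructed access-log lines to show how such IDs end up exposed in web logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tomcat carried the id either as a ";jsessionid=..." path parameter or,
# as in the URL quoted in the post, as a "?jsessionid=..." query parameter.
_PATH_PARAM = re.compile(r";jsessionid=([0-9A-Za-z]+)", re.IGNORECASE)

def extract_url_session_id(url: str):
    """Return the session id carried in the URL, or None if there is none."""
    parts = urlsplit(url)
    m = _PATH_PARAM.search(parts.path)
    if m:
        return m.group(1)
    for key, values in parse_qs(parts.query).items():
        if key.lower() == "jsessionid":
            return values[0]
    return None

def classify_url_session(url: str, tracked_id):
    """Assumed model of the 'Illegal Session ID in URL' check (not F5's code):
    an id in the URL is legal only when it equals the id the proxy already
    tracks for this client (the TS cookie side); anything else is flagged."""
    url_id = extract_url_session_id(url)
    if url_id is None:
        return "no-session-in-url"
    if tracked_id is not None and url_id == tracked_id:
        return "match"
    return "illegal-session-id-in-url"

# Constructed access-log lines (not real traffic) in a minimal
# "client-ip request-path" shape, reusing the id from the post's example URL.
SAMPLE_LOG = """\
203.0.113.5 /index.jsp?jsessionid=557206C363F1267A24AB769CA0DE4529
203.0.113.5 /account/balance.jsp;jsessionid=557206C363F1267A24AB769CA0DE4529
198.51.100.7 /login.jsp
"""

def find_exposed_ids(log_text: str):
    """Return (client, session_id) for every log line whose URL carries a session id."""
    hits = []
    for line in log_text.splitlines():
        client, _, path = line.partition(" ")
        sid = extract_url_session_id(path)
        if sid:
            hits.append((client, sid))
    return hits

if __name__ == "__main__":
    print(find_exposed_ids(SAMPLE_LOG))
```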