Forum Discussion

Nimbostratus

Sep 06, 2017

When will ASM generate "Illegal session ID in URL" violation?

Hi Folks, I am trying to understand this violation: Illegal session ID in URL, but still quite confusing after a bunch of tests. How/when does ASM consider the session ID in URL is illegal? ...

Cirrocumulus

Oct 21, 2017

Illegal Session ID in URL is only used to match the session ID in the URL with the ID tracked in TS cookie.

Using Session ID in URL is a very very old way of session management used back in the early-mid 2000 Java applications where instead of cookies early version Tomcat would issue URLs like this:

https://webapp.com/index.jsp?jsessionid=557206C363F1267A24AB769CA0DE4529

This is of course highly insecure as anyone with access to the weblogs at your ISP for example could copy this whole URL to access someone's bank account.

I have not seen any web applications using this methodology probably since 2009 - everyone is using cookies for session management these days.

Do not forget that ASM is quite an old product started in 2004 with F5's acquisition of Magnifire and their TrafficShield product (hence the TS cookie name). The feature to protect Session ID in URL dates back to Traffic Shield and 2004 and back then this protection was essential.

Forum Discussion

When will ASM generate "Illegal session ID in URL" violation?

Recent Discussions

GTM Packet Capture command

Citrix XenServer Big-IP Upgrade help

BIG-IP DNS iRule issue with static variable

F5 ASM logging profile to specify source IP

Portal Access to HTTPS resources slow

Related Content

About AWAF "Redirect URLs" in "Responses and Blocks"

Rate limiting GraphQL API query using iRule and Advanced WAF Violation

Separating False Positives from Legitimate Violations

AWAF - Do not log Geolocation violations from the Event Log

No Learning Suggestions But could see Violations in the event logs