Forum Discussion

zack_254145
Sep 06, 2017

When will ASM generate "Illegal session ID in URL" violation?

Hi Folks,

I am trying to understand this violation: Illegal session ID in URL, but it is still quite confusing after a bunch of tests. How/when does ASM consider the session ID in the URL to be illegal?

In the GUI, it says "The system checks that the request contains a session ID value that matches the session ID value which was set by the server to this session."

So it sounds like there has to be a response containing the session ID first to ASM, before ASM can tell whether the session ID from the next request will be valid or not. Is my understanding correct?

If the pool member returns a redirect response (302), will ASM also check the "Location" header to extract the dynamic session ID? Or does it only watch 200 responses?

Thanks!


2 Replies

  • Could it be that someone has a bookmark he uses to go to the site, which has a URL that contains a session ID from some past session, which ASM detects and marks as invalid?

  • Illegal Session ID in URL is only used to match the session ID in the URL with the ID tracked in the TS cookie.

    Using a session ID in the URL is a very, very old way of session management used back in early-to-mid-2000s Java applications, where instead of cookies early versions of Tomcat would issue URLs like this:

    https://webapp.com/index.jsp?jsessionid=557206C363F1267A24AB769CA0DE4529

    This is of course highly insecure, as anyone with access to the web logs at your ISP, for example, could copy this whole URL to access someone's bank account.

    I have not seen any web applications using this methodology probably since 2009 - everyone is using cookies for session management these days.

    Do not forget that ASM is quite an old product, started in 2004 with F5's acquisition of Magnifire and their TrafficShield product (hence the TS cookie name). The feature to protect the session ID in the URL dates back to TrafficShield and 2004, and back then this protection was essential.
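To make the check described in the second reply concrete (URL session ID compared against the ID tracked per client via the TS cookie, with the stale-bookmark case from the first reply falling out as a mismatch), here is an added illustrative model in Python. It is not F5 ASM code or the poster's; the tracking-cookie name `TS01example`, the `tracked` store and the verdict strings are assumptions, and the "untracked-client" outcome simply models that no verdict is possible before the server has issued a session ID to that client.

```python
"""Illustrative model of an 'Illegal session ID in URL' check (added example,
not F5 ASM code). Cookie name, verdict labels and the tracking store are
assumptions; only the jsessionid URL form comes from the thread."""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

TRACKING_COOKIE = "TS01example"  # assumed name of the per-client tracking cookie
SESSION_PARAM = "jsessionid"     # Java session parameter quoted in the thread


def session_id_from_url(url: str):
    """Return the session ID carried in the URL, either as a query parameter
    (?jsessionid=...) or as a Tomcat-style path parameter (;jsessionid=...).
    urlsplit keeps ';...' inside .path, so the path form is matched by regex."""
    parts = urlsplit(url)
    m = re.search(r";jsessionid=([^;/?#]+)", parts.path, re.IGNORECASE)
    if m:
        return m.group(1)
    for key, values in parse_qs(parts.query).items():
        if key.lower() == SESSION_PARAM:
            return values[0]
    return None


def check_request(url: str, cookie_header: str, tracked: dict) -> str:
    """Classify one request. `tracked` maps a tracking-cookie value to the
    session ID the server issued to that client (the ID the TS cookie tracks).
    A URL session ID that differs from the tracked one is the violation; a
    client with no tracked ID yet cannot be judged (assumed behaviour)."""
    url_sid = session_id_from_url(url)
    if url_sid is None:
        return "no-session-id-in-url"
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    ts = cookies.get(TRACKING_COOKIE)
    if ts is None or ts.value not in tracked:
        return "untracked-client"
    if tracked[ts.value] != url_sid:
        return "illegal-session-id-in-url"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: client 'tsval1' was issued the ID from the thread's URL.
    store = {"tsval1": "557206C363F1267A24AB769CA0DE4529"}
    bookmark = "https://webapp.com/index.jsp?jsessionid=0000STALE0000"
    print(check_request(bookmark, "TS01example=tsval1", store))
```

The stale-bookmark request above is reported as "illegal-session-id-in-url" because the ID in the URL does not match the one tracked for that client.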