Forum Discussion

pedinopa_170325
Aug 09, 2018

remove dynamic session id in url

I am trying to remove jsessionid from the requested URL. I have tried using iRules to do it (with no luck). I see in ASM it is possible according to knowledge article K7513. I created a new policy and set the dynamic session id in URL to ;jsessionid=.{32}. It does not appear to be working, or maybe I am interpreting it wrong. Is there something more to configuring ASM? Does it take a while to take effect?

 

The site that I am trying to do this for is a JBoss site (unfortunately I can't do the jsessionid in the backend server). The behavior of the site places a jsessionid in the requested URL (it is only visible with developer tools and is at no time put in the URL bar). I pasted the output of curl below and highlighted the jsessionid I need to remove. My ASM is 11.5.4 and I do see that the affected versions of the knowledge article skip that version.

 

curl 'https://myportal.pricechopper.com/myportal/auth/portal/default/default;jsessionid=1627FB0D31980F1EC4B25D3C23E79BB7' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: https://myportal.pricechopper.com/myportal/' -H 'Cookie: JSESSIONID=1627FB0D31980F1EC4B25D3C23E79BB7; TS01419a0d=0178d08b8ac66a3674cdd363f381d4f894c251c727cea9c4567db44202bd7eabef2a092690c6fe5e7942c6b7a044cdab3119770d63' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1'

 

1 Reply

  • I see you have already found a solution using an iRule, as per your comment in this post?:

    https://devcentral.f5.com/questions/hide-jsession-id-61022

    Knowledgebase article K7513 talks about hiding jsessionid in URL from ASM to prevent ASM from treating each user session as a unique URL.

    You really need to change this in your backend server's JBOSS config.xml and make sure tracking-mode is set to COOKIE:

    <!-- Servlet 3.0 session-config block; the element names were lost in extraction and are reconstructed here from the remaining values -->
    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

    If you cannot change the JBOSS config for some reason, you need to add HttpOnly and Secure attributes to your JSESSIONID cookie.

    So basically there are only two ways that jsessionid=xxx can get into your browser:

    1) The server sends it to the client (browser) in a Redirect response. You can remove it using an iRule.

    2) The application on the client side (JavaScript) extracts the JSESSIONID from a cookie and generates a request appending jsessionid to the URL. You can stop this by making sure the JSESSIONID cookie is HttpOnly, so it will no longer be accessible from JavaScript.
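An added iRule example, not taken from the thread or from F5's documentation, that implements both points in the reply above on the BIG-IP: it strips the session id from redirect Location headers (way 1), drops a stray ;jsessionid= from the request path so ASM sees one stable URL per resource, and forces HttpOnly and Secure on the JSESSIONID cookie the backend sets (way 2). It assumes the id is 32 hex characters, as in the curl output above, and that the JSESSIONID cookie is the real session carrier, so removing the URL copy does not break the session; the event names and the HTTP::uri, HTTP::header and HTTP::cookie commands are standard iRule commands, while the regex is this example's own choice.

```tcl
# Added example iRule (not the original poster's or the reply author's code).
# Assumption: session ids are 32 hex characters and the JSESSIONID cookie,
# not the URL, carries the session, so the URL copy is redundant.

when HTTP_REQUEST {
    # A client (or client-side JavaScript) may still append ;jsessionid=<hex>
    # to the path. Remove it so ASM and the pool member see one canonical URL
    # instead of one URL per session.
    if { [HTTP::path] contains ";jsessionid=" } {
        set newuri [regsub -nocase {;jsessionid=[0-9A-F]{32}} [HTTP::uri] ""]
        HTTP::uri $newuri
    }
}

when HTTP_RESPONSE {
    # Way 1: the server appends the session id to Location on redirects.
    # Rewrite the header before it reaches the browser.
    if { [HTTP::header exists "Location"] } {
        set loc [HTTP::header "Location"]
        if { $loc contains ";jsessionid=" } {
            HTTP::header replace "Location" [regsub -nocase {;jsessionid=[0-9A-F]{32}} $loc ""]
        }
    }

    # Way 2: JavaScript can only copy the cookie into a URL if it can read it.
    # Mark the Set-Cookie for JSESSIONID HttpOnly (and Secure, since the site is HTTPS).
    if { [HTTP::cookie exists "JSESSIONID"] } {
        HTTP::cookie httponly "JSESSIONID" enable
        HTTP::cookie secure "JSESSIONID" enable
    }
}
```

Attach the iRule to the HTTPS virtual server in front of the JBoss pool. The request-side rewrite is the one to test carefully: if any part of the application relies on URL rewriting for clients that reject cookies, stripping the path copy would log those clients out, in which case keep only the HTTP_RESPONSE part and let ASM's dynamic session id setting handle the URL normalization.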