Applies To:
Show VersionsBIG-IP ASM
- 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Preventing Session Hijacking and Tracking User Sessions
Overview: Preventing session hijacking
Session hijacking, also called cookie hijacking, is the exploitation of a valid computer session to gain unauthorized access to an application. The attacker steals (or hijacks) the cookies from a valid user and attempts to use them for authentication. Application Security Manager™ (ASM™) can prevent session hijacking by tracking clients with a device ID. The device ID is a unique identifier that ASM creates by sending JavaScript to get information about the client device. If the client browser does not accept JavaScript, the client receives a message saying to enable JavaScript to view the page content. Clients that do not accept JavaScript are stopped even when the security policy is in transparent mode.
ASM stores the device ID along with other client data (including the message key or session ID) in a cookie that remains with the client for the length of the HTTP session. The system periodically checks that the device ID of the client is the same one that was assigned when the session started.
If the device ID or message key changes during the session or the session timed out, the system considers that to be an attack and issues an ASM cookie hijacking violation. It looks like an attacker has stolen cookies from a legitimate user and is trying to gain illegal access. Note that the ASM cookie hijacking violation only occurs if you enabled the Learn, Alarm, or Block settings for the violation.
You set up session hijacking along with session tracking. However, you do not have to track user sessions to set up hijacking prevention.
Task Summary
Preventing session hijacking
You can use Application Security Manager™ to prevent session hijacking by tracking the device ID and session ID of each user.
- Message key mismatch between cookies
- Device ID mismatch
- Device ID mismatch and message key mismatch between cookies
Because the security policy enforcement mode is set to blocking, the request is blocked and the client receives the cookie hijacking response page. By default, ASM erases the cookies for the session, and redirects the client to the login page. If the client is legitimate, the login should be successful. Attackers that had attempted to hijack the session are blocked.
Configuring the response to cookie hijacking
Overview: Tracking user sessions using login pages
You can track user sessions using login pages configured from within Application Security Manager™ (ASM™), or have the policy retrieve the user names from Access Policy Manager®(APM®). This implementation describes how to set up session tracking for a security policy using login pages. The advantage of using session tracking is that you are able to identify the user, session, device ID, or IP address an attack.
Login pages, created manually or automatically, define the URLs, parameters, and validation criteria required for users to log in to the application. User and session information is included in the system logs so you can track a particular session or user. The system can log activity, or block a user or session if either generates too many violations.
If you configure session awareness, you can view the user and session information in the application security charts.
Task Summary
Creating login pages automatically
If the Learning Mode is Manual, the login page is added to the learning suggestions on the Traffic Learning screen where you can add it to the policy. The login pages in the security policy are included in the Login Pages List.
Creating login pages manually
Setting up session tracking
Monitoring user and session information
Tracking specific user and session information
Overview: Tracking application security sessions using APM
You can track sessions using login pages configured from within Application Security Manager™ (ASM™), or have the policy retrieve the user names from Access Policy Manager® (APM®). This implementation describes how to set up session tracking for a security policy using APM to verify user credentials. Then, you can set up session awareness from within ASM to identify the user, session, or IP address that instigated an attack.
If you configure session tracking, you can view the user and session information in the application security charts.
Prerequisites for setting up session tracking with APM
In order to set up session tracking from within Application Security Manager™ (ASM™) so that the security policy retrieves the user names from Access Policy Manager ® (APM®), you need to perform basic these system configuration tasks according to the needs of your networking configuration:
- Run the setup utility and create a management IP address.
- License and provision ASM, APM, and Local Traffic Manager™ (LTM®).
- Configure a DNS address ( ).
- Configure an NTP server ( ).
- Restart ASM (at the command line, type tmsh restart /sys service asm).
Task summary
Use the following tasks to set up application security session tracking with APM authentication integrated.
Creating a VLAN
Creating a self IP address for a VLAN
Creating a local traffic pool for application security
Creating a virtual server to manage HTTPS traffic
Creating a security policy automatically
Creating an access profile
Configuring an access policy
Adding the access profile to the virtual server
You associate the access profile with the virtual server created for the web application that Application Security Manager™ is protecting.
You associate the access profile with the virtual server so that Access Policy Manager®can apply the profile to incoming traffic.