It seems that if man could catch a hold of the right key, man could retrieve the APM session cookie for another APM session
 
set apm_cookie_list [ACCESS::user getsid $the_guessed_user_key]
set apm_cookie [ACCESS::user getkey [lindex $apm_cookie_list 0]]
it will be really appreciated if F5 experts could explain in details on how the external SIDs are associated with such a key and what is the name convention or requirements for that key and who comes out with such a key? Should the key contain something closely related with that concerned session, such as hashed password? How does F5 internally avoid collision for those keys across APM sessions? is it the internal session variable session.user.uuid that holds the value for the specified key?
 
@Kevin Stewart could you please shed the light on it?