zack_254145
Sep 06, 2017 | Nimbostratus
When will ASM generate "Illegal session ID in URL" violation?
Hi Folks,
I am trying to understand this violation: Illegal session ID in URL, but I am still quite confused after a bunch of tests. How/when does ASM consider the session ID in the URL to be illegal?
In the GUI, it says "The system checks that the request contains a session ID value that matches the session ID value which was set by the server to this session."
So it sounds like a response containing the session ID has to reach ASM first, before ASM can tell whether the session ID from the next request will be valid or not. Is my understanding correct?
If the pool member returns a redirect response (302), will ASM also check the "Location" header to extract the dynamic session ID? Or does it only watch 200 responses?
Thanks!