Forum Discussion

pedinopa_170325
Aug 06, 2018

jsessionid

I thought we had a solution (I was wrong). Apparently, when you use ZAP or other header scanners, they will find the JSESSIONID. I found the HTML code I need but would rather do it in the F5. The code is

 

true true COOKIE

 

I was reading about using a stream policy and an expression. What it comes down to is I need to remove the JSESSIONID from the response URL.

 

2 Replies

  • Little confused on what you are trying to do but with an iRule you can do the following to remove the JSESSIONID cookie in the response:

    when HTTP_RESPONSE {
      HTTP::cookie remove JSESSIONID
    }
    

    Would this not break the backend application, as it removes the session state between the client and the backend?

  • The correct place to implement the changes is on your back-end webserver configuration (I assume Tomcat?), so speak to your server sysadmins (if possible).

     

    However, if you wish to remove it on F5, here are the past DevCentral questions with iRule code which will do it for you:

     

    https://devcentral.f5.com/questions/hide-jsession-id-61022

     

    I hope this helps,

     

    Sam
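The stream-expression approach mentioned in the question, sketched as an added example (not code from this thread or from the linked DevCentral answer). It assumes a Stream profile is attached to the virtual server, that the application tracks sessions with the JSESSIONID cookie, and that session IDs use only the characters in the pattern shown.

```tcl
# Added example. Assumptions: a Stream profile is attached to the virtual
# server, and clients keep their session through the JSESSIONID cookie.
when HTTP_REQUEST {
    # The stream filter is only wanted on responses.
    STREAM::disable
    # Request an uncompressed body so the filter can match plain text.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # Redirects: strip the ;jsessionid=... path parameter from Location,
    # keeping any query string or fragment that follows it.
    if { [HTTP::header exists "Location"] } {
        set loc [HTTP::header value "Location"]
        if { [regsub -nocase {;jsessionid=[^?#]*} $loc "" cleaned] } {
            HTTP::header replace "Location" $cleaned
        }
    }

    # Bodies: rewrite links only in text content types.
    if { [HTTP::header value "Content-Type"] starts_with "text/" } {
        # Format is @search@replacement@; the empty replacement deletes the
        # parameter from every URL in the payload. The character class is an
        # assumed session ID alphabet (hex ID plus optional .jvmRoute suffix).
        STREAM::expression {@;jsessionid=[A-Za-z0-9._-]+@@}
        STREAM::enable
    }
}
```

Unlike `HTTP::cookie remove JSESSIONID`, this leaves the Set-Cookie header alone, so cookie-based sessions continue to work. Clients that refuse cookies lose their session, because the URL was their only carrier for the ID.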