LTM/ASM Prevent session hijacking using an iRule
Hello all
We have noticed a security issue on our SharePoint website. If a hacker manages to steal someone's FedAuth cookie (SharePoint proprietary) and the TS* cookie (ASM), the ASM policy will not pick this up as session hijacking (since the info in the TS* cookie isn't modified) and the attacker will be able to circumvent having to log in to the SharePoint website. Source IP info is not stored in this TS* cookie.
To have at least some sort of security in place for this particular issue, we would like to have an iRule in place that does check the source IP of a request. If it sees that the same FedAuth and TS* cookies are being used in the request but from a different source IP, we want the iRule to redirect back to the login page or block the request altogether.
My experience in creating iRules is rather limited, so any help in setting up such a cookie would be very much appreciated!
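One way to implement the check described in the post, as an added example that is not part of the original post or F5's own code: the iRule records the first client IP seen for each FedAuth value in the session table and redirects when the same cookie later arrives from a different address. It keys on FedAuth alone so the check does not depend on which TS* cookies the client sends; the login path, the timeouts and the `path=/` cookie attribute are assumptions to adjust for the site.

```tcl
when RULE_INIT {
    # Hypothetical values, not taken from the post.
    set static::bind_login_uri "/login-placeholder" ;# placeholder login path
    set static::bind_idle 3600                      ;# seconds of inactivity before a binding expires
    set static::bind_max 36000                      ;# hard upper limit for a binding, in seconds
}

when HTTP_REQUEST {
    # Nothing to bind until SharePoint has issued a FedAuth cookie.
    if { not [HTTP::cookie exists "FedAuth"] } { return }

    # Store a digest instead of the raw cookie so the session table
    # never holds a usable authentication token.
    binary scan [sha256 [HTTP::cookie value "FedAuth"]] H* digest
    set client_ip [IP::client_addr]
    set bound_ip [table lookup -subtable fedauth_bind $digest]

    if { $bound_ip eq "" } {
        # First request carrying this cookie: remember where it came from.
        table set -subtable fedauth_bind $digest $client_ip \
            $static::bind_idle $static::bind_max
        return
    }

    if { $bound_ip ne $client_ip } {
        # Same cookie, different source address: log it for the SOC, then
        # expire the cookie in the browser and send the client to the login page.
        log local0.warning "FedAuth reuse: bound to $bound_ip, seen from\
            $client_ip, host [HTTP::host], uri [HTTP::uri]"
        HTTP::respond 302 noserver \
            Location $static::bind_login_uri \
            Set-Cookie "FedAuth=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT" \
            Connection close
        return
    }
}
```

Source IP is a coarse signal: clients whose address changes mid-session (mobile networks, multi-egress proxies) will be sent back to login, and a stolen cookie replayed from behind the same NAT address as the victim is not detected. Replacing the `HTTP::respond` call with `reject` gives the "block altogether" behaviour instead of the redirect.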