High-Value Session Cookie Token

Detects high-value session cookies by name-plus-value: framework and SSO session cookies (ESTSAUTH / ESTSAUTHPERSISTENT, JSESSIONID, PHPSESSID, connect.sid, _session_id, sessionid) assigned a long token value. A captured session cookie lets an attacker resume an authenticated session and bypass MFA entirely.

Type: regex
Engine: universal
Confidence: high
Confidence justification: High confidence: requiring a specific high-value session-cookie name immediately assigned a 16+ character token value is a distinctive structure. Documentation that merely names these cookies without a real value will not match.
Jurisdictions: global
Regulations: GDPR
Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
Data categories: credentials, security
Scope: narrow
Risk rating: 9
Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

(?<![A-Za-z0-9_])(?:ESTSAUTHPERSISTENT|ESTSAUTH|JSESSIONID|PHPSESSID|connect\.sid|_session_id|sessionid|SSESS[a-f0-9]{8,})\s*[=:]\s*[A-Za-z0-9%._-]{16,}

Corroborative evidence keywords

session cookie, session token, set-cookie, session hijack, cookie theft, MFA bypass, token theft, authentication

Proximity: 300 characters

Should match

JSESSIONID=A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4 — Java servlet session cookie with 32-char fake value
set-cookie: PHPSESSID=0123456789abcdef0123456789abcdef — PHP session cookie in a Set-Cookie header, fake value
ESTSAUTHPERSISTENT: AQABAAEAAAD-fakeMicrosoftEntraSessionTokenValue123 — Microsoft Entra persistent auth cookie with fake token value

Should not match

JSESSIONID=short — Token value too short (under 16 chars)
COLORID=A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4 — Unknown cookie name, not a tracked session cookie
The JSESSIONID cookie identifies the user session on the server — Prose naming the cookie with no assigned token value

Known false positives

Example or expired cookie values in API documentation, HAR captures used for debugging, or test fixtures. Mitigation: Require corroborative session/cookie-theft keywords and treat obvious placeholders (all zeros, "example") as non-sensitive.