Bug ID 879777: Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7

Fixed In:
16.0.0, 15.1.1, 14.1.2.8

Opened: Feb 11, 2020

Severity: 4-Minor

Symptoms

After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Impact

Browser receives another JS challenge, instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Conditions

-- Bot Defense profile is enabled -- "Cross Domain Request":"validate upon request" option is enabled -- A browser navigates to a qualified (HTML) page from a related domain.

Workaround

Use "validate in a bulk" option.

Fix Information

Retrieving the cookie from the related domain even if the page is qualified.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips