Bug ID 2306957

Bug Tracker
ID 2306957

Bug ID 2306957: Changes To The sys http auth-pam-validate-ip Setting May Not Take Effect When PAM Cache Files Are Present

Last Modified: Jun 19, 2026

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
16.1.6.1, 17.1.3.2, 17.5.1.6

Opened: May 29, 2026

Severity: 3-Major

Symptoms

Changing auth-pam-validate-ip from 'on' to 'off' does not work if /run/pamcache contains token files Login attempts fail unexpectedly, sometimes logging "Cookie impersonation detected" in /var/log/httpd/httpd_errors. Transition from 'off' to 'on' works as expected

Impact

- Login disruptions for users - Security configuration changes fail to take effect

Conditions

Occurs when older token files are still present in the /run/pamcache directory after changing the auth-pam-validate-ip setting from 'on' to 'off'

Workaround

- set auth-pam-validate-ip to "off" - make sure that no active client sessions are sending or receiving data to/from httpd - delete all tokens from /run/pamcache

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips