Bug ID 488588: APM Session invalidated when accessing /public folder URLs on modifying session cookie information

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:

Opened: Nov 04, 2014

Severity: 3-Major

Related Article: K17387


An APM session is invalidated when accessing the /public folder URLs on modifying session cookie information. If the modified LastMRHSession cookie collides with an existing session but the full MRHSession does not, then APM kills the closest matching session when accessing /public URLs.


Session is invalidated and new session is created.


This issue occurs under the following conditions: 1. Configure an APM virtual server with a simple policy (any policy will suffice). 2. Configure an LTM virtual server that calls the APM virtual server with the iRule command: virtual. 3. Access the virtual server and get the APM session established. 4. Use the Cookies acquired to send a request for any resource in the /public folder on the BIG-IP system, but modify the MRHSession cookie so that it is slightly different from the correct value. 5. Observe that APM kills the session identified by the LastMRHSession cookie.


The following iRule can be used to remove the cookie to prevent the issue: when HTTP_REQUEST { if {[HTTP::path] contains "/public"} { HTTP::cookie remove "LastMRH_Session" HTTP::cookie remove "MRHSession" } }

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips