Bug ID 488588: APM Session invalidated when accessing /public folder URLs on modifying session cookie information

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product: BIG-IP APM (all modules)

Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Nov 04, 2014
Severity: 3-Major
Related Article:
K17387

Symptoms

An APM session is invalidated when a request for a URL under the /public folder carries modified session cookie information. If the LastMRH_Session cookie in the request still matches an existing session but the full MRHSession cookie does not, APM kills the closest matching session (the one identified by LastMRH_Session) while serving the /public URL.

Impact

The existing session is invalidated and a new session is created, so the user is sent back through the access policy.

Conditions

This issue occurs under the following conditions:

1. Configure an APM virtual server with a simple access policy (any policy will suffice).
2. Configure an LTM virtual server that hands requests to the APM virtual server with the virtual iRule command.
3. Access the virtual server and get the APM session established.
4. Using the cookies acquired in step 3, send a request for any resource in the /public folder on the BIG-IP system, but modify the MRHSession cookie so that it is slightly different from the correct value while the LastMRH_Session cookie still identifies the live session.
5. Observe that APM kills the session identified by the LastMRH_Session cookie.
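The reproduction steps above, as an added example script that is not part of the F5 article. It assumes you have already established an APM session in a browser (step 3) and copied the request Cookie header; the script then performs steps 4 and 5: it sends a /public request with a slightly altered MRHSession and an unchanged LastMRH_Session, and then checks whether the genuine cookies still work. The hostname, the /public resource path and the protected path are placeholders, and the "session killed" criterion (APM issuing a different MRHSession value, i.e. a new session) is an assumption drawn from the Impact section.

```python
"""Added reproduction helper for Bug ID 488588 (example code, not F5's).

Usage, after establishing an APM session in a browser and copying the
Cookie header it sends:

    python repro_488588.py apm.example.com "MRHSession=...; LastMRH_Session=..."

Exit status 1 means the genuine session no longer worked after the tampered
/public request (bug reproduced); 0 means it survived.
"""
import http.client
import ssl
import sys
from http.cookies import SimpleCookie

# Assumed paths: any static resource under /public triggers the lookup, and
# any policy-protected path is enough to check the session afterwards.
PUBLIC_PATH = "/public/images/ie-top.gif"
PROTECTED_PATH = "/"


def parse_cookie_header(header):
    """Turn a request Cookie header ('a=1; b=2') into a dict."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            jar[name.strip()] = value.strip()
    return jar


def parse_set_cookies(set_cookie_values):
    """Collect cookie name/value pairs from a list of Set-Cookie header values."""
    jar = {}
    for raw in set_cookie_values:
        cookie = SimpleCookie()
        cookie.load(raw)
        for name, morsel in cookie.items():
            jar[name] = morsel.value
    return jar


def cookie_header(jar):
    """Serialise a dict back into a request Cookie header."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())


def mutate_session_id(session_id):
    """Change the last character of MRHSession so it matches no session.

    The caller leaves LastMRH_Session untouched, so it still collides with
    the live session; that combination is what the bug reacts to.
    """
    if not session_id:
        raise ValueError("empty MRHSession value")
    last = session_id[-1]
    return session_id[:-1] + ("0" if last != "0" else "1")


def session_killed(status, set_cookie_values, original_session_id):
    """Classify the follow-up response made with the ORIGINAL cookies.

    Assumed criterion: APM created a new session, visible as a Set-Cookie
    that issues a different MRHSession value. The status is returned to the
    operator for context but is not used to decide.
    """
    issued = parse_set_cookies(set_cookie_values).get("MRHSession")
    return issued is not None and issued != original_session_id


def get(host, path, cookie, verify_tls=False):
    """One GET over TLS, returning (status, list of Set-Cookie values)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab devices commonly present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    conn.request("GET", path, headers={"Cookie": cookie})
    resp = conn.getresponse()
    resp.read()
    set_cookies = resp.headers.get_all("Set-Cookie") or []
    conn.close()
    return resp.status, set_cookies


def main(argv):
    if len(argv) != 3:
        print(__doc__)
        return 2
    host, header = argv[1], argv[2]
    original = parse_cookie_header(header)
    if "MRHSession" not in original or "LastMRH_Session" not in original:
        print("Cookie header must carry both MRHSession and LastMRH_Session")
        return 2

    # Step 4: /public request with a slightly wrong MRHSession, same LastMRH_Session.
    tampered = dict(original)
    tampered["MRHSession"] = mutate_session_id(original["MRHSession"])
    status, _ = get(host, PUBLIC_PATH, cookie_header(tampered))
    print(f"GET {PUBLIC_PATH} with tampered MRHSession -> {status}")

    # Step 5: does the genuine session still work?
    status, set_cookies = get(host, PROTECTED_PATH, cookie_header(original))
    killed = session_killed(status, set_cookies, original["MRHSession"])
    print(("session killed" if killed else "session survived") + f" (status {status})")
    return 1 if killed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once against an affected version to confirm the kill, and again with the workaround iRule in place to confirm the genuine session survives the tampered /public request.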

Workaround

The following iRule removes the APM session cookies from requests for /public resources, so the session lookup that kills the session never takes place for those requests (content under /public is the logon-page material served to clients that do not yet have a session):

    when HTTP_REQUEST {
        # Drop both APM session cookies before the /public request is
        # processed; the lookup triggered by a mismatched MRHSession
        # and a matching LastMRH_Session then has nothing to act on.
        if { [HTTP::path] contains "/public" } {
            HTTP::cookie remove "LastMRH_Session"
            HTTP::cookie remove "MRHSession"
        }
    }

Note that "contains" matches the substring anywhere in the path, so a path such as /publications would also lose its session cookies; if the virtual server serves other paths containing that string, tighten the condition to paths that begin with /public/.

Fix Information

None

Behavior Change