Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Fixed In:
12.1.0
Opened: Nov 04, 2014
Severity: 3-Major
Related Article: K17387
An APM session is invalidated when URLs under the /public folder are accessed with modified session cookie information. If the modified LastMRH_Session cookie collides with an existing session but the full MRHSession cookie does not match it, APM kills the closest matching session when the /public URL is accessed.
The existing session is invalidated and a new session is created.
This issue occurs under the following conditions:
1. Configure an APM virtual server with a simple policy (any policy will suffice).
2. Configure an LTM virtual server that calls the APM virtual server with the virtual iRule command.
3. Access the virtual server and get the APM session established.
4. Use the cookies acquired to send a request for any resource in the /public folder on the BIG-IP system, but modify the MRHSession cookie so that it is slightly different from the correct value.
5. Observe that APM kills the session identified by the LastMRH_Session cookie.
The following iRule can be used to remove the cookies and prevent the issue:

    when HTTP_REQUEST {
        # Requests for /public resources carry no need for the session
        # cookies; dropping both of them keeps a tampered MRHSession
        # from colliding with an established session.
        if { [HTTP::path] contains "/public" } {
            HTTP::cookie remove "LastMRH_Session"
            HTTP::cookie remove "MRHSession"
        }
    }
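To show why stripping the cookies on /public requests prevents the session from being killed, here is an added Python model of the collision and of the workaround; it is not APM code, and the session table, the closest-match rule and the sample session ids are assumptions constructed for the illustration.

```python
"""Model of the LastMRH_Session collision and of the iRule workaround.

Added illustration, not BIG-IP APM code: the session table, the
'closest match' rule and the sample ids are assumptions.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

SESSION_COOKIES = ("LastMRH_Session", "MRHSession")


@dataclass
class SessionStore:
    # Live sessions keyed by the full MRHSession id (assumption).
    sessions: Dict[str, dict] = field(default_factory=dict)
    killed: List[str] = field(default_factory=list)

    def create(self, sid: str) -> None:
        self.sessions[sid] = {"id": sid}

    def lookup_for_public(self, cookies: Dict[str, str]) -> Optional[str]:
        """Behaviour as the bug record describes it: on a /public request,
        an MRHSession that matches nothing but a LastMRH_Session that
        matches an existing session gets that session killed."""
        mrh = cookies.get("MRHSession")
        last = cookies.get("LastMRH_Session")
        if mrh in self.sessions:
            return mrh  # exact match: nothing is touched
        if last in self.sessions:
            del self.sessions[last]  # collision: closest match is killed
            self.killed.append(last)
        return None


def strip_public_cookies(path: str, cookies: Dict[str, str]) -> Dict[str, str]:
    """Equivalent of the workaround iRule: drop both session cookies from
    any request whose path contains /public; other paths are untouched."""
    if "/public" in path:
        return {k: v for k, v in cookies.items() if k not in SESSION_COOKIES}
    return dict(cookies)


def session_survives(workaround: bool) -> bool:
    """Return True when an established session survives a /public request
    carrying a tampered MRHSession (constructed sample ids)."""
    store = SessionStore()
    sid = "abcd1234"  # constructed session id
    store.create(sid)
    cookies = {"MRHSession": sid[:-1] + "X", "LastMRH_Session": sid}
    if workaround:
        cookies = strip_public_cookies("/public/images/logo.png", cookies)
    store.lookup_for_public(cookies)
    return sid in store.sessions
```

Without the workaround the tampered request removes the established session from the table; with it, the /public request reaches the lookup with no session cookies and nothing is killed.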
None