Bug ID 521330

Bug Tracker
ID 521330

Bug ID 521330: When session is initiated by POST request, and second POST is sent while access policy is in progress, this second POST request is lost

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Opened: May 05, 2015

Severity: 3-Major

Symptoms

When multiple POST request arrive while access policy is being evaluated, the second POST request is lost.

Impact

- Browser will follow 302 redirect, and resubmit GET to "https://hostname/application". Second POST request is now lost! - BIG-IP will redirect user to /my.logout.php3 and will start evaluating access policy. After access policy is completed, POST request will be gone.

Conditions

- Create a simple access policy with a login page. Assign it to virtual. - Generate a POST request to virtual (e.g. https://hostname/application). This is a first request to hit BIG-IP. User does not have a session/cookie yet. - BIG-IP will respond with 302 redirecting user to /my.policy: HTTP/1.0 302 Found Server: BigIP Connection: Close Content-Length: 0 Location: /my.policy - Do not enter any credentials on the login page. Instead generate another POST request to the same virtual (e.g. https://hostname/application). Second request sent to big-ip will contain a session cookie. - This second POST will result in 302 redirect to "https://hostname/application". (NOTE: Expected behavior: display error message)

Workaround

None.

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips