Bug ID 531851: Login access criteria not validated

Last Modified: Mar 17, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:

Opened: Jul 06, 2015
Severity: 3-Major


When a response arrives without a content-type header and a login page has a search in response text criteria, the system does not detect failed logins. When brute force or session tracking is configured with this login page, it causes the system not to detect the brute force attack or track the session.


Brute force attacks are not detected, other login features may fail.


Login criteria includes string searches on the full response. Response arrives without content type.


Add a "content-type: text/html" header to the responses using an iRule. The content type should be textual (for example, "text/X" where X can be anything) or a list of "application/X" where X is one of the following: xml, html, xhml, json, soap+xml, x-javascript.

Fix Information

We fixed a possible failing scenario of the response-side features.

Behavior Change