Bug ID 531851: Login access criteria not validated

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:

Opened: Jul 06, 2015

Severity: 3-Major


Symptoms

When a response arrives without a Content-Type header and the login page has a "search in response text" access criterion, the system does not detect failed logins. If brute force protection or session tracking is configured with this login page, the system does not detect the brute force attack or track the session.


Impact

Brute force attacks are not detected, and other login features may fail.


Conditions

The login criteria include string searches on the full response, and the response arrives without a Content-Type header.


Workaround

Add a "content-type: text/html" header to the responses using an iRule. The content type should be textual (for example, "text/X" where X can be anything) or one of the "application/X" types, where X is one of the following: xml, html, xhtml, json, soap+xml, x-javascript.
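
One way to write the workaround iRule, as an added example that is not F5's own code. It scopes the change to the login page so that other responses are not relabelled as HTML; the path /login.php is a hypothetical placeholder for the login URL defined in the ASM policy.

```tcl
# Added example: insert a textual Content-Type on login responses
# that arrive from the server without one.

when HTTP_REQUEST {
    # Reset per request so keep-alive connections are handled correctly.
    set is_login_response 0

    # Hypothetical login path; replace with the policy's login URL.
    if { [string tolower [HTTP::path]] eq "/login.php" } {
        set is_login_response 1
    }
}

when HTTP_RESPONSE {
    # Touch only login responses that carry no Content-Type header at all;
    # responses that already declare a type are left unchanged.
    if { $is_login_response && ![HTTP::header exists "Content-Type"] } {
        HTTP::header insert "Content-Type" "text/html"

        # Record how often the back end omits the header, so the
        # application itself can be corrected later.
        log local0. "Inserted Content-Type on login response, status [HTTP::status]"
    }
}
```

After attaching the iRule to the virtual server, submit a failed login and confirm that ASM now records it for the login page.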

Fix Information

We fixed a possible failing scenario of the response-side features.

Behavior Change
