Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Opened: Jul 29, 2015 Severity: 3-Major
Suppose there is an access profile with configured Logout URI and Logout URI Timeout (default 5 sec). When a request matching the configured Logout URI comes the session is queued for removal: Jul 23 11:59:53 aiohidcapm01 notice tmm1[18736]: 01490518:5: c89f6718: Session will be deleted in 5 secs due to user logout request. But it actually gets removed later: Jul 23 12:00:04 aiohidcapm01 notice tmm[18736]: 01490501:5: c89f6718: Session deleted due to user logout request.
Session is deleted several seconds after the Logout URI Timeout has already expired.
Configure HTTP virtual server with an access profile having Logout URI and Logout URI Timeout. Log on to APM, then send a request matching Logout URI. See apm log to calculate real session deletion timeout.
None.
None