Bug ID 550547: URL including a "token" query fails results in a connection reset

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 13.0.0

Fixed In:
13.1.0, 13.0.0 HF1, 12.1.3

Opened: Oct 06, 2015
Severity: 3-Major

Symptoms

Per-request policy access to a URL containing a "token" query parameter fails and results in a connection reset with the following error: "ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Impact

Clients receive this response: "ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Conditions

Configure an Explicit SWG with a per-request policy (PRP) that includes [protocol lookup (https) + category-lookup]. It does not matter whether NTLM or basic auth is used. The issue is triggered on sites that have "token" in the query parameters.

Workaround

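Workaround iRule:

    when HTTP_REQUEST {
        # Replace "token" in the query string with the placeholder "aabbcc".
        # string map replaces every occurrence of the substring in the query.
        if { [HTTP::query] contains "token" } {
            set fix 1
            HTTP::query [string map "token aabbcc" [HTTP::query]]
        }
    }
    when HTTP_REQUEST_SEND {
        # Restore "token" just before the request is sent to the server.
        if { [info exists fix] && $fix equals 1 } {
            clientside {
                HTTP::query [string map "aabbcc token" [HTTP::query]]
                unset fix
            }
        }
    }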

Fix Information

A customization namespace for the subsession state prefix, with the default value "000fffff", has been added. It is controlled via the db variable "tmm.access.subsessionstateprefix" and is placed before the state/token query parameter. Validation now checks for the prefix value before triggering the serialize/deserialize code, which avoids the RST.

If a UCS is being restored and used for a hotfix, the newly added db variable may not be present in the /config/Bigdb.dat file. In that case, add the following to /config/Bigdb.dat and then run "bigstart restart" to ensure proper operation:

    #
    # This string is used as the prefix for the subsession state value that is sent as
    # part of the redirect URI being sent to the client.
    #
    [Tmm.Access.SubsessionStatePrefix]
    default=000fffff
    type=string
    realm=local
    display_name=Tmm.Access.SubsessionStatePrefix
    scf_config=true
    max=32
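The Bigdb.dat step above can be made idempotent so that a restored UCS is checked before anything is appended. The script below is an added example, not F5 code: the function names and the ".bak" backup suffix are assumptions, while the stanza text and the /config/Bigdb.dat path are taken from this page.

```shell
#!/bin/sh
# Added example (not from F5): add the subsession state prefix stanza only if absent.
STANZA_HEADER='[Tmm.Access.SubsessionStatePrefix]'

# Stanza exactly as given in the Fix Information section.
stanza_text() {
cat <<'EOF'
#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32
EOF
}

# Returns 0 when the section header is present as a whole line in file $1.
has_stanza() {
    grep -qxF -- "$STANZA_HEADER" "$1"
}

# Prints "present", "added" or "missing"; returns 2 when the file does not exist.
ensure_stanza() {
    _f="${1:-/config/Bigdb.dat}"
    [ -f "$_f" ] || { echo "missing"; return 2; }
    if has_stanza "$_f"; then
        echo "present"
        return 0
    fi
    # Keep a copy before editing (the .bak name is an assumption of this example).
    cp -p -- "$_f" "$_f.bak" || return 1
    # Start on a fresh line even if the file has no trailing newline.
    [ -z "$(tail -c 1 "$_f")" ] || echo >> "$_f"
    stanza_text >> "$_f"
    echo "added"
}
```

Call ensure_stanza with no argument on the BIG-IP system; when it prints "added", follow with "bigstart restart" as described above.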

Behavior Change