Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Fixed In:
12.1.0, 11.6.3
Opened: Feb 26, 2016
Severity: 3-Major
Related Article: K32581271
Symptoms:
After a client has authenticated, the APM session can be deleted (it times out, or is removed manually from memcache) while the browser still holds its cached Authorization header. When the client refreshes the page, the browser resends that existing Authorization header, but the agent processing the current pending task (a message box, in this case) consumes and discards the token that was intended for a later agent (the HTTP_401_Response agent, in this case).
Impact:
Although the browser sends the pre-authenticated token, it is still challenged for credentials (a pop-up window). This is unnecessary and should not occur.
Conditions:
A logon-type agent (here the HTTP_401_Response agent) is not the first agent in the access policy chain, and the browser sends it a pre-authenticated token.
Workaround:
None.
Fix Information:
An HTTP_401_Response agent can now be placed anywhere in the access policy chain. Pre-authenticated information intended for the targeted agent is no longer consumed by an agent sitting in front of it.
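For triage, the following added Python check (my own code, not F5's) turns the "Known Affected Versions" and "Fixed In" lists from this entry into a function that classifies a running BIG-IP version. The parsing of the " HFn" hotfix suffix and the assumption that branches released after 12.1.0 carry the fix are mine; versions that are neither listed as affected nor at or above a fixed-in release are reported as "not listed" rather than guessed.

```python
import re

# Version lists copied from the "Known Affected Versions" and "Fixed In" fields
# of this bug entry.
KNOWN_AFFECTED = [
    "11.5.3", "11.5.3 HF1", "11.5.3 HF2", "11.5.4", "11.5.4 HF1", "11.5.4 HF2",
    "11.5.4 HF3", "11.5.4 HF4", "11.5.5", "11.5.6", "11.5.7", "11.5.8", "11.5.9",
    "11.5.10", "11.6.0", "11.6.0 HF1", "11.6.0 HF2", "11.6.0 HF3", "11.6.0 HF4",
    "11.6.0 HF5", "11.6.0 HF6", "11.6.0 HF7", "11.6.0 HF8", "11.6.1", "11.6.1 HF1",
    "11.6.1 HF2", "11.6.2", "11.6.2 HF1", "12.0.0", "12.0.0 HF1", "12.0.0 HF2",
    "12.0.0 HF3", "12.0.0 HF4",
]
FIXED_IN = ["12.1.0", "11.6.3"]

# "major.minor.maintenance" with an optional " HFn" hotfix suffix, e.g. "11.5.4 HF3".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s+HF(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn a BIG-IP version string into a comparable (major, minor, maint, hf) tuple.

    A release without a hotfix gets hf=0, so "11.6.3" sorts before "11.6.3 HF1".
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    major, minor, maint, hf = match.groups()
    return (int(major), int(minor), int(maint), int(hf or 0))


def status(version: str) -> str:
    """Classify a running version against this entry's lists.

    Returns "affected" for a version listed as known affected, "fixed" for a
    version at or above the fixed-in release on its own major.minor branch
    (or at or above the highest fixed-in release, on the assumption that later
    branches carry the fix), and "not listed" otherwise.
    """
    v = parse_version(version)
    if any(parse_version(a) == v for a in KNOWN_AFFECTED):
        return "affected"
    fixed = [parse_version(f) for f in FIXED_IN]
    for f in fixed:
        if v[:2] == f[:2] and v >= f:
            return "fixed"
    if v >= max(fixed):  # assumption: 13.x and later inherit the 12.1.0 fix
        return "fixed"
    return "not listed"


if __name__ == "__main__":
    for candidate in ("11.6.2 HF1", "11.6.3", "12.0.0 HF4", "12.1.0", "13.0.0", "11.5.11"):
        print(f"{candidate:12s} -> {status(candidate)}")
```

Feed it the output of `tmsh show sys version` (the "Version" and "Hotfix" fields joined as "11.6.2 HF1"); a "not listed" result means the entry gives no verdict for that build and the related article K32581271 should be consulted.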