Bug ID 641559: Session-based brute force resets failed logins counter upon successful login

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP ASM(all modules)

Fixed In:

Opened: Jan 26, 2017
Severity: 3-Major


ASM counts failed login attempts per session (browser cookie) and blocks an end user if the number of failed attempts exceeds a predefined threshold (default 5). If an ASM end user makes a successful login before the number of failed attempts reaches the threshold, the counter of failed attempts resets to zero.


An ASM end user is allowed a number of failed logins higher than the threshold. This happens only when that APM end user sends a successful login before the number of failures hits the threshold.


An ASM policy is attached to the virtual server, and the session-based brute force feature is configured along with the login page.
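
The counter behaviour described above can be modelled in a few lines and used as a regression check for login-throttling logic. This is an added example, not F5 code: the class names, the 600-second window and the sliding-window alternative are assumptions and do not describe how the ASM fix works.

```python
from collections import deque

THRESHOLD = 5  # default threshold quoted in the bug description


class ResetOnSuccess:
    """Model of the reported behaviour: a successful login zeroes the counter."""
    def __init__(self, threshold=THRESHOLD):
        self.threshold, self.failed, self.blocked = threshold, 0, False

    def record(self, success, now):
        if success:
            self.failed = 0
        else:
            self.failed += 1
            self.blocked = self.blocked or self.failed > self.threshold


class SlidingWindow:
    """Assumed alternative: failures expire by age only, never on success."""
    def __init__(self, threshold=THRESHOLD, window=600):
        self.threshold, self.window = threshold, window
        self.failures, self.blocked = deque(), False

    def record(self, success, now):
        # Drop failures older than the window before evaluating the new event.
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()
        if not success:
            self.failures.append(now)
            self.blocked = self.blocked or len(self.failures) > self.threshold


def failures_before_block(counter, events):
    """Return (failed logins processed before a block, whether a block occurred)."""
    count = 0
    for now, success in events:
        if counter.blocked:
            break
        counter.record(success, now)
        count += 0 if success else 1
    return count, counter.blocked


# Constructed session log of (seconds, success): four failures, one success, x3.
EVENTS = [(i * 10, i % 5 == 4) for i in range(15)]

if __name__ == "__main__":
    print(failures_before_block(ResetOnSuccess(), EVENTS))  # (12, False)
    print(failures_before_block(SlidingWindow(), EVENTS))   # (6, True)
```

On the constructed log, the reset-on-success model processes all 12 failures without blocking, while the windowed model blocks the session at the sixth failure.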



Fix Information

Session-based brute force now handles this issue.

Behavior Change