Bug ID 651947: Token validate response session variables created with no prefix might collide with other session variables.

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Mar 16, 2017
Severity: 3-Major

Symptoms

Token validate responses create session variables without any sub-prefix, which may result in collisions with other session variables.

Impact

Session variables created from a token validate response may collide with other session variables. If they collide with token introspect responses, one or the other will be overwritten, depending on the order in which the variables are executed.

Conditions

Executing a policy containing 'introspect' session variables such as 'authresult' and 'errMsg'.

Workaround

None.

Fix Information

The APM OAuth Token validate response now creates session variables with the prefix 'introspect' for session variables specific to the introspect response. This eliminates the potential for conflicts that overwrite previous session variables.

Upgrade Note: If you have existing access policy rules based on introspect response session variables, you must update those rules to use the new variable names.

Behavior Change