Bug ID 679735: Multidomain SSO infinite redirects from session ID parameters

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,

Fixed In:

Opened: Aug 22, 2017
Severity: 3-Major


If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop. In a packet capture, the policy completes on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server cannot find the session, and redirects back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.


Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.


Application with URL paramater containing 'sid', 'sess', or 'S' while using multidomain SSO.



Fix Information

Continue to lookup for token param to find session ID for multidomain SSO configuration even when the URI contains S/sess/sid query param to prevent infinite redirects.

Behavior Change