Bug ID 691075: Safari 11 can drop APM multidomain sso cookies

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Opened: Oct 26, 2017

Severity: 2-Critical

Symptoms

The browser enters an infinite redirect loop. The client begins with a GET to a resource. APM redirects to F5Networks-SSO-Req on the primary authentication domain. If the access policy has already completed, APM redirects to GET F5Networks-SSO-Resp on the original resource domain. APM then redirects to the original resource URL with a Set-Cookie header for the MRHSession cookie. At this point, the browser follows the redirect to the original resource URL but drops the cookie. When APM receives this request, it initiates the multi-domain SSO process again, and the browser is now in an infinite redirect loop.

Impact

Safari 11 clients will be unable to access some resources.

Conditions

The issue reproduces only if the resource is displayed in an iframe within the original web page, and only if the second-level domain names differ, e.g. resource.com and f5auth.com. This may be related to Safari 11's Intelligent Tracking Prevention, as the iframe setup looks very similar to cross-site tracking cookies.
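The following is an added example, not F5 code, that checks a captured redirect trace for the loop described under Symptoms and tests the cross-site condition described above. The hop tuple format, the trace values and the two-label "second-level domain" rule are assumptions; the cookie and URL names are those given in the bug description.

```python
from urllib.parse import urlsplit

SSO_REQ = "/F5Networks-SSO-Req"
SSO_RESP = "/F5Networks-SSO-Resp"
SESSION_COOKIE = "MRHSession"  # cookie name quoted in the bug description

def registrable_domain(host):
    """Second-level domain: app.resource.com -> resource.com. Assumption: no
    public-suffix list, so suffixes such as co.uk are not special-cased."""
    return ".".join(host.lower().split(".")[-2:])

def is_cross_site(resource_url, auth_url):
    """True when resource and auth host differ at the second level, the
    condition under which Safari 11 drops the cookie inside an iframe."""
    return (registrable_domain(urlsplit(resource_url).hostname)
            != registrable_domain(urlsplit(auth_url).hostname))

def find_dropped_cookie_loop(trace):
    """trace: list of hops (method, url, cookies_sent, status, location,
    set_cookie_name). Returns the index of the request that re-enters the
    SSO flow without presenting the session cookie APM just set, or None."""
    armed = None  # URL APM redirected to while setting the session cookie
    for i, (_m, url, cookies, status, location, set_cookie) in enumerate(trace):
        loc_path = urlsplit(location).path if location else ""
        if armed and url == armed:
            if (SESSION_COOKIE not in cookies and status in (301, 302, 307)
                    and loc_path == SSO_REQ):
                return i      # cookie dropped, flow restarted: the loop
            armed = None      # cookie presented, flow completed normally
        if urlsplit(url).path == SSO_RESP and set_cookie == SESSION_COOKIE:
            armed = location
    return None

# Constructed trace modelled on the symptom description (resource.com vs f5auth.com).
LOOPING_TRACE = [
    ("GET", "https://app.resource.com/portal/", {}, 302,
     "https://sso.f5auth.com/F5Networks-SSO-Req", None),
    ("GET", "https://sso.f5auth.com/F5Networks-SSO-Req", {SESSION_COOKIE: "a1"}, 302,
     "https://app.resource.com/F5Networks-SSO-Resp", None),
    ("GET", "https://app.resource.com/F5Networks-SSO-Resp", {}, 302,
     "https://app.resource.com/portal/", SESSION_COOKIE),
    ("GET", "https://app.resource.com/portal/", {}, 302,  # cookie missing
     "https://sso.f5auth.com/F5Networks-SSO-Req", None),
]
# Same flow when the browser keeps the cookie: the last hop succeeds.
HEALTHY_TRACE = LOOPING_TRACE[:3] + [
    ("GET", "https://app.resource.com/portal/", {SESSION_COOKIE: "a1"}, 200, None, None)]
```

Run the detector over a browser HAR or proxy capture converted to the hop format to confirm whether a reported loop matches this bug before changing client settings.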

Workaround

Do not use the iframe construction with different second-level domain names. If the iframe construction is used, some browser options can be changed instead. For iOS clients, turn off the "Prevent Cross-Site Tracking" option. For OSX clients, change the cookie privacy option to "Always Allow".

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips