Bug ID 722294: Reported session ID keeps changing for the same user session when ASM does not track sessions

Last Modified: Oct 06, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Fixed In:
14.1.0

Opened: May 30, 2018
Severity: 4-Minor

Symptoms

A reported session ID is not maintained for the same user session.

Impact

The TS cookie is not created since there is no cookie-enforcing feature that is turned on (such as session tracking). Although this is correct behavior, it might result in confusion when there is a different, random session ID on each request.

Conditions

-- Simple, feature-less policy (i.e., policy contains only attack signatures). -- There are no cookies coming in from the server.

Workaround

Turn on a cookie-related feature (such as session tracking).

Fix Information

session_id is no longer shown in request log when TS cookie does not exist. This prevents any potential confusion when viewing the logs in this situation.

Behavior Change