Bug ID 738148: Misleading 'Invalid Nonce' error message

Last Modified: Jan 20, 2023


Affected Product:
BIG-IP APM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3

Fixed In:
15.0.0

Opened: Jul 25, 2018
Severity: 3-Major

Symptoms

An error occurs during access policy evaluation, resulting in a redirect to /my.logout.php3?errorcode=21. The end-user receives a logout/deny page that displays an error message of 'Invalid Nonce', which is an inaccurate and confusing message.

Impact

The error message of 'Invalid Nonce' is partially correct, since sessionID rotation is a form of cryptographic nonce. But the message is very confusing for end-users. It is also confusing for admins who do not think they have configured any nonce-based protocols. The error message should be more related to the real problem of invalid sessionID.

Conditions

'Invalid Nonce' is normally reserved for On-Demand Cert Auth nonce failures. It is also being mistakenly shown for some cases of invalid APM session IDs, especially a sessionID that fails any security checks. This can sometimes be the symptom of the 'retry-after-reset' scenario. In this scenario, there is an unrelated failure in the access policy evaluation resulting in a reset being sent to the client. The client then tries to retry the original request. If the APM system has already rotated the sessionID (a security defense against session hijacking), then the retry has a stale sessionID. This invalid session ID results in displaying 'Invalid Nonce'.
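The retry-after-reset sequence above, as an added illustrative model (not BIG-IP APM code): a store that rotates session IDs on every accepted step, a step that fails after rotation so the client retries with the ID it still holds, and a classifier that names that failure a stale session ID instead of 'Invalid Nonce'. The class and function names are assumptions; only the redirect target comes from this bug.

```python
# Constructed model of the 'retry-after-reset' scenario: session-ID rotation,
# an unrelated failure after rotation, and a retry carrying the old ID.
# Not BIG-IP APM code; names below are hypothetical.
import secrets

LOGOUT_URL = "/my.logout.php3?errorcode=21"  # redirect target quoted in the bug


class SessionStore:
    """Server side: one live ID per session, rotated on every accepted request."""

    def __init__(self):
        self.current = {}      # live sessionID -> session record
        self.retired = set()   # IDs that were valid once; kept so the failure can be named

    def create(self):
        sid = secrets.token_hex(16)
        self.current[sid] = {"step": 0}
        return sid

    def rotate(self, sid):
        """Retire sid and move its record to a fresh ID (anti-hijacking defense)."""
        record = self.current.pop(sid)
        self.retired.add(sid)
        new_sid = secrets.token_hex(16)
        self.current[new_sid] = record
        return new_sid

    def classify(self, sid):
        """Distinguish a stale (rotated-away) ID from one that never existed."""
        if sid in self.current:
            return "ok"
        if sid in self.retired:
            return "stale_session_id"   # the case the bug mislabels as 'Invalid Nonce'
        return "unknown_session_id"


def evaluate_policy(store, sid, fail_step=False):
    """One access-policy step. Returns (status, next_sid or redirect target)."""
    status = store.classify(sid)
    if status != "ok":
        return status, LOGOUT_URL
    store.current[sid]["step"] += 1
    new_sid = store.rotate(sid)          # rotation has already happened...
    if fail_step:
        return "reset", new_sid          # ...when an unrelated failure resets the client
    return "ok", new_sid


def retry_after_reset(store):
    """Request -> reset (client never learns the new ID) -> retry with the old ID."""
    sid = store.create()
    status, _ = evaluate_policy(store, sid, fail_step=True)
    assert status == "reset"
    return evaluate_policy(store, sid)   # the retry carries the stale ID
```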

Workaround

There is no workaround at this time.

Fix Information

None

Behavior Change