Last Modified: May 29, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6
Fixed In:
15.0.0
Opened: Jul 25, 2018 Severity: 3-Major
An error occurs during access policy evaluation, resulting in a redirect to /my.logout.php3?errorcode=21. The end user receives a logout/deny page that displays the error message 'Invalid Nonce', which is inaccurate and confusing.
The error message 'Invalid Nonce' is only partially correct: a rotated session ID is, in effect, a single-use value, so a stale one is rejected much as a reused nonce would be. But the message is very confusing for end users, and for administrators who have not configured any nonce-based protocol. The error message should describe the real problem: an invalid session ID.
'Invalid Nonce' is normally reserved for On-Demand Cert Auth nonce failures. It is also mistakenly shown for some cases of invalid APM session IDs, in particular a session ID that fails any of the security checks. This can be a symptom of the 'retry-after-reset' scenario: an unrelated failure during access policy evaluation causes a reset to be sent to the client, and the client then retries the original request. If the APM system has already rotated the session ID (a defense against session hijacking), the retry carries a stale session ID, and that invalid session ID is what produces 'Invalid Nonce'.
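The following is an added illustration, not F5 code and not a description of how BIG-IP APM is implemented internally. It is a small Python model of the two failure classes the report conflates: a session ID that went stale because it was rotated before the client retried, and a genuine On-Demand Cert Auth nonce mismatch. The class and function names (SessionStore, Reason, retry_after_reset, conflated_message, precise_message) are assumptions made for the example; the point is that keeping a short lookaside map of retired IDs lets the server tell a stale retry apart from a forged ID and report the accurate reason instead of 'Invalid Nonce'.

```python
"""Model of session-ID rotation versus nonce validation (added example, not
F5 code). Shows why a stale session ID after a reset is a different failure
from a bad cert-auth nonce, and why reporting both as 'Invalid Nonce' misleads."""
import secrets
from enum import Enum


class Reason(Enum):
    OK = "ok"
    INVALID_NONCE = "invalid nonce"        # on-demand cert auth nonce mismatch
    STALE_SESSION = "stale session id"     # id was rotated before the client retried
    UNKNOWN_SESSION = "unknown session id" # never issued, or not in the retired map


class SessionStore:
    """Toy server-side store (hypothetical). Rotation keeps the old id in a
    lookaside map so a stale retry can be distinguished from a forged id."""

    def __init__(self):
        self.active = {}   # sid -> {"user": ..., "nonce": ...}
        self.retired = {}  # old sid -> replacement sid

    def create(self, user):
        sid = secrets.token_hex(16)
        self.active[sid] = {"user": user, "nonce": None}
        return sid

    def rotate(self, sid):
        """Issue a fresh id for an existing session (defense against hijacking)."""
        state = self.active.pop(sid)
        new_sid = secrets.token_hex(16)
        self.active[new_sid] = state
        self.retired[sid] = new_sid
        return new_sid

    def issue_nonce(self, sid):
        """Hand out a one-time nonce, as a cert-auth challenge would."""
        nonce = secrets.token_hex(8)
        self.active[sid]["nonce"] = nonce
        return nonce

    def classify(self, sid, nonce=None):
        """Return the precise failure reason for a presented session id/nonce."""
        if sid not in self.active:
            return Reason.STALE_SESSION if sid in self.retired else Reason.UNKNOWN_SESSION
        expected = self.active[sid]["nonce"]
        if expected is not None and nonce != expected:
            return Reason.INVALID_NONCE
        return Reason.OK


def conflated_message(reason):
    """Reproduces the confusing behaviour described in the report: every
    non-OK outcome is surfaced to the user as 'Invalid Nonce'."""
    return "OK" if reason is Reason.OK else "Invalid Nonce"


def precise_message(reason):
    """What the deny page should say: the actual reason."""
    return reason.value


def retry_after_reset():
    """Walk through the retry-after-reset scenario: policy evaluation fails,
    the server rotates the id and resets the connection, and the client
    retries the original request with the id it still holds."""
    store = SessionStore()
    old_sid = store.create("alice")
    store.rotate(old_sid)              # unrelated failure -> rotate + reset
    reason = store.classify(old_sid)   # client retries with the stale id
    return reason, conflated_message(reason), precise_message(reason)


def bad_cert_auth_nonce():
    """A genuine nonce failure, the case 'Invalid Nonce' is actually meant for."""
    store = SessionStore()
    sid = store.create("bob")
    store.issue_nonce(sid)
    return store.classify(sid, nonce="not-the-issued-nonce")


if __name__ == "__main__":
    reason, shown, accurate = retry_after_reset()
    print(f"stale retry -> shown: {shown!r}, accurate: {accurate!r}")
    print(f"bad nonce   -> {precise_message(bad_cert_auth_nonce())!r}")
```

Running the block prints the conflated message ('Invalid Nonce') next to the accurate one ('stale session id') for the retry case, making the report's complaint concrete: both scenarios look identical to the user and the administrator unless the server distinguishes a retired ID from a nonce mismatch.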
There is no workaround at this time.
None