Bug ID 752217: Invalid Bot Defense Cookie might be raised when browser is open for too long

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Fixed In:
15.0.0

Opened: Dec 07, 2018

Severity: 3-Major

Symptoms

When using a Bot Defense profile, if a browser page remains open too long (more than 24 hours) without surfing the webserver, BIG-IP raises an "Invalid Bot Defense Cookie" anomaly and mitigates the request.

Impact

Clients are mitigated by this anomaly.

Conditions

-- Bot Defense Profile is attached to VS.
-- Browser remains open for more than 24 hours without surfing the site (after first surfing to the site).

Workaround

Add an exception for "Invalid Bot Defense Cookie" set to "Captcha". Clients will have to solve a CAPTCHA, but the cookies will then be renewed and the issue will be resolved (no more CAPTCHAs).

Fix Information

The anomaly is no longer raised when the securemsg key does not exist.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips