Bug ID 752217: Invalid Bot Defense Cookie might be raised when browser is open for too long

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3

Fixed In:
15.0.0

Opened: Dec 07, 2018
Severity: 3-Major

Symptoms

When using a Bot Defense profile, if a browser page remains open too long (more than 24 hours) without surfing the webserver, BIG-IP raises an Anomaly "Invalid Bot Defense Cookie" and mitigates the request.

Impact

Clients are mitigated by this anomaly.

Conditions

-- Bot Defense Profile is attached to VS.
-- Browser remains open for more than 24 hours without surfing the site (after first surfing to the site).

Workaround

Add an exception for "Invalid Bot Defense Cookie" set to "Captcha". Clients will have to solve a CAPTCHA, but the cookies will be renewed and the issue will be resolved (no more CAPTCHAs).

Fix Information

The anomaly is no longer raised when the securemsg key does not exist.

Behavior Change