Bug ID 879777: Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge

Last Modified: Nov 07, 2022


Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5

Fixed In:
16.0.0, 15.1.1, 14.1.2.8

Opened: Feb 11, 2020
Severity: 4-Minor

Symptoms

After configuring the "validate upon request" option in "Cross Domain Requests" in a Bot Defense profile, JS challenges continue to be sent.

Impact

The browser receives another JS challenge instead of retrieving the cookie from the related domain. This causes extra latency for the client.

Conditions

-- Bot Defense profile is enabled
-- "Cross Domain Request":"validate upon request" option is enabled
-- A browser navigates to a qualified (HTML) page from a related domain.

Workaround

Use the "validate in a bulk" option.

Fix Information

The browser now retrieves the cookie from the related domain even if the page is qualified.

Behavior Change