Bug ID 964245: ASM reports and enforces username always

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
13.1.3, 13.1.4, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 16.0.0, 16.0.1, 17.0.0

Fixed In:
16.1.0, 15.1.4, 13.1.5

Opened: Nov 11, 2020

Severity: 3-Major


When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, a username that arrives in an Authorization header is enforced even when the requested URL is not configured as a login URL at all.


The username from the Authorization header appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.


Session tracking is enabled for login URLs with the Username Threshold set to 1.



Fix Information

The username from the Authorization header no longer appears with status = BLOCK-ALL in the session tracking status list.

Behavior Change
