Bug ID 964245: ASM reports and enforces username always

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 13.1.4, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 16.0.0, 16.0.1, 17.0.0

Fixed In:
16.1.0, 15.1.4, 13.1.5

Opened: Nov 11, 2020
Severity: 3-Major


When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, a username that arrives in an Authorization header is enforced even if the URL of the request carrying that header is not configured as a login URL at all.


The username from the Authorization header appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.


Session tracking is enabled for login URLs with the Username Threshold set to 1.
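A triage sketch for the condition described above, added here as an example and not F5 code: it cross-references usernames marked BLOCK-ALL against where they were seen in `Authorization: Basic` headers and reports those seen only on URLs outside the login URL list. The input shapes (a list of URL and header pairs, a set of blocked usernames exported by hand) and all names are assumptions; the sample data is constructed.

```python
import base64

def basic_auth_username(header):
    """Return the username from an 'Authorization: Basic ...' value, else None."""
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    username, sep, _ = decoded.partition(":")
    return username if sep and username else None

def suspect_block_entries(requests, login_urls, blocked_usernames):
    """Map each BLOCK-ALL username to the non-login URLs where it appeared in an
    Authorization header, skipping usernames that also appeared on a login URL."""
    seen_on_login, seen_elsewhere = set(), {}
    for url, auth_header in requests:
        user = basic_auth_username(auth_header)
        if user is None or user not in blocked_usernames:
            continue
        path = url.split("?", 1)[0]  # compare on the path, ignoring the query string
        if path in login_urls:
            seen_on_login.add(user)
        else:
            seen_elsewhere.setdefault(user, []).append(path)
    return {u: sorted(set(p)) for u, p in seen_elsewhere.items()
            if u not in seen_on_login}

def _basic(user, password):
    """Build a Basic Authorization value for the constructed sample below."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample input (assumed format, not an ASM export).
LOGIN_URLS = {"/login"}
REQUESTS = [
    ("/login", _basic("alice", "x")),
    ("/api/report?id=7", _basic("bob", "x")),
    ("/api/report?id=8", _basic("alice", "x")),
    ("/static/app.js", "Bearer abc.def"),
    ("/api/export", _basic("carol", "x")),
]
BLOCKED = {"alice", "bob"}  # usernames listed with status = BLOCK-ALL

if __name__ == "__main__":
    print(suspect_block_entries(REQUESTS, LOGIN_URLS, BLOCKED))
```

Usernames returned by `suspect_block_entries` are candidates for having been blocked through this bug rather than through a configured login URL.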



Fix Information

The username from the Authorization header no longer appears with status = BLOCK-ALL in the session tracking status list.

Behavior Change