Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Mar 02, 2015

APM swallowing JSESSIONID cookie; workaround possible by copying cookie to return stream?

Hi, all - we have a layer 7 VIP secured with an APM policy. The VIP proxies to a Tomcat server, which returns a JSESSIONID cookie after user logon. Sporadically, the F5 does not return the JSESSIONI...
BIG-IP Access Policy Manager (APM)
deployment
jsessionid
security
tomcat
daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jun 14, 2015

Putting a close to this whole question - I did successfully implement the code to copy the JSESSIONID header from the incoming response to the outgoing response, in both directions - and it didn't fix the issue. It turns out there was another device between the F5 and the real servers - and that device was occasionally caching in an incorrect way. Once that caching behavior was fixed on that proxy, the issue disappeared.

 

But it was an interesting effort, looking for it, and I certainly learned more about the event lifecycle - so there is that!