Forum Discussion
Bot protection "Browser Verification" results/experience
I am just wondering what everyone's user experience has been with "Browser Verification" when enabling anything other than the defaults via any Bot Protection profile.
For instance, if I have Browser Verification set to anything other than "Challenge Free Verification" in our SharePoint environments, "funky" things will happen, such as users getting a bot error/reference ID page when attempting to sign out, or an EXTREME amount of false positives occur and user traffic is impacted.
In environments with older Java-based apps, it will cause some browsers to automatically sign out when clicking any link in the web application after login (as if cookie persistence is blocked).
I have gone back and forth with F5 in almost all my attempts to enable this feature (as browser fingerprinting is something we really would like to utilize) but we just can't get it working in most cases (even with workarounds such as single page application or enabling a DoS profile in transparent mode).
Is something like Device ID+ the solution for all of my problems? https://www.f5.com/products/security/shape-security/f5-device-idplus
- Romain_SALMONAltostratus
Hello,
The presence of the "X-Requested-With: XMLHttpRequest" header indicates that the request is sent by an AJAX call, which explains this malfunction. Indeed, the JavaScript originating this call is not capable of responding to the challenge sent by the F5 gateway.
The only way was to change the configured LTM policy:
FOR AJAX CALLS:
If an HTTP header named X-Requested-With exists at request, then enable asm and disable botdefense.
FOR RESTful or SOAP APIs:
If the HTTP header (full string) named Content-Type contains any of json/XML at request, enable asm and disable botdefense at request time.
Nevertheless, this exception can open access to scrapers... So I still didn't do it.
Have a great day,
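The two exemptions described in the reply above, modelled as an added example (not part of the original post and not F5 configuration): it replays request records against both rules and lists the paths that would skip bot defense without being known AJAX or API endpoints, which is the exposure the reply warns about. The function names, the sample records and the expected-endpoint set are constructed assumptions.

```python
from collections import Counter

# Substrings the second rule looks for in Content-Type (from the reply).
API_CONTENT_TYPES = ("json", "xml")


def skips_bot_defense(headers):
    """Return the exempting rule ("ajax" or "api"), or None if bot defense still applies."""
    h = {k.lower(): v for k, v in headers.items()}
    # Rule 1: header X-Requested-With exists -> botdefense disabled.
    if "x-requested-with" in h:
        return "ajax"
    # Rule 2: Content-Type contains json or xml -> botdefense disabled.
    ctype = h.get("content-type", "").lower()
    if any(t in ctype for t in API_CONTENT_TYPES):
        return "api"
    return None


def exemption_report(requests):
    """Count exempted requests per (rule, path)."""
    report = Counter()
    for req in requests:
        rule = skips_bot_defense(req["headers"])
        if rule:
            report[(rule, req["path"])] += 1
    return report


def unexpected_exemptions(report, expected_paths):
    """Exempted paths that are not on the list of known AJAX/API endpoints."""
    return sorted({path for (_, path) in report if path not in expected_paths})


# Constructed sample records (hypothetical paths, not taken from the thread).
SAMPLE = [
    {"path": "/cart/update", "headers": {"X-Requested-With": "XMLHttpRequest"}},
    {"path": "/api/orders", "headers": {"Content-Type": "application/json"}},
    {"path": "/api/orders", "headers": {"Content-Type": "text/xml; charset=utf-8"}},
    {"path": "/products/list", "headers": {"Accept": "text/html"}},
    # Both headers are set by the client, so an HTML page can end up exempted too.
    {"path": "/products/list", "headers": {"X-Requested-With": "XMLHttpRequest"}},
]

if __name__ == "__main__":
    report = exemption_report(SAMPLE)
    for (rule, path), count in sorted(report.items()):
        print(f"{rule:4} {path:16} {count}")
    print("review:", unexpected_exemptions(report, {"/cart/update", "/api/orders"}))
```

Any path listed under "review" is a candidate for scoping the exemption to specific endpoints instead of matching on the header alone.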
- Romain_SALMONAltostratus
In my experience with an e-commerce website:
The problem with the strict parameter 'verify before access' was about the marketing (SEO): the website was loaded twice and I had a problem accessing a jpg or png image directly if I hadn't accessed the website before. I changed this parameter this morning to this one: "verify after access".
But two anomalies appeared: High number of HTML transactions since JavaScript verification
Browser Masquerading (Malicious Bot). ==> I tried to put this one with the "Alarm" action ==> Request still blocked.
Browser verification timed out
So I put it off and I'll open a ticket.
Have a great one!
- habNimbostratus
Hi my friend - did you by any chance find a solution for the following:
But two anomalies appeared : High number of HTML transactions since JavaScript verification
Browser Masquerading (Malicious Bot).
I am facing the same issue. Any help will be appreciated.