I have a question regarding the ASM brute force login mitigation feature using captchas.
Based on the failed logins setting the user gets challenged with a captcha. After solving the captcha successfully the user gets redirected back to the login page. Entering the correct credentials this time forces another captcha challenge! If this is solved successfully the user is allowed to enter the website.
I can't understand this last captcha challenge because the user has entered the correct credentials before. He shouldn't be challenged again at this point.
The sequence when using captchas is not documented in that very detail, so could it be that the last captcha is one too many?
Has anyone had a similar experience or does anyone know how ASM should work at this stage?
Tested with versions 184.108.40.206 and 14.1.
You shouldn't get the 2nd CAPTCHA. Although I have seen some difference in behavior when hitting enter after solving the CAPTCHA vs actual clicking on the button. Do you have 2 illegal request log entries when you have this issue?
I have never seen this on v12.1.x branch, so difficult to comment for v13/14, this potentially might be related to your application specifics or configuration details. Also the problem might be in 'Re-enable login after' settings - do you have it configured?
Unfortunately there is no "Re-enable login after" setting anymore in v13.1 & 14.
While digging through the documentation I found the following statement within https://support.f5.com/csp/article/K18650749:
"Note that successful logins do not reset the failed login attempts over the detection period."
But even this statement doesn't fully explain the observed behaviour.