Health.php giving inconsistent results after upgrade to 4.2.0

Article ID: 417262

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM admins commonly check health from a browser to verify that the external load balancer will exclude the right nodes, mostly while setting or resetting maintenance mode on individual PAM servers, e.g. during patching. The admin checking health and load balancer behavior may not be the one setting maintenance mode and does not want to have to log on to each node first. This used to work fine but appears to be broken after the upgrade to 4.2.0.

Cause

A security fix in the 4.2 release that protects against injection attacks flagged all but the first health.php call as suspicious and prevented them from completing, because the browser included the session ID established during the first call in subsequent calls. The failure is not observed in a browser where the user also has an authenticated session, and thus a valid session ID, on the same PAM node, which makes the problem look inconsistent. In a new browser window with no authenticated PAM session, the first call to health.php succeeds, since the new browser instance has no session ID from a previous call, while subsequent calls fail, reinforcing the perception of inconsistent results.

Resolution

This problem is resolved in PAM 4.3 and will be resolved in the upcoming 4.2.4 maintenance release.

Note that health checks by load balancers are not affected, because load balancers do not include the session ID from a previous check in a new one.
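
The pattern described under Cause and in the note above, reproduced against a local stub as an added example (not PAM code and not part of the original article). The stub's cookie name, the 403 status and the "OK" body are assumptions chosen only to model "first call succeeds, later calls carrying the session ID fail"; the script contrasts a browser-like client that replays the cookie with a load-balancer-like client that sends none.

```python
import http.cookiejar
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

NO_PROXY = urllib.request.ProxyHandler({})  # always talk to the local stub directly


class StubHealth(BaseHTTPRequestHandler):
    """Constructed stand-in for an affected node; not PAM code or PAM responses."""

    def do_GET(self):
        if self.headers.get("Cookie"):
            # Models the behaviour described above: a call carrying a session
            # ID from an earlier health check is refused (403 is an assumption).
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Set-Cookie", "SESSIONID=constructed; Path=/")
        self.end_headers()
        self.wfile.write(b"OK")

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(opener, url):
    """Return the HTTP status of one health call made through `opener`."""
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo(calls=3):
    with HTTPServer(("127.0.0.1", 0), StubHealth) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/health.php"
        # Browser-like client: replays the cookie set by the first response.
        jar = urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar())
        browser = urllib.request.build_opener(NO_PROXY, jar)
        with_cookie = [probe(browser, url) for _ in range(calls)]
        # Load-balancer-like client: every check starts with no cookies.
        stateless = [probe(urllib.request.build_opener(NO_PROXY), url) for _ in range(calls)]
        server.shutdown()
    return with_cookie, stateless
```

An admin who wants to see what the load balancer sees on an affected release can use the same approach against each node: a client that keeps no cookies between calls.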