JSESSIONID with Weblogic 10.3 and IDM 7.1.1.13

Hello All,

I hope you're enjoying the holidays. I wanted to make a post before the new year so I went back to review some of my old cases and I came up with this one.


Issue:

After an upgrade from 7.0 to 7.1.1.13 we would run a recon and then go check the recon status and we saw the error:


When I was trying to duplicate it on my box I was not able to see the same behavior. I tested many browsers and was still not able to duplicate it. What we found out was that the customer was using WebLogic 10.3 and I was running Tomcat.

Customer was running Weblogic 10.3 with jdk 1.6.0.11

His local JDK is also 1.6.0.11

Firefox is 3.5.2

IE (which I've also reproduced the issue with) 6.0.2900.5512 xpsp_3


So when I tried this on Weblogic 10.3 I was able to duplicate this. Now IDM does not issue the JSessionID but Weblogic does. Customer stated this worked in 10.1 so I checked what changed between the WebLogic versions. What I found was that the changes are listed at:


http://download.oracle.com/docs/cd/E12840_01/wls/docs103/notes/new.html

Largest change is jdk a move to JDK 1.6 and JDBC 4.0 support.


After quite a bit of testing and debugging and I determined it's a session issue. I have verified that the login configuration objects are the same for both server.

On the clean system which is working, the JSESSIONID requested by the applet is the same as the JSESSIONID that my browser already has. On the systems that were upgraded the JESESSIONID requested by the applet is NOT the same.

WORKING applet debug:


network: Cache entry not found [url: http://localhost:8080/idm/servlet/activitystatus?type=recon&id=%23ID%239F99B07EF5539812%3A14AD75FD%3A123387A0598%3A-7FB5, version: null]

network: Connecting http://localhost:8080/idm/servlet/activitystatus?type=recon&id=%23ID%239F99B07EF5539812%3A14AD75FD%3A123387A0598%3A-7FB5 with proxy=DIRECT

network: Connecting http://localhost:8080/idm/servlet/activitystatus?type=recon&id=%23ID%239F99B07EF5539812%3A14AD75FD%3A123387A0598%3A-7FB5 with cookie "JSESSIONID=275AA39D941A10E754DBA617DF3DCBC1"


HTTP Session

http://localhost:8080/idm/resources/reconStatus.jsp?id=Oracle+ERP%3AOracleERP&lang=en&cntry=US

1 cookie

Name JSESSIONID

Value 275AA39D941A10E754DBA617DF3DCBC1

Host localhost

Path /idm

Secure No

Expires At End Of Session


NOT WORKING applet debug:


network: Cache entry not found [url: http://idm:8010/idm/servlet/activitystatus?type=recon&id=%23ID%2363810CA51CE494A8%3A1185844%3A10F3439692A%3A-7FBC, version: null]

network: Connecting http://idm:8010/idm/servlet/activitystatus?type=recon&id=%23ID%2363810CA51CE494A8%3A1185844%3A10F3439692A%3A-7FBC with proxy=DIRECT

network: Server http://idm:8010/idm/servlet/activitystatus?type=recon&id=%23ID%2363810CA51CE494A8%3A1185844%3A10F3439692A%3A-7FBC requesting to set-cookie with "JSESSIONID=nhjYKSxbjz4LKJ0QYnpMMQWT7jXLrY23dvTD21mT57wHv4nfppZL!

-1708013428; path=/; HttpOnly="

http://idm:8010/idm/resources/reconStatus.jsp?id=Oracle+ERP%3AOracle-ERP&lang=en&cntry=US

1 cookie

Name JSESSIONID

Value p2jzKSxQHR5xJtQNvTR0kTGZb1P1D4GG37yGC7R1F0jfs64hvhzJ!-1708013428

Host idm

Path /

Secure No

Expires At End Of Session


So as you can see in the one that was working the JSESSIONID matched and the one that didn't the JSESSIONID didn't match. I did a search on WebLogic 10.3 and JSESSIONID and came up with the following link.


http://forums.oracle.com/forums/thread.jspa?messageID=3745820


In the link you will see that this is caused by a Weblogic session-descriptor cookie-http-only default value. By default, cookie-http-only is true. According the httponly directive, if httponly is true, then browser clients do not send out any cookies including JSESSIONID cookie when requesting any scripting codes such as Javascripts and Java applets.


The fix is to make the browser client send out cookies with such requests, you must set httponly FALSE. You can do this by by including the following in weblogic.xml file:

<session-descriptor>
<cookie-http-only>false</cookie-http-only>
</session-descriptor>

By the way, the latest weblogic 10.3 documentation is missing this fix.

Once we set this in the weblogic.xml file everything was working fine.

I am not sure how many people use this configuration and I have not heard this issue from anyone else with different Application Servers. So I hope this can be of use to someone.

Thanks,

    Jeff



Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

I have been in support for about 10 years now and have been doing IDM support for 5 years now. I have been working for SUN for 9 years and have supported the whole JES Stack during that time.

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today