1 reply Latest Post - ‏2011-04-29T06:06:34Z by kark
15 Posts

Pinned topic After LTPA token expired, HTTP request gets UnauthorizedSessionRequestExcep

‏2011-04-28T02:26:47Z |
From browser, user login, wait for the LTPA token expired, click the link in the web page, then get HTTP 500 error.
The WebSphere log shows the UnauthorizedSessionRequestException.
It looks like the logic was:
User click a link to access the protected resouce after LTPA token timeout, WebSphere redirect the browser to the login page (loginForm.jsp) according to web.xml configuration.
When browser request the login page, the previsou http session cookie is still in the HttpServletRequest. When servlet filter tried to access the HTTP session when handling the loginForm.jsp, it got UnauthorizedSessionRequestException because the current request has not be authenticated since the LTPA token expired, but the HTTP session is still valid and owned by previouse user.

What can we do for this situation? It sounds like WebSphere should invalid the HTTP session if the LTPA token is expired.

Here is the part of the ASBAuthenticationFilter which is in the stacktrace.
188 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
189 ServletException
190 {
191 System.out.println("enter ASBAuthenticationFilter.doFilter");
192 HttpServletRequest req = (HttpServletRequest) request;
193 HttpServletResponse res = (HttpServletResponse) response;
195 dumpCookie(req);
197 if (!req.isRequestedSessionIdValid()) {
198 System.out.println("isRequestedSessionIdValid return false for " + req.getRequestURL().toString());
199 req.getSession(false);
200 }
The related WebSphere log is in SystemOut.log.
4/27/11 22:04:01:694 EDT 00000036 webapp E logServletError SRVE0293E: Servlet Error-http://com.ascential.asb.web.root.loginForm_jsp: SESN0008E: A user authenticated as {0} has attempted to access a session owned by {1}.(anonymous,user:ASBRealm/b1c497ce.285feb.cfl2v6491.rpg84h3.5miir9.b50i47squa2rv9pbodvii00)
Updated on 2011-04-29T06:06:34Z at 2011-04-29T06:06:34Z by kark
  • kark
    18 Posts

    Re: After LTPA token expired, HTTP request gets UnauthorizedSessionRequestExcep

    ‏2011-04-29T06:06:34Z  in response to tzhao
    As per the servlet specification, the session expiration is based on inactivity. It has its own time out. We do not invalidate the session when the ltpa token has expired. Invalidating the session can lead to customer data being lost. This behavior should be consistent from previous releases when session security is enabled. It is enabled by default in v8.0 Beta.

    As per as your situation is concerned, can you try to get the session after the subject has been established after the re-login? We will investigate more to see if there are any other additional options available here.