IBM Support

JR48873: CMVC 233191 - CSRF error page shown instead of Logon in use message. Activity_id 0 may be in CTXMGMT too.

APAR status

  • Closed as program error.

Error description

  • This problem occurs when a user logs on in one browser and then
    in a second browser (this causes the session in the first browser
    to expire). When the user goes back to the first browser and
    clicks a CSRF-protected page, the CSRF error page is shown instead
    of the expected "Invalid cookie...Your logonId may be in use by
    another user" message.

    The CSRF exception handling first persists the temporary activity
    0 cookie on the browser side; the following request then re-uses
    this 0 activity cookie and persists it into the database when a
    logon or guest user is created.

    In the trace you may see that it tries to resolve the activity
    token and then throws an "invalid cookie" error (as expected),
    then it creates a generic view command context before we see the
    findContextSPI with the activity id of 0 (0:false:false:0). From
    that point the activity id of 0 is used and persisted to the DB.

    CommerceSrvr  E WCAuthenticationCookie getUserId CMN1039E: An
    invalid cookie was received for the user, your logonId may be in
    use by another user.

    WC_SERVER     3 -273d4725:142c741d2f6:-7cce
    com.ibm.commerce.webcontroller.WebControllerHelper.startRequestProcess(HttpServletRequest,HttpServletResponse,String,ServletContext,Integer)
    resolveActivityToken exception
    com.ibm.commerce.exception.ECSystemException: An invalid cookie
    was received for the user, your logonId may be in use by another
    user.

    WC_SERVER     3 -273d4725:142c741d2f6:-7cce
    com.ibm.commerce.webcontroller.WebControllerHelper.startRequestProcess(HttpServletRequest,HttpServletResponse,String,ServletContext,Integer)
    create generic view command context

    WC_BUSINESSCO > -273d4725:142c741d2f6:-7cce
    com.ibm.commerce.component.contextserviceimpl.BusinessContextServiceImpl.findContextSPI(ActivityToken, String) Entry
                                      0:false:false:0

    com.ibm.commerce.context.base.BaseContext
                                      <null>

    Then, instead of displaying the "invalid cookie...your logonId may
    be in use" error, the CSRF protection check is done:

    WC_SERVER     3 417de734:1426fe9d107:-8000
    com.ibm.commerce.browseradapter.HttpBrowserAdapter.preInvokeCommand(ViewCommandContext, HttpRequestAttributes) check for cross site scripting protection

    The CSRF check fails:

    WC_SERVER     3 417de734:1426fe9d107:-8000
    com.ibm.commerce.browseradapter.AbstractHttpBrowserAdapter.validateAuthenticationToken(ViewCommandContext) The request was
    passed with an authentication token value of
    2%2chfSTs1cZmGWOiIWQobJ1khASjac%3d and did not match the session
    cookie value.

    Then the activity token is persisted to the DB:

    WC_BUSINESSCO 3 -273d4725:142c741d2f6:-7cce
    com.ibm.commerce.component.contextserviceimpl.BusinessContextServiceImpl.persistActivityToken() ActivityToken persisted: 0

    Eventually you may see a DuplicateKeyException for the CTXMGMT
    table (for activity_id 0):

    CommerceSrvr  E
    com.ibm.commerce.webcontroller.WebControllerHelper
    commitRequestProcess(RequestHandle,boolean,boolean,boolean
    CMN0409E: The following error occurred during processing:
    "com.ibm.commerce.context.exception.BusinessContextServiceException: The following create operation exception has occurred
    during processing: "javax.ejb.DuplicateKeyException: DB2 SQL
    Error: SQLCODE=-803, SQLSTATE=23505,
    SQLERRMC=1;WCSADMIN.CTXMGMT, DRIVER=4.3.111DSRA0010E: SQL State
    = 23505, Error Code = -803".".
    com.ibm.commerce.context.exception.BusinessContextServiceException: The following create operation exception has occurred during
    processing: "javax.ejb.DuplicateKeyException: DB2 SQL Error:
    SQLCODE=-803, SQLSTATE=23505, SQLERRMC=1;WCSADMIN.CTXMGMT,
    DRIVER=4.3.111DSRA0010E: SQL State = 23505, Error Code = -803".
       at com.ibm.commerce.component.contextserviceimpl.ActivityTokenProcessor.persistActivityToken(ActivityTokenProcessor.java:180)
       at com.ibm.commerce.component.contextserviceimpl.BusinessContextServiceImpl.persistActivityToken(BusinessContextServiceImpl.java:1591)
       at com.ibm.commerce.component.contextserviceimpl.BusinessContextServiceImpl.endRequest(BusinessContextServiceImpl.java:749).
     ...
     Caused by: javax.ejb.DuplicateKeyException: DB2 SQL Error:
    SQLCODE=-803, SQLSTATE=23505, SQLERRMC=1;WCSADMIN.CTXMGMT,
    DRIVER=4.3.111DSRA0010E: SQL State = 23505, Error Code = -803
    

Local fix

  • Disable CSRF protection if it is not required.
    

Problem summary

  • USERS AFFECTED:
     WebSphere Commerce 7 users who have CSRF protection enabled.
    
     PROBLEM ABSTRACT:
     CSRF error page shown instead of Logon in use message.
    Activity_id 0 may be in CTXMGMT too.
    
    BUSINESS IMPACT:
    Users are shown the CSRF error page instead of the "invalid
    cookie...your logonId may be in use" message. You may also
    notice a DuplicateKeyException for the CTXMGMT table (for
    activity_id 0).
    
     RECOMMENDATION:
    

Problem conclusion

  • The CSRF error will only be shown if there are no other
    exceptions. For example, if the user logged on from a second
    browser (invalidating the session on the first browser) and then
    goes back to the first browser and clicks a link or button to a
    CSRF-protected page, the "invalid cookie...your logonId may be in
    use" error will now be shown.

    This should also prevent activity_id 0 from being saved to the
    CTXMGMT table in this scenario.
     -------------------------------------------------------------
     The latest available maintenance information can be obtained
    from the Recommended Fixes for WebSphere Commerce technote:
     http://www.ibm.com/support/docview.wss?rs=3046&uid=swg21261296
    
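The request flow from the error description and the corrected precedence from the problem conclusion, as an added Python model that is not WebSphere Commerce code: process_request, ActivityStore, run_scenario and the exception classes are assumed names standing in for the real components, and the store is a toy for the CTXMGMT primary key.

```python
# Added model of the APAR JR48873 request flow; all names are assumptions.
TEMP_ACTIVITY_ID = 0  # id of a generic view command context (0:false:false:0)

class InvalidCookieError(Exception):
    """CMN1039E: invalid cookie, logonId may be in use by another user."""

class CsrfError(Exception):
    """Authentication token did not match the session cookie value."""

class DuplicateKeyError(Exception):
    """Stand-in for DB2 SQLCODE=-803 on the CTXMGMT primary key."""

class ActivityStore:
    """Stand-in for the CTXMGMT table, keyed on activity_id."""

    def __init__(self):
        self.rows = set()

    def create(self, activity_id):
        if activity_id in self.rows:
            raise DuplicateKeyError(f"CTXMGMT activity_id={activity_id}")
        self.rows.add(activity_id)

def process_request(req, live_sessions, store, fixed):
    """Run one request; return the name of the error page shown, or None."""
    first_error, csrf_error, is_new_token = None, None, False
    activity_id = req["activity_cookie"]
    if activity_id not in live_sessions:      # resolveActivityToken exception
        first_error = InvalidCookieError("CMN1039E")
        activity_id, is_new_token = TEMP_ACTIVITY_ID, True  # generic context
    if req["auth_token"] != req["session_csrf"]:  # validateAuthenticationToken
        csrf_error = CsrfError("token did not match the session cookie")
    # Bug: the CSRF check runs last and masks the earlier invalid-cookie error.
    # Fix: the CSRF error is shown only when no other exception occurred.
    error = (first_error or csrf_error) if fixed else (csrf_error or first_error)
    # endRequest -> persistActivityToken: the fix never writes placeholder id 0
    if is_new_token and not fixed:
        store.create(activity_id)
    return type(error).__name__ if error else None

def run_scenario(fixed):
    """Stale first-browser request sent twice after a second-browser logon."""
    store, live_sessions = ActivityStore(), {43}  # only browser 2 is live
    stale = {"activity_cookie": 42, "auth_token": "old", "session_csrf": "new"}
    outcomes = []
    for _ in range(2):
        try:
            outcomes.append(process_request(stale, live_sessions, store, fixed))
        except DuplicateKeyError:
            outcomes.append("DuplicateKeyError")
    return outcomes, sorted(store.rows)
```

With fixed=False the second stale request reproduces the DuplicateKeyException on activity_id 0; with fixed=True the user sees the invalid-cookie error and nothing is written for the placeholder.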

Temporary fix

Comments

APAR Information

  • APAR number

    JR48873

  • Reported component name

    WC BUS EDITION

  • Reported component ID

    5724I3800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / Pervasive

  • Submitted date

    2013-12-18

  • Closed date

    2014-03-17

  • Last modified date

    2014-03-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WC BUS EDITION

  • Fixed component ID

    5724I3800

Applicable component levels

  • R700 PSY

       UP


Document Information

Modified date:
17 March 2014