IBM Support

PI18177: ADD ADDITIONAL CHECK IN SESSION MANAGER TO REMOVE INCORRECT CLONEIDS IF HTTPSESSIONCLONEID PROPERTY IS SET.

Fixes are available

8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
7.0.0.35: WebSphere Application Server V7.0 Fix Pack 35
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.0.0.10: WebSphere Application Server V8.0 Fix Pack 10
7.0.0.37: WebSphere Application Server V7.0 Fix Pack 37
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
7.0.0.39: WebSphere Application Server V7.0 Fix Pack 39
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
7.0.0.41: WebSphere Application Server V7.0 Fix Pack 41
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.35: Java SDK 1.6 SR16 FP1 Cumulative Fix for WebSphere Application Server
7.0.0.37: Java SDK 1.6 SR16 FP3 Cumulative Fix for WebSphere Application Server
7.0.0.39: Java SDK 1.6 SR16 FP7 Cumulative Fix for WebSphere Application Server
7.0.0.41: Java SDK 1.6 SR16 FP20 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14


APAR status

  • Closed as program error.

Error description

  • Add an additional check in session manager to remove incorrect
    cloneIds if HttpSessionCloneId property is set.
    
    WebSphere Application Server V70
    Distributed operating systems
    

Local fix

  • NA
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server Full       *
    *                  Profile versions 7.0,  8.0, 8.5 and IBM     *
    *                  WebSphere Application Server Liberty        *
    *                  Profile version 8.5 users with a            *
    *                  clustered environment.                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: Session manager does not check for      *
    *                      invalid clone IDs when processing       *
    *                      JSESSIONID cookies.                     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    In a clustered environment, a typical JSESSIONID cookie may
    have a JSESSIONID value with a clone ID appended as a suffix.
    The clone ID is not used by the session manager to retrieve
    session information, thus by design a clone ID is not
    validated by the session manager.  In some extremely rare
    cases, users may still want session manager to validate clone
    IDs, thus session manager was updated to provide a way to
    enable clone ID validation.
    

Problem conclusion

  • The session management custom property ExpectedCloneIds was
    introduced to enable clone ID validation.  This
    custom property is designed to be used in conjunction with the
    HttpSessionCloneId session management custom property.  When
    these two custom properties are enabled, the session manager
    will compare an incoming clone ID against the ExpectedCloneIds
    list.  If the incoming clone ID does not match any of the
    clone IDs defined in ExpectedCloneIds, the session manager
    will purge all incoming clone IDs and normal session
    processing will continue.  Please refer to technote at
    http://www-01.ibm.com/support/docview.wss?uid=swg21675419 for
    information on how to configure your environment to enable
    clone ID validation.
    The fix for this APAR is currently targeted for inclusion in
    WebSphere Application Server fix packs 7.0.0.35, 8.0.0.10, and
    8.5.5.3. Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
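
The validation described above, modelled as an added Python example (not IBM's session manager code). It assumes ':' separates the session ID from the clone IDs and that a single unexpected clone ID causes all of them to be purged; the function names are hypothetical and the cookie values are constructed.

```python
# Added illustration; not IBM's session manager code.
# Assumption: ':' separates the session ID from each clone ID.
CLONE_SEPARATOR = ":"


def split_cookie_value(value):
    """Return (session_part, [clone_ids]) for a JSESSIONID cookie value."""
    session_part, *clone_ids = value.split(CLONE_SEPARATOR)
    # Drop empty fragments left by a trailing or doubled separator.
    return session_part, [c for c in clone_ids if c]


def validate_clone_ids(value, expected_clone_ids):
    """Return (normalized_value, purged), modelling the APAR's check.

    Assumption: one unexpected clone ID causes all of them to be purged.
    """
    session_part, clone_ids = split_cookie_value(value)
    if not clone_ids:
        return session_part, False
    if all(c in expected_clone_ids for c in clone_ids):
        return CLONE_SEPARATOR.join([session_part, *clone_ids]), False
    # Purge every incoming clone ID; lookup continues on session_part.
    return session_part, True


def unexpected_clone_ids(values, expected_clone_ids):
    """Detection helper: count each clone ID seen that is not expected."""
    counts = {}
    for value in values:
        for clone_id in split_cookie_value(value)[1]:
            if clone_id not in expected_clone_ids:
                counts[clone_id] = counts.get(clone_id, 0) + 1
    return counts


# Constructed sample data (not real session or clone IDs).
EXPECTED = {"cloneA01", "cloneB02"}
SAMPLES = [
    "0000sessAAAA:cloneA01",
    "0000sessBBBB:cloneA01:cloneB02",
    "0000sessCCCC:bogus999",
    "0000sessDDDD:cloneA01:bogus999",
    "0000sessEEEE",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", validate_clone_ids(sample, EXPECTED))
```

Running `unexpected_clone_ids` over cookie values taken from access logs shows which clone IDs would trigger a purge before the ExpectedCloneIds property is enabled.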
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI18177

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-05-16

  • Closed date

    2014-06-16

  • Last modified date

    2014-10-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI18177

Modified date: 23 October 2014