IBM Support

PI85394: WHEN USING WEBAPP SECURITY A SESSION MAY BE CREATED EVEN IF ONE SHOULD NOT BE CREATED FOR THE REQUEST


APAR status

  • Closed as program error.

Error description

  • When using Webapp, an HTTP session may be created even if one
    should not be created.
    
    For example, a JSP can have the directive session=false, which
    should prevent a session from being created.
    
    However, in the traces we see a session created while
    authenticating a user.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: When the security auditing is           *
    *                      enabled, an HTTP session cookie might   *
    *                      be created even if it should not.       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When security auditing is enabled, an HTTP session cookie
    (JSESSIONID) is created even when the application does not
    create a session. Because the runtime does not delete this
    session, excessive HTTP sessions can potentially be generated.
    The cause is that the security audit code invokes the
    getSession() method, which creates a session if one does not
    already exist.
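
The cause described above, as an added example (not IBM's audit code or its fix): a hypothetical servlet filter, `AuditFilter`, that records whether a request carries a session. The commented-out call is the pattern the APAR describes; `getSession(false)` returns null instead of creating a session, so a page declared with session=false stays sessionless.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical audit filter for illustration; class and method names are assumptions.
public class AuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(AuditFilter.class.getName());

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            LOG.info(describe((HttpServletRequest) req));
        }
        chain.doFilter(req, res);
    }

    // Builds the audit line without side effects on session state.
    static String describe(HttpServletRequest http) {
        // Pattern from the APAR: getSession() behaves like getSession(true), so
        // auditing alone would create a session and a JSESSIONID cookie.
        // HttpSession s = http.getSession();

        // Read-only lookup: returns null when the request has no session.
        HttpSession s = http.getSession(false);

        // Record presence only; the raw session ID is kept out of the log.
        String session = (s != null) ? "present" : "none";
        return "user=" + http.getRemoteUser()
                + " uri=" + http.getRequestURI()
                + " session=" + session;
    }

    @Override
    public void destroy() { }
}
```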
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PI85394

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-08-02

  • Closed date

    2017-08-10

  • Last modified date

    2017-08-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI85394

Modified date: 11 August 2017

