Fixes are available
8.5.5.1: WebSphere Application Server V8.5.5 Fix Pack 1
8.5.5.2: WebSphere Application Server V8.5.5 Fix Pack 2
8.5.5.3: WebSphere Application Server V8.5.5 Fix Pack 3
8.5.5.4: WebSphere Application Server V8.5.5 Fix Pack 4
8.5.5.5: WebSphere Application Server V8.5.5 Fix Pack 5
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
APAR status
Closed as program error.
Error description
The HTTP session manager checks for the existence of ANY cookie in the request header and does not encode the URL properly.
Problem scenario:
- Both the "Enable cookies" and "Enable URL rewriting" options are enabled.
- The browser does not accept cookies.
- If some tool between the browser and WebSphere Application Server inserts its own cookie, Application Server does not encode the URL.
Local fix
Problem summary
USERS AFFECTED: IBM WebSphere Application Server Version 8, and 8.5 users.
PROBLEM DESCRIPTION: When invoking the javax.servlet.http.HttpServletResponse.encodeURL() method, the session manager may not encode the session identifier when it is expected.
RECOMMENDATION:

When URL encoding is enabled, the session manager will not include the session identifier when cookies are allowed by the browser. This causes confusion as some expect it to be excluded only if the session cookie is present.
Problem conclusion
The WebSphere Application Server session manager will add a new custom property, CheckSessionCookieNameOnEncodeURL (default=false). Set this property to true to enable the Session Manager to only check for the existence of the HTTP session cookie when determining whether the session ID needs to be encoded in the URL.

Here are the steps for setting the custom property for session management at the server level:
1. In the administrative console click Servers > Server Types > WebSphere application servers > server_name > Session management.
2. Under Additional Properties select Custom Properties.
3. On the Custom Properties page, click New.
4. On the settings page, enter CheckSessionCookieNameOnEncodeURL in the Name field and true in the Value field.
5. Click Apply or OK.
6. Click Save on the console task bar to save your configuration changes.
7. Restart the server.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.7 and 8.5.5.1. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
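The following is an added example, not IBM's implementation and not code from this APAR: a simplified model of the encodeURL() decision described above, with the property off and on. The cookie name JSESSIONID, the ;jsessionid= rewriting form, the LB_STICKY cookie and the session ID value are assumptions or constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the session cookie uses the default servlet name.
SESSION_COOKIE_NAME = "JSESSIONID"


def cookie_names(cookie_header):
    """Return the set of cookie names found in a Cookie request header value."""
    names = set()
    for pair in (cookie_header or "").split(";"):
        name = pair.split("=", 1)[0].strip()
        if name:
            names.add(name)
    return names


def encode_url(url, session_id, cookie_header, check_session_cookie_name=False):
    """Model of the encodeURL() decision with cookies and URL rewriting both enabled.

    check_session_cookie_name stands in for the custom property
    CheckSessionCookieNameOnEncodeURL (default false).
    """
    names = cookie_names(cookie_header)
    if check_session_cookie_name:
        # Property true: only the session cookie itself suppresses rewriting.
        client_returns_cookie = SESSION_COOKIE_NAME in names
    else:
        # Property false: ANY cookie in the request suppresses rewriting.
        client_returns_cookie = bool(names)
    if client_returns_cookie:
        return url
    # Append the session ID as a path parameter, ahead of the query string.
    parts = urlsplit(url)
    path = f"{parts.path};jsessionid={session_id}"
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


if __name__ == "__main__":
    sid = "EXAMPLE-SESSION-ID"          # constructed sample value
    injected = "LB_STICKY=node2"        # constructed cookie added by an intermediary
    for flag in (False, True):
        print(flag, encode_url("/shop/cart?item=1", sid, injected, flag))
```

With the property left at false, the intermediary's cookie alone is enough to return the URL unchanged, which is the problem scenario; with it set to true, the session ID is still encoded until the request carries the session cookie.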
Temporary fix
Comments
APAR Information
APAR number
PM89843
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-05-27
Closed date
2013-05-27
Last modified date
2013-05-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
Document Information
Modified date:
12 January 2022