When browser-based traffic keeps an HTTP session, at least one session-based cookie can be found in the HTTP request/response headers. When the security integration feature is enabled, WebSphere continues to validate the current session against all available cookies. If one end user logs out of Connections without closing the browser or clearing the existing cookies, the next user who tries to log in to Connections is blocked.
The following error is displayed:
com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user: [detailed user information]
The security integration feature for HTTP session management validates session-based cookies. However, the Connections logout scripts cannot clean up cookies reliably.
All supported browsers running against Connections servers on supported Linux/Windows OS
Diagnosing the problem
Log out as one user, then log in as a different user in the same browser instance.
Resolving the problem
Automatic logout on HTTP Session Expiration must be disabled
This feature is disabled by default in WebSphere, so a standard installation that follows the installation instructions should not have this setting enabled. This WebSphere feature applies only to single web applications that do not integrate with other web applications through single sign-on. Because Connections is a set of tightly integrated web applications and not a single web application, this setting cannot be applied. If you have not explicitly enabled this feature, it is disabled by default. If you have set custom security properties in WebSphere, ensure that this WebSphere setting is not enabled.
1) In the WebSphere administrative console, click Security > Global security.
2) Under Custom properties, make sure that com.ibm.ws.security.web.logoutOnHTTPSessionExpire is either not listed or set to false.
Session Security Integration
Ensure that security integration is disabled. If you have multiple servers, you need to do this on all of them, and if you create new servers after the installation, you may have to change this setting to disabled on each new server.
In the WebSphere administrative console, click Servers > Server Types > Application servers > [server] > Web container > Session management > Security integration.
Security integration is a WebSphere feature that flags an error when another authenticated user, or an anonymous user, attempts to access a session created by a different logged-in user. This can occur during normal operation when a login (LTPA) timeout has no corresponding session timeout. For instance, it occurs if a user is active in their session when the LTPA timeout is reached. In this case, with session security integration enabled, users are unable to access Connections until they clear their (session) cookies in the browser. Consequently, session security integration is disabled by the Connections install and must remain disabled.
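Both settings described above can also be checked offline against copies of the configuration files, which helps when there are many servers. The following script is an added example, not IBM or Connections code. The XML samples and server names are constructed, and the element layout and the enableSecurityIntegration attribute name are assumptions to confirm against your own security.xml and server.xml.

```python
import xml.etree.ElementTree as ET

LOGOUT_PROP = "com.ibm.ws.security.web.logoutOnHTTPSessionExpire"

# Constructed samples: simplified stand-ins for a cell's security.xml and each
# server's server.xml. Element layout and the enableSecurityIntegration
# attribute name are assumptions; confirm them against your own files.
SECURITY_XML = """<security xmlns:xmi="http://www.omg.org/XMI">
  <properties xmi:id="Property_1" name="com.ibm.ws.security.web.logoutOnHTTPSessionExpire" value="true"/>
</security>"""

SERVER_XMLS = {
    "ConnectionsServer1": """<server><services enableCookies="true" enableSecurityIntegration="false"/></server>""",
    "ConnectionsServer2": """<server><services enableCookies="true" enableSecurityIntegration="true"/></server>""",
}


def logout_on_expire_enabled(security_xml):
    """True only if the custom property is listed and set to true."""
    for el in ET.fromstring(security_xml).iter():
        if el.get("name") == LOGOUT_PROP:
            return el.get("value", "").strip().lower() == "true"
    return False  # not listed means the WebSphere default (disabled) applies


def servers_with_security_integration(server_xmls):
    """Names of servers whose session management has security integration on."""
    flagged = []
    for server, xml_text in server_xmls.items():
        if any(el.get("enableSecurityIntegration", "").lower() == "true"
               for el in ET.fromstring(xml_text).iter()):
            flagged.append(server)
    return sorted(flagged)


def audit(security_xml, server_xmls):
    """Collect every setting that contradicts the two requirements above."""
    findings = []
    if logout_on_expire_enabled(security_xml):
        findings.append(LOGOUT_PROP + " is true; remove it or set it to false")
    for server in servers_with_security_integration(server_xmls):
        findings.append(server + ": session security integration is enabled")
    return findings


if __name__ == "__main__":
    for line in audit(SECURITY_XML, SERVER_XMLS):
        print("FINDING:", line)
```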