SESN0008E and anonymous access to authenticated session errors occur with IBM Worklight and IBM Mobile Foundation

Technote (troubleshooting)


Problem (Abstract)

You use Worklight with the WebSphere Application Server Liberty Profile. With this configuration, the Worklight Console, Application Center, and applications, regardless of whether they are previewed or used in a web browser, share the same LTPA token. When you log out of one of these components, you are effectively logged out of all of them, which might not be the desired effect.

Symptom

You then see SESN0008E errors in the WebSphere Application Server Liberty Profile server logs with a message that says:

A user authenticated as anonymous has attempted to access a session owned by user_name 

If the Worklight Console is not protected with a user name and password, there might not be an obvious way to recover access to it.

Cause

When you log out of one of the components, both the session, which was used by that component, and the shared LTPA token are destroyed. When you subsequently attempt to use one of the other components, the server understands that the session for that component is owned by the user. However, it cannot locate an LTPA token to confirm the authentication for the user.

Resolving the problem

Use one of the following methods to authenticate with the Worklight Console and Application Center Console. Each method has its advantages and disadvantages.

  • Option 1: LTPA with a shared token.
    • Advantage: This option provides a single sign-on for both the console and the implementation.
    • Disadvantage: When you log out of one console and attempt to visit the other console using the same browser, you see an "anonymous session" exception. For example, this situation occurs when you use the same session. This behavior is expected from the WebSphere Application Server Liberty Profile. The solution is to log on using a different browser or clear the cache of your current browser.

  • Option 2: LTPA with different tokens.
    • Advantage: This option avoids the anonymous session exception in the first option.
    • Disadvantage: This option requires separate logins for the two consoles.


    With this option, you use two different domain names for the application and Worklight.

    You can test this option using the following steps:
    1. Connect to http://your_IP_address/worklight/console
    2. Connect to http://local_host:port_number/appcenterconsole
      You must log in because you are using your IP address instead of the localhost for the domain name.
    3. Disconnect from the Application Center Console.
    4. Continue on the Worklight console.

    You should find that the steps work.


    To implement this process, you need to define one domain name for Application Center. For example, you might use appcenter.somedomain.com. You must define another domain for Worklight. For example, you might use worklight.somedomain.com.
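
The logout behaviour described under Cause, and the effect of Option 2, as an added example (a simplified model written for this page, not IBM code). The cookie name `LtpaToken2`, the `sess:` keys, the user `admin` and all class and function names are assumptions, and the model assumes the LTPA cookie is scoped to the exact host name rather than to a shared parent domain.

```python
import itertools

LTPA = "LtpaToken2"  # assumed name of the LTPA SSO cookie

class Server:
    """Toy model: one server-side session per component, one LTPA cookie per host."""
    def __init__(self):
        self.sessions = {}              # session id -> owning user
        self._ids = itertools.count(1)

    def _new_session(self, cookies, component, user):
        sid = f"s{next(self._ids)}"
        self.sessions[sid] = user
        cookies["sess:" + component] = sid

    def login(self, jar, host, component, user):
        cookies = jar.setdefault(host, {})   # browser jar is keyed by host name
        cookies[LTPA] = user                 # stand-in for the signed token
        self._new_session(cookies, component, user)

    def logout(self, jar, host, component):
        cookies = jar.get(host, {})
        self.sessions.pop(cookies.pop("sess:" + component, None), None)
        cookies.pop(LTPA, None)              # the shared token is destroyed too

    def request(self, jar, host, component):
        cookies = jar.setdefault(host, {})
        caller = cookies.get(LTPA, "anonymous")
        owner = self.sessions.get(cookies.get("sess:" + component))
        if owner is None:
            if caller == "anonymous":
                return "LOGIN_REQUIRED"
            self._new_session(cookies, component, caller)  # single sign-on
            return "OK"
        if owner != caller:
            return (f"SESN0008E: A user authenticated as {caller} has "
                    f"attempted to access a session owned by {owner}")
        return "OK"

def console_after_appcenter_logout(console_host, appcenter_host, user="admin"):
    """Log in to the console, use Application Center, log out of it, retry the console."""
    server, jar = Server(), {}
    server.login(jar, console_host, "console", user)
    if server.request(jar, appcenter_host, "appcenter") == "LOGIN_REQUIRED":
        server.login(jar, appcenter_host, "appcenter", user)  # separate login
    server.logout(jar, appcenter_host, "appcenter")
    return server.request(jar, console_host, "console")

if __name__ == "__main__":
    print(console_after_appcenter_logout("localhost", "localhost"))
    print(console_after_appcenter_logout("worklight.somedomain.com",
                                         "appcenter.somedomain.com"))
```

With one host name the console request after the Application Center logout returns the SESN0008E message; with two host names each console keeps its own token and the console request still succeeds.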

Cross reference information
Segment: Mobile- Speech and Enterprise Access
Product: IBM Mobile Foundation
Component:
Platform: AIX, Linux Red Hat - xSeries, Linux SUSE - xSeries, Windows, Windows 2008 server, Windows 7, Windows XP, Windows 8
Version: 6.0, 5.0.6
Edition: Consumer, Enterprise


Document information


More support for:

IBM Worklight
Server

Software version:

5.0.6, 6.0

Operating system(s):

AIX, Linux Red Hat - xSeries, Linux SUSE - xSeries, Windows, Windows 2008 server, Windows 7, Windows 8, Windows XP

Software edition:

Consumer, Enterprise

Reference #:

1649895

Modified date:

2013-09-13
