IT20994: DATAPOWER DOES NOT SET A PROPER DPJSESSION COOKIE WHEN THE COOKIE WITH AN INVALID ROUTING ID PART COMES WITH A REQUEST
Fixes are available
Closed as program error.
The expiration of the DPJSESSIONID cookies is kind of a "session cookie". I.e. the expiration is not set, and thus is assumed the cookie holds till the client ends his/her session - e.g. closes the browser. In the active-conditional it's different, as it's governed by a response Set-Cookie header, so the cookie creating is actually left for the backend to resolve. [active: The DataPower appliance forces session affinity for every HTTP request irrespective of the need for session affinity by the remote server application. active-conditional: The DataPower appliance forces session affinity when the remote server application indicates that session affinity is required. The list of monitored cookies is used to verify that the remote server is requesting session affinity.]
Workaround could be to name the cookie name - DPJSESSIONID differently across DC's. But it may still break client sessions. This fix will need to be applied to prevent that behavior.
Affected are all customers using a Load Balancer with session affinity. In a failover scenario the HTTP client is left with a DPJSESSIONID cookie of the failed server even though requests now flow to a different one at which time the cookie should get updated accordingly.
Fix is available in 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124 and 126.96.36.199 For a list of the latest fix packs available, please see: http://www-01.ibm.com/support/docview.wss?uid=swg21237631
Reported component name
Reported component ID
NoSpecatt / Xsystem
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
Fixed component ID
Applicable component levels