IBM Support

JSESSIONIDs that do not match an expected length are ignored and warning messages are logged.

Troubleshooting


Problem

When a client passes in a cookie with a JSESSIONID that does not match the expected length, the JSESSIONID will be ignored and a warning message is logged.

Symptom

A warning message similar to the following will appear in the WebSphere Application Server logs:

[WARNING ] Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 1A10E685B0651B96A1B3E840F724 to null.

Cause

The warning message is caused by a clash between the session identifier name used by the application server and the same name used by an outside source. The warning message appears when the following conditions are met:

1. A client sends in a request with a JSESSIONID that was not generated by the session manager.

2. The JSESSIONID passed in does not match the length that is expected by the session manager.

If the above conditions are met, the JSESSIONID will be ignored and the warning message is written. As session processing continues, depending on how the session is requested, the following will occur:

  1. A request.getSession(true) or request.getSession() call returns a new session with a new JSESSIONID and a Set-Cookie header is sent back to the client.
  2. A request.getSession(false) call will return null. No Set-Cookie header is sent back to the client.

Other notes:
  • The clash of the JSESSIONID identifier name was found on one test client using Mozilla Firefox. Other web browsers on that test client did not encounter the issue, so it is possible that the problem is specific to clients running Mozilla Firefox. However, the problem was reproduced on only one test client and not on other test clients, so the JSESSIONID name clash is attributable to the setup of that specific test machine.
  • Should a JSESSIONID name clash occur, it may appear that session data is "lost". This "loss" of session data may cause an application to fail. In this scenario, the session data is not lost; rather, the server is returning a new session with a well-formed JSESSIONID.

Environment

IBM WebSphere Application Server Version 7.0.0.33, 8.0.0.9, and 8.5.5.2 or later.

Diagnosing The Problem

Examine the WebSphere Application Server logs to see if the warning message is present.
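
The following added example (not IBM code) shows one way to run that check over a log file: it counts the warnings and groups them by the expected and found lengths, which shows whether the unexpected values share one format. The function names and the sample log lines are constructed for illustration; only the first sample line is the message quoted under Symptom.

```python
import re
from collections import Counter

# Pattern built from the warning text quoted in the Symptom section.
WARNING_RE = re.compile(
    r"Detected JSESSIONID with invalid length; "
    r"expected length of (?P<expected>\d+), found (?P<found>\d+), "
    r"setting: (?P<value>\S+) to null"
)

def mask(value, keep=4):
    """Keep a short prefix only, so foreign identifiers are not copied into reports."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def summarize(lines):
    """Count invalid-length warnings, grouped by (expected, found) length."""
    by_length = Counter()
    samples = {}
    for line in lines:
        m = WARNING_RE.search(line)
        if not m:
            continue  # unrelated log line
        key = (int(m["expected"]), int(m["found"]))
        by_length[key] += 1
        samples.setdefault(key, mask(m["value"]))  # first value seen, masked
    return {
        "total": sum(by_length.values()),
        "by_length": dict(by_length),
        "samples": samples,
    }

# Constructed sample input; the first line is the message shown on this page.
SAMPLE_LOG = """\
[WARNING ] Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 1A10E685B0651B96A1B3E840F724 to null.
[INFO    ] Application started.
[WARNING ] Detected JSESSIONID with invalid length; expected length of 23, found 28, setting: 9F3C0D7754AA01B2C3D4E5F60718 to null.
[WARNING ] Detected JSESSIONID with invalid length; expected length of 23, found 32, setting: 0123456789ABCDEF0123456789ABCDEF to null.
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("total warnings:", report["total"])
    for (expected, found), count in sorted(report["by_length"].items()):
        sample = report["samples"][(expected, found)]
        print(f"expected {expected}, found {found}: {count} (e.g. {sample})")
```

To use it on a real log, pass the open file object to `summarize` in place of `SAMPLE_LOG`.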

Resolving The Problem

When numerous "Detected JSESSIONID with invalid length..." warning messages are present in the logs, a session management configuration change should be considered to reduce the occurrences of these warning messages. The configuration change involves changing the cookie name in the session management configuration. By making this configuration change, the clash of the session identifier name between the source that generated the unexpected JSESSIONID and the application server is eliminated. Please note that a change in the session cookie name requires the regeneration and propagation of the plugin configuration file.

For WebSphere Application Server Full Profile users

The session cookie name can be modified under the session management cookie settings. Please note that session management settings are configurable at different levels (refer to the WebSphere Application Server Information Center for more details).


For WebSphere Application Server Liberty Profile users

Add the "cookieName" attribute to the "httpSession" element in server.xml

Example: <httpSession cookieName="YOUR_DESIRED_COOKIE_NAME"/>


Document Information

Modified date:
15 June 2018

UID

swg21671600