PAS session mix-up in 11.7.2

Posted by mircea.alexandru on 26-Nov-2017 01:58

Hello,

Lately I’ve been having some issues with our web app and I was wondering if anyone could help or point me to the right direction.

Symptoms are:

  1. When having multiple users working at the same time in our new Portal solution, sometimes the sessions get mixed up, so suddenly they turn into someone else. Most often this has been reported after a runtime error from ABL which was visible in the agent log file. As a workaround (besides fixing the runtime error), for now I have a catch block that is there both to try to avoid this one, and also to format an ABL runtime error into an agreed response structure that our front-end application knows how to display. A situation we cannot handle though is a Java runtime error coming from either Spring or the REST Adapter, so if any of these appear, the session gets mixed up again. When the session mix-up occurs, I have logged the data coming from the session Client-Principal and it’s indeed a different user. The CP object is retrieved the classic way, via SESSION:CURRENT-REQUEST-INFO:GETCLIENTPRINCIPAL().
  2. I have a user that is authenticated, so a session is created. Then sometimes a request gets through to our ABL logic which is OK, but the Client-Principal object is undefined even if the user was authenticated correctly, causing errors since we are unable to identify the user.
  3. Our front-end developers have reported a couple of times that the JSDO session object “tells” the session is valid but then Tomcat/Spring returns a 401 Unauthorized which is weird.

In the first 2 cases I have monitored and the JSESSIONID cookie is correctly set and returned with all subsequent requests (always the same).

But there is something that troubles me regarding the JSESSIONID. When having multiple PAS instances on the same server, the JSESSIONID is postfixed with the PAS name, like: JSESSIONID=SomeUniqueKey.PasName. In our configuration, we have 2 AppServers (let's say PrimaryAppSrv and SecondaryAppSrv), where only the last one is configured to host the webApp containing the REST services in question here. So I would have expected the JSESSIONID to be in the form "SomeUniqueKey.SecondaryAppSrv", and it's like this in our development environment, but in production and on the server causing the errors you see in the attached log file (Application.2017-11-25.log) it is like this: "SomeUniqueKey.PrimaryAppSrv", where the postfix is that of the other AppServer. Is this a normal thing?

I have also added the log file (see Application.2017-11-25.log), where starting with "14:00:00" you will see some relevant (I hope) errors. What I did was: go to the login page, enter a valid username (mfa) and password -> success. Then I simply requested another service and I got back tons of errors. The CP did reach my ABL logic, but it did not contain any valid information (USER-ID, ROLES).

Some more information about our setup:

  • Our new Portal platform is basically a SPA.
  • We are using oerealm & form authentication model, and we have our own HybridRealm class for authentication against a custom table, where implementation is not much different than all the demo material out there.
  • I am using the REST Adapter for exposing some web services the application interacts with.
  • Server is operating in “session-free” mode.
  • Before the migration to 11.7, multitenancy was not enabled, but I see in 11.7 this is set to “true” by default. We do not set domains under oeablSecurity.properties.
  • We have not changed anything in the authManager.xml or formLoginModel.xml in 11.7, so all are default.

I have attached some configuration files and one of the logs.

Thank you,

Mircea
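An added example, not code from the original post or from Progress: a fail-closed guard that every REST entry point can call before trusting the Client-Principal. It addresses symptom 2 (CP handle missing although the user logged in) by refusing the request with a structured error code instead of crashing, and for symptom 1 it writes an audit line pairing the CP identity with the CP's own session id, which is the evidence needed to match a mixed-up identity against the JSESSIONID seen in the web tier. The procedure name, the error code strings and the "AUTH" log subsystem are illustrative assumptions; VALIDATE-SEAL() without an argument checks the seal against the registered domains.

```abl
/* Added example (not the original poster's code): validate the request's
   Client-Principal and fail closed on anything that is not a sealed,
   logged-in identity. Procedure name and error codes are illustrative. */
PROCEDURE getRequestUser:
    DEFINE OUTPUT PARAMETER pcUserId AS CHARACTER NO-UNDO.   /* "user@domain" on success */
    DEFINE OUTPUT PARAMETER pcError  AS CHARACTER NO-UNDO.   /* "" on success */

    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    hCP = SESSION:CURRENT-REQUEST-INFO:GetClientPrincipal().

    /* Symptom 2 from the post: no CP handle even though the user authenticated. */
    IF NOT VALID-HANDLE(hCP) THEN DO:
        ASSIGN pcError = "NO_CLIENT_PRINCIPAL".
        RETURN.
    END.

    /* An unsealed or tampered CP must never be used to identify the caller. */
    IF NOT hCP:VALIDATE-SEAL() THEN DO:
        ASSIGN pcError = "INVALID_SEAL".
        RETURN.
    END.

    /* Only a CP in the LOGIN state carries an identity that should be honoured. */
    IF hCP:LOGIN-STATE <> "LOGIN" THEN DO:
        ASSIGN pcError = "LOGIN_STATE_" + hCP:LOGIN-STATE.
        RETURN.
    END.

    /* Empty USER-ID is exactly what the post reports reaching the ABL logic. */
    IF hCP:USER-ID = "" OR hCP:USER-ID = ? THEN DO:
        ASSIGN pcError = "EMPTY_USER_ID".
        RETURN.
    END.

    ASSIGN pcUserId = hCP:USER-ID + "@" + hCP:DOMAIN-NAME.

    /* Audit line: identity carried by the CP next to the CP's session id, so a
       mix-up (symptom 1) can be correlated with the JSESSIONID in the web tier. */
    LOG-MANAGER:WRITE-MESSAGE("CP user=" + pcUserId
        + " cp-session=" + hCP:SESSION-ID, "AUTH").

    /* Any error raised during validation is reported, not swallowed, so the
       caller still refuses the request instead of running as an unknown user. */
    CATCH eErr AS Progress.Lang.Error:
        ASSIGN pcUserId = ""
               pcError  = "CP_VALIDATION_ERROR: " + eErr:GetMessage(1).
    END CATCH.
END PROCEDURE.
```

Callers run this procedure first and, when pcError is non-empty, return the agreed error response structure to the front end rather than continuing; that keeps a Java-side failure from being turned into a request executed under the wrong identity.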
