We are facing an issue with application login where the application is protected by SiteMinder and uses SPS as the reverse proxy.
The scenario is User A logs into the application, works as per his privileges and logs out. User B logs into the same application in the same browser without closing and reopening the browser.
User B gets the same view that User A last accessed, but after refreshing/clicking on any tab once, user B gets his own view.
User B is not able to perform any actions from User A's console but he is able to view the application-view for user A.
In the second case, the same application uses Apache as the reverse proxy; there, the previous user's view is never visible to the new user.
Please suggest what the possible reason for this behavior could be, and how it can be resolved.
Using Fiddler, can you check whether the SMSESSION cookie is changed to "logged off" after User A logs out?
Yes Ujwol, when User A logs out the SMSESSION cookie is changed to "logged off".
What is the authentication scheme used? It looks like caching on the web server. A Fiddler trace of the use case should give us a better idea.
We are using a form based authentication scheme.
Please refer to the attached Fiddler logs for reference.
I have checked the attached Fiddler trace, and I do see the logoff taking place correctly; however, when the second user logs in, I see the same JSESSIONID cookie maintained:
JSESSIONID=4A2B2BF9D0A5AD00CA9390A311561B19
JSESSIONID=4A2B2BF9D0A5AD00CA9390A311561B19
This is a Java cookie generated by the backend web server for session management, which can explain the behavior you are seeing depending on the backend cache settings. It should be removed when the session is closed on the backend, in addition to the logoff on the SM side.
You may want to review your logout page to see how it is closing the session on the backend; when the index JSP page is called for logout, it may contain code to invalidate the session, or a page session=false directive, to ensure the session is emptied as well.
I hope this helps.
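Albert's finding above (the same JSESSIONID carried across the SM logoff) can be checked mechanically against a trace. The following is an added example, not code from this thread or from CA; the trace entries are constructed, and the cookie names and the LOGGEDOFF marker are assumptions.

```python
# Added example: scan a proxy trace for a backend JSESSIONID that survives the
# SiteMinder logoff. Cookie names and the LOGGEDOFF marker are assumptions.

def parse_cookie_header(header):
    """Split a request Cookie header 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {name: value for name, _, value in pairs}

def parse_set_cookie(header):
    """Return (name, value, cleared) for one Set-Cookie header; cleared is
    True when the server expires the cookie (empty value or Max-Age=0)."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attr = {a.partition("=")[0].lower(): a.partition("=")[2] for a in attrs}
    return name, value, value == "" or attr.get("max-age") == "0"

def check_session_reuse(trace, backend_cookie="JSESSIONID", sm_cookie="SMSESSION"):
    """trace: (method, path, request Cookie header, [response Set-Cookie headers]).
    Reports whether a backend session id seen before the SM logoff is sent
    again afterwards, and whether the logoff response expired that cookie."""
    before_logoff, reused = set(), []
    logoff_seen = cleared_at_logoff = False
    for method, path, cookie_header, set_cookies in trace:
        sid = parse_cookie_header(cookie_header).get(backend_cookie)
        if logoff_seen and sid in before_logoff:
            reused.append(f"{method} {path}")   # old backend session reused
        elif sid and not logoff_seen:
            before_logoff.add(sid)
        parsed = [parse_set_cookie(sc) for sc in set_cookies]
        if any(n == sm_cookie and v.upper() == "LOGGEDOFF" for n, v, _ in parsed):
            logoff_seen = True
        if logoff_seen and any(n == backend_cookie and c for n, _, c in parsed):
            cleared_at_logoff = True
    return {"logoff_seen": logoff_seen,
            "backend_cookie_cleared_at_logoff": cleared_at_logoff,
            "reused_after_logoff": reused}

# Constructed trace reproducing the symptom: User A logs off, User B logs in,
# and the browser keeps sending User A's JSESSIONID to the backend.
SYMPTOM_TRACE = [
    ("GET", "/app/home.jsp", "SMSESSION=aaa; JSESSIONID=4A2B", []),
    ("GET", "/app/logout.jsp", "SMSESSION=aaa; JSESSIONID=4A2B",
     ["SMSESSION=LOGGEDOFF; Path=/"]),
    ("POST", "/siteminderagent/forms/login.fcc", "JSESSIONID=4A2B",
     ["SMSESSION=bbb; Path=/"]),
    ("GET", "/app/home.jsp", "SMSESSION=bbb; JSESSIONID=4A2B", []),
]
```

A healthy trace shows the logout response expiring JSESSIONID (empty value or Max-Age=0) and an empty reused_after_logoff list.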
Thank you Albert for the analysis!
But for the same application, when we use Apache as the reverse proxy, the user-view issue does not occur.
Is there any possibility that SPS is caching the JSESSIONID cookie for User A and not replacing it with the JSESSIONID cookie for User B, since this does not happen in the case of Apache?
As soon as User B clicks on a tab or refreshes the page, the view changes for User B.
In server.conf, do you have "enablecachepostdata" set to no (the default value)? If you happen to have set it to yes, try setting it to no.
# This parameter is applicable to the caching of POST data.
# "no"  --- Default value. POST data is not cached by SPS.
# "yes" --- POST data caching enabled.
enablecachepostdata="no"
Yes, this value is set to "yes" in our case, but it was changed to yes on the suggestion of CA Support in order to improve the performance of SPS.
Please advise whether setting it to no will impact the performance of SPS in any way.
The objective of setting enablecachepostdata="no" is to isolate whether this parameter is causing the issue. You can change it back to yes after the testing.
We could also look at a Session Linking Solution which links SMSESSION to a Foreign Session (e.g. JSESSIONID).