Fixes are available
8.5.5.6: WebSphere Application Server V8.5.5 Fix Pack 6
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
Several of our customers recently reported a problem in the WebSphere framework that is related to Set-Cookie: JSESSIONID headers. Under some conditions an HTTP response from WebSphere Application Server can have more than one JSESSIONID session affinity cookie. Here is an example of the response, with the HTTP response headers that the front-end client received from WebSphere Application Server:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: de-DE
Content-Length: 170
Set-Cookie: JSESSIONID=0000pPttvdZT9VFK4pAbB37MPlH:-1; Path=/; HttpOnly
Set-Cookie: JSESSIONID=0000HY7iSBIZu5A1hMwlHl5ex_P:-1; Path=/; HttpOnly
Date: Fri, 24 Oct 2014 11:53:40 GMT

There are several circumstances in which the above problem can happen, for example:

The application code creates a session, then invalidates it, and then creates a new session in the same servlet's service() method. This leads to two Set-Cookie: JSESSIONID headers in the response, which is not compliant with RFC 6265.

RFC 6265 also states:

"Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name".

RFC 6265 - HTTP State Management Mechanism: http://tools.ietf.org/html/rfc6265

This problem was reported in V8.0 and V8.5 Fix Packs.
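A check for the condition described above, as an added example that is not part of the APAR or of IBM's code: it parses a captured response head and reports every cookie-name that appears in more than one Set-Cookie header field. The function names are illustrative, and the sample input is the response head quoted in this error description.

```python
from collections import defaultdict

# Response head copied from the example in this error description.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: Servlet/3.0\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "Content-Language: de-DE\r\n"
    "Content-Length: 170\r\n"
    "Set-Cookie: JSESSIONID=0000pPttvdZT9VFK4pAbB37MPlH:-1; Path=/; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=0000HY7iSBIZu5A1hMwlHl5ex_P:-1; Path=/; HttpOnly\r\n"
    "Date: Fri, 24 Oct 2014 11:53:40 GMT\r\n"
    "\r\n"
)


def set_cookie_pairs(raw_head):
    """Yield (cookie-name, cookie-value) for each Set-Cookie header field."""
    # Accept captures saved with bare LF line endings as well as CRLF.
    text = raw_head.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:            # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        # The cookie-pair is everything before the first ';'.
        pair = value.split(";", 1)[0]
        name, eq, cookie_value = pair.partition("=")
        if eq and name.strip():
            yield name.strip(), cookie_value.strip()


def duplicate_set_cookies(raw_head):
    """Return {cookie-name: [values in header order]} for repeated names.

    Header field names are matched case-insensitively; cookie names are
    compared exactly as sent.
    """
    seen = defaultdict(list)
    for name, value in set_cookie_pairs(raw_head):
        seen[name].append(value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


if __name__ == "__main__":
    for name, values in duplicate_set_cookies(SAMPLE_RESPONSE).items():
        print(f"{name} set {len(values)} times: {values}")
```

Run against responses captured before and after a configuration change, an empty result means no cookie-name was repeated in that response.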
Local fix
N/A.
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server Full Profile Versions 8.0 and 8.5.5.

PROBLEM DESCRIPTION: When sending out a response the Channel allows multiple Set-Cookie headers with the same name to be sent.

RECOMMENDATION:

When sending out a response the Channel allows multiple Set-Cookie headers with the same name to be sent. This behavior can result in problems at the User Agent side of the connection. The channel is working according to RFC2109, which allows multiple Set-Cookie headers to be sent by the server in the same response. However, the newer RFC6265 states:

"Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name."

The duplicate Set-Cookies are shown in the traces as follows:

[12/15/14 11:53:07:242 EST] 00000104 CookieUtils 3 Created v0 Set-Cookie: [JSESSIONID=Ldsfh676sdIhdhd757kNhs757Jk; Path=/; HttpOnly]
[12/15/14 11:53:07:242 EST] 00000104 BNFHeadersImp 3 appendHeader(h,s): Set-Cookie
[12/15/14 11:53:07:242 EST] 00000104 BNFHeadersImp 1 Adding header [Set-Cookie] with value [JSESSIONID=Ldsfh676sdIhdhd757kNhs757Jk; Path=/; HttpOnly]
[12/15/14 11:53:07:242 EST] 00000104 CookieUtils 3 Created v0 Set-Cookie: [JSESSIONID=897437234ghkagkjghaf6842; Path=/; HttpOnly]
[12/15/14 11:53:07:242 EST] 00000104 BNFHeadersImp 3 appendHeader(h,s): Set-Cookie
[12/15/14 11:53:07:242 EST] 00000104 BNFHeadersImp 1 Adding header [Set-Cookie] with value [JSESSIONID=897437234ghkagkjghaf6842; Path=/; HttpOnly]
Problem conclusion
The HTTP Channel will now prevent sending multiple Set-Cookie headers with the same name. A new custom property was added to the HTTP Channel to enable this new behavior. The property name is "DoNotAllowDuplicateSetCookies", with a possible value of "true" or "false", with the default being "false".

An HTTP Channel custom property can be set like this:
http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/rrun_chain_httpcustom.html?cp=SSAW57_8.5.5%2F1-18-6-409&lang=en

Please note: the instructions are for v8.5.5, but the same instructions apply to all versions of WebSphere Application Server Full Profile.

The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.6. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PI31734
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-12-17
Closed date
2014-12-29
Last modified date
2016-03-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022