PK80439: WHEN HTTP SESSION MANAGER IS CONFIGURED FOR DB PERSISTENCE, THE LENGTH OF THE CREATED SESSION ID COULD BE LONGER THAN EXPECTED.

Fixes are available

APAR status

Closed as program error.

Error description

When http session manager is configured for db persistence under
certain circumstances the length of the session id that is
created could be longer than what is expected.  The session ids
that are newly generated by WebSphere Application Server are of
a predetermined length.  However, when an incoming request comes
in with a session id whose prefix is identical to a pre-existing
session id, then the longer incoming id will be used to return a
new session.  The same behaviour could occur if the web
container custom property HttpSessionidReuse enabled

Local fix

Set the custom property SessionIdentifierMaxLength greater than
the length of the created session id.

Problem summary

****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server Version    *
*                  6.1.0 users who have configured http        *
*                  session for database persistence and have   *
*                  incoming requests that contain a session    *
*                  id longer than the expected length.         *
****************************************************************
* PROBLEM DESCRIPTION: Incoming session ids longer than the    *
*                      pre-determined length used by the       *
*                      session manager can result in SQL302    *
*                      errors in the database and creation     *
*                      of new sessions with ids longer than    *
*                      23 characters.                          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The session ids that are newly generated by WebSphere
Application Server are of a predetermined length, which is 23
characters by default, or a different value if the web
container custom property HttpSessionIdLength is used.
However, when an incoming request comes in with a length
longer than expected session id length, and whose prefix is
identical to a pre-existing session id, then the longer
incoming id will be used to return a new session. If the
incoming id's length is sufficiently large enough then it can
exceed the size of the session table column used in database
persistence generating a SQL0302 error.

Problem conclusion

Code changed were made so that the session manager will
include additional checking to ensure that the incoming
session id meets the requirements expected by the session
manager, similar to what it would be if the session manager
generated the id. As the session id will be of the expected
length downstream processing errors at the database end will
be prevented. Please note that the behavior corrected by this
APAR are activated only if the web container custom property
ForceSessionIdLengthCheck is turned on by setting it to a true
value.

This APAR requires changes to documentation.

NOTE: Periodically, we refresh the documentation on our Web
site, so the changes might have been made before you read this
text. To access the latest on-line documentation, go to the
product library page at:
http://www.ibm.com/software/webservers/appserv/library

Changes to the WebSphere Application Server Version 6.1
Information Center will be made available in June, 2009.

The following information will be added to the WebSphere
Application Server Version 6.1 Information Center topic "Web
container custom properties":

Enforcing the length limit of a session ID to 23 characters
Newly generated session IDs are, by default, 23 characters in
length, unless you use the httpSessionIdLength custom property
to specify a different maximum length for your session IDs.
When an incoming request has an session ID that is longer than
the expected session ID length, and whose prefix is identical
to a pre-existing session ID, the longer ID is used to return
a new session. If the length of the session ID on the incoming
request is significantly larger then the maximum length
specified for your system, such that it exceeds the width of
the ID column in the the session table column that is used in
database persistence, an SQL0302 error occurs.
To prevent the occurrence of these SQL0302 errors, you can add
the ForceSessionIdLengthCheck custom property to your Web
container custom properties and set it to true. When this
custom property is set to true, the length of a session ID
cannot exceed 23 characters. If an incoming request has a
session ID that is longer than 23 characters, the first 23
characters are used to return a new session.
If the ForceSessionIdLengthCheck custom property is not
defined for a Web container, or is set to false, the maximum
length of a session ID is either 23 characters or the length
specified for the httpSessionIdLength custom property.

Name  ForceSessionIdLengthCheck
Value  true

APAR PK80439 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.27 of WebSphere Application Server V6.1
for z/OS.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.

Temporary fix

Comments

APAR Information

APAR number
PK80439
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
610
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-02-11
Closed date
2009-04-22
Last modified date
2009-10-03

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

PK90274

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

R610 PSY UK49671
UP09/09/21 P F909

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021

Tips

PK80439: WHEN HTTP SESSION MANAGER IS CONFIGURED FOR DB PERSISTENCE, THE LENGTH OF THE CREATED SESSION ID COULD BE LONGER THAN EXPECTED.

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R610 PSY UK49671

Fix is available

Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Share your feedback

Need support?