cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Business Objects sessions bleeding together with OpenDoc reports

Go to solution
Former Member

on ‎12-18-2009 2:17 AM

0 Kudos

I have a custom application that logs a user into Business Objects, and calls OpenDoc using the generated loginToken. I store the Business Objects session in the application session. If you log into the application as one user and open a report with the following query:

<br><br>

SELECT
  mtf.id
FROM
  mtf,
  facilities,
  users
WHERE
  facilities.id = mtf.id
  AND facilities.id = users.facility_id 
  AND users.login_name = @Variable('BOUSER')

<br><br>

The query runs correctly and returns the correct result. If you log out of the application without closing the browser window, log in as a different user and run the same report you get the result the first user got, as if the @Variable('BOUSER') was returning the first username.

<br><br>

Each user is logged into Business Objects with their own username, I have verified this in the code. I aslo verified that When the first user logs out of the application the Business Objects session is destroyed, and a new one created for the second user. Looking at the HTTP headers I have seen that when the first user logs in and opens a report the following cookie gets set:

<br><br>

HTTP/1.1 200 OK

Set-Cookie:

InfoViewses=3%261%2C8P%264E%3D1704Jk1XlRb8I5GtMTG1%2C8P%26Tn%3D%7B3%26.1%3D%7B3%262%3D1608%2C03%26O%3DFavoritesFolder%2C0P%7D%2C2z%26.2%3D%7B3%262%3

D1609%2C03%26O%3DPersonalCategory%2C0P%7D%2C2z%26.3%3D%7B3%262%3D1610%2C03%26O%3DInbox%2C0P%7D%2C2z%26U%3D3%2C03%7D%2C%3Fz%264F%3D1607%2C8P%26S5%2C8

8%26Tm%3D3650%2C83%265U%3D1705JEngK4tWp4tT87D21704Jk1XlRb8I5GtMTG1%2C8P%2635%3Dtestuser1%2C8P%2663%3Dtoken%2C8P%26pa%2C8P%262r%3Ddev-bo.company.com%

3A6400%2C8P%263k%3D%40dev-bo.company.com%2C8P; Path=/; HttpOnly

<br><br>

The second user who logs in already has this set with the same value, including the testuser1 string which is the username of the first user. This is the only place I can see the username getting passed around.

<br><br>

This is how I log users in to Business Objects and get the logon Token:

<br><br>

IEnterpriseSession session = CrystalEnterprise.getSessionMgr().logon(username, defaultPassword, cmsHostName + ":" + cmsPort, authType);
String logonToken = session.getLogonTokenMgr().getDefaultToken();

<br><br>

This is how I launch the reports:

<br><br>

String url = serverUrl + "/OpenDocument/opendoc/openDocument.jsp?sIDType=CUID&sType=wid&sRefesh=Y&iDocID=" + reportCuid + "&token=" + logonToken;

<br><br>

This problem does not occur with logging in and out of infoview. I am using Business Objects XI 3.1 SP2

<br><br>

Thanks for your help

<br><br>

Tim

Edited by: twkatadin on Dec 18, 2009 3:17 AM

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

ted_ueda
Employee
Employee
‎12-18-2009 2:57 PM
0 Kudos

When you log into InfoView, it creates a string representing the serialization of the Enterprise Session, and passes it to the client web browser as a cookie.

When you log out of InfoView, then it deletes the cookie.

The cookie is used for session persistence, such that the Enterprise Session will carry over to the different web apps that comprise the InfoView portal.

The difference with invoking OpenDocument is that there's no mechanism for logging off the session within OpenDocument, and OpenDocument uses the same cookie (since OpenDocument is invoked from InfoView, it needs to know the Enterprise Session under with the requester is logged onto InfoView).

So one possible workaround is to not pass the DefaultToken - it's used for failover - but rather the WCA token (createWCAToken).

The WCA token is valid only for the lifetime duration of the EnterpriseSession that generated it. Since you're keeping around the Enterprise Session yourself, and you do log it off, the serialized session in the cookie should be invalidated on the subsequent call.

Sincerely,

Ted Ueda

Show replies
Show replies
Former Member
‎12-19-2009 12:42 AM
0 Kudos

Thanks for the reply Ted.

<br><br>

Unfortunately, that change doesn't work. If I explicitly call session.logoff() or getLogonTokenMgr().releaseToken(logonToken) before I log out of my application, the second user who logs in can not open reports. If I don't call these methods I get the same result as before, even with createWCAToken().

<br><br>

It seems the problem is that the InfoViewses cookie does not get deleted no matter what I do in the code, so even if I release the token, the cookie remains and OpenDoc won't try to set a new one, it just thinks my session expired. I can't remove this cookie since it is set by our BO server, which is different from our application server.

<br><br>

Any other ideas?

<br><br>

Tim

Edited by: twkatadin on Dec 19, 2009 1:42 AM

ted_ueda
Employee
Employee
‎12-20-2009 8:46 PM
0 Kudos

Other than putting a page in the controlling web app context specifically for removal of that cookie, I can't think of any.

Sincerely,

Ted Ueda

Answers (1)

Answers (1)

Former Member
‎12-21-2011 10:51 PM
0 Kudos

Hi twkatadin, did you finally resolve the issue?

I'm having the exact same issue, I tried using different things like the method to create a serialized session instead of a ticket but the error persisted.

Making some tests with Fiddler (httpwatch kind of program) I noticed the behavior that you describe. The old cookie doesn't get override with the new one, it seems that the old cookie is invalid for BO but internet explorer keep sending the old one, you can see that BO returns a new one but keep using the old.

I don't know what else to do.

Regards,

JAYP

Show replies
Show replies
former_member217070
Active Participant
‎12-22-2011 2:22 PM
0 Kudos

Hi, JAYP,

This was scheduled to be fixed in XI R3.1 SP5, but I haven't verified it.

[1384047 - OpenDoc Is Not Using the Correct Logon Token|https://bosap-support.wdf.sap.corp/sap/support/notes/1384047]

Regards,

Bryan

Former Member
‎04-11-2012 5:35 PM
0 Kudos

Can someone from SAP please confirm if this is really fixed in XI R3.1 SP5 before we install it on our 7 servers.

Thank you.

aasavaribhave
Advisor
Advisor
‎04-12-2012 1:18 PM
0 Kudos

It is fixed in XI 3.1 SP5. anyways, you can always apply it on sandbox, dev and test before installing it on prod.

Ask a Question