
clearing jsessionid

Former Member
0 Kudos

Hi experts,

We have a C# application with RSA security as the front end.

RSA SSO is implemented on BusinessObjects and it is working.

But the issue is that user1 logs on to the application and creates a session in InfoView.

But he doesn't log out of InfoView. When another user (user2) logs on to the application on the same computer,

BusinessObjects still keeps the old session.

There is no way to tell Tomcat to use the new session.

I can see in CMC that there are two sessions active (user1 & user2).

Is it possible to clear the jsessionid session & cookies?

Thanks!

Prasath

Edited by: Prasath Mungundu on May 13, 2010 11:13 PM

Accepted Solutions (1)


ted_ueda
Employee
0 Kudos

The jsessionid is an HTTP session token generated by the Java Web Application Server itself to manage HTTP sessions - here Tomcat.

Trying to eliminate jsessionid isn't a secure way to do things.

It's SSO, so the session will remain live till the HTTP Session times out, if the user hasn't logged off explicitly.

Sincerely,

Ted Ueda

Former Member
0 Kudos

Hi Ted

We are using RSA SSO and enterprise authentication. SSO works on initial login.

But when a user logs out and logs back in to SSO without closing the browser, InfoView still holds the previous session.

Is there a way to identify and get rid of the Tomcat session when a new InfoView user comes in via SSO?

Is there some way to detect when the current user has changed, and remove the session accordingly?

I have the same question posted in the thread below.

Thanks!

Prasath

ted_ueda
Employee
0 Kudos

I'm assuming this isn't an issue if the user closes the web browser window before logon, since then the client-side won't try to re-send the cookies.

Sincerely,

Ted Ueda
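
One way to do the detection asked about above, as an added example that is not part of the original thread and is not SAP or RSA code: a servlet filter that records which SSO user a Tomcat session belongs to and discards the session when a different user arrives. It assumes the SSO agent exposes the authenticated user through `getRemoteUser()`; the class name and the session attribute name are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: drops a Tomcat session that belongs to a different SSO user. */
public class SsoUserChangeFilter implements Filter {

    // Hypothetical attribute name, not a Tomcat or BusinessObjects constant.
    static final String BOUND_USER = "example.sso.boundUser";

    public void init(FilterConfig cfg) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Assumption: the SSO agent makes the authenticated user available here.
        String ssoUser = request.getRemoteUser();

        // getSession(false) returns the session named by the JSESSIONID the
        // browser sent, or null; it never creates one.
        HttpSession session = request.getSession(false);

        if (session != null) {
            String bound = (String) session.getAttribute(BOUND_USER);
            // Stale: the session was bound to one user and the request now
            // carries a different user, or no SSO user at all (logged out).
            if (bound != null && !bound.equals(ssoUser)) {
                session.invalidate();
                session = null;
            }
        }

        if (ssoUser != null) {
            if (session == null) {
                session = request.getSession(true); // new id, empty state
            }
            session.setAttribute(BOUND_USER, ssoUser);
        }
        chain.doFilter(request, res);
    }
}
```

The filter only handles the Tomcat HTTP session, and it has to be mapped in `web.xml` ahead of the application's own filters so the check runs before any session data is read.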

Answers (2)


Former Member
0 Kudos

I have one more question. In the problematic application, the JSESSIONID parameter is included in the URL string. And that's why the application has the previous JSESSIONID/previous data. Another application doesn't have this problem, because there isn't the jsessionid parameter inside the URL string.

So I know that different iViews were used for these applications. Or do you have an idea where I can define that the jsessionid should not be part of the URL?

Former Member
0 Kudos

SAP Support is looking at this issue now and will be providing a fix for it.

Thanks!

Former Member
0 Kudos

Hi Prasath,

We are also having the same issue. Did you get a solution for this issue? (Not clearing session data.)

Can you please share the solution/SAP note number to fix this issue?

Thanks,

Naveen

Former Member
0 Kudos

Hi,

I think I have a similar problem. I have a Web Dynpro application inside an intranet. If the user logs in over the intranet, an SSO ticket will be created (MYSAPSSO2). If he logs out, the SSO ticket will be deleted, but the jsessionid is still active if I don't close the browser. If I close the browser, there is no problem.

So do I have to delete the jsessionid in my application's Java code? Or is it a problem with Internet Explorer?