Unexpected Session Cloning at Login (Doc ID 1456394.1)

Last updated on SEPTEMBER 20, 2013

Applies to:

Oracle Weblogic Server - Version 10.3.5 and later
Information in this document applies to any platform.

Symptoms

Unexpected session cloning at login is observed in WLS 10.3.5. The same issue was observed in 10.3.2, and a bug was filed for it (unpublished defect 9399618), which fixed the problem in 10.3.2. A similar problem is now observed again with WebLogic Server 10.3.5. According to the fixed bug list <Note 1302753.1>, this issue is already fixed, but it is still observed with the test case below.

The issue is seen when attempting to implement the scenario below.

The issue is reproduced following these steps:

  1. Authenticate in the application (form-based authentication) using the application root URL (say, .../xxx)
  2. Navigate a bit to populate the session with attributes (Session ID is A)
  3. Recall the login screen URL by typing it directly in the browser address bar (.../xxx/login)
  4. Authenticate again (using the same or, even worse, a different user)
  5. The first executed Java class reports that there is a new session (Session ID is B)
  6. Session ID B is not empty at all; it contains the session A attributes (same object instance IDs). The situation differs slightly from the original issue in 10.3.2, where the attributes were copies (serialized/deserialized), whereas in 10.3.5 they are the same object instances.
  7. Some of these session attributes keep a reference to the session itself. Because the attributes of session B were created when session A was the current session, they still reference the now-invalid session A, and trying to use them results in the below exceptions:
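
To confirm steps 5 to 7 on a running server, the following servlet filter is an added diagnostic example, not part of the original note and not Oracle code. It stamps each session with the ID it was created under and reports when a session carries a stamp from another session, distinguishing the 10.3.2 pattern (deserialized copy) from the 10.3.5 pattern (same object instance). The class name `SessionCloneDetector` and the attribute name `diag.sessionOwner` are assumptions, and the code assumes the Servlet 2.5 API.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Collections;
import javax.servlet.*;
import javax.servlet.http.*;

// Added diagnostic example; class and attribute names are hypothetical.
public class SessionCloneDetector implements Filter {
    static final String MARKER = "diag.sessionOwner";
    // Stamp stored in each session, recording the session it was created in.
    static final class Owner implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sessionId;
        // Not restored by deserialization: null means this stamp is a serialized copy.
        final transient Object liveTag = new Object();
        Owner(String sessionId) { this.sessionId = sessionId; }
    }
    // Returns null if the stamp belongs to this session, otherwise a finding to log.
    static String check(String currentId, Owner owner) {
        if (owner == null || owner.sessionId.equals(currentId)) return null;
        String kind = owner.liveTag != null ? "same object instance" : "deserialized copy";
        return "session " + currentId + " carries attributes created in session "
                + owner.sessionId + " (" + kind + ")";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession before = http.getSession(false);
        if (before != null) {
            Object m = before.getAttribute(MARKER);
            String finding = check(before.getId(), m instanceof Owner ? (Owner) m : null);
            if (finding != null) {
                // Attribute names only are logged, never their values.
                before.getServletContext().log("[session-clone] " + finding + ", user="
                        + http.getRemoteUser() + ", attributes="
                        + Collections.list(before.getAttributeNames()));
            }
        }
        chain.doFilter(req, res);
        HttpSession after = http.getSession(false); // null if invalidated or never created
        if (after != null && after.getAttribute(MARKER) == null) {
            after.setAttribute(MARKER, new Owner(after.getId()));
        }
    }
    public void init(FilterConfig cfg) { }
    public void destroy() { }
}
```

Map the filter to `/*` in `web.xml`; a finding logged on the first request after the second login corresponds to steps 5 and 6 above.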

Cause
