JSESSIONID Is Reused Between Different Applications in WebLogic Server (Doc ID 979978.1)

Last updated on MAY 15, 2017

Applies to:

Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.
***Checked for relevance on 1-Dec-2015***

Symptoms

The customer has two applications, say A and B, deployed in a single WebLogic Server domain. Application A starts and uses an HttpSession. One of the servlets in application A obtains a RequestDispatcher and forwards a request it has received to a servlet in a different web application (B). Because A and B are different web applications, they should not share the same session scope. However, the customer sees that the JSESSIONID in application B has the same value as the session that was created by application A.

This breaks logic in the Forms application, which looks for the existence of an HttpSession to differentiate between requests that need initialization (which creates HTTP session values to be used by future requests) and requests that are a continuation of the same logical "Forms" session (which are expected to re-use session values already set).

The existence of the unexpected JSESSIONID appears to cause the logic in the Forms session to fail to initialize (or causes multiple "Forms sessions" to overwrite session values on which previous Forms sessions depend), which results in errors. For example, the error message seen by the end user (browser) when this issue occurs might be:

The very same application logic worked under Application Server 10.1.3.x where OC4J was the J2EE container.
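
One way to confirm the symptom from request records is to list every session ID that was presented to more than one context root. This is an added example, not part of the Oracle note; the record layout, the context roots /appA and /appB, the session ID values and the rule that the first path segment is the context root are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the note): time, method, URI, "Cookie header".
SAMPLE_LOG = """\
10:00:01 GET /appA/start "JSESSIONID=Qx7aaa111; theme=dark"
10:00:02 GET /appA/dispatch "JSESSIONID=Qx7aaa111"
10:00:02 GET /appB/frmservlet "JSESSIONID=Qx7aaa111"
10:00:09 GET /appB/frmservlet;jsessionid=Zk2bbb222 "-"
10:00:11 GET /appA/start "theme=dark; JSESSIONID=Lm9ccc333"
"""

LINE_RE = re.compile(r'^\S+ \S+ (?P<uri>\S+) "(?P<cookies>[^"]*)"$')

def session_ids(uri, cookie_header, cookie_name="JSESSIONID"):
    """Return the session IDs one request carries, by cookie or URL rewriting."""
    ids = set()
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value:
            ids.add(value)
    # Servlet URL rewriting carries the ID as a ;jsessionid= path parameter.
    m = re.search(r";jsessionid=([^;?#/]+)", uri, re.IGNORECASE)
    if m:
        ids.add(m.group(1))
    return ids

def context_root(uri):
    """Assumption: each application is deployed at its first path segment."""
    path = re.split(r"[;?#]", uri, maxsplit=1)[0]
    segments = [s for s in path.split("/") if s]
    return "/" + segments[0] if segments else "/"

def shared_session_ids(log_text):
    """Map each session ID seen under more than one context root to those roots."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip records that do not fit the assumed layout
        for sid in session_ids(m["uri"], m["cookies"]):
            seen[sid].add(context_root(m["uri"]))
    return {sid: sorted(roots) for sid, roots in seen.items() if len(roots) > 1}

if __name__ == "__main__":
    for sid, roots in shared_session_ids(SAMPLE_LOG).items():
        print(f"{sid} presented to {', '.join(roots)}")
```
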

Cause
