JSESSIONID Is Reused Between Different Applications in WebLogic Server
Last updated on MAY 15, 2017
Applies to: Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.
***Checked for relevance on 1-Dec-2015***
The customer has two applications, say A and B, deployed in a single WebLogic Server domain. Application A starts and uses an HttpSession. One of the servlets in application A obtains a RequestDispatcher and forwards a request it has received to a servlet in a different web application (B). Because A and B are different web applications, they should not share the same session scope. However, the JSESSIONID in application B re-uses the same JSESSIONID value as the session that was created by application A.
This breaks logic in the Forms application, which checks for the existence of an HttpSession to differentiate between requests that need initialization (which creates HTTP session values to be used by future requests) and requests that are a continuation of the same logical "Forms" session (which are expected to re-use session values already set).
The existence of the unexpected JSESSIONID appears to cause the logic in the Forms session to fail to initialize (or fools multiple "Forms sessions" into overwriting session values on which previous Forms sessions depend), which results in errors. For example, the error message seen by the end user (browser) when this issue occurs might be:
The very same application logic worked under Application Server 10.1.3.x where OC4J was the J2EE container.
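The cross-context forward and the session-existence check described above can be sketched as follows. This is an added example, not code from the Oracle note or the customer's applications. The context path `/appB`, the servlet path `/forms`, the class names and the `appB.forms.initialized` attribute are assumptions, and the marker-attribute check is an illustrative alternative, not the note's documented resolution.

```java
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Application A: creates its own session, then forwards into application B.
class ForwardingServletA extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession sessionA = req.getSession(true);
        log("A session id=" + sessionA.getId());
        // "/appB" and "/forms" are assumed names. getContext() returns null
        // when the container does not permit cross-context access.
        ServletContext ctxB = getServletContext().getContext("/appB");
        if (ctxB == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND, "appB not reachable");
            return;
        }
        ctxB.getRequestDispatcher("/forms").forward(req, resp);
    }
}

// Application B: decides whether the request needs initialization.
class FormsServletB extends HttpServlet {
    private static final String INIT_MARKER = "appB.forms.initialized"; // assumed name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Fragile: treats any existing session as "already initialized".
        boolean continuationBySession = req.getSession(false) != null;
        // Alternative: key the decision on state that B itself stored.
        HttpSession s = req.getSession(true);
        boolean continuationByMarker = Boolean.TRUE.equals(s.getAttribute(INIT_MARKER));
        log("B session id=" + s.getId() + " isNew=" + s.isNew()
                + " bySession=" + continuationBySession
                + " byMarker=" + continuationByMarker);
        if (!continuationByMarker) {
            s.setAttribute(INIT_MARKER, Boolean.TRUE); // per-session setup goes here
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(continuationByMarker ? "continue" : "initialized");
    }
}
```

Comparing the session ids logged by A and B, together with `isNew` and the two continuation flags, shows whether B is deciding on a session it did not initialize.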