ISE 1.1 - switch ignores "Session-Timeout"

Hi all,
I'm playing around with the ISE guest service and have some difficulty with Time Profiles.
After the guest logs in, RADIUS attributes are sent to the switch (3750G); one of them is Session-Timeout, which should be similar to 1h (DefaultOneHour).
According to the ISE logs and switch debugs, ISE did it well and this attribute was sent, but it seems that the switch simply ignores it.
May 24 07:03:11.658: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied udp 10.1.100.194(1029) -> 10.1.100.2(389), 1 packet
19:46:57: RADIUS: COA  received from id 36 10.1.100.6:64700, CoA Request, len 183
19:46:57: RADIUS/DECODE: parse unknown cisco vsa "reauthenticate-type" - IGNORE
19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid
19:46:57: RADIUS(00000000): sending
19:46:57: RADIUS(00000000): Send CoA Ack Response to 10.1.100.6:64700 id 36, len 38
19:46:57: RADIUS:  authenticator 0B 30 6E 9B DF 97 0D A0 - D9 8B A5 5A 11 39 3E 41
19:46:57: RADIUS:  Message-Authenticato[80]  18
19:46:57: RADIUS:   11 42 82 E2 52 68 DF 28 CD 43 AE 88 0C 5D 91 10            [ BRh(C]]
19:46:57: RADIUS/ENCODE(00000026):Orig. component type = Dot1X
19:46:57: RADIUS(00000026): Config NAS IP: 0.0.0.0
19:46:57: RADIUS(00000026): Config NAS IPv6: ::
19:46:57: RADIUS/ENCODE(00000026): acct_session_id: 27
19:46:57: RADIUS(00000026): sending
19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.6
19:46:57: RADIUS(00000026): Send Access-Request to 10.1.100.6:1812 id 1645/25, len 267
19:46:57: RADIUS:  authenticator 6D 92 DC 77 87 47 DA 8E - 7D 6B DD DD 18 BE DC 33
19:46:57: RADIUS:  User-Name           [1]   14  "0016d329042f"
19:46:57: RADIUS:  User-Password       [2]   18  *
19:46:57: RADIUS:  Service-Type        [6]   6   Call Check                [10]
19:46:57: RADIUS:  Vendor, Cisco       [26]  31
19:46:57: RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
19:46:57: RADIUS:  Framed-IP-Address   [8]   6   10.1.100.194
19:46:57: RADIUS:  Framed-MTU          [12]  6   1500
19:46:57: RADIUS:  Called-Station-Id   [30]  19  "00-24-F9-2D-83-87"
19:46:57: RADIUS:  Calling-Station-Id  [31]  19  "00-16-D3-29-04-2F"
19:46:57: RADIUS:  Message-Authenticato[80]  18
19:46:57: RADIUS:   AD EB 99 4A F2 B9 4E BB 2E B3 E2 04 BE 5B 0C 72             [ JN.[r]
19:46:57: RADIUS:  EAP-Key-Name        [102] 2   *
19:46:57: RADIUS:  Vendor, Cisco       [26]  49
19:46:57: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A01280100000016043E0D23"
19:46:57: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
19:46:57: RADIUS:  NAS-Port            [5]   6   50107
19:46:57: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/7"
19:46:57: RADIUS:  Called-Station-Id   [30]  19  "00-24-F9-2D-83-87"
19:46:57: RADIUS:  NAS-IP-Address      [4]   6   10.1.100.1
19:46:57: RADIUS(00000026): Sending a IPv4 Radius Packet
19:46:57: RADIUS(00000026): Started 5 sec timeout
19:46:57: RADIUS: Received from id 1645/25 10.1.100.6:1812, Access-Accept, len 272
19:46:57: RADIUS:  authenticator F1 5F 57 72 FD 80 95 20 - 46 47 B5 CE DF 63 6E 1A
19:46:57: RADIUS:  User-Name           [1]   19  "[email protected]"
19:46:57: RADIUS:  State               [24]  40
19:46:57: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 41  [ReauthSession:0A]
19:46:57: RADIUS:   30 31 32 38 30 31 30 30 30 30 30 30 31 36 30 34  [0128010000001604]
19:46:57: RADIUS:   33 45 30 44 32 33            [ 3E0D23]
19:46:57: RADIUS:  Class               [25]  49
19:46:57: RADIUS:   43 41 43 53 3A 30 41 30 31 32 38 30 31 30 30 30  [CACS:0A012801000]
19:46:57: RADIUS:   30 30 30 31 36 30 34 33 45 30 44 32 33 3A 69 73  [00016043E0D23:is]
19:46:57: RADIUS:   65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 37   [ e/124036791/297]
19:46:57: RADIUS:  Session-Timeout     [27]  6   2940
19:46:57: RADIUS:  Termination-Action  [29]  6   0
19:46:57: RADIUS:  Message-Authenticato[80]  18
19:46:57: RADIUS:   26 46 2C B6 75 95 AF 37 E6 3B B1 CB F2 70 E0 8D           [ &F,u7;p]
19:46:57: RADIUS:  Vendor, Cisco       [26]  72
19:46:57: RADIUS:   Cisco AVpair       [1]   66  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-Contractors-ACL-4fbcd736"
19:46:57: RADIUS:  Vendor, Cisco       [26]  42
19:46:57: RADIUS:   Cisco AVpair       [1]   36  "profile-name=Microsoft-Workstation"
19:46:57: RADIUS(00000026): Received from id 1645/25
19:46:57: RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
May 24 07:03:19.132: %MAB-5-SUCCESS: Authentication successful for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23
May 24 07:03:19.132: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23
May 24 07:03:19.140: %EPM-6-POLICY_REQ: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| EVENT APPLY
May 24 07:03:19.165: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACL-4fbcd736| EVENT DOWNLOAD-REQUEST
19:46:57: RADIUS/ENCODE(00000000):Orig. component type = Invalid
19:46:57: RADIUS(00000000): Config NAS IP: 0.0.0.0
19:46:57: RADIUS(00000000): sending
19:46:57: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.6
19:46:57: RADIUS(00000000): Send Access-Request to 10.1.100.6:1812 id 1645/26, len 144
19:46:57: RADIUS:  authenticator 1A 52 18 C5 25 A7 5C DC - 29 C9 5C 7C C5 B3 FC 58
19:46:57: RADIUS:  NAS-IP-Address      [4]   6   10.1.100.1
19:46:57: RADIUS:  User-Name           [1]   38  "#ACSACL#-IP-Contractors-ACL-4fbcd736"
19:46:57: RADIUS:  Vendor, Cisco       [26]  32
19:46:57: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
19:46:57: RADIUS:  Vendor, Cisco       [26]  30
19:46:57: RADIUS:   Cisco AVpair       [1]   24  "aaa:event=acl-download"
19:46:57: RADIUS:  Message-Authenticato[80]  18
19:46:57: RADIUS:   2B 6B 13 37 0D 25 11 E9 6A 56 35 D8 91 9F EF F0           [ +k7?jV5]
19:46:57: RADIUS(00000000): Sending a IPv4 Radius Packet
19:46:57: RADIUS(00000000): Started 5 sec timeout
May 24 07:03:19.191: %SEC-6-IPACCESSLOGP: list ACL-DEFAULT denied tcp 10.1.100.194(2125) -> 10.1.100.6(8443), 1 packet
19:46:57: RADIUS: Received from id 1645/26 10.1.100.6:1812, Access-Accept, len 359
19:46:57: RADIUS:  authenticator 31 B0 73 93 CA 0E 5C 7C - 11 29 AA 57 6C A1 53 D8
19:46:57: RADIUS:  User-Name           [1]   38  "#ACSACL#-IP-Contractors-ACL-4fbcd736"
19:46:57: RADIUS:  State               [24]  40
19:46:57: RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 30 61  [ReauthSession:0a]
19:46:57: RADIUS:   30 31 36 34 30 36 30 30 30 30 30 30 35 44 34 46  [0164060000005D4F]
19:46:57: RADIUS:   42 44 44 44 33 37            [ BDDD37]
19:46:57: RADIUS:  Class               [25]  49
19:46:57: RADIUS:   43 41 43 53 3A 30 61 30 31 36 34 30 36 30 30 30  [CACS:0a016406000]
19:46:57: RADIUS:   30 30 30 35 44 34 46 42 44 44 44 33 37 3A 69 73  [0005D4FBDDD37:is]
19:46:57: RADIUS:   65 2F 31 32 34 30 33 36 37 39 31 2F 32 39 38   [ e/124036791/298]
19:46:57: RADIUS:  Termination-Action  [29]  6   1
19:46:57: RADIUS:  Message-Authenticato[80]  18
19:46:57: RADIUS:   80 EF 5B 80 76 F1 C9 37 0B 25 34 37 10 57 CC 44          [ [v7?47WD]
19:46:57: RADIUS:  Vendor, Cisco       [26]  47
19:46:57: RADIUS:   Cisco AVpair       [1]   41  "ip:inacl#1=permit udp any any eq domain"
19:46:57: RADIUS:  Vendor, Cisco SW3750-1# [26]  48
19:46:57: RADIUS:   Cisco AVpair       [1]   42  "ip:inacl#2=permit ip any host 10.1.100.6"
19:46:57: RADIUS:  Vendor, Cisco       [26]  57
19:46:57: RADIUS:   Cisco AVpair       [1]   51  "ip:inacl#3=deny ip any 10.0.0.0 0.255.255.255 log"
19:46:57: RADIUS:  Vendor, Cisco       [26]  36
19:46:57: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#4=permit ip any any"
19:46:57: RADIUS(00000000): Received from id 1645/26
May 24 07:03:19.216: %EPM-6-AAA: POLICY xACSACLx-IP-Contractors-ACSW3750-1#SW3750-1#SW3750-1#L-4fbcd736| EVENT DOWNLOAD-SUCCESS
May 24 07:03:19.216: %EPM-6-POLICY_APP_SUCCESS: IP 10.1.100.194| MAC 0016.d329.042f| AuditSessionID 0A01280100000016043E0D23| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-Contractors-ACL-4fbcd736| RESULT SUCCESS
May 24 07:03:20.147: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0016.d329.042f) on Interface Gi1/0/7 AuditSessionID 0A01280100000016043E0D23
19:46:58: RADIUS/ENCODE(00000026):Orig. component type = Dot1X
19:46:58: RADIUS(00000026SW3750-1#SW3750-1#SW3750-1#SW3750-1#): Config NAS IP: 0.0.0.0
19:46:58: RADIUS(00000026): Config NAS IPv6: ::
19:46:58: RADIUS/ENCODE: Best Local IP-Address 10.1.100.1 for Radius-Server 10.1.100.6
19:46:58: RADIUS(00000026): Sending a IPv4 Radius Packet
19:46:58: RADIUS(00000026): Started 5 sec timeout
19:46:58: RADIUS: Received from id 1646/35 10.1.100.6:1813, Accounting-response, len 38
SW3750-1#
SW3750-1#sh authe sess int g 1/0/7
 Interface:  GigabitEthernet1/0/7
 MAC Address:  0016.d329.042f
 IP Address:  10.1.100.194
 User-Name:  [email protected]
 Status:  Authz Success
 Domain:  DATA
 Security Policy:  Should Secure
 Security Status:  Unsecure
 Oper host mode:  multi-auth
 Oper control dir:  both
 Authorized By:  Authentication Server
 Vlan Group:  N/A
 ACS ACL:  xACSACLx-IP-Contractors-ACL-4fbcd736
 Session timeout:  N/A
 Idle timeout:  N/A
 Common Session ID:  0A01280100000016043E0D23
 Acct Session ID:  0x0000001B
 Handle:  0x2F000017
Runnable methods list:
 Method   State
 mab      Authc Success
 dot1x    Not run
SW3750-1#
Has anyone encountered a similar thing?
I tried 12.2(58) and now I'm testing
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(1)SE2, RELEASE SOFTWARE (fc3)
but in both cases it is similar.
regards
Przemek

Hi Sebastian,
Thx a lot, those 2 commands solved the issue, my mistake. Now I can see the remaining time for the session:
SW3750-1#sh auth sess int g1/0/7
 Interface:  GigabitEthernet1/0/7
 MAC Address:  0016.d329.042f
 IP Address:  10.1.100.194
 User-Name:  [email protected]
 Status:  Authz Success
 Domain:  DATA
 Security Policy:  Should Secure
 Security Status:  Unsecure
 Oper host mode:  multi-auth
 Oper control dir:  both
 Authorized By:  Authentication Server
 Vlan Group:  N/A
 ACS ACL:  xACSACLx-IP-Contractors-ACL-4fbcd736
 Session timeout:  28800s (server), Remaining: 28780s
 Timeout action:  Terminate
 Idle timeout:  N/A
 Common Session ID:  0A012801000000221DE0F555
 Acct Session ID:  0x0000002B
 Handle:  0x99000023
Runnable methods list:
 Method   State
 mab      Authc Success
 dot1x    Not run
regards
Przemek
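
A way to check for the symptom in this thread automatically, as an added example that is not part of the original posts: it pulls Session-Timeout (attribute 27) out of the Access-Accept packets in a RADIUS debug and compares it with the "Session timeout" field of the switch's authentication session output. The function names and the sample text are constructed for illustration, and treating a source other than "server" in that field as a locally configured timer is an assumption.

```python
import re

# RADIUS attribute type numbers (RFC 2865), printed in brackets by the debug.
USER_NAME, SESSION_TIMEOUT, TERMINATION_ACTION = 1, 27, 29

PACKET_RE = re.compile(r"RADIUS(?:\([0-9A-Fa-f]+\))?:\s+(?:Send|Sending|Received|COA)\b")
ACCEPT_RE = re.compile(r"RADIUS: Received from id (\S+) \S+, Access-Accept")
ATTR_RE = re.compile(r"RADIUS:\s+([A-Za-z][\w-]*?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$")
TIMEOUT_RE = re.compile(r"(\d+)s \((\w+)\)")

# Constructed samples, abridged to the format of the output quoted in the thread.
SAMPLE_DEBUG = """\
19:46:57: RADIUS(00000026): Send Access-Request to 10.1.100.6:1812 id 1645/25, len 267
19:46:57: RADIUS:  User-Name           [1]   14  "0016d329042f"
19:46:57: RADIUS: Received from id 1645/25 10.1.100.6:1812, Access-Accept, len 272
19:46:57: RADIUS:  User-Name           [1]   7   "guest"
19:46:57: RADIUS:  Session-Timeout     [27]  6   2940
19:46:57: RADIUS:  Termination-Action  [29]  6   0
19:46:57: RADIUS:  Message-Authenticato[80]  18
19:46:57: RADIUS(00000026): Received from id 1645/25
19:46:57: RADIUS: Received from id 1645/26 10.1.100.6:1812, Access-Accept, len 359
19:46:57: RADIUS:  User-Name           [1]   25  "#ACSACL#-IP-EXAMPLE-ACL"
19:46:57: RADIUS:  Termination-Action  [29]  6   1
"""
SHOW_BEFORE = """\
SW3750-1#sh auth sess int g1/0/7
 Interface:  GigabitEthernet1/0/7
 Status:  Authz Success
 Session timeout:  N/A
 Idle timeout:  N/A
"""
SHOW_AFTER = SHOW_BEFORE.replace("N/A\n Idle", "2940s (server), Remaining: 2920s\n Idle")


def parse_access_accepts(debug_text):
    """Return one dict per Access-Accept: packet id plus attributes keyed by type."""
    accepts, current = [], None
    for line in debug_text.splitlines():
        line = line.rstrip()
        if PACKET_RE.search(line):
            # Any packet header ends the previous packet; only Access-Accepts are kept.
            m = ACCEPT_RE.search(line)
            current = {"id": m.group(1), "attrs": {}} if m else None
            if current is not None:
                accepts.append(current)
            continue
        m = ATTR_RE.search(line)
        if current is not None and m:
            num, value = int(m.group(2)), m.group(4).strip()
            if num in (SESSION_TIMEOUT, TERMINATION_ACTION) and value[:1].isdigit():
                value = int(value.split()[0])
            current["attrs"][num] = value
    return accepts


def parse_auth_session(show_text):
    """Turn 'Key:  value' lines of the session output into a dict."""
    fields = {}
    for line in show_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def check_session_timeout(accepts, session):
    """Classify whether the server-sent Session-Timeout reached the port session."""
    # The dACL download is a second Access-Accept whose User-Name is the ACL name.
    endpoint = [a for a in accepts
                if not str(a["attrs"].get(USER_NAME, "")).lstrip('"').startswith("#ACSACL#")]
    sent = [a["attrs"][SESSION_TIMEOUT] for a in endpoint if SESSION_TIMEOUT in a["attrs"]]
    if not sent:
        return "not-sent"      # server never supplied a timeout
    m = TIMEOUT_RE.match(session.get("Session timeout", "N/A"))
    if m is None:
        return "ignored"       # sent by the server, but the session shows N/A
    if m.group(2) != "server":
        return "local-timer"   # assumption: timer came from local config instead
    return "applied" if int(m.group(1)) == sent[-1] else "mismatch"


if __name__ == "__main__":
    accepts = parse_access_accepts(SAMPLE_DEBUG)
    for label, text in (("before", SHOW_BEFORE), ("after", SHOW_AFTER)):
        print(label, check_session_timeout(accepts, parse_auth_session(text)))
```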

Similar Messages

  • AppFabric 1.1 with Windows 7 losing or abandoning sessions and ignoring the timeout settings

    Hi,
    We have an enterprise financial web solution using aspx and AppFabric 1.1 and we have an issue with sessions, as they get abandoned or AppFabric is ignoring the timeout settings.
    I tried almost everything: use SQL and XML configuration, deactivate firewalls, ensure all sessions are set to 20 minutes expiration. We have the AppFabric settings in the web.config and our project is multilayer, but sessions are mainly created/consumed at the web project level.
    We use AppFabric 1.1 with Sql Server 2008R2 over a Windows7 x64 environment.
    I also tried all the options using the PowerShell command: get-command -module DistributedCacheAdministration. I increased the TTL to 38 mins but still nothing makes any difference. Sessions are lost between ~5 to 10 minutes no matter if you are playing with the solution or you left it aside.
    Please help. I really appreciate any suggestion, idea, recommendation.
    Hernan Bogantes
    Florida.

    Note the provider type in AF 1.1 is 
    type="Microsoft.Web.DistributedCache.DistributedCacheSessionStateStoreProvider,Microsoft.Web.DistributedCache"
    which is different from the type in 1.0:
    type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider"
    https://msdn.microsoft.com/en-us/library/hh361709(v=azure.10).aspx

  • ISE 1.2 Guest Access session expired

    We have set up the ISEs to allow wired guest users to logon with CWA but every time we get
    "Your session has expired. Sign on again".
    We successfully get to the portal and can logon, change password, accept conditions but then we just get the session expired page.
    From the switch (some data redacted for privacy):
    sw01#sh auth ses int f0/1
                Interface:  FastEthernet0/1
              MAC Address:  0021.xxda.xx28
               IP Address:  xxx.xx.40.45
                User-Name:  00-21-xx-DA-xx-28
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  901
                  ACS ACL:  xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8
         URL Redirect ACL:  dot1x_WEBAUTH-REDIRECT
             URL Redirect:  https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1262FB000000FA0FCEFDB8
          Acct Session ID:  0x000001CF
                   Handle:  0x370000FB
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    The ISE reports a failed login
    Event
    5418 Guest Authentication Failed
    Failure Reason
    86017
    Now the reason appears to be that the guest portal being accessed is on an ISE in our DMZ but the RADIUS/MAB authentication is done by our internal ISEs (all ISEs are part of the same cluster however). This is because the NAD is a switch and its management interface is on the inside of the network while the guest VLAN is in a DMZ. If we authenticate the RADIUS and guest on the same ISE (by breaking routing/security) then the access is granted and it all works correctly.
    We are summarising that the session ID sent by the RADIUS ISE server is not available to the Guest Portal ISE server so the session ID does not exist in the session cache.
    So does the guest portal ISE server have to be the same ISE server that does the RADIUS/MAB session generation? There is no obvious way to tie a FQDN (e.g. guest.ourdomain.com) to the ISE used by the NAD.
    Should the session ID not be shared across all enforcement nodes?
    Any other ideas or thoughts?
    Chris Davis

    Thanks Jan, do you know if this is by design, even across nodes in node groups?  I'm guessing that Bug CSCul10677 is the same issue.
    Thing is, it rather makes the CWA static IP/Hostname option redundant/useless in a resilient configuration. It also means that the NAD must use the guest network for dot1x traffic or that the guest network must be able to route over/into the internal network, neither of which appear to be ideal from a security perspective...

  • Dot1x session timeout issue

    Hi
    Currently we have an issue with our new dot1x authenticated WLAN. The clients get disconnected when the session timeout expires. As I have discussed with TAC, the session timeout forces the client to reauth against RADIUS but should not disassoc him (for non-dot1x-SSIDs it will actually disassoc you by design).
    Each time a client is ejected the following message is produced:
    May 10 09:59:20 xxx *Dot1x_NW_MsgTask_0: May 10 09:59:21.014: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:848 Received EAPOL-key M2 msg has invalid information when mobile is in START  state - invalid secure bit; KeyLen 24, Key type 1, client xxx
    A workaround is either to:
    a) Disable session timeout (but we need to check for revoked certs)
    b) Switch from WPA2 to WPA(1)
    So far I've tested with:
    - Win7 and Centrino 6205 (newest driver)
    - Same laptop and some random Realtek USB-Stick
    - Same laptop complete new and blank Windows install (without McAfee HIPS & AV) and both NICs
    - Also an ancient LAP1231, currently this is a 3502
    The interesting part is that we don't seem to have any issues with Ubuntu and Android clients and also an iPad seems to work fine. We are currently running 7.0.240.0, but I also tested with 7.4.103.6 (dev release). The ACS is running 5.2 and acknowledges the client fine during reassoc, but for some reason the controller disconnects him.
    There are no strange messages in the Windows event log. Do you have any idea what is causing this? A colleague of mine is facing the same issue at a different company. TAC seems to be stumped, unfortunately.

    After some months of playing with TAC we found the issue: It was wrong of TAC to suggest increasing the EAPOL-Key Timeout. Actually you have to lower this timeout, because it initiates the retransmission of the EAPOL-key request.
    It looks like Win7 changed the behavior somehow (Win XP works fine) and has a more aggressive timeout. Also the first try always fails for some reason still unknown. When the timeout is too large Win 7 disassocs before the controller has a chance to retransmit. I have lowered the value to 400ms and increased the repeat count, which keeps the clients stable again.
    Case is still going on to find out why the first try to reauth fails, something with invalid MIC in M2? My current EAP settings are:
    EAP-Identity-Request Timeout (seconds)........... 5
    EAP-Identity-Request Max Retries................. 3
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 5
    EAP-Request Max Retries.......................... 3
    EAPOL-Key Timeout (milliseconds)................. 400
    EAPOL-Key Max Retries............................ 4
    EAP-Broadcast Key Interval....................... 3600
    This also got me thinking about the other timeouts and I decreased those as well. Take the EAP-Identity-Request Timeout. If you set it to 30 seconds and the first packet is lost somehow then the client needs to wait 30 seconds for auth, that does not make sense.
    https://supportforums.cisco.com/docs/DOC-12110

  • Re: [iPlanet-JATO] Re: session timeout when not submitting to a handler

    Mark--
    I know what's happening here, but am curious about your approach. You said
    in an earlier email that you were generating links directly to JSPs, but
    from what you are describing, you are generating JATO-style links to access
    JATO pages. Nothing wrong with that, but there is a significant difference.
    Actually, it just occurred to me, I'm wondering what your URLs look like.
    The way the request dispatching works in JATO is it ignores anything after
    an initial "." in the final part of the URL path. For example, a request
    for "/myapp/module1/MyPage.jsp" doesn't actually try to hit the JSP, instead
    it tries to hit the JATO page "/myapp/module1/MyPage".
    The end result is that you may think you are accessing a JSP directly, but
    are instead accessing a JATO page. The reason the request dispatching works
    this way is because it is illegal to access JATO JSPs directly, and there is
    actually a (disabled) JATO feature that piggybacks on the use of the
    dot-delimited URL.
    So, now I need to understand your intent. I wasn't really sure why you were
    generating direct JSP/page links to begin with. This works against the Type
    II architecture JATO uses, in which all JATO requests go back to the
    controller servlet.
    If you are trying to design something like a menu page, you may have thought
    that it was burdensome to create a number of HREF children, plus implement
    event handlers for each of them. This definitely would be burdensome beyond
    just a handful of links, but this is why JATO provides other mechanisms for
    doing what I'll call here "polymorphic HREFs".
    Assuming this menu page scenario, the easiest thing to do is to simply use
    one HREF child on the page, and add a value to it each time it is rendered
    that distinguishes it from the other instances on the page. In your event
    handler for the HREF, you simply check this value and use it to decide which
    page to forward to. You can add a value to an HREF or Button by using the
    "addExtraValue()" method. Or, if you are using JATO 1.2, you can add extra
    query string NVPs right in the JSP document using the "queryParams"
    attribute of the <jato:href> tag. Thus, your one HREF child and event
    handler become "polymorphic" because what they do depends on the context in
    which they are invoked.
    Now, I still don't have confirmation that this is what you were trying to
    do, so until I do, let me explain the exception you're seeing. JATO assumes
    that when a request comes in for a page that includes the pageAttributes
    NVP, it is a request coming from a previously generated JATO page. Because
    of the way JATO works, this means that the request dispatching code should
    send the request back to the originally rendered page. For example, if Page
    A renders an HREF, which the user then activates, JATO sends the request
    back to Page A for handling. All of the HREFs and forms generated during
    rendering of Page A actually refer back to Page A, regardless of where those
    links or buttons actually pass the request in their event handlers/Command
    objects.
    So, what's happening when you include the pageAttributes in your HREFs is
    that JATO is assuming that a request is being sent to the target page, with
    the assumption that the target page has a mechanism in place to handle the
    request. This assumption relies on the specification of the "originator" of
    the request being specified in the request. For links/HREFs, the name and
    value of the HREF is sent along with the request. For forms, the name and
    value of the button that was pressed are sent in the request. JATO uses the
    presence of these name/value pairs to decide which event handler, or which
    Command object, to invoke to handle the request.
    The exception you are receiving is saying that there was no object on the
    target page that indicated it could handle the request. This is to be
    expected, since you have not specified a query parameter that indicates
    which CommandField child is responsible for the request. However, this is where
    I see the disconnect, because that is not what I believe you were trying to
    do (as explained above).
    So now, given all the information above, can you tell me what you're trying
    to accomplish, and whether or not the info I've given you has helped you to
    design a mechanism more in line with a JATO approach? If not, given that I
    understand what you're trying to do, I can offer a more concrete solution.
    Todd
    ----- Original Message -----
    From: <Mark_Dubinsky@p...>
    Sent: Monday, November 05, 2001 2:54 PM
    Subject: [iPlanet-JATO] Re: session timeout when not submitting to a handler
    This is the exception we get:
    (And BTW, leaving a blank value for the pageAttributes doesn't help)
    [05/Nov/2001 17:49:18:4] error: <portalServlet.processRequest>
    javax.servlet.ServletException: The request was not be handled by the specified handler
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled Code)
    at javax.servlet.ServletException.<init>(ServletException.java:107)
    at com.putnaminvestments.common.jato.ApplicationServletBase.dispatchRequest(Compiled Code)
    at com.putnaminvestments.common.jato.ApplicationServletBase.processRequest(Compiled Code)
    at com.putnaminvestments.bp.portal.portalServlet.processRequest(Compiled Code)
    at com.putnaminvestments.common.jato.ApplicationServletBase.doPost(Compiled Code)
    at com.putnaminvestments.common.jato.ApplicationServletBase.doGet(Compiled Code)
    at javax.servlet.http.HttpServlet.service(Compiled Code)
    at com.putnaminvestments.bp.bpServletBase.service(Compiled Code)
    at javax.servlet.http.HttpServlet.service(Compiled Code)
    at com.netscape.server.servlet.servletrunner.ServletInfo.service(Compiled Code)
    at com.netscape.server.servlet.servletrunner.ServletRunner.execute(Compiled Code)
    at com.kivasoft.applogic.AppLogic.execute(Compiled Code)
    at com.kivasoft.applogic.AppLogic.execute(Compiled Code)
    at com.kivasoft.thread.ThreadBasic.run(Native Method)
    at com.kivasoft.thread.ThreadBasic.run(Native Method)
    at com.kivasoft.thread.ThreadBasic.run(Native Method)
    at com.kivasoft.thread.ThreadBasic.run(Native Method)
    at com.kivasoft.thread.ThreadBasic.run(Compiled Code)
    at java.lang.Thread.run(Compiled Code)
    --- In iPlanet-JATO@y..., "Todd Fast" <Todd.Fast@S...> wrote:
    Mark--
    Initially we tried to add the pageAttributes NVP as well, but that was
    causing an exception, so we stopped doing that.
    That's odd--what was the exception?
    Our problem now is that when the Session times out it does not go to
    onSessionTimeout method as in processRequestMethod of the
    ApplicationServletBase it looks for pageAttributes. If it is not null
    then only onSessionTimeOut method is called.
    This is sadly the only technique for determining if a session has timed out
    and a new one been created, versus the initial creation of the session.
    Is there any work around for this? Maybe you can suggest how to pass
    the pageAttributes without causing the initial exception?
    Definitely--let me know what the exception was and I'll be able to suggest
    something. However, it shouldn't really be any harder than appending a
    "jato.pageAttributes=" empty NVP on the HREF.
    Todd
    Todd Fast
    Senior Engineer
    Sun/Netscape Alliance
    todd.fast@s...
    For more information about JATO, please visit:
    http://developer.iplanet.com/tech/appserver/framework/index.jsp

    OK, here's what I'm trying to do: We have, like you said, a menu
    page. The pages that it goes to and the number of links are all
    variable and read from the database. In NetD we were able to create
    URLs in the form
    pgXYZ?SPIDERSESSION=abcd
    so this is what I'm trying to replicate here. So the URL that works is
    pgContactUs?GXHC_GX_jst=fc7b7e61662d6164&GXHC_gx_session_id_=cc9c6dfa5601afa7
    which I interpreted to be the equivalent of the old Netd way. Our
    javascript also loads other frames of the page in the same manner.
    And I believe the URL-rewritten frame sources of a frameset look like
    this too.
    This all worked except for the timeout problem. In theory we could
    rewrite all URLs to go to a handler, but that would be...
    inconvenient.

  • Session Timeout Thoughts

    I saw a post from awhile ago that you can't change the session timeout in iTunes U. Is this still true?
    Our users are having timeout issues and we have an unfortunately lengthy login process to get back into iTunes U so I had some thoughts on the Site Login URL.
    We use a portal to authenticate our users who then click an SSO link to take them to a jump page that assembles their credentials and generates an SSO link into iTunes U. I'd really like to avoid having to go back through the portal to get users back into iTunes.
    What if, instead of passing just the destination back to the site login URL, iTunes U passed a full SSO link. This way, I can just point my site login URL to the jump page. The jump page can then parse the SSO link to verify the user's credentials and just create a new SSO link right back into iTunes U, almost transparently to the users.
    Are there any better options to solve this problem? I know this would require some modification on the iTunes U side, but it seems like it'd solve some problems.
    Thanks
    Jason

    Hi Jason,
    I don't think I did a good job at explaining what I'm trying to get at. Sorry, let me try another way.
    The problem is not one of security necessarily. If you get a signature back from Apple, sure, your jump site can verify that Apple sent you warnings about sessions that are about to timeout. The problem is that Apple cannot distinguish our local users from the identity and credentials we send. It might seem that way in specific instances (because some sites have an elaborate identity/credentialling scheme), but it is not true in the general case. It is entirely possible that scores of people can share exactly the same identity/credential info ... that is totally legal in the iTunes U world (and why I urge people not to think of "users" and "accounts" whenever they think iTunes U). For example, lessay I have a site that has a very simple credentialling scheme, say ...
    Administrator@urn:mace:itunesu.com:sites:uic.edu
    Instructor@urn:mace:itunesu.com:sites:uic.edu
    Student@urn:mace:itunesu.com:sites:uic.edu
    Authenticated@urn:mace:itunesu.com:sites:uic.edu
    Unauthenticated@urn:mace:itunesu.com:sites:uic.edu
    All@urn:mace:itunesu.com:sites:uic.edu
    Further, let's say that I "anonymize" my users by sending no identity info to Apple. So if Apple sends my jump site the following:
    credentials=Student@urn:mace:itunesu.com:sites:uic.edu
    identity=
    time=123456789
    signature=stringwith_bunch_ofhex
    which one of my local users does that belong to? ... whose session should I recredential? Sure, you can make a complex credentialling scheme that narrows usage down to the specific person ... but I would urge you to think of credentials as a kind of "hall pass" ... a token that lets you into a specific place within iTunes U ... and not as a way to identify someone. Remember that Apple has to use a system that applies in the general case and what I have above is totally legal. If I want, I can obfuscate my users to be certain that only -I- know who's accessing iTunes U.
    Recall, too, the way that iTunes U is setup. Your transfer CGI sends a URL to Apple and Apple sends you back loads of HTML/JavaScript/CSS in return. Your transfer CGI passes all of it back to the end user. The heart of the HTML Apple sends is this itmss: redirect:
    itmss://deimos.apple.com/WebObjects/Core.woa/BrowsePrivately/uic.edu?
    credentialKey=1474615910&identity=2253747564656e7422203c5374756
    4656e74407569632e6564753e202853747564656e7429205b305d&time=
    1203747692&signature=32d169daa7a282f8c7efa7d4f7f7fb0dceaac507c26
    f205123473f09d6b9ef50&x=true&ignore.mscache=8974210
    That is how Apple talks to your end users. The session is private ... between Apple and your end users. The only way for you to know which session belongs to which local user is for Apple to send you that itmss link and say, in effect, "the session associated with this link is about to time out". Your jump site would have to maintain a connection between itmss links, your local users, and the credentials associated with both. But if your site is -already- caching local user/credential info, there is no need for Apple to send your creds/identity back to you.
    As ever, if my understanding is itself cloudy, I bow to Duncan. He knows all and I am happy to be corrected. Like you guys, I am here to learn.

  • Session timeout and Custom login module

    Hi,
    Dev Platform: Jdev 10.1.3.4.0, Oracle 10.2.4
    I'm trying to trap the session timeout and display a page. I'm using the code below from Frank Nimphius. I've also provided a console log of what is happening when the application times out. Instead of the filter being called the system is calling the dblogin module and attempting to login the anonymous user. I renamed the anonymous user and I just see log entries where the system attempted to find the anonymous user.
    If I use the application to logout I get a Logout page with a button to confirm the logout. When I press the button the session is invalidated and the filter code brings up my "Session Timeout" notification page. This isn't what will happen in the end but I just wanted to tell you that the filter does work in certain instances.
    How can I make the system not attempt to login the anonymous user and have the filter code run?
    TIA, Dave
    package isdbs.view.security;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class ApplicationSessionExpiryFilter implements Filter {
        private FilterConfig _filterConfig = null;

        public void init(FilterConfig filterConfig) throws ServletException {
            _filterConfig = filterConfig;
        }

        public void destroy() {
            _filterConfig = null;
        }

        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
            // ID the client sent with this request (null on the first request)
            String requestedSession = ((HttpServletRequest)request).getRequestedSessionId();
            // ID of the current session; getSession() creates one if none exists
            String currentWebSession = ((HttpServletRequest)request).getSession().getId();
            boolean sessionOk = currentWebSession.equalsIgnoreCase(requestedSession);
            // if the requested session is null then this is the first application
            // request and "false" is acceptable
            if (!sessionOk && requestedSession != null){
                // the session has expired or renewed. Redirect request
                ((HttpServletResponse) response).sendRedirect(_filterConfig.getInitParameter("SessionTimeoutRedirect"));
            }
            else{
                chain.doFilter(request, response);
            }
        }
    }

    Mar 30, 2009 9:38:04 AM oracle.security.jazn.oc4j.RealmUserAdaptor isMemberOf
    FINE: JAAS-OC4J: Membership check for group: ISDBS_USER failed for user: anonymous
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option debug = true
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option log level = log all
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option logger class = null
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option data_source_name = jdbc/elearnDS
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option user table = TBL_LOGIN
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option roles table = XREF_LOGIN_ROLE
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option username column = LOGIN_NM
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option password column = PASSWORD
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option roles column = ROLE_NM
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option user pk column = LOGIN_NM
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option roles fk column = LOGIN_NM
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option password encoding class = oracle.sample.dbloginmodule.util.DBLoginModuleClearTextEncoder
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option realm_column = null
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] option application_realm = null
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] login called on DBTableLoginModule
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] Calling callbackhandler ...
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] Username returned by callback = null
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] User query string: select LOGIN_NM,PASSWORD, LOGIN_ATTEMPTS, ACTIVE_IND from TBL_LOGIN where lower(LOGIN_NM)= lower((?))
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] Logon Successful = false
    09/03/30 09:38:04 [DBTableOraDatasourceLoginModule] Abort called on LoginModule
    Mar 30, 2009 9:38:04 AM oracle.security.jazn.oc4j.OC4JUtil doJAASLogin
    WARNING: Login Failure: all modules ignored
    javax.security.auth.login.LoginException: Login Failure: all modules ignored
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:921)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
         at oracle.security.jazn.oc4j.OC4JUtil.doJAASLogin(OC4JUtil.java:241)
         at oracle.security.jazn.oc4j.GenericUser$1.run(JAZNUserManager.java:818)
         at oracle.security.jazn.oc4j.OC4JUtil.doWithJAZNClsLdr(OC4JUtil.java:173)
         at oracle.security.jazn.oc4j.GenericUser.authenticate(JAZNUserManager.java:814)
         at oracle.security.jazn.oc4j.FilterUser.authenticate(JAZNUserManager.java:1143)
         at com.evermind.server.http.EvermindHttpServletRequest.checkAndSetRemoteUser(EvermindHttpServletRequest.java:3760)
         at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:706)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
         at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:221)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:122)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:111)
         at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
         at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
         at java.lang.Thread.run(Thread.java:595)
    Mar 30, 2009 9:38:04 AM oracle.security.jazn.oc4j.GenericUser authenticate
    FINE: JAAS-OC4J: Authentication failure for user: null
    Mar 30, 2009 9:38:04 AM oracle.security.jazn.oc4j.RealmUserAdaptor isMemberOf
    FINE: JAAS-OC4J: Membership check for group: ISDBS_USER failed for user: anonymous

    I added an HttpSessionListener. Upon login, here's what I get:
    09/03/31 08:21:25 Inside sessionCreated
    09/03/31 08:21:25 Before New session createb = 0
    09/03/31 08:21:25 Created session id: 854b4b95cf28ceb065d0489a31ee79c19feabb80716f6d828b77fc7044b210bf
    09/03/31 08:21:25 After New session count = 1
    At session timeout here's what I get:
    09/03/31 08:23:27 Count before destroyed = 1
    09/03/31 08:23:27 Destroyed session id: 854b4b95cf28ceb065d0489a31ee79c19feabb80716f6d828b77fc7044b210bf
    09/03/31 08:23:27 Count after destroyed = 0
    09/03/31 08:23:27 Inside sessionCreated
    09/03/31 08:23:27 Before New session createb = 0
    09/03/31 08:23:27 Created session id: 854b4b95cf28ceb065d0489a31ee79c19feabb80716f6d828b77fc7044b210bf
    09/03/31 08:23:27 After New session count = 1
    Notice that the session ID in each case is IDENTICAL. That is why the Filter code isn't doing what it is intended to do. Why is the same session ID being created after it is destroyed? Is there a configuration parameter that controls it?
    Thanks,
    Dave
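The ID comparison in the filter above cannot flag an expiry when the replacement session carries the same ID as the one that was destroyed, which is what the listener output shows. The following is an added example, not code from the original post or from Frank Nimphius: a filter that asks the container whether the presented ID is still valid instead of comparing IDs. The class and package names are hypothetical, and it assumes the `SessionTimeoutRedirect` init-param is a context-relative path and that nothing earlier in the request (such as container authentication) has already created a session.

```java
package example.security; // hypothetical package for this added example

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class). Decides "session expired" from the
 * container's validity flag, so the decision does not depend on the new
 * session receiving a different ID from the one that timed out.
 */
public class SessionValidityExpiryFilter implements Filter {
    // Assumption: the init-param is a context-relative path such as "/timeout.jsp".
    private String timeoutPath;

    public void init(FilterConfig filterConfig) throws ServletException {
        timeoutPath = filterConfig.getInitParameter("SessionTimeoutRedirect");
        if (timeoutPath == null || !timeoutPath.startsWith("/")) {
            throw new ServletException(
                "SessionTimeoutRedirect must be a context-relative path");
        }
    }

    public void destroy() {
        timeoutPath = null;
    }

    /** True when the client presented a session ID the container no longer holds. */
    static boolean presentedExpiredSession(HttpServletRequest req) {
        // Evaluate this before anything calls getSession(): once a new session
        // exists under a reused ID, that ID may be reported as valid again.
        return req.getRequestedSessionId() != null
            && !req.isRequestedSessionIdValid();
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        String target = req.getContextPath() + timeoutPath;
        // A direct request for the timeout page with a stale cookie is served,
        // not redirected to itself.
        boolean alreadyOnTimeoutPage = req.getRequestURI().equals(target);

        if (presentedExpiredSession(req) && !alreadyOnTimeoutPage) {
            // Start a fresh session so the follow-up request carries a valid ID
            // and is not redirected a second time.
            req.getSession(true);
            res.sendRedirect(res.encodeRedirectURL(target));
            return;
        }
        chain.doFilter(request, response);
    }
}
```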

  • Session Timeouts issue massively frustrating

    I am getting session timeouts when logged into my netmail & trying to compose emails. It happens constantly, sometimes immediately after logging in, sometimes 5 minutes into a session, sometimes 2 minutes into a session. It is completely random timing-wise. It kicks me all the way back out to the login and I've lost whatever I've done since the last "save to draft".
    It is extremely frustrating as you can't even get a simple 10-15 line email drafted without losing work and having to log back in.
    This issue appears to be intermittent as I've had this problem off and on for months now. It will happen for a while, then stop, then start happening again.
    As a software developer by trade, I suspect someone is occasionally re-introducing the bug by using an old piece of code as a baseline, which then eventually gets fixed, only to have that same developer re-introduce the bug again later. I noticed this issue beginning when Verizon switched over to this newer netmail system from the old one (maybe a year or so ago?).
    I'm running on IE 7, in an environment where my browser and/or network does not change so the intermittent issues can't be blamed on my environment.

    Workflow #2:
    Login to my account
    Click view all email
    Open Drafts Folder
    Open draft email response
    Select "Send" to send email (total in session time of 30 seconds)
    On screen reload, where I would expect to see some sort of indication that my email was successfully sent, instead the system throws session time out message and kicks me out.
    I have no idea if my email was successfully sent or not.
    Workflow #3:
    Login to my account
    Click view all email
    Attempted to open the first new email in my inbox (total time in session <15 seconds)
    System throws session timeout error and kicks me out to the main login.
    There is obviously something going on with your session holding code. The session variable is not being passed correctly or something but it's very, very frustrating to spend 30-45 minutes trying to type out a couple of lines, particularly when you have multiple important activities going on that you need to respond to via email.

  • Apex Version 4.2: Why doesn't the session timeout parameter settings work?

    Prior to an upgrade to Apex Version 4.2.0.00.27, we ran Apex Version 4.1 in our environment. This is on a platform using Oracle Database Enterprise Edition 11g R2 on Windows Server 2008. The session timeout parameters (set for a single application using "Shared Components" -> "Security Attributes") were set to the following:
    Maximum Session Time: 1 day
    Maximum Session Idle Time: 8 hours
    This worked with no problems in Apex 4.1; our user would leave a data entry form open for several hours, complete the data entry then submit the page. Now, with the upgrade to Apex 4.2, doing the same thing causes the system to redirect to the login page and abort any edits or new data entered into the form previously.
    I have tried to set both session parameters to ZERO (0), which the documentation explains is the equivalent of "no timeout", but that didn't work either.
    I have reset the session control parameters to what they were before the upgrade and my session times out before the time values I set (on the version 4.2 upgraded instance).
    Why were the session timeout parameters I set ignored by the system? Can anyone else out there confirm/repeat the problem I observed?

    Hi Richard,
    You probably have it OK, but the time should be in seconds.
    Kees

  • "Ignore Sessions During Shutdown" and "Graceful Shutdown Sequence"

    Hi
    I have a J2EE application consisting of WEB and EJB layers deployed on WL 8.1.
    I start the Graceful Shutdown Sequence with the Ignore Sessions During Shutdown option set. The sessionDestroyed() method of the registered HttpSessionListener is fired, but at this moment the JNDI tree is already empty, the EJB module is undeployed and the listener is not able to get to the application's EJBs.
    In the documentation (http://e-docs.bea.com/wls/docs81/adminguide/overview_lifecycle.html#1045901) Ignore Sessions During Shutdown option is explained as follows:
    "If you enable this option WebLogic Server will drop all HTTP sessions immediately, rather than waiting for them to complete or timeout."
    What does "drop" mean here? Is this some exception to Graceful Shutdown Sequence and the following excerpt from the documentation? : "During a graceful shutdown, subsystems complete in-flight work and suspend themselves in a specific sequence and in a synchronized fashion, so that back-end subsystems like JDBC connection pools are available when front-end subsystems are suspending themselves."
    Regards

    Hi,
    You can use tcodes
    SMQR --> To register a queue
    SMQS --> To register a destination in Queue Scheduler
    SMQ1 --> OutBound Queue Details
    SMQ2 --> Inbound Queue Details
    SXMB_ADMIN --> Manage Queue to register,deregister and activate the queue.
    Check the link for more details : http://help.sap.com/saphelp_nw04/helpdata/en/59/d9fa40ee14f26fe10000000a1550b0/frameset.htm
    For step details for server start/stop you can search on google for more details. And for an idea check the section Managing the SAP Start-Up Service via the SAP MMC Snap-In in the link https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/3e3fad90-0201-0010-2f91-c8907db40bfe
    Thanks!
    Edited by: sudhir tiwari on Nov 12, 2008 12:00 PM

  • Sso session timeout per partner application

    Hello,
    I was just wondering if it is possible to configure SSO session timeouts per partner application? I'm looking to log out users of a particular application after 15 minutes, but don't want this change to affect any of my other SSO enabled applications. Is this possible?
    Thanks,

    Hi,
    I do not think so; you cannot specify a special parameter for one application in SSO.
    That is because SSO is one component (within your Infra) through which you log on to different apps.
    Another solution, though it may be expensive, is to use a different infra for this specific application.
    Regards,
    Hamdy

  • Session Timeouts and SmbServer

    Hi,
    When having iFS mapped to a network drive (via SMB), the SMB server
    is unable to recover from a timeout of the LibrarySession. The network
    drive then seems to be empty and doing a refresh within explorer
    doesn't help either. The only thing that helps, is remapping the
    network drive.
    Within Node.log of iFS I see this stacktrace.
    7/10/02 9:02 AM SmbServer: oracle.ifs.common.IfsException
    oracle.ifs.common.IfsException: IFS-21000: Session is not connected or has timed-out
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled Code)
    at oracle.ifs.common.IfsException.<init>(Compiled Code)
    at oracle.ifs.common.IfsException.<init>(Compiled Code)
    at oracle.ifs.common.IfsException.<init>(Compiled Code)
    at oracle.ifs.beans.LibraryObject.verifyConnected(Compiled Code)
    at oracle.ifs.beans.Folder.findPublicObjectByPath(Compiled Code)
    at oracle.ifs.beans.FolderPathResolver.findPublicObjectByPath(Compiled Code)
    at oracle.ifs.beans.FolderPathResolver.findPublicObjectByPath(Compiled Code)
    at oracle.ifs.protocols.smb.server.DbTree$DbQuery.<init>(Compiled Code)
    at oracle.ifs.protocols.smb.server.DbTree.getQuery(Compiled Code)
    at oracle.ifs.protocols.smb.server.ComTrans.trans2FindFirst(Compiled Code)
    at oracle.ifs.protocols.smb.server.ComTrans.replyTransaction2(Compiled Code)
    at oracle.ifs.protocols.smb.server.ComTrans.process(Compiled Code)
    at oracle.ifs.protocols.smb.server.ComSmb.handleSmbMessage(Compiled Code)
    at oracle.ifs.protocols.smb.server.SmbThread.handleNbMessage(Compiled Code)
    at oracle.ifs.protocols.smb.server.SmbThread.readPackets(Compiled Code)
    at oracle.ifs.protocols.smb.server.SmbThread.run(Compiled Code)
    This behavior actually causes us big problems when editing files via MS Office.
    Fortunately Office is still able to save its data using some generated filename.
    (At least until now I could not create any data loss.)
    But then you have to close it, remap the network drive, rename the file and then
    reopen the file. This is big trouble for users who are not familiar with mapping
    network drives and renaming files with extensions.
    Is there a way to make the SmbServer keep the LibrarySession alive, as long as
    the network drive is mapped ?
    Regards,
    Jens Lorenz

  • Session Timeout Alert text is not getting displayed on web ui.

    Hello,
    In "Session Timeout Alert" pop up we are facing one issue. The pop up is getting displayed as per the value in rdisp/plugin_auto_logout parameter i.e. 1800. But the text is not getting displayed.
    I have implemented the SAP Note 1877120 also. Any inputs to resolve this issue.
    Thanks.

    Hi Sigrid,
    When we do the pre-activities related to OTR, do we need to save it in the standard namespace only? Could you guide me please?
    In the below we have Alias and package are standard.
    1.) There are 4 texts which need to be configured via SOTR_EDIT to get the translation according to the languages implemented in your CRM.
    a.) Start doing it by opening transaction SOTR_EDIT.
    b.) Change to the language you would like to use.
    c.) As ALIAS enter first CRM_IC_CMP_FRAME/SESSION_PING_TITLE. Click on Create and confirm the following dialogues.
    d.) Enter CRM_IC_CMP_FRAME as package and the object type as WAPP.
    e.) Finally enter the translation according to your language from the English version (length of text: 25):
    "Session Timeout Alert !"
    f.) Save your changes
    Repeat the steps a.) to f.) with the following aliases and options:
    Jimmi

  • How to Sync the session timeout of Portal with CMS Server

    Hi Experts,
    We have a custom application built on our portal which will launch the reports of InfoView. It works fine until the portal session times out. Whenever the session timeout occurs and I reload it, I am unable to launch the reports and get the below exception.
    com.crystaldecisions.sdk.exception.SDKException$OCAFramework: Unable to reconnect to the CMS server_ip:6400. The session has been logged off or has expired. (FWM 01002)
    Portal is configured with SSO. Please advise how to set the session timeout settings in such a way that the Portal syncs its session timeout with the CMS server.
    Thanks in Advance,
    Chinaa.

    Hi ,
    There is no such option to sync the Portal timeout with the CMS server.
    To resolve your problem, your only option is to set your CMS server timeout to the MAX value.
    Thanks
    Anil

  • How to configure a session timeout for DynPro applications?

    Hello,
    1. Where can I configure the session timeout of the DynPro applications?
    2. Can I configure a session timeout per application and how do I do that?

    Hello Heidi,
    I am not familiar with this property:
    1. Where can I configure it?
    2. Does it apply to every application at the portal?
    3. What if I would like to configure just one application?
    By the way, I have noticed that the DynPro application has an expirationTime property. The documentation says this:
    Specifies the lifetime in seconds of a Web application on the server before the Web application is terminated by the server. The value of the DefaultExpirationTime parameter of the system configuration is used as the default value.
    My question is if someone tried to use this property?
    Message was edited by: Roy Cohen
