Symptom
One or more of the following is occurring:
- Users are unable to log on to the Enterprise Portal. On login they receive the error 403 "Session fixation attack detected".
- Parallel requests performing authentication against the server: a web client unexpectedly receives a new session identifier (JSESSIONID) and loses access to the information previously stored in the session (for example, one user working in several tabs of the same browser).
- In the system's defaultTrace, the following exception can be found:
#Error#com.sap.engine.services.servlets_jsp.Security#
com.sap.ASJ.web.000781#BC-JAS-WEB#servlet_jsp#C0000A9E8A0D000F0000000000003B61#3790250000000003##com.sap.engine.services.servlets_jsp.Security#Guest#0##D541B2CB738011E2B74700000039D5AA#d541b2cb738011e2b74700000039d5aa#d541b2cb738011e2b74700000039d5aa#0#Thread[HTTP Worker [@1147054546],5,Dedicated_Application_Thread]#Plain##
The received security session id related cookie is not valid. The current request will be isolated in a new session. There might be a few reasons causing this behavior: 1) Possible session fixation hacker's attack. 2) The received security session id cookie is already outdated. One possible solution is increasing the value of the 'SecuritySessionIdGracePeriod' servlet_jsp property. For more information read SAP Note 1464914. 3) No security session id cookie is sent (over http) because it is protected via custom configuration of the http service properties 'SecuritySessionIDHTTPSProtection' and 'SystemCookiesHTTPSProtection'. Revise the configuration of the http service properties or adapt the problematic scenario accordingly.
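To make the parallel-request race behind the second and third reasons visible, here is a simplified model of security-session-id regeneration with a grace period. It is an added example written for this page, not SAP's code: the class names, the reason codes, the millisecond timestamps and the grace value used are assumptions chosen to illustrate the behaviour the trace message describes.

```python
"""Simplified model of security-session-id regeneration with a grace period.

Added example for this page, not SAP's code: the class names, the reason codes
and the millisecond timestamps are assumptions made to illustrate the race
between parallel requests that the symptom list above describes.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str                     # value handed to the client in the session cookie
    user: str | None = None      # set once the session is authenticated
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server side of the model.

    Ids are only ever generated here, so a client-supplied id the store never
    issued is simply not adopted (the session-fixation defence).  On login the
    id is regenerated; the old id keeps working for grace_ms milliseconds
    (the role the 'SecuritySessionIdGracePeriod' property plays in the trace
    message) and is then treated as outdated.
    """

    def __init__(self, grace_ms: int) -> None:
        self.grace_ms = grace_ms
        self.live: dict[str, Session] = {}
        # retired id -> (successor id, time it was retired)
        self.retired: dict[str, tuple[str, int]] = {}

    def _issue(self) -> Session:
        session = Session(secrets.token_hex(16))
        self.live[session.sid] = session
        return session

    def resolve(self, cookie: str | None, now_ms: int) -> tuple[Session, str]:
        """Map the cookie of an incoming request to a session.

        Returns (session, reason) with reason one of:
          'valid'    cookie names a live session
          'grace'    cookie is retired but still inside the grace period
          'outdated' cookie is retired and the grace period has elapsed
          'unknown'  cookie is absent or was never issued by this store
        For 'outdated' and 'unknown' the request is isolated in a fresh,
        empty session, which is what the trace message describes.
        """
        if cookie in self.live:
            return self.live[cookie], "valid"
        if cookie in self.retired:
            successor, retired_at = self.retired[cookie]
            if now_ms - retired_at <= self.grace_ms and successor in self.live:
                return self.live[successor], "grace"
            return self._issue(), "outdated"
        return self._issue(), "unknown"

    def authenticate(self, session: Session, user: str, now_ms: int) -> Session:
        """Log the user in: carry the data over to a brand-new id, retire the old one."""
        fresh = self._issue()
        fresh.user = user
        fresh.data = session.data
        del self.live[session.sid]
        self.retired[session.sid] = (fresh.sid, now_ms)
        return fresh


def two_tabs(grace_ms: int, delay_ms: int) -> tuple[str, str | None, dict]:
    """Tab A logs in at t=1000 ms; tab B, still holding the pre-login cookie,
    sends its request delay_ms later.  Returns what tab B ends up with."""
    store = SessionStore(grace_ms)
    before_login, _ = store.resolve(None, 0)      # anonymous session shared by both tabs
    before_login.data["cart"] = ["item-1"]
    store.authenticate(before_login, "alice", 1000)
    session, reason = store.resolve(before_login.sid, 1000 + delay_ms)
    return reason, session.user, session.data


def fixation_attempt(attacker_sid: str = "attacker-chosen-id") -> tuple[str, bool]:
    """An id the server never issued is not adopted, so a planted cookie
    cannot become the victim's authenticated session."""
    store = SessionStore(grace_ms=5000)
    session, reason = store.resolve(attacker_sid, 0)
    return reason, session.sid == attacker_sid


if __name__ == "__main__":
    print(two_tabs(grace_ms=0, delay_ms=200))      # tab B isolated: ('outdated', None, {})
    print(two_tabs(grace_ms=5000, delay_ms=200))   # tab B survives: ('grace', 'alice', {'cart': ['item-1']})
    print(fixation_attempt())                      # ('unknown', False)
```

In the model, widening the grace period is what lets tab B keep its data after tab A has logged in, but it also lengthens the window in which a pre-login id is still honoured after authentication, so raise it only as far as the parallel-request scenario actually needs. The third reason in the trace (the cookie withheld over plain HTTP because of SecuritySessionIDHTTPSProtection and SystemCookiesHTTPSProtection) takes the 'unknown' path here, since the server then sees no cookie at all.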
Environment
SAP NetWeaver Application Server Java
Keywords
Parallel HTTP requests handling, changed session cookies, expired authentication tokens, Session fixation, session cookies, http, https, SessionIdRegenerationEnabled, JSESSIONMARKID, KBA, BC-JAS-WEB, Web Container, HTTP, JavaMail, Servlets, Problem
About this page
This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).