SAP Knowledge Base Article - Public

3234678 - INFO Session logout issues when login with invalid JSESSION and X-CSRF-Token pair

Symptom

You wish to find out more about the session logout issues that happen from time to time when logging in to SAP SuccessFactors with an invalid JSESSION and X-CSRF-Token pair.
Example for OData v2 below:

Request A

Valid JSESSION in cookie header

Invalid X-CSRF-Token in header

Valid Basic Authorization header

Request B

Valid JSESSION in cookie header

Valid X-CSRF-Token in header

Environment

SAP SuccessFactors API
SAP SuccessFactors OData API

Reproducing the Issue

If Request A comes first, the session will be logged out in some scenarios, and the subsequent Request B will fail. You may be confused because you provided the correct JSESSION + X-CSRF-Token pair in Request B, and yet the request fails.

Additionally, please note that the behavior of OData v2 and of OData v4/REST differs slightly by design.

Cause

Intended design

Resolution

OData V2 with correct Authorization header:

  JSESSION: valid
  X-CSRF-Token or X-AJAX-Token: invalid
  Authorization header (correct): Basic, External OAuth, JWT Token
  Logout session happens? Yes
  Behavior:
    1. The Authorization header is used to log in, and the login succeeds.
    2. The old session is logged out.
    3. A new JSESSION and X-CSRF-Token pair is issued.
    4. Other requests carrying the old JSESSION and X-CSRF-Token pair are now invalid.
    5. Requests that log in with the old JSESSION and X-CSRF-Token pair will fail.

  JSESSION: valid
  X-CSRF-Token or X-AJAX-Token: invalid
  Authorization header (correct): Internal OAuth
  Logout session happens? No
  Behavior:
    1. The Authorization header is used to log in, and the login succeeds.
    2. The old session is not logged out.
    3. A new JSESSION and X-CSRF-Token pair is issued.
    4. Requests that log in with the old JSESSION and X-CSRF-Token pair will succeed.


OData V2 with wrong Authorization header:

  JSESSION: valid
  X-CSRF-Token or X-AJAX-Token: invalid
  Authorization header (wrong): Basic, External OAuth, JWT Token
  Logout session happens? Yes
  Behavior:
    1. The Authorization header is used to log in, and the login fails.
    2. The old session is logged out.
    3. Other requests carrying the old JSESSION and X-CSRF-Token pair are now invalid.
    4. Requests that log in with the old JSESSION and X-CSRF-Token pair will fail.

  JSESSION: valid
  X-CSRF-Token or X-AJAX-Token: invalid
  Authorization header (wrong): Internal OAuth
  Logout session happens? No
  Behavior:
    1. The Authorization header is used to log in, and the login fails.
    2. The old session is not logged out.
    3. Requests that log in with the old JSESSION and X-CSRF-Token pair will succeed.


OData V4/REST with correct Authorization header:

  JSESSION: valid
  X-CSRF-Token or X-AJAX-Token: no token
  Authorization header (correct): Basic, External OAuth, Internal OAuth, JWT Token
  Logout session happens? Yes
  Behavior:
    1. The Authorization header is used to log in, and the login succeeds.
    2. The old session is logged out.
    3. A new JSESSION and X-CSRF-Token pair is issued.
    4. The JSESSION and old X-CSRF-Token pair is now invalid.
    5. Requests that log in with the old JSESSION and X-CSRF-Token pair will fail.


OData V4/REST with wrong Authorization header:

  JSESSION: valid
  X-CSRF-Token or X-AJAX-Token: no token
  Authorization header (wrong): Basic, External OAuth, Internal OAuth, JWT Token
  Logout session happens? No
  Behavior:
    1. The Authorization header is used to log in, and the login fails.
    2. The old session is not logged out.
    3. Requests that log in with the old JSESSION and X-CSRF-Token pair will succeed.

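The following is an added, constructed simulation of the decision tables above, written for this article; it is not SAP SuccessFactors code and makes no network calls. It encodes the server-side rule per API flavor (OData V2 vs OData V4/REST, correct vs wrong Authorization header, authentication scheme) and then replays the Request A / Request B sequence from the Symptom section so that the "why did my correct pair fail?" outcome can be seen for every combination. The class and function names (SessionServer, replay), the scheme identifiers, and the assumption that a request whose JSESSION + X-CSRF-Token pair matches the stored session is accepted without consulting the Authorization header are all choices made for this example, not documented API behavior.

```python
"""Constructed model of the session-logout tables above (illustrative only,
not SAP SuccessFactors code). Assumption: a request whose JSESSION and
X-CSRF-Token pair matches the stored session is accepted as a normal
session request without consulting the Authorization header.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

V2 = "odata_v2"
V4 = "odata_v4_rest"

# OData V2 rows: these schemes log the old session out whenever the
# Authorization header is used to log in, whether that login succeeds or fails.
V2_LOGOUT_SCHEMES = {"basic", "external_oauth", "jwt"}


@dataclass(frozen=True)
class Request:
    jsession: Optional[str]       # value of the JSESSION cookie
    csrf: Optional[str]           # X-CSRF-Token (or X-AJAX-Token) header, None = no token
    auth_scheme: Optional[str]    # basic | external_oauth | internal_oauth | jwt | None
    auth_correct: bool = True     # are the Authorization header credentials valid?


class SessionServer:
    """Minimal server: live sessions are a JSESSION -> X-CSRF-Token mapping."""

    def __init__(self, api: str):
        self.api = api
        self.sessions: Dict[str, str] = {}
        self._ids = count(1)

    def new_session(self) -> Tuple[str, str]:
        n = next(self._ids)
        pair = (f"JSESSION-{n}", f"CSRF-{n}")   # constructed sample identifiers
        self.sessions[pair[0]] = pair[1]
        return pair

    def handle(self, req: Request) -> str:
        """Return one of: accepted, logged_in, login_failed, rejected."""
        if req.jsession in self.sessions and self.sessions[req.jsession] == req.csrf:
            return "accepted"                       # valid pair: normal session request
        if req.auth_scheme is None:
            return "rejected"                       # no pair and nothing to fall back on
        # Pair invalid or missing: the Authorization header is used to log in.
        if self.api == V2:
            logs_out_old = req.auth_scheme in V2_LOGOUT_SCHEMES
        else:
            logs_out_old = req.auth_correct         # V4/REST: only a successful login evicts
        if logs_out_old:
            self.sessions.pop(req.jsession, None)   # old pair is invalid from now on
        if not req.auth_correct:
            return "login_failed"
        self.new_session()                          # fresh JSESSION + X-CSRF-Token pair
        return "logged_in"


def replay(api: str, scheme: str, auth_correct: bool = True) -> Tuple[str, str]:
    """Request A: valid JSESSION, invalid (V2) or missing (V4) token, plus an
    Authorization header. Request B: the pair that was valid before A.
    Returns the outcome of A and of B."""
    server = SessionServer(api)
    jsession, csrf = server.new_session()              # the pair the client already holds
    bad_token = "WRONG-TOKEN" if api == V2 else None   # V2 row: invalid; V4 row: no token
    outcome_a = server.handle(Request(jsession, bad_token, scheme, auth_correct))
    outcome_b = server.handle(Request(jsession, csrf, None))
    return outcome_a, outcome_b


if __name__ == "__main__":
    for api in (V2, V4):
        for scheme in ("basic", "external_oauth", "internal_oauth", "jwt"):
            for ok in (True, False):
                a, b = replay(api, scheme, ok)
                print(f"{api:14} {scheme:15} auth_correct={ok!s:5} A={a:12} B={b}")
```

Running the script prints one line per table row; the practical reading is that on OData V2 the Basic, External OAuth and JWT rows evict the old session even when the header login fails, so a client that reissues an Authorization header with a stale token must discard its cached pair, whereas Internal OAuth on V2 and any failed login on V4/REST leave the cached pair usable.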

Keywords

OData, v2, v2, API, OData v2, OData v4, Session logout issues, logout, login with invalid JSESSION and X-CSRF-Token pair, invalid JSESSION, JSESSION ID, X-CSRF-Token, X-CSRF, X-CSRF-Token pair , KBA , LOD-SF-INT-ODATA , OData API Framework , LOD-SF-INT , Integrations , Product Enhancement

Product

SAP SuccessFactors HXM Core all versions ; SAP SuccessFactors HXM Suite all versions