SAP Knowledge Base Article - Preview

1927293 - "The received security session id related cookie is not valid"

Symptom

  • A user is unable to log on to the portal.
  • When logging on to the system, you receive error 403 - "Session fixation attack detected".
  • During "parallel requests" that perform authentication against the server, a web client unexpectedly receives a new session identifier (JSESSIONID) and loses access to the information previously stored in the session (e.g. one user working in several tabs of the same browser).
  • In defaultTrace, the following exception can be found:
    #Error#com.sap.engine.services.servlets_jsp.Security#
    com.sap.ASJ.web.000781#BC-JAS-WEB#servlet_jsp#C0000A9E8A0D000F0000000000003B61#3790250000000003##com.sap.engine.services.servlets_jsp.Security#Guest#0##D541B2CB738011E2B74700000039D5AA#d541b2cb738011e2b74700000039d5aa#d541b2cb738011e2b74700000039d5aa#0#Thread[HTTP Worker [@1147054546],5,Dedicated_Application_Thread]#Plain##
    The received security session id related cookie is not valid. The current request will be isolated in a new session. There might be a few reasons causing this behavior: 1) Possible session fixation hacker's attack.  2) The received security session id cookie is already outdated. One possible solution is increasing the value of the 'SecuritySessionIdGracePeriod' servlet_jsp property. For more information read SAP Note 1464914. 3) No security session id cookie is sent (over http) because it is protected via custom configuration of the http service properties 'SecuritySessionIDHTTPSProtection' and 'SystemCookiesHTTPSProtection'. Revise the configuration of the http service properties or adapt the problematic scenario accordingly.#


Environment

  • SAP NetWeaver 7.3
  • SAP enhancement package 1 for SAP NetWeaver 7.3
  • SAP NetWeaver 7.4
  • SAP NetWeaver Composition Environment 7.2

Product

  • SAP NetWeaver 7.3
  • SAP NetWeaver 7.4
  • SAP NetWeaver 7.5
  • SAP NetWeaver Composition Environment 7.2
  • SAP enhancement package 1 for SAP NetWeaver 7.3

Keywords

Parallel HTTP requests handling, changed session cookies, expired authentication tokens, session fixation, session cookies, http, https, KBA, BC-JAS-WEB, Web Container, HTTP, JavaMail, Servlets, BC-JAS-SEC, Security, User Management, Problem
