Support Article

Issue while accessing two Pega SSO environments

SA-9623

Summary



When two applications are loaded sequentially in Internet Explorer in a SiteMinder-protected environment and the first application is PRPC, returning to that application causes the busy indicator to be displayed, and it does not clear.

Error Messages



Not Applicable

Steps to Reproduce



1. Open any two SiteMinder-protected applications in Internet Explorer, the first one being PRPC.
2. Switch applications to observe the busy indicator.


Root Cause



There are two applications involved here, and both are accessed from the same domain:

https://<hostName.net>/prweb
https://<hostName.net>/pdda


Each application is on a separate WebLogic cluster. The web servers are accessed via the same host name <hostName.net>, with a plugin that directs the traffic to the proper WebLogic cluster based on the context root.

The core problem is that both applications are using the same WebLogic session cookie: JSESSIONID.

When connecting to PRPC the JSESSIONID is set to:

Set-Cookie: JSESSIONID=vHvHVszNl5QYyQnGTHn1Jbf1Gy2fYLhZcm5ZTJC2mMpzR82GQTgx!697134936; path=/; HttpOnly

At this point the browser has registered JSESSIONID for all paths of <hostName.net>.

The user does some work, then connects to PDDA, and the JSESSIONID is set to:

Set-Cookie: JSESSIONID=lLK2n3XkHv9pW-i6Mu_4PaG9G3VQ5GD210RTBC4T0R1iW8jBysZV!1761913519; path=/; HttpOnly

At this point the browser has registered JSESSIONID for all paths of <hostName.net>, overwriting the one set by PRPC.

Notice that each Set-Cookie header for JSESSIONID has its path set to "/". Each also carries a server ID in the cookie value:

prweb: 697134936
pdda: 1761913519


When returning to the PRPC window, the JSESSIONID set for PDDA is sent in the request to PRPC. This results in an error because the plugin at the web server level did not understand how to route a request to /prweb with a server ID of 1761913519, so it simply load-balanced the request to a prweb server. This is clear from the response, which set a new JSESSIONID with a different server ID.

Set-Cookie: JSESSIONID=YWS2n7CQS7UQQfporc1_I6gLkoWBvoUxrQDhYzzptzKzF8PhfHUQ!358146119; path=/; HttpOnly


Resolution



Below are the solutions:
  • Change the JSESSIONID cookie name of both prweb and PDDA (for example, JSESSIONIDPRPC / JSESSIONIDPDDA)
  • Change the JSESSIONID of both prweb and PDDA to include the context root in the path attribute of the cookie:
    prweb: path=/prweb
    pdda: path=/pdda
  • Options 1 and 2 together will give the best overall separation of session cookies for both applications. You cannot change just one application; both must be modified.
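
The overwrite described under Root Cause, and the effect of each option above, replayed against a minimal cookie jar. This is an added example, not code from Pega or WebLogic; the cookie values (AAAA!111, BBBB!222) and the request path /prweb/home are constructed, and the jar defaults a missing Path to "/" as a simplification.

```python
# Added illustration: a minimal cookie jar for one host, following the RFC 6265
# storage and path-match rules. Cookie values are constructed placeholders.

def parse_set_cookie(header):
    """Return (name, value, path) from a Set-Cookie header value."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    path = "/"  # simplification: default to "/" when no Path attribute is given
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path" and val.strip().startswith("/"):
            path = val.strip()
    return name, value, path

def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4: equal, or prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class Jar:
    def __init__(self):
        self.cookies = {}  # (name, path) -> value

    def store(self, header):
        name, value, path = parse_set_cookie(header)
        self.cookies[(name, path)] = value  # same name and path: old value is replaced

    def sent_to(self, request_path):
        """Cookies the browser attaches to a request, longest path first."""
        hits = [(n, v, p) for (n, p), v in self.cookies.items() if path_matches(request_path, p)]
        hits.sort(key=lambda h: -len(h[2]))
        return [(n, v) for n, v, _ in hits]

def return_to_prpc(prweb_header, pdda_header):
    """Visit PRPC, then PDDA, then go back to PRPC; return what /prweb receives."""
    jar = Jar()
    jar.store(prweb_header)
    jar.store(pdda_header)
    return jar.sent_to("/prweb/home")  # "/prweb/home" is a constructed request path

# Constructed Set-Cookie values: session "AAAA" on server 111, "BBBB" on server 222.
SHARED = ("JSESSIONID=AAAA!111; path=/; HttpOnly", "JSESSIONID=BBBB!222; path=/; HttpOnly")
BY_PATH = ("JSESSIONID=AAAA!111; path=/prweb; HttpOnly", "JSESSIONID=BBBB!222; path=/pdda; HttpOnly")
BY_NAME = ("JSESSIONIDPRPC=AAAA!111; path=/; HttpOnly", "JSESSIONIDPDDA=BBBB!222; path=/; HttpOnly")

if __name__ == "__main__":
    for label, headers in (("shared", SHARED), ("by path", BY_PATH), ("by name", BY_NAME)):
        print(label, return_to_prpc(*headers))
```

With only the cookie names changed, the browser still attaches both cookies to /prweb requests; scoping the path as well keeps each cookie off the other application's requests.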

Published June 12, 2015 - Updated October 8, 2020
