The unfortunate cookie
Sometimes we take things so much for granted that we never stop to consider whether things might be different in reality. Take server cookies for instance. One would think that server cookies wouldnt be affected by your browser settings. Well this isnt true for the WebAS.Server cookies are lost when one blocks cookies on the client side.
Eason Huang reported this in the BSP forum (URL: [ Server Side Cookie ] Browser blocked all cookie.). I honestly didnt believe him when I first read his post. So I tried it for myself and it was indeed the case that the session_id was lost between pages when client side cookies were blocked.
So I decided to open an OSS message for it. Ill give a small recap of the result since all this happened during the Christmas holidays and you might have missed this forum thread.
First of all make sure that youve applied both notes 762645 and 507621. Since the latter concerns Web AS 6.10 I consider that this is probably obsolete since all of you have probably at least 6.20. The other note is already covered if you have levels 620SP44 or 640SP09.
Now for the problem itself. This is in short what the OSS people say about it.
The cookies on the server side must somehow be associated with a specific client/application/session. The session id is used to determine this specific context. On a Normal Web AS with several clients the cookies have to identify themselves somehow. For the moment Web AS uses the client side cookies mechanism. The session id will be different every time when the client cookies are blocked. This issue will be solved with SP49 for 6.20 and in SP11 for 6.40.
Meanwhile, one can have a workaround by setting session_id = ‘static or session_id = sy-uname. Personally I would use the latter since there is less chance that someone is logged in with multiple sessions on the same application.