Background: This final piece of my session blog series summarizes some of the most commonly reported session issues with the Enterprise Portal and gives an overview of the documentation and steps that exist to resolve such occurrences.
Some Common Issues (Across Multiple Scenarios):
- Session Retention – User A logs out and User B is presented with User A’s session upon logging in.
- RFC sessions are not terminated in the back-end even after the logoff is called within the Portal.
- The browser session does not get terminated when the user clicks “logoff” in the Portal.
- The application does not invalidate the existing, authenticated session on the server upon user logout.
- Cookies may appear to get “cleaned” but when the user returns to the logon page the previous application session is still active.
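The last two symptoms come down to whether logoff ends the session on the server or only clears the browser cookie. The following check is an added example, not code from this blog series or from SAP: it replays the pre-logoff cookie after logoff against a constructed local stand-in server, where the paths `/logon`, `/logoff`, `/home` and the cookie name `SID` are assumptions made for the demo.

```python
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

def make_portal(invalidate_on_logoff):
    """Constructed stand-in for a portal (not SAP code); paths and SID cookie are made up."""
    sessions = set()  # server-side session store

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass
        def reply(self, status, cookie=None):
            self.send_response(status)
            if cookie:
                self.send_header("Set-Cookie", cookie)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def do_GET(self):
            sid = self.headers.get("Cookie", "").partition("SID=")[2]
            if self.path == "/logon":
                sid = uuid.uuid4().hex
                sessions.add(sid)
                self.reply(200, "SID=" + sid)
            elif self.path == "/logoff":
                if invalidate_on_logoff:
                    sessions.discard(sid)
                self.reply(200, "SID=; Max-Age=0")  # cookie is "cleaned" either way
            else:
                self.reply(200 if sid in sessions else 401)

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def get(port, path, cookie=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Set-Cookie")

def session_survives_logoff(server):
    """Replay the pre-logoff cookie after logoff; True means the server kept the session."""
    port = server.server_address[1]
    cookie = get(port, "/logon")[1].split(";")[0]
    get(port, "/logoff", cookie)
    return get(port, "/home", cookie)[0] == 200
```

Both variants send the same cookie-clearing header on logoff, so the browser looks identical in each case; only the replay shows whether the server-side session is gone.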
One user logs out, another logs in, and it's the same session: what do we do?
Let us return to the points discussed in the earlier blog postings about sessions and how they are handled. To begin, when a session expires, a logoff is invoked, or the browser is closed, the connection is not terminated; it is returned to the pool and kept open as defined in the Connection Lifetime property. In short, the connection stays open for the predefined amount of time by design, and this is not unexpected behavior. It remains in the pool, is no longer used by another service (e.g. the UWL), and is available for other clients. The connection lifetime can be reset to a different value.
With any session issue, first try to simplify it. Begin with a simple analysis: does the issue occur for all users (various roles) and in all web browsers? Is this a recent issue? Has something changed that played a role in the issue arising?
When you use transaction SM04 to check sessions, what are you seeing? In many cases, when the portal is closed (via logoff), a reference is stored. In SM04 it may appear that the sessions remain open, but in fact they are only references. Or are you seeing the transaction field remain filled?
Note Fixes…Plentiful and effective.
Some of the most commonly reported session issues are resolved via the following notes:
- SAP Note: 1903478 – Session remains open after the logoff on enterprise portal from enterprise portal.
- SAP Note: 1660720 – Session remains open after the logoff on enterprise portal.
- SAP Note: 1717945 – Portal Logoff Does Not Logoff the Backend When Using HTTP Session Management.
WIKI describes the SM04 transaction screen and the retention of RFC Connections
RFC Connections remain in SM04
When viewing SM04, does it indicate more than a reference? Is the session incorrectly kept open?
- SAP Note: 1261669 – RFC connections are not closed
- SAP Note: 1322944 – ABAP: HTTP security session management
Backend sessions are the culprit
When a user logs off from your company portal by choosing the Log Off button, a logoff action should be triggered on the SAP portal side (portal and connected back-end systems). Although SAP NetWeaver Portal comes with an out-of-the-box mechanism that terminates a session when the user closes the browser or navigates out of the SAP iFrame, the mechanism does not handle logoff. Instead, your company portal must raise the terminating event when logging off from the SAP portal.