EP: Portal – Incorrect HTTP Session Used After Logon
The Enterprise Portal (EP) in itself serves as the conduit channel through which end-users gain access organizational business information, applications and data. Following the concept of being a centralized means of access, often the User Base of a Portal Landscape is broad, large and diversly situated.
How A Logon Becomes A Session
From an end users perspective utilizing the Enterprise Portal is often a straightforward process. We simply logon, fulfill our work obligations and logoff. As an end user we are only concerned with the graphical representation of the Portal that we are presented with through our monitors as oppossed to the underlying functionality that is taking place in the backdrop.
Once the content page has been loaded into the iFrame, the SessInfo object is transferred from the content page to the main page and is captured there by the Distributed Session Manager (DSM). The DSM stores the SessInfo object in its own storage. When the user leaves the browser, navigates to another page, or uses the Back button, the DSM is activated (by receiving the browser event onunload). The DSM then sends termination commands to all registered callback URLs, resulting in a termination of the ITS session on the server
What Handles A Session
A special script called the Distributed Session Manager (DSM) that is responsible for handling the session management on the page
- This component distributes the corresponding termination commands to the component systems. The Termination command then closes the server session.
Types Of Session(s)
- Connection Types: Connection types include that of RFC, GUI, Plugin (HTTP/SMTP).
RFC Connections: This particular connection type references users which are connected up to the system (Portal) via an RFC Connection. (See RFC’s using the SM04 transaction), a simplistic view on a RFC connection type user is someone who is utilizing the connection using external based RFC clients.
GUI Connections: As the title implies this particular connection types makes referneces to users who utilize access to the Portal via a GUI based connection platform.
Wrong HTTP Session Used: -> Wrong How Exactly A Session Is Managed
- User A Logs in
- User A performs some navigation through ESS/MSS Applications and lands on one single iView
- No further action is performed for a period of e.g. 3 minutes
- User A logs out and User B logs in
- User B seems to be using User A’s session
Session References Vs Session Retention
Let us begin by reaffirming the point that when a session expires or a logoff is invoked or browser is closed, no matter what, the connection is not terminated but returned to the pool and kept open as defined in the Connection Lifetime property. In short, the connection stays open for the predefined amount of time by design and this is not an unexpected behavior.
It remains in the pool, it is no longer used by another service e.g. the UWL and it is available for other clients. The connection lifetime pool can be reset to a different value.
If you check SM04 you can see the logoff references for the sessions that had been previously occuppied by the user.
If you face any session management issues such as “session retention” or backend sessions remaining open for end users I would recommend consulting the blog series I wrote on these topics which provide an informative overview on how to troubleshoot and resolve such an occurrence.
EP: Sessions Part 1 (RFC, GUI, HTTP Plugin) A Brief Overview
EP: Sessions Part 2 (RFC, GUI, HTTP Plugin) Common Grounds & Issues
EP: Sessions Part 3 Frequest Issues & Solutions
Effectively Logging Off
Logging ON/OFF The Portal
Logging ON/OFF The Portal (ii)
In the logoff section outlined in the first link above we see the following “Do not simply close your browser. Closing the browser leaves your portal session still working, until it times out. When working in a browser that supports multiple tabs, such as Internet Explorer 7 or Mozilla Firefox, if you close a tab in which a portal is running, the portal session is saved. If you then open the portal in a new tab, you are already logged on and need to first log off if you wish to log on with different credentials.”