Tags: jsf, session-cookies, websphere-liberty, open-liberty

UnauthorizedSessionRequestException: SESN0008E If user leaves application inactive in browser for some time


I keep getting the following error in my JSF application when I leave the app sitting in the browser for some time and then try using it again:

com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user:localRealm/uid=testUser,ou=People,o=internet.

My Liberty settings.xml file has the following settings that could be related:

<ltpa expiration="1200" />
<webAppSecurity logoutOnHttpSessionExpire="true" singleSignonEnabled="true" />

My web.xml has

<session-config>
    <session-timeout>60</session-timeout>
</session-config>

What is causing this error, and how do I resolve it?


Solution

  • I figured it out.

    SESN0008E happens when the LTPA token expires before the user session (the HttpSession in your app) expires.

    In JSF, we normally have the HTTP session expiration time set in the web.xml file like:

    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
    

    This means the user session (HttpSession) will expire in 60 minutes.

    For Liberty (WebSphere or Open Liberty), we typically set the LTPA token expiration in the server.xml file like:

    <ltpa expiration="120" />
    

    This means that the Liberty LTPA token will expire in 120 minutes.

    REPRODUCTION STEPS

    1. Set the above ltpa expiration="1" so the token expires after 1 minute.
    2. Set the above session-timeout to 5 minutes. (This will make your LTPA token expire before your HTTP session expires.)
    3. Start your app and log in.
    4. Do something in it, like a search or whatever you normally do, then wait just past your LTPA expiration time of 1 minute. Basically, leave it inactive for more than 1 minute but less than 5 minutes.
    5. Now try doing something again, like a search or whatever your app does, and it should result in the SESN0008E exception (UnauthorizedSessionRequestException).

    SOLUTION

    • Leave the above settings as they are.
    • In server.xml add <httpSession invalidateOnUnauthorizedSessionRequestException="true"/>
    • Repeat the same steps as in REPRODUCTION STEPS, and your application will no longer throw SESN0008E but will instead take you back to the login screen, where you can log in and continue your work.

    MORE INFORMATION
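A small configuration check for the LTPA-versus-HttpSession mismatch described in this answer, added here as an example and not part of the original post. It parses server.xml and web.xml fragments (constructed to match the reproduction steps), flags an LTPA expiration shorter than the session timeout, and reports whether the httpSession fix is present; the 120-minute LTPA default and 30-minute session default used when the settings are absent are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the REPRODUCTION STEPS (1-minute LTPA, 5-minute session).
REPRO_SERVER_XML = """<server>
  <ltpa expiration="1" />
  <webAppSecurity logoutOnHttpSessionExpire="true" singleSignonEnabled="true" />
</server>"""
FIXED_SERVER_XML = REPRO_SERVER_XML.replace(
    "</server>", '  <httpSession invalidateOnUnauthorizedSessionRequestException="true"/>\n</server>')
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <session-config><session-timeout>5</session-timeout></session-config>
</web-app>"""

def ltpa_minutes(server_xml):
    """LTPA token lifetime in minutes. A bare number is minutes (as on this page);
    h/m/s suffixes are also accepted. Assumes a 120-minute default when <ltpa> is absent."""
    ltpa = ET.fromstring(server_xml).find("ltpa")
    raw = ltpa.get("expiration", "120") if ltpa is not None else "120"
    m = re.fullmatch(r"\s*(\d+)\s*([hms])?\s*", raw)
    if not m:
        raise ValueError(f"unrecognised ltpa expiration: {raw!r}")
    value, unit = int(m.group(1)), m.group(2) or "m"
    return {"h": value * 60, "m": value, "s": value / 60}[unit]

def session_minutes(web_xml):
    """HttpSession timeout in minutes from web.xml (namespace-agnostic lookup);
    0 or negative means the session never expires. Assumes 30 minutes if unset."""
    for el in ET.fromstring(web_xml).iter():
        if el.tag.split("}")[-1] == "session-timeout":
            value = int(el.text.strip())
            return float("inf") if value <= 0 else value
    return 30

def invalidates_on_unauthorized(server_xml):
    """True when server.xml carries the httpSession setting from the SOLUTION section."""
    hs = ET.fromstring(server_xml).find("httpSession")
    flag = hs.get("invalidateOnUnauthorizedSessionRequestException", "false") if hs is not None else "false"
    return flag.lower() == "true"

def check(server_xml, web_xml):
    """Return a list of findings; an empty list means the SESN0008E scenario cannot arise."""
    findings = []
    ltpa, sess = ltpa_minutes(server_xml), session_minutes(web_xml)
    if ltpa < sess:
        findings.append(f"LTPA token ({ltpa:g}m) expires before HttpSession ({sess:g}m): SESN0008E possible")
        if not invalidates_on_unauthorized(server_xml):
            findings.append('add <httpSession invalidateOnUnauthorizedSessionRequestException="true"/> to server.xml')
    return findings
```

Run `check(REPRO_SERVER_XML, WEB_XML)` to see both findings, and `check(FIXED_SERVER_XML, WEB_XML)` to see that only the timing note remains once the fix is in place.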