Reputation: 93
In our Vaadin web application we get an UnauthorizedSessionRequestException when the LTPA token expires. The application is not responding anymore after that. The LTPA token expires even if the session is not inactive and the user does something. The LTPA token timeout on our production server is set to 120 minutes. But I can test it on my local machine also with a timeout of 1 minute in my WebSphere Liberty Profile to comprehend the problem.
This is the stack trace of the exception in German:
[ERROR ] SESN0008E: Ein als anonymous authentifizierter Benutzer hat versucht, auf eine Sitzung zuzugreifen, deren Eigner user:BasicRegistry/ksc ist.
[ERROR ] SRVE0777E: Es wurde eine Ausnahme von der Anwendungsklasse 'com.vaadin.server.VaadinServlet.service:240' ausgelöst.
javax.servlet.ServletException: com.vaadin.server.ServiceException: com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SESN0008E: Ein als anonymous authentifizierter Benutzer hat versucht, auf eine Sitzung zuzugreifen, deren Eigner user:BasicRegistry/ksc ist.
at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:240)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1240)
at [internal classes]
In English:
A user authenticated as anonymous has attempted to access a session owned by user
Upvotes: 4
Views: 6510
Reputation: 5333
The LTPA token works quite differently from a session.
When an LTPA token gets created it will be valid for a certain time, set in the LTPA token timeout (in your case 120 minutes). While a session timeout gets prolonged on every request you make to the server, the LTPA token timeout does not. The token will keep its original timeout time even when subsequent requests are made to the server.
There is another setting controlling when an LTPA token should be extended. This setting is called cacheCushionMax and its default value is three minutes. What this means is that the LTPA token will only get refreshed on a request if there is less time left than this value. If there is more than three minutes to go before the LTPA token expires, it will keep its old timeout time.
To change this value:
The best resource I have found about this is on an IBM support page. It is old but still valid. What I have written is also explained in more detailed scenarios; look especially under the section "Minimum effective expiration possible".
Upvotes: 3
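The timing model described in the answer above (sliding HttpSession timeout, fixed LTPA expiry, refresh only inside the cacheCushionMax window) is easy to get wrong when reasoning about it in your head. The following simulation is an added example and is not code from the question, the answer or WebSphere itself; the 120-minute expiration comes from the question, the 3-minute cushion from the answer, and the 30-minute session timeout and the request timelines are constructed assumptions. It shows why a user who is otherwise active can still hit SESN0008E: an activity gap that merely covers the last cushion minutes before the token expires is enough, because the session outlives the token.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed values for the model: LTPA expiration as in the question, the
# cacheCushionMax default as stated in the answer, and a typical HttpSession
# idle timeout (constructed, not from the page).
LTPA_EXPIRATION_MIN = 120
CACHE_CUSHION_MAX_MIN = 3
SESSION_TIMEOUT_MIN = 30


@dataclass
class State:
    session_expires_at: int   # sliding: moved forward on every request
    token_expires_at: int     # fixed: only rewritten inside the cushion window


def login(t: int) -> State:
    """A fresh login at minute t creates a new HttpSession and a new LTPA token."""
    return State(t + SESSION_TIMEOUT_MIN, t + LTPA_EXPIRATION_MIN)


def handle_request(t: int, state: State) -> Tuple[State, str]:
    """Model one request at minute t; return the new state and an outcome label."""
    session_valid = t < state.session_expires_at
    token_valid = t < state.token_expires_at

    if not session_valid:
        # Session already gone: the user goes through login again, both are rebuilt.
        return login(t), "session_expired_relogin"

    if not token_valid:
        # The SESN0008E case: the session still belongs to the user, but the
        # request arrives as 'anonymous' because its token has expired. The
        # state is left untouched, so every following request fails the same way.
        return state, "unauthorized_session"

    # The session timeout slides forward on every request ...
    new_session_expiry = t + SESSION_TIMEOUT_MIN

    # ... but the token is only re-issued when less than the cushion remains.
    if state.token_expires_at - t < CACHE_CUSHION_MAX_MIN:
        return State(new_session_expiry, t + LTPA_EXPIRATION_MIN), "ok_token_refreshed"
    return State(new_session_expiry, state.token_expires_at), "ok"


def simulate(request_minutes: List[int]) -> List[Tuple[int, str]]:
    """Run request times (minutes since login at t=0) through the model."""
    state = login(0)
    events = []
    for t in request_minutes:
        state, outcome = handle_request(t, state)
        events.append((t, outcome))
    return events


def first_failure(request_minutes: List[int]) -> Optional[int]:
    """Minute of the first unauthorized-session outcome, or None if there is none."""
    for t, outcome in simulate(request_minutes):
        if outcome == "unauthorized_session":
            return t
    return None


if __name__ == "__main__":
    # Constructed timeline 1: a request every minute. The token is refreshed at
    # minute 118 (2 minutes left, i.e. inside the cushion) and nothing fails.
    steady = list(range(1, 150))
    print("steady:", [e for e in simulate(steady) if e[1] != "ok"])

    # Constructed timeline 2: a 6-minute pause across the token expiry, far
    # shorter than the session timeout. The session survives, the token does not.
    pause = list(range(1, 117)) + list(range(122, 130))
    print("first SESN0008E at minute:", first_failure(pause))
```

Running the model makes the "minimum effective expiration" point concrete: with a 120-minute expiration and a 3-minute cushion, only requests landing in minutes 118 and 119 can renew the token, so any pause that straddles that window (here 117 to 121) loses it while the 30-minute session is still alive.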
Reputation: 165
Looks to me as if the URI is not protected within WebSphere. There have been some changes to the WebSphere defaults. I expect the configuration tells WebSphere to establish a security context as soon as an LTPAToken is available, even on unprotected URLs. In this case unprotected URLs will get the security context as if they had been using a security-constraint defined in web.xml. If now the LTPA token is invalidated and the HttpSession is still valid (remember HttpSession is activity based vs. LTPA token fixed time), WebSphere now sees a violation in accessing the session. This has been added to prevent session hijacking attacks. You can disable this function and there are some custom properties on the HTTP container. I would not recommend turning it off, but rather rethinking whether your application should be accessible for authenticated and non-authenticated users using the same context/servlet path.
Upvotes: 0