PQ87416: webservices client unable to handle more than one cookie with setmanagesession

APAR status
Closed as program error.

Error description
The issue here is that the client stub generated by our web
services tooling has code in it from the apache axis code base
that has a bug in it. Basically the web service client stub
allows the client code to require that "session" information
(for http this means cookies) be returned to the server. The
client achieves this by invoking "setMaintainSession()". The
issue is that when this parameter is set on the client stub, it
stores http headers in a hashtable. What this means is that if
there are two HTTP headers returned from the server with a
header name of "Set-Cookie" only the last one processed is
remembered by the client. This is an issue because WAS uses
separate cookies to maintain http session (JSESSIONID) and
security context (LTPAToken). So, we are unable to provide
support for returning both these cookies to a WAS server from
our web services clients. We need support for this for
performance reasons. We obviously will benefit from returning
the LTPAToken in situations where there is authentication at the
transport level. We will benefit from the JSESSIONID cookie when
we need afinity between the client and a particular server in a
farm of servers (for example when looking to use CMP
caching).

Customers see this happening using a JAVA client to access the
applications. They see it with both JAVA 1.3.1 and 1.4.1

Anyone using Maelstom will have the problem and it
also started when IBM added Axis from the Apache open source
code.
Local fix
There is no local fix/work around according to developer
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users of web    *
*                 services                                     *
****************************************************************
* PROBLEM DESCRIPTION: Webservices client unable to handle     *
*                      more than one cookie with               *
*                      setmanagesession                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The issue here is that the client stub generated by our web
services tooling has code in it from the apache axis code base
that has a bug in it. Basically the web service client stub
allows the client code to require that "session" information
(for http this means cookies) be returned to the server. The
client achieves this by invoking "setMaintainSession()". The
issue is that when this parameter is set on the client stub, it
stores http headers in a hashtable. What this means is that if
there are two HTTP headers returned from the server with a
header name of "Set-Cookie" only the last one processed is
remembered by the client. This is an issue because Application
Server uses separate cookies to maintain http session
(JSESSIONID) and security context (LTPAToken). So, we are
unable to provide support for returning both these cookies to
a WebSphere Application Server from our web services clients.
We need support for this for performance reasons. We obviously
will benefit from returning the LTPAToken in situations where
there is authentication at the transport level. We will benefit
from the JSESSIONID cookie when we need afinity between the
client and a particular server in a farm of servers (for
example when looking to use CMP caching).

Customers see this happening using a JAVA client to access the
applications. They see it with both JAVA 1.3.1 and 1.4.1

Anyone using Maelstom will have the problem and it
also started when IBM added Axis from the Apache open source
code.
Problem conclusion
Modified storing of HTTP headers to support more than one
set-cookie header.
Temporary fix Comments
APAR information
APAR number PQ87416
Reported component name WAS NETWRK DEPL
Reported component ID 5630A3601
Reported release 00W
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2004-04-12
Closed date 2004-05-26
Last modified date 2004-07-20

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
websrvce          

Publications Referenced

Fix information

Applicable component levels
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP
R103 PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00W
Software edition:
Reference #: PQ87416
IBM Group: Software Group
Modified date: Jul 20, 2004