APAR number: PQ47663

Description: Http session fixes. This includes all the fixes from PQ44646.

The following fixes/enhancements have been added with this defect:
- Session id generation is more random
- Fixes null pointer exceptions in invalidation path
- Fixes DB2 out of handles exceptions in invalidation path
- Makes authorization association with session configurable using system property
- Fixes creation of multiple session contexts for same webapp under stress start.

Fixes from PQ44646:
- fix for ClassCastException when removing objects from the Http session
- added better cleanup of database resources when java exceptions occur during http session processing
- better tolerance for ClassNotFoundExceptions with http session persistence (minimize impact to other operations)
- fixed problems with invalid cache entries and IllegalStateExceptions when cleaning up the http session cache on the invalidator thread
- fixed synchronization problem with calls to sync() when manual update is configured (led to timing bugs and intermittent exceptions)

Also, if possible, this efix, with 302.2, should accompany the following efixes:
- plugin efix pq43061 (has session affinity and url rewriting fixes)
  This fix is not required if an http sprayer affinity mechanism like the IBM Network Dispatcher sticky port function is used.
- engine efix pq41935 (has fix for servlet engine startup of session manager)

Please also review the Http Session Best Practices Guide included in this package.

How to apply:
- create a directory to store the jar file (e.g. c:\WebSphere\AppServer\efix)
- copy PQ47663-302-0406.jar to the directory
- add the directory/jar file to the beginning of the admin server's classpath in admin.config:
  com.ibm.ejs.sm.adminserver.classpath=C:/WebSphere/AppServer/efix/PQ47663-302-0406.jar;...
- Stop and restart the Admin Server

TO TURN OFF THE AUTHORIZATION ID ASSOCIATION WITH HTTPSESSION:
In the Command line arguments of the Application Server instance, specify the system property HttpSessionSecurity=false, apply the changes, and then start the Server instance.
For example, in the Administrative Console, select "Default Server", and in Command line arguments specify -DHttpSessionSecurity=false
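
Added example (not part of the original readme or of the fix package): a Python check that the efix jar is the first entry of com.ibm.ejs.sm.adminserver.classpath, as the classpath step under "How to apply" requires, because a jar placed later on the classpath does not override the classes it is meant to replace. The function name, the sample admin.config content and the assumption that the property sits on a single line are constructed for illustration.

```python
import re

PROP = "com.ibm.ejs.sm.adminserver.classpath"  # property name from the readme
EFIX_JAR = "C:/WebSphere/AppServer/efix/PQ47663-302-0406.jar"  # path from the readme

# Constructed sample admin.config content; the two lib jars are placeholders.
SAMPLE = (
    "# constructed sample\n"
    "com.ibm.ejs.sm.adminserver.classpath="
    "C:/WebSphere/AppServer/lib/example-a.jar;"
    "C:/WebSphere/AppServer/lib/example-b.jar\n"
)


def _norm(path):
    # Windows paths: compare case-insensitively and treat \ and / alike.
    return path.strip().replace("\\", "/").lower()


def ensure_efix_first(config_text, jar=EFIX_JAR, sep=";"):
    """Return (new_text, status) with `jar` as the first classpath entry.

    status is "already-first", "moved" (jar was listed later) or "prepended".
    Assumption: the property is on one line, with no backslash continuation.
    """
    pattern = re.compile(
        r"^([ \t]*" + re.escape(PROP) + r"[ \t]*[=:][ \t]*)([^\r\n]*)", re.M
    )
    match = pattern.search(config_text)
    if match is None:
        raise ValueError(PROP + " not found in admin.config")
    entries = [e for e in match.group(2).split(sep) if e.strip()]
    if entries and _norm(entries[0]) == _norm(jar):
        return config_text, "already-first"
    # Drop any later copy of the jar so it is listed exactly once, at the front.
    kept = [e for e in entries if _norm(e) != _norm(jar)]
    status = "moved" if len(kept) != len(entries) else "prepended"
    new_line = match.group(1) + sep.join([jar] + kept)
    return config_text[:match.start()] + new_line + config_text[match.end():], status


if __name__ == "__main__":
    updated, result = ensure_efix_first(SAMPLE)
    print(result)
    print(updated)
```

Run it against a copy of admin.config and compare the output with the original before replacing the file; the Admin Server still has to be stopped and restarted for the change to take effect.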