PQ88519: getRefererURL method adds a domain info in WASReqURL cookie

Fixes are available

5.1.0.5: WebSphere Application Server Express 5.1 Cumulative Fix 5
5.0.2.7: WebSphere Application Server Express 5.0.2 Cumulative Fix 7
5.1.1: WebSphere Application Server Version 5.1 Fix Pack 1 (Version 5.1.1)
PQ91656; 5.0.2.6: Registry does not receive valid password
5.0.2.12: WebSphere Application Server 5.0.2 Cumulative Fix 12
5.0.2.13: WebSphere Application Server 5.0.2 Cumulative Fix 13
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for AIX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Solaris
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for HP-UX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Windows
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Linux
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Windows
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Solaris
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for AIX
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Linux
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for AIX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Solaris
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Windows
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for AIX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for HP-UX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Windows
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Solaris
5.0.2.8: WebSphere Application Server V5.0.2 Cumulative Fix 8
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for HP-UX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for AIX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Solaris
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Windows
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Linux
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Windows
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Solaris
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for HP-UX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Linux
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for AIX



APAR status
Closed as program error.

Error description
With WAS 4.0.x, the WASReqURL cookie holds only the page
information and not the domain information. When the getRefererURL
method is used, it adds the domain information to the WASReqURL
cookie. When another secured site on the same server is accessed,
WASReqURL is set with the new page, but the old domain information
remains as it is, and later, when the page tries to redirect, it
throws a 404 error message.
Local fix
WorkAround: Application invalidating WASReqURL cookie
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server who have        *
*                 enabled security and are implementing        *
*                 Custom Login via the deprecated class        *
*                 SSOAuthenticator.                            *
****************************************************************
* PROBLEM DESCRIPTION: The WASReqURL cookie was not            *
*                      automatically removed when using        *
*                      SSOAuthenticator.                       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The WASReqURL cookie was not removed when SSOAuthenticator was
used to perform custom login.  The reason was that no domain was
specified on the cookie when it was created, but a domain was
specified when destroying the cookie.  This caused some browsers
not to destroy the cookie.
Problem conclusion
When destroying the WASReqURL cookie, the domain is no longer
set, so that it matches how the cookie was created.
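
The mismatch described in the problem summary, and the effect of the fix, as an added example that is not IBM's code: a small model of a browser cookie store keyed by name, domain and path as in RFC 6265. The host www.example.com, the parent domain example.com, the cookie value and the Max-Age=0 deletion headers are constructed assumptions.

```javascript
// Added illustration; host, path and header values are constructed.
// Cookie store keyed by (name, domain, path), as in RFC 6265 section 5.3.
class CookieStore {
  constructor() { this.jar = new Map(); }

  // Apply one Set-Cookie header received in a response from requestHost.
  setCookie(requestHost, header) {
    const [pair, ...rest] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const attrs = {};
    for (const part of rest) {
      const i = part.indexOf('=');
      if (i < 0) attrs[part.toLowerCase()] = '';
      else attrs[part.slice(0, i).toLowerCase()] = part.slice(i + 1);
    }
    // Without a Domain attribute the cookie is host-only and is stored
    // under the exact request host; with one, under the attribute value.
    const hostOnly = !attrs.domain;
    const domain = hostOnly ? requestHost : attrs.domain.replace(/^\./, '').toLowerCase();
    const key = `${name}|${domain}|${attrs.path || '/'}`;
    if ('max-age' in attrs && Number(attrs['max-age']) <= 0) {
      return this.jar.delete(key); // true only if that exact cookie existed
    }
    this.jar.set(key, { name, value, domain, hostOnly });
    return true;
  }

  // Names of the cookies the browser would send to host.
  namesFor(host) {
    return [...this.jar.values()]
      .filter((c) => host === c.domain || (!c.hostOnly && host.endsWith('.' + c.domain)))
      .map((c) => c.name);
  }
}

// Create the cookie without a domain, apply a destroy header, and
// return the cookie names still sent to the host afterwards.
function remainingAfterDestroy(destroyHeader) {
  const store = new CookieStore();
  const host = 'www.example.com';
  store.setCookie(host, 'WASReqURL=/secure/page1.jsp; Path=/');
  store.setCookie(host, destroyHeader);
  return store.namesFor(host);
}

console.log(remainingAfterDestroy('WASReqURL=; Path=/; Domain=example.com; Max-Age=0'));
console.log(remainingAfterDestroy('WASReqURL=; Path=/; Max-Age=0'));
```

The first call leaves WASReqURL in the store because the deletion targets a different (name, domain, path) key; the second removes it because the deletion header carries the same attributes as the creation header.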
Temporary fix
code review
Comments
APAR information
APAR number PQ88519
Reported component name WEBSPHERE AE NT
Reported component ID 5630A2201
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2004-05-06
Closed date 2004-05-10
Last modified date 2004-05-10

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

SRLS

Fix information

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ88519
IBM Group: Software Group
Modified date: May 10, 2004