Background: From my perspective, some of the most commonly encountered Enterprise Portal issues seem to be those that involve session management. The term "session management" covers a wide range of angles across a wide spectrum. Session management issues can involve the retention of Portal sessions, a faulty logoff mechanism or inadequate browser cookie handling.
Overview: From a high-level perspective, any session management issue that we may encounter follows the underlying concept depicted in the image below.
Some Common Issues (Across Multiple Scenarios):
- Session Retention - User A logs out and User B is presented with User A's session upon logging in.
- RFC sessions are not terminated in the back-end even after the logoff is called within the Portal.
- The browser session does not get terminated when the user clicks "logoff" in the Portal.
- The application does not invalidate the existing, authenticated session on the server upon user logout.
- Cookies may appear to get "cleaned" but when the user returns to the logon page the previous application session is still active.
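The last two issues in the list above can be reproduced and checked with a small model. This is an added example, not code from the original post or from SAP; the `Portal` class, the `SESSION` cookie name and the user names are hypothetical stand-ins for a server-side session table and a browser cookie jar.

```python
import secrets


class Portal:
    """Toy server-side session table (constructed model, not SAP code)."""

    def __init__(self, invalidate_on_logout):
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # session id -> user name

    def login(self, user, browser):
        sid = secrets.token_hex(16)      # fresh, unpredictable id per logon
        self.sessions[sid] = user
        browser["SESSION"] = sid         # hypothetical cookie name
        return sid

    def logout(self, browser):
        sid = browser.pop("SESSION", None)   # cookie is "cleaned" either way
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)     # server forgets the session too

    def whoami(self, cookies):
        return self.sessions.get(cookies.get("SESSION"))


def stale_session_accepted(portal):
    """True if a session id captured before logout still works afterwards."""
    browser = {}
    old_sid = portal.login("user_a", browser)
    portal.logout(browser)
    assert "SESSION" not in browser      # the client side looks clean
    return portal.whoami({"SESSION": old_sid}) == "user_a"


def live_sessions_after_logout(portal):
    """Number of sessions the server still holds after one logon/logoff."""
    browser = {}
    portal.login("user_a", browser)
    portal.logout(browser)
    return len(portal.sessions)


if __name__ == "__main__":
    for label, invalidate in (("cookie-only logout", False),
                              ("server-side invalidation", True)):
        print(label, "-> stale id accepted:",
              stale_session_accepted(Portal(invalidate)))
```

In both variants the cookie disappears from the browser, so only replaying the old identifier against the server shows whether the session was really ended.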
Important Point To Remember:
When a session expires, logoff is invoked, or the browser is closed, the connection is, no matter what, not terminated but returned to the pool and kept open as defined in the Connection Lifetime property. In short, the connection stays open for the predefined amount of time by design, and this is not unexpected behavior. It remains in the pool, it is no longer in use by a service such as the UWL, and it is available for other clients.
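A simplified model of this behavior helps when deciding whether an open connection is a problem or expected pooling. It is an added example, not SAP code; the `Pool` and `Conn` classes are hypothetical, and it assumes the lifetime is counted from the moment the connection is returned to the pool.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conn:
    cid: int
    user: Optional[str] = None          # client currently bound, if any
    idle_since: Optional[float] = None  # time it was returned to the pool
    closed: bool = False


class Pool:
    """Simplified pool; lifetime runs from return to pool (assumption)."""

    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.conns = []

    def reap(self, now):
        # Close idle connections whose lifetime has run out.
        for c in self.conns:
            if c.idle_since is not None and now - c.idle_since >= self.lifetime:
                c.closed, c.idle_since = True, None

    def acquire(self, user, now):
        self.reap(now)
        for c in self.conns:
            if not c.closed and c.user is None:   # reuse an idle connection
                c.user, c.idle_since = user, None
                return c
        c = Conn(len(self.conns) + 1, user)
        self.conns.append(c)
        return c

    def release(self, conn, now):
        # Logoff, expiry or browser close: unbind the client, keep it open.
        conn.user, conn.idle_since = None, now

    def state(self, conn, now):
        self.reap(now)
        if conn.closed:
            return "closed"
        return f"in use by {conn.user}" if conn.user else "idle in pool"


def timeline(lifetime=600):
    pool = Pool(lifetime)
    a = pool.acquire("user_a", now=0)
    pool.release(a, now=60)                    # user_a logs off
    after_logoff = pool.state(a, now=120)      # still open, nobody bound
    b = pool.acquire("other_client", now=300)  # same connection is reused
    reused = b is a
    pool.release(b, now=400)
    after_lifetime = pool.state(a, now=1000)   # 600 s idle, so closed
    return after_logoff, reused, after_lifetime
```

An idle pooled connection with no client bound is the by-design case; a connection that still carries the previous user's context after logoff is the one to investigate.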
How To Analyze a session issue:
Taking what I have written above into account, we know that the connection itself is not terminated but rather returned to the connection pool (the connection lifetime of the pool can be reset to a different value). So if you encounter a session issue, the first thing to check is transaction SM04.
- When you use transaction SM04 to check sessions, what are you seeing? In many cases when the portal is closed (via logoff) a reference is stored. In SM04 it may appear that the sessions remain open, but in fact they will only be references. But are you seeing the transaction field remain filled?
- Are you closing the browser after user logoff? When a user logs off from your company Portal by choosing the Log Off button, a logoff action should be triggered on the SAP Portal side (Portal and connected back-end systems). Although the SAP NetWeaver Portal comes with an out-of-the-box mechanism that terminates a session when the user closes the browser or navigates out of the SAP iFrame, the mechanism itself does not handle logoff. Instead, your company Portal must raise the terminating event when logging off from the SAP Portal.
Session Release Agent (SRA) & Distributed Session Manager (DSM) Terminator
When ITS services that access a component system (R/3) are executed in the portal, the question arises of how to close the sessions in the component system when the user closes the browser (the HTTP protocol is considered to be stateless). When the user closes the browser window or navigates to another position, the browser sends a mass request to a dedicated portal component to end one or more open sessions (by default DSM.Terminator). This component distributes the corresponding termination commands to the component systems. The termination command then closes the server session.
To close the sessions, a small additional window is generated in the browser outside the visible screen area. This window is automatically closed after two seconds if the Transmission command has been processed. Since ITS-based services cannot be used directly in session management, the Automatic Server Session Termination works with a wrapper technique. A main page consists of:
- An iFrame that displays the content coming from the ITS
- A special script called the Distributed Session Manager (DSM) that is responsible for handling the session management on the page
As stated above, your company Portal must raise the terminating event when logging off from the SAP Portal. To set up such a configuration, the following appendix can be followed, referenced or used as guidance.
The appendix outlined above deals with the actual "Logoff" command button option. Here we can find an overview of logging on to and off from Portal sessions, and also some information on factors that prevent session termination via the browser's "X" option.
Logging ON/OFF The Portal
Logging ON/OFF The Portal (ii)
In the logoff section outlined in the first link above we see the following "Do not simply close your browser. Closing the browser leaves your portal session still working, until it times out. When working in a browser that supports multiple tabs, such as Internet Explorer 7 or Mozilla Firefox, if you close a tab in which a portal is running, the portal session is saved. If you then open the portal in a new tab, you are already logged on and need to first log off if you wish to log on with different credentials."
In my next blog posting in this series I will outline the full set of relevant solution documentation for session issues & the Enterprise Portal.
Note: This blog posting is part 2/3 in a series involving Portal sessions. Check out the first part below:
Part 3 coming soon.....