IBM BPM - problem of maintaining the session in Chrome and Edge browsers

November 26, 2020 · 4 min read

Backend Engineer @ Sci Software

Recently I encountered a problem of excessive user session expiration in IBM BPM version 8.6.1.19003 in Chrome and Edge web browsers. The problem was particularly troublesome when Human Service was launched in an iframe and SSO SPNEGO was configured. Downloading the content (form) of the service ended with an error message: IBM Business Automation Workflow could not download data from the WWW session. It may have expired. (1dabd53a-4ba8-41db-871b-c236f784a418)

In the product logs (SystemOut.log file) the following entries could be found related to the user authentication attempt:

[11/26/20 13:29:48:311 CET] 000002c4 SpnegoHandler W com.ibm.ws.security.spnego.SpnegoHandler handleRequest CWSPN0021E: No delegated credentials were found for user: ttesteusz@example.com.
[11/26/20 13:29:48:332 CET] 000002c4 UserCore      I   CWLLG0468I: Checking information for user userId(false) = User.34403, userName(false) = ttesteusz@example.com, fullName(false) = Tadeusz Testeusz, provider(false) = CN=Tadeusz Testeusz,OU=Users,DC=example,DC=com, userState(false) = 0, lastStateModified(false) = null, state = RECORD_STATE_UP_TO_DATE, saveSyncId = null, changedProperties: [] for updates.
[11/26/20 13:29:48:339 CET] 000002c4 UserCore      I   CWLLG0468I: Checking information for user userId(false) = User.34403, userName(false) = ttesteusz@example.com, fullName(false) = Tadeusz Testeusz, provider(false) = CN=Tadeusz Testeusz,OU=Users,DC=example,DC=com, userState(false) = 0, lastStateModified(false) = null, state = RECORD_STATE_UP_TO_DATE, saveSyncId = null, changedProperties: [] for updates.
[11/26/20 13:29:48:353 CET] 000002c4 SecurityCore  I com.lombardisoftware.server.ejb.security.SecurityCore updateGroupMembership CWLLG1088I: Initializing session is done for user ttesteusz@example.com
[11/26/20 13:29:48:375 CET] 000002c4 ControllerSer I   CWLLG0006I: Initializing a new session.
[11/26/20 13:29:48:386 CET] 000002c4 LoggerScripta I   Uzytkownik: ttesteusz@example.com
[11/26/20 13:29:48:521 CET] 000001b9 SpnegoHandler W com.ibm.ws.security.spnego.SpnegoHandler handleRequest CWSPN0021E: No delegated credentials were found for user: ttesteusz@example.com.
[11/26/20 13:29:48:523 CET] 000001b9 ControllerSer I   CWLLG0006I: Initializing a new session.
[11/26/20 13:29:48:525 CET] 000001b9 UserCore      I   CWLLG0468I: Checking information for user userId(false) = User.34403, userName(false) = ttesteusz@example.com, fullName(false) = Tadeusz Testeusz, provider(false) = CN=Tadeusz Testeusz,OU=Users,DC=example,DC=com, userState(false) = 0, lastStateModified(false) = null, state = RECORD_STATE_UP_TO_DATE, saveSyncId = null, changedProperties: [] for updates.
[11/26/20 13:29:48:528 CET] 000001b9 TWComponentWe W com.lombardisoftware.component.common.web.TWComponentWebUIImpl getDataObject Id: p1
[11/26/20 13:29:48:528 CET] 000001b9 TWComponentWe W com.lombardisoftware.component.common.web.TWComponentWebUIImpl getDataObject HttpSession.getAttributeNames(): UPDATED_USER_MEMBERSHIPS, com.lombardisoftware.SESSION_UID_KEY, userPreference, com.lombardisoftware.SESSION_TZ_KEY, com.lombardisoftware.servlet.util.SessionState,
[11/26/20 13:29:48:546 CET] 000001b9 wle_portal    E   IBM Business Automation Workflow could not download data from the WWW session. It may have expired. (1dabd53a-4ba8-41db-871b-c236f784a418)
[11/26/20 13:29:48:546 CET] 000001b9 wle_portal    E   IBM Business Automation Workflow could not download data from the WWW session. It may have expired. 

We see two threads 000002c4 and 000001b9 (running one after the other - let's see the event logging times) performing an authentication action, one of which ends with an error.

After a laborious analysis, I found the cause. The problem lies in the modification of security in Chrome and Edge browsers for set cookies - it is about the additional SameSite attribute. The description of the policy related to this attribute can be found on the Chromium project pages: https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies .

WebSphere (version 8.5.5.16), nor the IBM BPM product application, support this additional attribute for session cookies and do not set it. It also turns out that by default, both browsers ignore such cookies. On the browser side, we observe that during the first request, the application server authenticated and in response expects the LtpaToken2, isBidi, BPMSSID and Teamworks cookies to be set on the browser side:

image2020-11-26_18-41-55

Unfortunately, during the next request, the cookies are not sent and we observe re-authentication, with a changed BPMSSID session identifier:

image2020-11-26_18-46-16

That's why the error appears.

For now, the solution is to change the browser parameters.

Google Chrome

Chrome version: 87.0.4280.66

We open the Chrome browser and perform the following steps:

We enter as the browsing address: chrome://flags
We search for the keyword "samesite". We set the found parameters to "Disabled" and reload the browser (the "Relaunch" button)
From then on, everything works OK

image2020-11-26_18-53-22

Microsoft Edge

Edge version: 86.0.622.69

Chrome and Edge browsers are derived from the same project, so we proceed analogously:

We enter as the browsing address: edge://flags
We search for the keyword samesite. We set the found parameters to "Disabled" and reload the browser (the "Restart" button)
From then on, everything works OK

image2020-11-26_18-56-32

WebSphere

I don't know yet how to proceed with WebSphere to add this attribute, but it's inevitable without installing some fixes. Articles I found:

Google Chrome​

Microsoft Edge​

WebSphere​

Google Chrome

Microsoft Edge

WebSphere