1
votes

There are two app servers: http://localhost:9080/appA and http://localhost:9081/appB

appA is hosted on WebSphere and it is out of my control. It sets JSESSIONID and LtpaToken2 with path "/".

appB is on Liberty Profile, over which I have full control. I do not use sessions or single sign-on. I have one simple REST server which echoes back the user input. There's no cookie returned.

I open appA in the browser, log in, and see the cookies (JSESSIONID and LtpaToken2). I open another tab going to appB, then right away I see the LtpaToken2 cookie is gone; JSESSIONID is still there. Going back to the appA tab and navigating to another page, the user is kicked out.

What could possibly make LtpaToken2 gone from Liberty Profile?

1
Including the verbatim HTTP headers would help - covener

1 Answer

1
votes

What errors/messages do you see in the logs?

Assuming that LTPA keys are not exchanged between full profile (WAS) and Liberty profile, when the token is presented to Liberty and it has to authenticate (when accessing a protected servlet), it will fail and remove the cookie.

One other possibility is that the session that comes into Liberty is not valid for some reason, in which case a logout is executed. Are the sessions shared here, or is a new session supposed to be created for each app?

One solution is to have customized LTPA cookie names in both WAS and Liberty so one does not mess with the other's cookies.

However, if they need to participate in SSO, then the LTPA keys need to be exchanged.
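The collision discussed above can be reproduced offline with a small cookie-jar model. This is an added example, not code from the question or the answer: cookies are keyed by host, path and name with the port ignored, so anything `localhost:9081` expires under the name `LtpaToken2` also removes the copy set by `localhost:9080`. The form of the expiring `Set-Cookie` header, the token values and the name `LtpaToken2_appB` are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def _is_delete(morsel):
    """True when a Set-Cookie tells the browser to drop the cookie."""
    if morsel["max-age"] != "":
        return int(morsel["max-age"]) <= 0
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) <= datetime.now(timezone.utc)
    return False


def apply_set_cookie(jar, url, header):
    """Store or delete a cookie keyed by (host, path, name); the port is ignored."""
    host = urlsplit(url).hostname
    parsed = SimpleCookie()
    parsed.load(header)
    for name, morsel in parsed.items():
        key = (host, morsel["path"] or "/", name)
        if _is_delete(morsel):
            jar.pop(key, None)
        else:
            jar[key] = morsel.value


def cookies_sent(jar, url):
    """Cookies a browser would attach to a request (simplified prefix path match)."""
    parts = urlsplit(url)
    return {name: value for (host, path, name), value in jar.items()
            if host == parts.hostname and (parts.path or "/").startswith(path)}


def demo(app_b_cookie="LtpaToken2"):
    """Log in to appA, visit appB, then return to appA. All values are constructed."""
    jar = {}
    app_a, app_b = "http://localhost:9080/appA", "http://localhost:9081/appB"
    apply_set_cookie(jar, app_a, "JSESSIONID=abc123; Path=/")
    apply_set_cookie(jar, app_a, "LtpaToken2=tokenFromAppA; Path=/")
    seen_by_b = cookies_sent(jar, app_b)  # appA's cookies reach appB too
    # Assumption: appB cannot validate the token and expires its own SSO cookie name.
    apply_set_cookie(jar, app_b, f"{app_b_cookie}=; Max-Age=0; Path=/")
    return seen_by_b, cookies_sent(jar, app_a)


if __name__ == "__main__":
    print("default names:", demo())
    print("custom name  :", demo("LtpaToken2_appB"))
```

With the default name the second result for appA contains only `JSESSIONID`, matching the symptom in the question; with a distinct name on appB both cookies survive.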