Wednesday, 15 October 2014

Cookies and PS_TOKEN and JD Edwards and trouble

 

We are getting many instances of “The JD Edwards EnterpriseOne token is invalid. Please sign in again”. What?  We’ve never had this before, we’ve just gone live.  What is going on?

It took some time, but we had the following to go on:

JAS JDE logs:

12 Oct 2014 11:29:52,146 [SEVERE] - [JAS] User nullSecurityToken is not Validated.Security Server return error status: 16/ Invalid Token
12 Oct 2014 11:30:03,956 [SEVERE] - [JAS] User nullSecurityToken is not Validated.Security Server return error status: 16/ Invalid Token

And on the server (security server):

9420/5292 MAIN_THREAD Sun Oct 12 11:29:52.162000	PSAuthToken.cpp561 
ValidateAuthToken: Token length(0) invalid

9420/5292 MAIN_THREAD Sun Oct 12 11:29:52.163000 jdeksec.c4587
Failed to validate auth token: token library unable to validate token

9420/5292 MAIN_THREAD Sun Oct 12 11:29:52.163001 jdeksec.c1387
KSEC0000400 - Failed to authenticate user for token: eSecInvalidToken: The security token is invalid

 




After quite a bit of time, we found that the browser was sending a PeopleSoft cookie (PS_TOKEN) to the JD Edwards web server. The web server then treated it as relevant for E1 authentication and passed it to the Security Server. The cookie was not in a format that the security server recognised, so it saw it was rubbish and then the client could not log in from that browser.


Arrggghhh! The cookie was supposed to expire after the PSFT session, but in many circumstances it was hanging about. We wrote some JSP to delete the cookie, but IE needed a restart! Good old Chrome just kept trucking – what a browser.


Cookie management was much better in Chrome than in Internet Explorer, as was the ability to manipulate cookies (which might be seen as a “not so good thing”).


Oh yeah, and the reason why we are starting to get this now is that the domain that the PSFT cookie was defined for was too broad, and matched the domain for our load-balanced VIP, so the browser just sends the generic cookie to any site that matches the broad domain definition (which is rubbish too!).
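
The domain matching behind this, as an added example that is not part of the original post: it applies the RFC 6265 domain-match rule to a broadly scoped PS_TOKEN cookie and to a host-only one, and builds the expiring Set-Cookie header a cleanup page has to send. The hostnames, cookie value and Domain/Path attributes are constructed placeholders, not values from the post.

```javascript
// Added example: all hostnames and cookie attributes are constructed placeholders.

// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain, or
// ends with "." + domain and is a hostname rather than an IP address.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Parse one Set-Cookie header into the fields that decide its scope.
// Without a Domain attribute the cookie is host-only (sent to originHost only).
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), domain: null, path: "/", hostOnly: true, originHost };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i < 0 ? "" : attr.slice(i + 1);
    if (key === "domain" && value) { cookie.domain = value; cookie.hostOnly = false; }
    if (key === "path" && value.startsWith("/")) cookie.path = value;
  }
  return cookie;
}

// Would a browser attach this cookie to a request for `host`?
// Path matching is left out because the sample cookies use Path=/.
function sentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.originHost.toLowerCase()
    : domainMatches(host, cookie.domain);
}

// Header that expires the cookie. Name, Domain and Path must equal the
// original's; otherwise the browser stores a second cookie and keeps the first.
function expireHeader(cookie) {
  const domainAttr = cookie.hostOnly ? "" : `; Domain=${cookie.domain}`;
  return `${cookie.name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=${cookie.path}${domainAttr}`;
}

const PSFT_HOST = "psft.corp.example.com"; // constructed PeopleSoft host
const JDE_VIP = "jde-vip.corp.example.com"; // constructed JD Edwards VIP
const broad = parseSetCookie("PS_TOKEN=constructed-value; Domain=.example.com; Path=/", PSFT_HOST);
const hostOnly = parseSetCookie("PS_TOKEN=constructed-value; Path=/", PSFT_HOST);
for (const c of [broad, hostOnly]) {
  console.log(`${c.domain || "(host-only)"} -> sent to JDE VIP: ${sentTo(c, JDE_VIP)}`);
}
```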
