If a user works continuously, without logging out or leaving the session inactive long enough to trigger the inactive session timeout, the LTPA token will eventually expire (by default, after 2 hours). The next request by the user would be with an expired LTPA token and with a JSESSIONID associated with the previously-logged-in user.
When the server receives a request with an expired LtpaToken2, it considers the user to be anonymous / unauthenticated. If the server receives a request from an anonymous user with the JSESSIONID of a previously-logged-in user, and if security integration is enabled (it is enabled, by default, in the latest versions of WAS), then WebSphere Application Server will throw an error/exception like:
Error 500: com.ibm.websphere.servlet.UnauthorizedSessionRequestException: SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user: defaultWIMFileBasedRealm/uid=wpadmin,o=defaultWIMFileBasedRealm
How can such an error be avoided?
Answer by JMW98 (1501) | Sep 17, 2015 at 07:52 AM
Setting the session management custom property InvalidateOnUnauthorizedSessionRequestException=true per:
lets you avoid the error. However, you should consider your session management requirements before setting this. By destroying the session, you could break such functionality as session persistence:
http://www-01.ibm.com/support/knowledgecenter/SSHRKX_8.5.0/mp/admin-system/adcfgpss_adm_define.dita
You may also choose to extend the LTPA expiration (e.g. to span users' shifts) to avoid this error. Extending LTPA expiration alone only delays the error. Consider your security requirements when deciding how long LTPA tokens should be valid.
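An added example, not part of the original answer or IBM's own code: before choosing between the custom property and a longer LTPA timeout, it helps to measure how often SESN0008E occurs and for which session owners. This sketch parses the message text quoted in the question; the log prefix, the sample lines and the `triage` helper are assumptions made for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the question; "user:" before an identity is optional.
SESN0008E = re.compile(
    r"SESN0008E: A user authenticated as (?:user:\s*)?(?P<requester>.+?) "
    r"has attempted to access a session owned by (?:user:\s*)?(?P<owner>.+?)\s*$"
)

REALM = "defaultWIMFileBasedRealm"
# Constructed sample log: timestamps, thread ids and the uids alice/bob are made up.
SAMPLE_LOG = "\n".join([
    f"[9/17/15 9:52:01 EDT] 0000009a E SESN0008E: A user authenticated as anonymous "
    f"has attempted to access a session owned by user: {REALM}/uid=wpadmin,o={REALM}",
    "[9/17/15 9:52:03 EDT] 0000009b I unrelated informational line",
    f"[9/17/15 11:58:40 EDT] 000000a1 E SESN0008E: A user authenticated as anonymous "
    f"has attempted to access a session owned by user: {REALM}/uid=wpadmin,o={REALM}",
    f"[9/17/15 12:01:12 EDT] 000000a4 E SESN0008E: A user authenticated as anonymous "
    f"has attempted to access a session owned by user: {REALM}/uid=alice,o={REALM}",
    f"[9/17/15 12:05:30 EDT] 000000a7 E SESN0008E: A user authenticated as "
    f"user: {REALM}/uid=bob,o={REALM} has attempted to access a session owned by "
    f"user: {REALM}/uid=alice,o={REALM}",
])

def triage(log_text):
    """Split SESN0008E events into two Counters.

    anonymous: keyed by session owner; requester was 'anonymous', which is the
               expired-LTPA-token case described in the question.
    other:     keyed by (requester, owner); requester was a named identity,
               so the event is not explained by token expiry alone.
    """
    anonymous, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = SESN0008E.search(line)
        if not m:
            continue
        requester, owner = m.group("requester"), m.group("owner")
        if requester == "anonymous":
            anonymous[owner] += 1
        else:
            other[(requester, owner)] += 1
    return anonymous, other

if __name__ == "__main__":
    anon, other = triage(SAMPLE_LOG)
    for owner, n in anon.most_common():
        print(f"{n:3d}  expired-token pattern  owner={owner}")
    for (req, owner), n in other.items():
        print(f"{n:3d}  named requester        {req} -> {owner}")
```

Events in the second group are worth reviewing separately, since neither setting discussed above is aimed at them.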