Troubleshooting Backend Session Termination Issues in SAP Enterprise Portal
You are using Application Integrator iViews to integrate backend applications on the portal. User1 logs on to the portal and accesses business applications through iViews. User1 logs off from the portal and does not close the browser window. Now User2 logs on to the portal and accesses the same application. User2 can see the details which should be available to User1 only.
Before creating an incident on the Service Market Place (SMP), perform the checks described below:
- Is the Pop-up Blocker for portal hostname enabled?
After you log on to the Portal, you are advised to disable the pop-up blocker for the portal hostname for proper functioning of session release.
Open the pop-up blocker settings in the browser and check it.
For more information about session release agents and pop-up blockers, refer to SAP Note 1331353.
- Are portal and backend applications aligned with the same-origin policy?
The protocol used by the portal and the backend applications should be the same. If the portal is accessed through http/s, all the backend servers also have to be configured using http/s.
Portal and backend applications should be in the same domain. If the portal is running on the "portal.domain.com" server, all the backend servers must run on a host in the same domain (e.g. somename.domain.com).
For more information about common Session Release Agent issues and troubleshooting, refer to SAP Note 596698.
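The following added example (not SAP code and not part of the original page) checks a list of backend URLs against the two alignment rules above: same protocol as the portal, and a host in the same domain. The URLs are constructed sample values, and "same domain" is assumed to mean that the hostname minus its first label matches, as in the portal.domain.com / somename.domain.com pair.

```javascript
// Added example: flag backend URLs that break the portal's protocol/domain alignment.
// Assumption: "same domain" = hostname minus its first label, as in the
// portal.domain.com / somename.domain.com pair on this page.
function parentDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals and hosts without a subdomain label have no parent domain to compare.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return null;
  const labels = host.split(".");
  return labels.length >= 3 ? labels.slice(1).join(".") : null;
}

function checkAlignment(portalUrl, backendUrls) {
  const portal = new URL(portalUrl);
  const portalDomain = parentDomain(portal.hostname);
  return backendUrls.map((raw) => {
    let backend;
    try {
      backend = new URL(raw);
    } catch {
      return { url: raw, aligned: false, issues: ["not a valid absolute URL"] };
    }
    const issues = [];
    if (backend.protocol !== portal.protocol) {
      issues.push(`protocol ${backend.protocol} differs from portal ${portal.protocol}`);
    }
    const domain = parentDomain(backend.hostname);
    if (domain === null || portalDomain === null) {
      issues.push("host is an IP address or has no fully qualified domain name");
    } else if (domain !== portalDomain) {
      issues.push(`domain ${domain} differs from portal domain ${portalDomain}`);
    }
    return { url: raw, aligned: issues.length === 0, issues };
  });
}

// Constructed sample landscape (hypothetical hosts and ports).
const SAMPLE_PORTAL = "https://portal.domain.com:50001/";
const SAMPLE_BACKENDS = [
  "https://somename.domain.com:44300/", // aligned
  "http://erp.domain.com:8000/",        // protocol mismatch
  "https://crm.other.example:44300/",   // different domain
  "https://10.1.2.3:44300/",            // IP address instead of an FQDN
];

for (const r of checkAlignment(SAMPLE_PORTAL, SAMPLE_BACKENDS)) {
  console.log(r.aligned ? "OK  " : "FAIL", r.url, r.issues.join("; "));
}
```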
ABAP Security Sessions
This section is relevant if your backend is configured to work in ABAP security session mode (See SAP Note 1322944 - ABAP: HTTP security session management).
The subject matter of this section is explained in detail in KBA 1717945.
- Do the portal version and SP level match the recommended version and SP level as per SAP Note 1471069 (Security Note - ABAP Security Sessions and SAML 2.0)?
- Is the 'ABAP Security Sessions Enabled' property checkbox selected in the portal system object, as per SAP Note 1471069?
If you are not using HTTP Security Session Management on the backend, this value must be cleared.
In the Portal, navigate to System Administration > System Configuration > System Landscape > Open System Object
- Using HttpWatch trace, verify that a USR_LOGOFF notification is sent to http://<host:port>/sap/public/bc/icf/logoff on logoff from the portal.
- Is the /sap/public/bc/icf/logoff service enabled on the backend?
In transaction SICF, select the following ICF services as shown below:
Special Technology-related Configurations
If you are using BSP applications, look at the PortalSessionID property.
In the Portal, navigate to Content Administration > Content Management > Portal Content > Browse into your BSP iView and open iView properties as shown below:
If the value of the PortalSessionID property is empty in the BSP iView, enter the following value: <ClientWindowID><IView.ID> (including the angle brackets).
If you are using SAPUI5 applications, look at the PortalSessionID property.
In the portal, navigate to Content Administration > Content Management > Portal Content > Browse into your UI5 iView and open iView properties.
If the value of the PortalSessionID property is empty in the UI5 iView, enter the following value: <IView.ID><User.UserID> (including the angle brackets).
Additionally, in the Portal Catalog, in the system configured for the SAPUI5 application, open the Properties editor and make sure the "ABAP HTTP Security Sessions Enabled" property checkbox is selected.
*SAP Note "1885476 - DSM support for UI5 application" describes the minimum patch level required to have this feature available in UI5 iViews.