Troubleshooting iLO 2 209
server based redirection, selecting
File>New>Window
or pressing the
Ctrl+N
keys, opens a duplicate
instance of the original browser.
Cookie order behavior
During login, the login page builds a browser session cookie that links the window to the appropriate
session in the firmware. The firmware tracks browser logins as separate sessions listed in the Active
Sessions section of the iLO 2 Status page.
For example, when User1 logs in, the Web server builds the initial frames view, with current user: User1
in the top pane, menu items in the left pane, and page data in the lower-right pane. As User1 clicks from
link to link, only the menu items and page data are updated.
While User1 is logged in, if another user, User2, opens another browser window on the same client and
logs in, the second login overwrites the cookie generated in the original User1 session. Assuming that
User2 is a different user account, a different current frame is built, and a new session is granted. The
second session is displayed in the Active Sessions section of the iLO 2 Status page as current user: User2.
The second login has effectively orphaned the first session (User1) by wiping out the cookie generated
during User1's login. This behavior is the same as closing User1's browser without clicking the Log Out
link. User1’s orphaned session is reclaimed when the session timeout expires.
Because the current user frame is not refreshed unless the browser is forced to refresh the entire page,
User1 can continue navigating using his or her browser window. However, the browser is now operating
using User2's session cookie settings, even though it is not readily apparent.
If User1 continues to navigate in this mode (User1 and User2 sharing the same process because User2
logged in and reset the session cookie), the following can occur:
•
User1's session behaves consistently with the privileges assigned to User2.
•
User1's activity keeps User2's session alive, but User1's session can time out unexpectedly.
•
Logging out of either window causes both window sessions to terminate. The next activity in the
other window can redirect the user to the login page as if a session timeout or premature timeout
occurred.
•
Clicking Log Out from the second session (User2) results in a
Logging out: unknown page
to display before redirecting the user to the login page.
•
If User2 logs out then logs back in as User3, User1 assumes User3's session.
•
If User1 is at login, and User2 is logged in, User1 can alter the URL to redirect to the index page. It
appears as if User1 has accessed iLO 2 without logging in.
These behaviors continue as long as the duplicate windows are open. All activities are attributed to the
same user, using the last session cookie set.
Displaying the current session cookie
After logging in, you can force the browser to display the current session cookie by entering
javascript:alert(document.cookie)
in the URL navigation bar. The first field visible is the
session ID. If the session ID is the same among the different browser windows, then these windows are
sharing the same iLO 2 session.
You can force the browser to refresh and reveal your true identity by pressing the
F5
key, selecting
View
>
Refresh,
or using the refresh button.