Shared instances, Cookie order, Displaying the current session cookie – HP Integrated Lights-Out 4 User Manual

Page 319


Shared instances

When iLO opens another browser window (for example, the Remote Console or a help file), this
window shares the same connection to iLO and the session cookie.

The iLO web server makes URL decisions based on each request received. For example, if a request
does not have access rights, it is redirected to the login page, regardless of the original request.
Web server-based redirection, selecting File→New→Window, or pressing Ctrl+N opens a duplicate
instance of the original browser.

Cookie order

During login, the login page builds a browser session cookie that links the window to the appropriate
session in the iLO firmware. The firmware tracks browser logins as separate sessions listed in the
Active Sessions section of the iLO Overview page.

For example, when User1 logs in, the web server builds the initial frames view, with User1 listed
in the top pane, menu items in the left pane, and page data in the lower right pane. When User1
clicks from link to link, only the menu items and page data are updated.

While User1 is logged in, if User2 opens a browser window on the same client and logs in, the
second login overwrites the cookie generated in the original User1 session. Assuming that User2
is a different user account, a different current frame is built, and a new session is granted. The
second session appears in the Active Sessions section of the iLO Overview page as User2.

The second login has effectively orphaned the first session by overriding the cookie generated
during the User1 login. This behavior is the same as closing the User1 browser without clicking
the Sign Out button. The User1 orphaned session is reclaimed when the session timeout expires.

Because the current user frame is not refreshed unless the browser is forced to refresh the entire
page, User1 can continue navigating by using the browser window. However, the browser is now
operating by using the User2 session cookie settings, even though it may not be readily apparent.

If User1 continues to navigate in this mode (User1 and User2 sharing the same process because
User2 logged in and reset the session cookie), the following can occur:

User1 session behaves consistently with the privileges assigned to User2.

User1 activity keeps User2 session alive, but User1 session can time out unexpectedly.

Logging out of either window causes both sessions to end. The next activity in the other window
can redirect the user to the login page as if a session timeout or premature timeout occurred.

Clicking Sign Out from the second session (User2) results in the following warning message:

Logging out: unknown page to display before redirecting the user to the login page.

If User2 logs out and then logs back in as User3, User1 assumes the User3 session.

If User1 is at login, and User2 is logged in, User1 can alter the URL to redirect to the index
page. It appears as if User1 has accessed iLO without logging in.

These behaviors continue as long as the duplicate windows are open. All activities are attributed
to the same user, using the last session cookie set.
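The sequence described in this section, as a small simulation. This is an added illustration, not code from the HP manual or the iLO firmware: ToyServer, BrowserWindow, the shared jar object, and the cookie field sid are constructed names, and times are arbitrary units.

```javascript
// Toy model of the cookie-order behaviour; every name here is constructed.
class ToyServer {
  constructor(timeout) { this.timeout = timeout; this.sessions = new Map(); this.seq = 0; }
  reap(now) {                       // reclaim sessions idle longer than the timeout
    for (const [id, s] of this.sessions)
      if (now - s.lastSeen > this.timeout) this.sessions.delete(id);
  }
  login(user, now) {                // each login is tracked as a separate session
    const id = `S${++this.seq}`;
    this.sessions.set(id, { user, lastSeen: now });
    return id;
  }
  request(id, now) {                // user the request runs as, or null (login page)
    this.reap(now);
    const s = this.sessions.get(id);
    if (!s) return null;
    s.lastSeen = now;               // any activity keeps this session alive
    return s.user;
  }
  logout(id) { this.sessions.delete(id); }
  active(now) { this.reap(now); return [...this.sessions.values()].map(s => s.user); }
}

class BrowserWindow {
  // jar is the one cookie store shared by every window of the same browser
  constructor(server, jar) { this.server = server; this.jar = jar; this.frameUser = null; }
  login(user, now) {
    this.jar.sid = this.server.login(user, now);  // overwrites any earlier cookie
    this.frameUser = user;                        // user frame is drawn once, at login
  }
  click(now) { return this.server.request(this.jar.sid, now); }  // frame not redrawn
  refresh(now) { this.frameUser = this.click(now); return this.frameUser; }  // F5
  signOut() { this.server.logout(this.jar.sid); this.jar.sid = null; }
}

function demo() {
  const server = new ToyServer(100), jar = { sid: null };
  const w1 = new BrowserWindow(server, jar), w2 = new BrowserWindow(server, jar);
  w1.login("User1", 0);
  w2.login("User2", 10);            // same browser: the User1 cookie is replaced
  const out = { listed: server.active(20), shown: w1.frameUser, actsAs: w1.click(20) };
  w1.click(90);                     // User1's clicks refresh only the User2 session
  out.afterTimeout = server.active(110);  // orphaned User1 session has been reclaimed
  out.afterRefresh = w1.refresh(120);     // full refresh shows the real identity
  w2.signOut();
  out.afterSignOut = w1.click(130);       // null: other window lands on the login page
  return out;
}
console.log(demo());
```

The gap between `shown` and `actsAs` is the condition to watch for when auditing iLO activity from a shared administrative workstation: the window still displays User1 while every request is attributed to User2.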

Displaying the current session cookie

After logging in, you can force the browser to display the current session cookie by entering the
following in the URL navigation bar:

javascript:alert(document.cookie)

The first field visible is the session ID. If the session ID is the same among the different browser
windows, these windows are sharing the same iLO session.

You can force the browser to refresh and reveal your true identity by pressing F5, selecting
View→Refresh, or clicking the Refresh button.
