HP HPE iLO 5 User Manual page 32

During login, the login page builds a browser session cookie that links the window to the appropriate
session in the iLO firmware. The firmware tracks browser logins as separate sessions listed on the
Session List page.
For example, when User1 logs in, the web server builds the initial frames view, with User1 listed as the
active user, menu items in the navigation pane, and page data in the right pane. When User1 clicks from
link to link, only the menu items and page data are updated.
While User1 is logged in, if User2 opens a browser window on the same client and logs in, the second
login overwrites the cookie generated in the User1 session. Assuming that User2 is a different user
account, a different current frame is built, and a new session is granted. The second session appears on
the Session List page as User2.
The second login has effectively orphaned the first session by overriding the cookie generated during the
User1 login. This behavior is the same as closing the User1 browser without clicking the Log Out button.
The User1 orphaned session is reclaimed when the session timeout expires.
Because the current user frame is not refreshed unless the browser is forced to refresh the entire page,
User1 can continue navigating by using the browser window. However, the browser is now operating by
using the User2 session cookie settings, even though it might not be readily apparent.
If User1 continues to navigate in this mode (User1 and User2 sharing a process because User2 logged in
and reset the session cookie), the following might occur:
• User1 session behaves consistently with the privileges assigned to User2.
• User1 activity keeps User2 session alive, but User1 session can time out unexpectedly.
• Logging out of either window causes both sessions to end. The next activity in the other window can
redirect the user to the login page as if a session timeout or premature timeout occurred.
• Clicking Log Out from the second session (User2) results in the following warning message:
Logging out: unknown page to display before redirecting the user to the login page.
• If User2 logs out and then logs back in as User3, User1 assumes the User3 session.
• If User1 is at login, and User2 is logged in, User1 can alter the URL to redirect to the index page. It
appears as if User1 has accessed iLO without logging in.
These behaviors continue as long as the duplicate windows are open. All activities are attributed to the
same user, using the last session cookie set.
Displaying the current session cookie
After logging in, you can force the browser to display the current session cookie by entering the following
in the URL navigation bar:
javascript:alert(document.cookie)
The first field visible is the session ID. If the session ID is the same among the different browser windows,
these windows are sharing iLO session.
You can force the browser to refresh and reveal your true identity by pressing F5, selecting View >
Refresh, or clicking the Refresh button.
Best practices for preventing cookie-related issues
• Start a new browser for each login by double-clicking the browser icon or shortcut.
• To close an iLO session before you close the browser window, click the Log Out button.
32 Using the iLO web interface