After 8.5 upgrade checkSession problem

IdentityIQ (IIQ) IIQ Discussion and Questions
1

After 8.5 upgrade checkSession problem

image
image841×439 71.7 KB

After updating to 8.5 we have a problem with a looping checkSession error after session-timeout . Has anyone had this issue?

The problem is that it seems to happen randomly, in my opinion.

4607789 The system has encountered a serious error while processing your request. Report the following incident code to your system administrator: 4607789 SailPointBundleLibrary.js:40:9056
Error: [$templateRequest:tpload] Failed to load template: util/modal-alert.html (HTTP status: undefined undefined)

d ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:38
j ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
i ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
k ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
$digest ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
$apply ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
g ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:39
r ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
onload ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
b ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
w ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:39
j ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:39
i ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
k ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
$digest ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
$apply ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
j ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:41
b ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:40
d ‘’/iiq_test/ui/js/bundles/SailPointBundleLibrary.js?fb6698fe9f4-20250709-205815:38
SailPointBundleLibrary.js:40:9056
XHRGET
‘’/iiq_test/ui/rest/checkSession
[HTTP/1.1 500 32ms]

2

Hi Adrian,

This is an issue while doing upgrade, as i have also faced it. You need to add the below system config xml from debug. Add the below entry and then try.

<entry key="noIdpSameSiteNone" value="true"/>
3

Unfortunately, the error is still occurring on my side.

4

Do you see the similar error in the logs or issue exactly same or do you see other behaviour??

5

Only behaviour is the spam in log
for now i use log4j2
Because my database can be full in 3-4h

logger.allExceptionMapper.name=sailpoint.rest.ui.jaxrs.AllExceptionMapper
logger.allExceptionMapper.level=off
logger.allExceptionMapper.additivity=false

[ERROR] 2025-12-09 22:10:24.400 [http-nio-8080-exec-1] sailpoint.rest.ui.jaxrs.AllExceptionMapper.logException:25 - Uncaught JAX-RS exception.
javax.ws.rs.NotFoundException: HTTP 404 Not Found
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:252) [jersey-server-2.35.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [jersey-common-2.35.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [jersey-common-2.35.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [jersey-common-2.35.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [jersey-common-2.35.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [jersey-common-2.35.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [jersey-common-2.35.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [jersey-server-2.35.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684) [jersey-server-2.35.jar:?]
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394) [jersey-container-servlet-core-2.35.jar:?]
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346) [jersey-container-servlet-core-2.35.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:366) [jersey-container-servlet-core-2.35.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:319) [jersey-container-servlet-core-2.35.jar:?]
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205) [jersey-container-servlet-core-2.35.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:197) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) [tomcat-websocket.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.web.SailPointResponseFilter.doFilter(SailPointResponseFilter.java:99) [classes/:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.rest.jaxrs.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:90) [identityiq.jar:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.rest.RestCsrfValidationFilter.doFilter(RestCsrfValidationFilter.java:71) [identityiq.jar:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.rest.AuthenticationFilter.doFilter(AuthenticationFilter.java:109) [identityiq.jar:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.web.TraversalVulnerabilityFilter.doFilter(TraversalVulnerabilityFilter.java:69) [identityiq.jar:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.web.EntraProxyTeamsHeaderFilter.doFilter(EntraProxyTeamsHeaderFilter.java:105) [identityiq.jar:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.web.SailPointContextRequestFilter.doFilter(SailPointContextRequestFilter.java:68) [identityiq.jar:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.web.SailPointPollingRequestFilter.doFilter(SailPointPollingRequestFilter.java:158) [identityiq.jar:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at sailpoint.web.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:63) [identityiq.jar:8.5 Build fb6698fe9f4-20250709-205815]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.3.39.jar:5.3.39]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) [spring-web-5.3.39.jar:5.3.39]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:142) [catalina.jar:9.0.112]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:166) [catalina.jar:9.0.112]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:88) [catalina.jar:9.0.112]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) [catalina.jar:9.0.112]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:9.0.112]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:83) [catalina.jar:9.0.112]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:643) [catalina.jar:9.0.112]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:72) [catalina.jar:9.0.112]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [catalina.jar:9.0.112]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:398) [tomcat-coyote.jar:9.0.112]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) [tomcat-coyote.jar:9.0.112]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:935) [tomcat-coyote.jar:9.0.112]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1831) [tomcat-coyote.jar:9.0.112]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) [tomcat-coyote.jar:9.0.112]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:973) [tomcat-util.jar:9.0.112]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:491) [tomcat-util.jar:9.0.112]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) [tomcat-util.jar:9.0.112]
at java.lang.Thread.run(Thread.java:840) [?:?]

6

Hi @adrion5 ,

We’re experiencing a similar issue, once the session expires, the /checkSession endpoint is triggered endlessly. More than 10k in just one minute.

{D8478730-38BF-4A88-98D7-D3CEB92E2697}
{D8478730-38BF-4A88-98D7-D3CEB92E2697}574×565 106 KB

7

Steps to reproduce the issue:

  1. Open two tabs in the same browser window, then open the second tab after 5 minutes.
  1. When the warning of session expiration in Tab1 pops up, extend the session before it expired
  2. Took no action in Tab 2, allowing it to expire naturally
8

When the session is not extended, it expires the session by calling /checkSession and 408 returned. No spamming of /checkSession occurred.

image
image930×640 52.5 KB

9

can you please add below entry also in systemconfiguration from debug and test it. It should fix .

<entry key="ui.sessionTimeoutCheckEnabled" value="false"/>

10

Some analysis:

  1. /checkSession should not be called if the session gets extended. It is a fake URL for the purpose of invalidating the session.

{E0AC3116-A145-4362-8802-D58C2278BEF3}
{E0AC3116-A145-4362-8802-D58C2278BEF3}757×248 44.1 KB

  1. The timeout of the window does not reset when user click “Ok” in the Session Expiration Warning popup.

  2. Since the session is extended and the window does not notice the timeout reset. The /checkSession URL gets triggered and send to the backend. That’s why error about 404 Not Found thrown in the log.

11

Temporary Fix:

  1. Add SailPoint.disableEarlyWarning to scriptData.xhtml
          ...

          SailPoint.disableEarlyWarning = true;
        </script>
      </ui:fragment>
    </ui:composition>
  </h:head>
</html>
  1. Add disableEarlyWarning as condition to resetTimeout function in SailPointBundle.js
(m.resetTimeout = function () {
  var a = f + 3e4,
  c = 3e5,
  d = a - c,
  e = window.location.hash;
  if (e !== n) {
    var g = { hash: e };
      j.post(i + "/ui/rest/redirect/hash", g), (n = e);
  }
  this.timeoutPromise && b.cancel(this.timeoutPromise),
  this.warningPromise && b.cancel(this.warningPromise),
  (l = Date.now() + a),
  (this.timeoutPromise = b(this.showTimeoutDialog, a)),
  (!window.SailPoint.disableEarlyWarning && d > 0) && 
    (this.warningPromise = b(this.showWarningDialog, d));
  }),
...
  • Now the user should be unable to extend the session
  1. To handle 500 status code in SailPointBundle.js
(m.showTimeoutDialog = function () {
  j
    .get(i + "/ui/rest/checkSession", { handledErrors: [408, 500] })
    .catch(function () {
      SailPoint.NotificationMenuItem &&
      SailPoint.NotificationMenuItem.cancelNotification();
    }),
...
12

we added “noIdpSameSiteNone = true and ui.sessionTimeoutCheckEnabled = false” . but still seeing these errors continuously in the syslog. any other option to suppress this error.

13

Did you try this one ??

14

looks like your suggestion didnt come through.. are you referring to javascript changes??

15

ENtry needs to be added in systemconfiguration from debug and test it. It should fix .

16

Changing ui.sessionTimeoutCheckEnabled to false stops the checkSession requests flooding IIQ.

I haven’t tested if it works for already existing sessions, but new sessions will stop sending the request after a request timeout response.

17

This is a known issue with 8.5/8.5p1, see bug IIQSR-954. Feel free to open tickets w/ support to get further resolution.

18

we added “noIdpSameSiteNone = true and ui.sessionTimeoutCheckEnabled = false” . but still seeing these errors continuously in the syslog. any other option to suppress this error. — Whats the alternative and E-Fix is ready for this bug ?

19

@SaruRavi84 You can open a ticket to Sailpoint Support and ask status for bug: IQSR-954? If they are releasing efix, then it would not be for all. You need to reach out to Sailpoint to get the efix.

20

Did anyone get a permanent/official fix for this issue? Our database is geting 200,000 calls to syslog with the javax.ws.rs.NotFoundException: HTTP 404 Not Found stack trace