7015604: SSPR error 5035 – “Out of order page request has been received”

This document (7015604) is provided subject to the disclaimer at the end of this document.

Environment

Self Service Password Reset

SSPR 3.1

SSPR 4.1

Situation

Users get Error 5035 – “Out of order page request has been received”

Problem may occur after hitting the “back” button while in an SSPR page

Problem may occur at other times as well, even if the back button has not been pressed – the error simply indicates that the sequence of pages expected by SSPR has become out of sync.

SSPR error log shows “incorrect sequence” message similar to the one below

ERROR, password.pwm.servlet.TopServlet, 5035 ERROR_INCORRECT_REQUEST_SEQUENCE (expectedPageID=3, submittedPageID=4, url=<some sspr url>

Resolution

Disable Back Button Detection in

SSPR Configuration Manager, Settings -> Security –> Web Security
Note: Disabling this setting will have no effect on end users; SSPR 4.1 has other methods to detect this user behavior.

Additional Information

As is common with web applications, SSPR tries to prevent users from clicking the back button and acting upon previous pages. SSPR uses four different methods to detect this activity, one of which is a counter / sequence method. SSPR increments a counter as each page is loaded and tracks the expected sequence of pages. If the user clicks “back” the counter will not be updated, the sequence will be out of order and the “incorrect request sequence” will show in the log.

Unfortunately, this detection method is problematic, and can result in false positives. Factors such as the behavior of different browsers and browser versions, proxy gateway services, and caching at the gateway or on the workstation can all influence the way the page counter is incremented. If the counter becomes out of sync for any reason the 5035 error will be returned.
Note that the “back button detection” setting in SSPR only applies to the “counter / sequence” method of detecting whether or not the back button has been pressed. With SSPR 4.1 the other three methods are in place regardless of the value of this setting. Beginning with version 4.2, SSPR will no longer use the sequence method of detecting back button detection, and the “back button detection” setting will be removed. Instead, SSPR will rely on the other three methods of back button detection already in place with SSPR 4.1.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

Leave a Reply