Weblogic

Could not find saved view state for token j0ej17tvl… What can be the cause?

Problem

When observing Weblogic server log files, there are occasional occurancies of Error message:

Could not find saved view state for token XXXXXXXXX…

Where XXXXXXXXX is randomly generated string for each page post request. This error always comes along with:

ADF_FACES-30107:The view state of the page has expired. Reload the page.

Some background info

Each web page, which posts a request to server has assigned and saved view state. It is a randomly generated string, which is saved in server side as a token. It is used to link server state and page saved locally in client side. During initial page request token is generated. During every subsequent request of same page, same token string is sent to server. Accordingly server finds saved token and relates it to request received. In this way it knows that current request is of the same page which was requested previously and is aware of its state.

Number of tokens, which can be saved for one user session can be configured in dedicated parameter:

org.apache.myfaces.trinidad.CLIENT_STATE_MAX_TOKENS

It is located in web.xml. Every new page request to server utilises one token. If page number exceeds configured number of tokens, the oldest one is just removed.

Token history is utilised only when need to recover some previously set page state. Here are some of relevant cases:

  • User clicks “Back” button in browser
  • User clicks to open page from history list (pages saved in cache)
  • Browser recovers from forced shutdown (i.e. during computer restart, when browser is not closed explicitly)

Tokens can be purged when:

  • User session ends
  • Reached configured max token size and oldest token removed
  • Server restarts

What can be the cause of the error?

Following scenarios can result into error:

  • User clicks “Back” in browser, it tries to re-post request with saved view state token. Token can not be found in server for one of expiry reasons.
  • User keeps opened the same application in several tabs for long period of time. Session ends. User tries to use application further, restores session in one of tabs. Error is raised when try to use application in other tabs.
  • User restarts computer, browser automatically starts up and tries to open application (which was opened before restart). It fails because of changed session and not matched token.
  • Server restart happens. User tries to continue working with previously opened application. Tokens purged, error is logged.
  • After long period of time, user tries to open application from browser history. Saved client token is not available any more.

Recommendations for user to avoid this error:

  • Avoid using browser “Back” button, while there is limited client state token size, thus limited hits on “Back”.
  • Avoid using browser history
  • Always try to start ADF/JSF application opening it in new browser window, by starting it from root context (i.e. https://myhost.com/myapp). There should not be any parameters after “…/myapp”.
  • Try to use application in single browser window/tab.
  • If after computer restart application is opened implicitly in the browser, close it and open again as described in point #3.
  • If server was restarted for some reason, open application again like in point #3
  • After longer period of time (when session timeouts), open application again as described in item #3.

For complex ADF/JSF applications it can make sense to completely disable saving of view states. To achieve that, need to set org.apache.myfaces.trinidad.CLIENT_STATE_MAX_TOKENS parameter to “1”.

In such a case makes sense to disable “Back” function in browser as well. To achieve that, need to add this javascript in you application template or anywhere where it executes:


history.pushState(null, null, location.href);
window.onpopstate = function () {
history.go(1);
};

I’ve taken this idea and script from https://codepen.io/dhavalt10/pen/rGLBzB

Oracle Weblogic Version 12.2.1.0.0


Advertisement

Leave a Reply

Your email address will not be published.