CSP sessions with frames and https

We have an web application accessed using https, that uses CSP technology with frames.

The initial 'login' is via a single CSP page, which then redirects to another CSP page which creates the frames (4 in all) and loads a CSP page in each of those.  For the most part the frames load without error, but sometimes when logging in and sometimes while using the system ' 5916 Illegal CSP Request ' errors occur.

I say 'login' in inverted commas as a Cache login is not performed just an application login, I don't know if that's relevant so thought I'd mention it.

I presume the errors are connected to using frames, as we do have a non-framed version of the application where we don't get those errors occurring. There are currently still some issues with the non-framed version of our application which is why most of our customers haven't moved to that version.

I have read some old posts on the google group Cache forum about issues with frames/https and CSP sessions, where it seemed to be saying that multiple sessions could be created with separate tokens and end up causing confusion, but if you logged in via a single frame CSP page and load the frameset after it should mean just one session is created and maintained.

Am I understanding the workings correctly? Does anyone have any ideas you have any ideas for eradicating the errors for the frame using customers? Could the errors be influenced by slow network response?

Our customers are on quite an old version of Cache for UNIX (IBM AIX for System P5-64) 2010.2
In case it has a bearing.




  • 0
  • 0
  • 311
  • 2
  • 0


You are right that if you access frameset page from another CSP page, all frames should use the same session.

5916 Illegal CSP Request error happens if you access encrypted or private CSP page with incorrect session token. I guess if it can be because of some cached pages in the browser. Do you use cookies to identify the session? And what happens if you make a forced refresh of the frameset page (CTRL-F5), does it  load correctly then?

Well we don't append anything onto the URL on the form tag of the login page, so it will rely on cookies.

I haven't had it happen to me so I don't know. I've asked them to try refreshing the individual panels (frames) but I've have had no reports of them trying it and whether it succeeded or not.