This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
Remedy AR System Server
AR System Mid Tier
Midtier 9.x, 19.x, 20.x
- ARERR 9506 displays when form is requested
- Fiddler capture shows the request for udd.js results in HTTP 403
- Fiddler capture shows the response to the LoginServlet call sets the HTTPOnly flag on all cookies including MJUID
- Fiddler capture shows the request for udd.js file is sent with the parameter ui=null
- Detailed Midtier log shows the following: "Possible Cross-Origin request detected. Refusing request for udd.js"
The MJUID cookie has the HttpOnly flag set, so browser-side scripts cannot set the ui parameter correctly.
The request for udd.js fails because the ui parameter is null. This happens because all cookies are set with the HttpOnly flag. Some cookies need to be set and accessed by client code, and the flag prevents that access. In this particular case the MJUID cookie is affected.
This is a web server / reverse proxy configuration problem. From a security standpoint, only the session cookie (JSESSIONID) needs to be protected, and Mid-Tier already flags this cookie as HttpOnly automatically. You have to disable the HttpOnly filter on your web server.
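To confirm the cause and verify the fix from a capture, the Set-Cookie headers of the LoginServlet response can be checked per cookie. The following is an added example, not BMC code: the cookie names come from this article, while the function names, cookie values and other attributes are constructed for illustration.

```python
# Added example: audit the Set-Cookie headers of a Mid Tier login response.
# Cookie names come from the article; values and other attributes are constructed.

SCRIPT_READABLE = {"MJUID"}        # client code must be able to read this cookie
MUST_BE_HTTPONLY = {"JSESSIONID"}  # the session cookie that needs protecting


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return None, set()
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(set_cookie_headers):
    """Return (cookie, finding) pairs for cookies whose HttpOnly state is wrong."""
    findings = []
    for value in set_cookie_headers:
        name, attrs = parse_set_cookie(value)
        httponly = "httponly" in attrs  # attribute names are case-insensitive
        if name in SCRIPT_READABLE and httponly:
            findings.append((name, "HttpOnly set: client script cannot read it"))
        elif name in MUST_BE_HTTPONLY and not httponly:
            findings.append((name, "HttpOnly missing on the session cookie"))
    return findings


# Constructed capture: a proxy rule has appended HttpOnly to every cookie.
BLANKET_HTTPONLY = [
    "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "MJUID=sample-value; Path=/; Secure; HTTPOnly",
]
# Constructed capture: only the session cookie carries the flag.
SESSION_ONLY = [
    "JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly",
    "MJUID=sample-value; Path=/; Secure",
]

if __name__ == "__main__":
    for label, headers in (("blanket", BLANKET_HTTPONLY), ("session-only", SESSION_ONLY)):
        print(label, audit(headers) or "OK")
```

The second branch of the check guards against overcorrecting: removing the blanket rule must not leave JSESSIONID without the flag.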