SSPR error 5035 - "Out of order page request has been received"

  • 7015604
  • 28-Aug-2014
  • 18-Jul-2017

Environment

Self Service Password Reset
SSPR 3.1
SSPR 4.1


Situation

Users get Error 5035 - "Out of order page request has been received".
The problem may occur after hitting the "back" button while in an SSPR page.
The problem may occur at other times as well, even if the back button has not been pressed; the error simply indicates that the sequence of pages expected by SSPR has become out of sync.
The SSPR error log shows an "incorrect sequence" message similar to the one below:
ERROR, password.pwm.servlet.TopServlet, 5035 ERROR_INCORRECT_REQUEST_SEQUENCE (expectedPageID=3, submittedPageID=4, url=<some sspr url>

Resolution

Disable Back Button Detection in SSPR Configuration Manager: Settings -> Security -> Web Security


Note: Disabling this setting will have no effect on end users; SSPR 4.1 has other methods to detect this user behavior.

Additional Information

As is common with web applications, SSPR tries to prevent users from clicking the back button and acting upon previous pages. SSPR uses four different methods to detect this activity, one of which is a counter / sequence method. SSPR increments a counter as each page is loaded and tracks the expected sequence of pages. If the user clicks "back", the counter will not be updated, the sequence will be out of order, and the "incorrect request sequence" message will show in the log.

Unfortunately, this detection method is problematic, and can result in false positives.  Factors such as the behavior of different browsers and browser versions, proxy gateway services, and caching at the gateway or on the workstation can all influence the way the page counter is incremented. If the counter becomes out of sync for any reason the 5035 error will be returned.   
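The following is an added example, not SSPR code and not part of the original article: a simplified model of a counter / sequence check, in which the `Server` class, the `fetch` helper and the `/stepN` URLs are hypothetical. It shows a back-button resubmission and a cached page replayed during ordinary forward navigation both ending in the same sequence mismatch, which in this model the server cannot tell apart.

```python
class SequenceError(Exception):
    """Submitted page ID differs from the one the server expects (cf. error 5035)."""
    def __init__(self, expected, submitted):
        super().__init__("5035 ERROR_INCORRECT_REQUEST_SEQUENCE "
                         f"(expectedPageID={expected}, submittedPageID={submitted})")

class Server:
    """Hypothetical per-session state: a counter advanced on every page load."""
    def __init__(self):
        self.expected = 0

    def render(self, url):
        self.expected += 1                      # counter moves with each page served
        return {"url": url, "pageID": self.expected}

    def submit(self, page):
        if page["pageID"] != self.expected:     # only the last served page is accepted
            raise SequenceError(self.expected, page["pageID"])

def fetch(server, url, cache=None):
    """Load a page, optionally through a cache that replays stored responses."""
    if cache is not None and url in cache:
        return cache[url]                       # server never sees this request
    page = server.render(url)
    if cache is not None:
        cache[url] = page
    return page

def result(server, page):
    try:
        server.submit(page)
        return "ok"
    except SequenceError as exc:
        return str(exc)

def normal_flow():
    s = Server()
    return [result(s, fetch(s, u)) for u in ("/step1", "/step2")]

def back_button():
    s = Server()
    first = fetch(s, "/step1")
    s.submit(first)
    fetch(s, "/step2")                          # user presses "back" instead of submitting
    return result(s, first)                     # resubmits the earlier page

def cached_page():
    s, cache = Server(), {}
    for url in ("/step1", "/step2", "/step3"):
        s.submit(fetch(s, url, cache))
    return result(s, fetch(s, "/step1", cache)) # forward navigation, stale copy replayed
```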

Note that the "back button detection" setting in SSPR only applies to the "counter / sequence" method of detecting whether or not the back button has been pressed. With SSPR 4.1 the other three methods are in place regardless of the value of this setting. Beginning with version 4.2, SSPR will no longer use the sequence method of back button detection, and the "back button detection" setting will be removed. Instead, SSPR will rely on the other three methods of back button detection already in place with SSPR 4.1.