The HTTP 400 "Session not found" error usually occurs when the backend session is missing, or when the browser session cannot be connected to the backend session. Depending on the release, the error message may also be HTTP 400 "Session Timed Out", so the explanation below also applies to unjustified "Session Timed Out" errors - for example, when the error occurs right after the user has logged on and the timeout period has not yet passed. For the actual timeout control of HTTP sessions, see this article.
The three most common root causes for the HTTP 400 "Session not found" error are described below:
1. The backend session does not exist
The application session (SM04) or security session (SM05) belonging to the HTTP request is actually missing from the backend. It has been deleted from the transaction SM04 or SM05 either manually, or due to an overflow.
It is also possible that an older session has been displaced by a new session. For example, if four browser sessions are opened, then the first one may fail with the error HTTP 400 "Session not found".
See the SAP Notes below for details. The explanation is provided for Enterprise Portal, but it is also valid for ABAP applications (BSP, WebDynpro, etc.).
SAP Note 1427190 - ABAP sessions are displaced for applications in the portal
SAP Note 1147394 - Error message "Session timeout" when using Portals
Keep in mind that one browser session may generate several application sessions - for example, one browser tab may open two or more application sessions in the backend (transaction SM04).
2. The backend session does exist
The HTTP request tries to access a backend session without a valid login credential, or the login credential is different from the one used for creating that backend session. The most common root cause is that the MYSAPSSO2 or SAP_SESSIONID_<SID> cookie is missing from the request. This can be verified with the HTTPWatch tool or with the browser's own Developer Tool (F12). The cookie may have been removed by a local proxy, firewall, or some other network element.
This situation also occurs when the parameter login/ticket_only_by_https = 1 is set and the system is accessed via HTTP instead of HTTPS:
1. The ABAP system is configured to accept logon and session cookies only via HTTPS (parameter login/ticket_only_by_https = 1)
2. When the system issues the logon or session cookie, it will set the Secure flag in the cookie
3. The browser will send secure cookies only via HTTPS, and not via HTTP. Therefore, the browser's HTTP request will be sent without a logon / session cookie.
4. The ABAP system will respond with the error HTTP 400 "Session not found"
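The check described under this root cause can be run over a HAR file exported from the browser's Developer Tool. The following is an added example, not SAP-provided code: it replays the capture in order and reports every request that lacks a logon or session cookie the server had already issued, distinguishing the Secure-cookie-over-HTTP case from a cookie that simply went missing. The host name, SID "ABC", cookie suffix and URLs in the sample are constructed, and cookie domain/path scoping is assumed to be a single host and ignored.

```python
from urllib.parse import urlsplit

def is_session_cookie(name, sid):
    # Prefix match, so a suffix after the SID in the cookie name is tolerated.
    return name == "MYSAPSSO2" or name.startswith(f"SAP_SESSIONID_{sid}")

def find_missing_session_cookies(har, sid):
    """Return (url, status, reason) for each request that lacks a logon or
    session cookie the server issued earlier in the same capture."""
    issued = {}    # cookie name -> Secure flag from the Set-Cookie response
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        scheme = urlsplit(req["url"]).scheme.lower()
        sent = {c["name"] for c in req.get("cookies", [])}
        for name, secure in sorted(issued.items()):
            if name in sent:
                continue
            if secure and scheme == "http":
                reason = f"{name} is Secure, so the browser omits it over HTTP"
            else:
                reason = f"{name} was issued earlier but is absent from this request"
            findings.append((req["url"], resp["status"], reason))
        # Record cookies set by this response for the requests that follow.
        for c in resp.get("cookies", []):
            if is_session_cookie(c["name"], sid):
                issued[c["name"]] = bool(c.get("secure"))
    return findings

def make_entry(url, status, sent=(), set_cookies=()):
    # Builds a minimal HAR 1.2 entry with only the fields the check reads.
    return {"request": {"url": url, "cookies": [{"name": n} for n in sent]},
            "response": {"status": status,
                         "cookies": [{"name": n, "secure": s} for n, s in set_cookies]}}

# Constructed sample capture: logon over HTTPS, then one plain-HTTP request.
BOTH = ("MYSAPSSO2", "SAP_SESSIONID_ABC_100")
SAMPLE_HAR = {"log": {"entries": [
    make_entry("https://sap.example.test/sap/bc/bsp/sap/zdemo/logon.htm", 200,
               set_cookies=[(n, True) for n in BOTH]),
    make_entry("https://sap.example.test/sap/bc/bsp/sap/zdemo/main.htm", 200, sent=BOTH),
    make_entry("http://sap.example.test/sap/bc/bsp/sap/zdemo/main.htm", 400),
]}}

if __name__ == "__main__":
    for url, status, reason in find_missing_session_cookies(SAMPLE_HAR, "ABC"):
        print(status, url, "->", reason)
```

A browser-side capture only shows what the browser sent; if the cookie is present there but the error persists, the comparison has to be repeated with a trace taken closer to the ABAP system.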
3. The backend session does exist, but the request goes to the wrong application server
This situation may occur in systems with multiple application servers, using an HTTP load balancer - such as the SAP Web Dispatcher or third party load balancers like F5.
When logging on via HTTP, a session is created on a specific application server - for example Application Server A. After this, all subsequent HTTP requests must be routed to the same Application Server A. If the load balancer misroutes the request to Application Server B, then the system will not find the session. This will result in either an HTTP 400 "Session not found" or an HTTP 400 "Session timed out - please log in again" error.
4. "Session Timed Out" error occurs for an ITS service
In addition to the possible root causes above, using the GUI parameter ~singletransaction 1 in ITS services will lead to a timeout after the transaction has been executed - see SAP Note 2717193.
Also, unexpected timeouts may occur for ITS applications after implementing the SAP Note 2760552 or the corresponding support package. To fix this error, the SAP Note 2872932 needs to be implemented.
5. "Session Not Found" error occurs for an ITSMobile service
ITSMobile services are used in RF handheld devices. If a "Session Not Found" error occurs for an ITSMobile service, it indicates that the service is misconfigured, because using HTTP security session management is not expected for ITSMobile services. The service must be configured as explained in the KBA 1980475, with special attention to restricting the security session management and deactivating the reauthentication for the service.
SAP Note 1899896 - Security Sessions / Application Sessions - and timeouts
SAP Note 1980475 - ITSMobile - Configuration settings regarding Logon, Logoff and Load balancing
SAP Note 2717193 - 400 Session time out - please log in again
SAP Note 2872932 - ITS applications timeout unexpectedly