Hello, In the first request:- The browser sends a request: https://ANYSERVER/operations/jsreports/j_acegi_security_check?j_username=USERID&j_password=!USERID&orgId=testportal&_flowId=homeFlow- Looks like Jasper returns a 302 redirect back to the client browser with the following address:https://ANYSERVER/operations/jsreports/loginsuccess.html;JS_SESSIONID=9lJXKbQp41F7J3XVCTszrCrSrp2svGhyv5K5b7XGRVLhhhJY7NPV!-961826308!NONE- The client browser sends the request back, but SiteMinder notices a cross site scripting character, the semi-colon ( ; ). As in ‘loginsuccess.html;JS_SESSIONID=’- The encoded list of in valid characters used by SiteMinder is: badcsschars='%00,%22,%27,%3b,%3c,%3e,%60,%7c,%0a,%0d'. A semi-colon is ‘%3b’.- Because SiteMinder found a cross site scripting character, it redirected the browser to ‘ /operations/Default/message.html’. That displayed a generic error message from our application On the second request:- The browser sends a request: https://ANYSERVER/operations/jsreports/j_acegi_security_check?j_username=USERID&j_password=!USERID&orgId=vbc_portal&_flowId=homeFlow- Looks like Jasper returns a 302 redirect back to the client browser with the following address (without the JS_SESSIONID parameter):https://polka.verizon.com/operations/jsreports/loginsuccess.html- The client browser sends the request back, but since there is no semi-colon this time, SiteMinder allows the request.Is there a way we can fix it w/o touching the badcsschars ??? Thanks