Alternatives for HTTP Session (Cookies or URL Rewriting)

Sir/Madam,
Actually, we can handle sessions using (1) URL rewriting and (2) cookies. Apart from these, is there any other way to handle sessions? If so, what are they?
Thanks and Regards
- Raja.

Of course... You could use (1) Cookies and (2) URL rewriting, as an alternative.
Or you could write your own JSP/servlet engine and require all pages to be forms that have the session ID in them, or whatever other custom hare-brained idea you wanted.

Similar Messages

  • How to configure Apache Plug-in CookieName for multiple session cookies?

    I'm deploying an ear file with 2 web applications (.war files) in it and each .war
    has its own CookieName defined in the weblogic.xml file. I need to set up the
    Apache plugin for Weblogic to look at both of them and not just one. Can I simply
    add both CookieName lines into my httpd.conf or will this not work?
    Thanks,
    -wr

    We are facing exactly the same need.
    If you tested it and got answers, we will be happy to hear from you.
    Concerning alternatives, we thought of defining the CookiePath to the context root of each WebApp. In our case, the name (and so the context root) of our WebApps is always changing (it includes the version number), so we would have to change the weblogic.xml at each build, which we would like to avoid ...
    Apparently the CookiePath can also be set to a "basis" for a "begins with" test. See http://groups.google.fr/groups?q=weblogic.xml session-param CookiePath&hl=fr&lr=&ie=UTF-8&oe=UTF-8&selm=3e84a75a%[email protected]&rnum=1 so it could be less harmful, but anyway we do not put too much confidence in this kind of behaviour for future WLS SP/versions :(
    Any help appreciated,
    Philippe.

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in ethical hacking / penetration testing) I need to set the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they cannot be accessed by non-HTTP APIs like JavaScript). Also I need to set the "secure flag" for those session cookies.
    I have found the solutions below.
    For setting HTTPOnly on the session cookies:
    1] In Application.cfc we can do this using the code below. Or we can do this on the CF admin side under Server Settings » Memory Variables
         this.sessioncookie.httponly = true;
    For setting the secure flag on the session cookies:
    2] In Application.cfc we can do this using the code below. Or we can do this on the CF admin side under Server Settings » Memory Variables
         this.sessioncookie.secure = "true";
    My question is: how can we do the same thing in Application.cfm? (I am using ColdFusion version 10.) I know we can do this using the code below, in the case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the code above "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as in the code above, then ColdFusion will not automatically send the CFID and CFTOKEN cookies to the client browser, and we need to manually code CFID and CFTOKEN on the URL for every page that uses the session. Right? And this will be a headache. Right? Or is there any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JSESSIONID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean, how are you relating this to my question?
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JSESSIONID. Tomcat is configured to do that. ColdFusion has no say in it. So, for JSESSIONID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case then why am I getting the info below for JSESSIONID? (As you mentioned, it should be set with the SECURE flag. Right?) Note that we are using the web server Apache vFabric, and the application that we are using is in HTTPS; no hit is going from HTTPS to HTTP.
    Name: JSESSIONID
    Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain: xyz.abc.pqr.com
    Path:
    Send for: Any kind of connection
    Accessible to script: No (HttpOnly)
    Created: Wednesday, September 3, 2014 2:25:10 AM
    Expires: When the browsing session ends
    BKBK wrote:
    2] When I checked CF Admin -> Server Settings -> Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that we need to set the HTTPOnly and SECURE flags for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well?
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JSESSIONID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for the CF session cookies (CFID and CFTOKEN) as we have enabled J2EE sessions in CF admin? Or, in other words, as the session management is J2EE based, do we need to set those flags for the CF session cookies?
    BKBK wrote:
    3] If I need to set the HTTPOnly and SECURE flags for JSESSIONID, how can I do that?
    It is sufficient to set HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set httponly only. But how will we set it for JSESSIONID? This is my question. Apache vFabric will also set secure to true automatically. Any idea?
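    As an added example (not code from the thread), here is a small Python audit of Set-Cookie header values that reports which of the session cookies named above (CFID, CFTOKEN, JSESSIONID) lack HttpOnly or Secure, and produces the hardened header value. The sample headers are constructed to match what the cfheader lines in the post would emit; the browser display above ("Send for: Any kind of connection") is what a missing Secure flag looks like from the client side.

```python
# Session cookies named in the thread; matched case-insensitively.
SESSION_COOKIES = {"CFID", "CFTOKEN", "JSESSIONID"}
REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookies(headers, session_names=SESSION_COOKIES):
    """Return {cookie_name: [missing flags]} for every session cookie in `headers`.

    Non-session cookies are ignored; an empty list means the cookie is fine.
    """
    wanted = {n.upper() for n in session_names}
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name.upper() not in wanted:
            continue
        findings[name] = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
    return findings


def harden_set_cookie(header_value):
    """Return the header value with HttpOnly and Secure appended where missing."""
    _name, _value, attrs = parse_set_cookie(header_value)
    missing = [f for f in REQUIRED_FLAGS if f.lower() not in attrs]
    if not missing:
        return header_value
    return header_value.rstrip("; ") + "; " + "; ".join(missing)


# Constructed sample: what the <cfheader> lines in the thread would emit (CFID/CFTOKEN
# with HTTPOnly but no Secure), plus the JSESSIONID from the thread as a TLS-aware
# container would set it, and one non-session cookie the audit should skip.
SAMPLE_HEADERS = [
    "CFID=1234;path=/;HTTPOnly",
    "CFTOKEN=12345678;path=/;HTTPOnly",
    "JSESSIONID=782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for cookie, missing in audit_set_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'missing ' + ', '.join(missing) if missing else 'ok'}")
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
```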

  • In-memory replication of http session is not working in BEA7 cluster

    Hi everyone,
    I have 3 managed servers in Bea7.0 SP4 in a cluster. The client requests are sent
    through the apache web server. I have given the cluster address as URL in httpd.conf
    of the apache server, which sends the client requests for dynamic pages such as JSPs
    and servlets to the weblogic cluster.
    Load balancing is working fine. I ensured this from the log files of all the 3
    servers. All the 3 servers are getting different client requests and thus load
    balancing is working.
    Now, I wanted to achieve fail-over. I do not think that I should use the proxy plug-in
    for this. I feel the cluster itself will handle fail-over provided I make the
    http session memory replicated.
    I updated the weblogic.xml with the following entry:
    <session-descriptor>
      <session-param>
        <param-name>PersistentStoreType</param-name>
        <param-value>replicated</param-value>
      </session-param>
    </session-descriptor>
    I guess this is sufficient to make the http session cluster aware.
    But when I shut down server1, the user connected to server1 will be kicked out
    of the session and come to the login page through server2 or server3, which are
    running fine.
    Could anyone help me to make the http session cluster aware? Does it indicate
    that I have to go for the WLS proxy – HttpClusterServlet to achieve fail-over for
    the http session?
    BTW, for your info, I am using setAttribute() and getAttribute() while manipulating
    the session.
    thanks in advance.

    Hi Ryan,
    Thanks for your valuable input.
    I can see failover working.
    But, I can not continue with the same session in my application.
    I printed session IDs before and after failover, and found that both are different.
    I guess session replication is a responsibility of the weblogic/apache plugin.
    If not, please let me know which settings I should make to get failover working.
    Thanks again.
    Plad
    "ryan upton" <ryanjupton at learningvoyage dot com> wrote:
    >Plad,
    >
    >Are you trying to gracefully shut down the server? If you are then the
    >problem that you say you can't identify is simply the server's default
    >behavior which is to wait for all non-replicated sessions to be dropped or
    >timed out before killing the process. Try forcing the shutdown: kill -9 the
    >PID or CTRL-C if you started the server from the command line. You can also
    >check the "Ignore Sessions During Shutdown" checkbox under the server's
    >control tab in the admin console, this should allow you to shut down
    >gracefully without waiting for session timeout. BTW your sequence is off
    >in #5 below, the replication doesn't occur upon failure, the replication has
    >already happened once you created the session object on the first server, I
    >think maybe you're confusing replication with failover.
    >
    >~RU
    >
    >"Plad" <[email protected]> wrote in message
    >news:[email protected]...
    >>
    >> Hi,
    >> I have 2 managed servers in a cluster.
    >>
    >> 1. I have got a DNS name configured which maps to these 2 managed
    >> servers' IP addresses.
    >> 2. I can browse my site using this DNS name.
    >> In HTTPD.conf I have:
    >>
    >> ServerName dev.a.b.net
    >>
    >> <IfModule mod_weblogic.c>
    >> WebLogicCluster 10.1.38.232:7023,10.1.34.51:7023
    >> MatchExpression *.*
    >> </IfModule>
    >>
    >> LoadModule weblogic_module modules/mod_wl_20.so
    >>
    >> 3. I have added the session descriptor in weblogic.xml, and also enabled
    >> the proxy plugin in the weblogic console.
    >>
    >> 4. I tested accessing my application using the DNS URL after shutting
    >> down each managed server alternately. I can access the application.
    >>
    >> 5. Now, the problem comes when I access managed server1, keeping server2
    >> down. I am able to access my application.
    >> Now, I start server2.
    >> (Here I am supposing that replication should occur)
    >> Then I am shutting down server1.
    >> But, this time the server log shows me the following:
    >>
    >> 9:58:51 AM GMT+05:30 NOTICE Web application(s) chlist still have
    >> non-replicated sessions after 2 minutes of initiating SUSPEND. Waiting for
    >> non-replicated sessions to finish.
    >> 10:00:51 AM GMT+05:30 NOTICE Web application(s) chlist still have
    >> non-replicated sessions after 4 minutes of initiating SUSPEND. Waiting for
    >> non-replicated sessions to finish.
    >>
    >> I am unable to make out where the problem is.
    >> Can it be a problem of license? Is there any special cluster license for
    >> weblogic8?
    >>
    >> Hoping to get replies.
    >> Thanx.
    >> Plad
    >>
    >> "ryan upton" <ryanjupton at learningvoyage dot com> wrote:
    >> >See my reply to your first post, but I've also added a few comments here.
    >> >
    >> >"jyothi" <[email protected]> wrote in message
    >> >news:[email protected]...
    >> >>
    >> >> I guess someone from the bea support team only can answer both your
    >> >> question and mine.
    >> >> As per my knowledge, we do not need to do any setup at the Apache side
    >> >> regarding the cluster other than mentioning the cluster address as URL
    >> >> while contacting WLS from apache.
    >> >>
    >> >> I hope someone from Bea will help us. I do not think that we should go
    >> >> for the WLS proxy plug-in using HttpClusterServlet for making session
    >> >> replication. I strongly feel that the cluster itself should be able to
    >> >> manage the fail-over of http sessions provided we put the entry
    >> >> "PersistentStoreType" in weblogic.xml regarding the session replication.
    >> >>
    >> >
    >> >The cluster does handle the management of Sessions. The clustered
    >> >applications still create the Session objects and the cluster manages them
    >> >as per your deployment descriptor settings (replicated, JDBC, File) however
    >> >the proxy has to be aware of which server the client has an affinity for
    >> >(only with replicated sessions) and it does that by reading a cookie passed
    >> >back from the server that handled the initial request and created the
    >> >primary session object. The proxy has a list of both the primary and
    >> >secondary server locations from this cookie that it can use to failover the
    >> >request if the primary server fails. Clusters _DO NOT_ failover nor do they
    >> >load balance, that's the job of your proxy, whether you're using the
    >> >HTTPClusterServlet, WLS Plug-in or a more sophisticated hardware load
    >> >balancer like Big IPs F5
    >> >
    >> >> jyothi
    >> >>
    >> >
    >> >~RU
    >> >
    >>
    >

  • How to do http session stickiness based on URL patterns?

    Is there a feature within the WL plugin for Apache that would allow me to emulate the "jvmroute" session stickiness behaviour as provided by Tomcat and its plugin? I would like to have the control to tie requests from http clients to particular WLS servers in a cluster depending on the URL. For example, http://foo.com/web01 requests would be forwarded to an app server app01 and so on. For all other requests (e.g. http://foo.com/web), the WL plugin would do its normal load balancing, ignoring the stickiness. From my understanding the WLS inbuilt http session stickiness is based on JSESSIONIDs which are exchanged using cookies, which is something I cannot use in my case since I want the stickiness based on URL patterns.
    I am using WLS 10.0 with Apache 2.2.4 on Linux.
    Thanks
    Ramdas

    Session is not replicated across all the servers in the cluster.
    Apache knows which server to go to using the JSESSIONID.
    There is a concept of primary and secondary; the secondary is selected based on the replication groups that are configured in the cluster.
    You can configure the cluster so that /web01 requests go to a different cluster, and /web requests go to a different cluster.
    But you can get all the functionalities from a single cluster.
    Do you have any Java caching that you are not able to replicate across the cluster? (I know this can be done too.)
    Let me know what you are actually trying to solve by doing the behavior you explained.

  • Prevent user from setting a parameter in url. Always use http session variable

    In my xsql page I want to prevent a user from seeing data that he is not allowed to see. I am thinking of implementing this by reading a http session variable (like userid=xxx) to be used in my query. I want to be absolutely sure that the userid variable cannot be set manually by the user, for instance by manipulating the url (like: mypage.xsql?userid=123). How can I do this?

    Sorry guys, already found it. Thanks to a reply from our lead-guru Muench on another post in this forum. Look here for the answer:
    http://download-west.oracle.com/otndoc/oracle9i/901_doc/appdev.901/a88894/adx10xsq.htm#1023490
    Search for "Understanding the Different Kinds of Parameters".

  • Alternative for session variable in OBIEE Translation

    Hi all,
    I am working on translating OBIEE reports to various languages. I am using specific XMLs for each particular language, which have entries for the translated text.
    Now in a few of the reports I have case statements/BINs defined in the column formula. This 'column formula' content is not a part of the XML and hence is not getting translated.
    One of the solutions that I found was the use of a language-specific session variable defined in the rpd. When a user logs in with a specific language, the corresponding translated text is provided by the session variable. This approach was correct and is working fine.
    But the problem is that in a few of my reports there are about hundreds of such case statements and hence thousands of texts to be translated for each particular language. Hence it is a cumbersome task to define a session variable for each of these column formulas. Plus I am not sure about the performance issue that will be there after defining thousands of such session variables.
    Is there any alternative available to the use of session variables in OBIEE translation? Please reply.

    Hi,
    Check if this helps-
    http://obiee10grevisited.blogspot.in/2012/05/changing-language-in-obiee-on-fly.html

  • I am loading Magic Jack. The error message I get is "Session cookies have been disabled for your web browser. Please enable session cookies so you can register your device." I have followed you process several times. This advice doesn't work. Pls help

    Session cookies have been disabled for your web browser.
    Please enable session cookies so you can register your device.
    The URL is not specified.

  • Looking for sample code to decrypt MYSAPSSO2 session cookie

    Hello,
    I am looking for a sample code to decrypt MYSAPSSO2 session cookie and get the username out of it.

    Hi Roy,
    if you just need the username the easiest way is to grab the Cookie and Decode it using Base64. The username is contained in cleartext.
    e.g.
    MYSAPSSO2 Ticket as fetched from Browser:
    AjExMDAgABFwb3J0YWw6bXRyaWNhcmljb4gAE2Jhc2ljYXV0aGVudGljYXRpb24BAApNVFJJQ0FSSUNPAgADMDAwAwADRDAxBAAMMjAwODA3MjUwNTA3BQAEAAAACAoACk1UUklDQVJJQ0%2F%2FAQUwggEBBgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAiMB0xDDAKBgNVBAMTA0QwMTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgwNzI1MDUwNzU5WjAjBgkqhkiG9w0BCQQxFgQUxUGK!5EDTrHQErPQCVJhEySzTBAwCQYHKoZIzjgEAwQvMC0CFQCD3K2A2hrgpNa5EceiDXjRN309ewIUTM3DJi8QTxmk%2FJez!rjnFlTM3BQ%3D
    Decoded Ticket using Base64:
    1100 uFFFD portal:mtricaricou02C6uFFFD basicauthentication uFFFD
    MTRICARICO uFFFD 000 uFFFD D01 uFFFD 200807250507 uFFFD uFFFDuFFFDuFFFD
    If you want to do it programmatically using any libraries to completely decode the ticket, check the validity and also access the certificate information inside the ticket, you can use a SAP extension called SAP SSOEXT (go to service.sap.com/swdc and search for SSOEXT => The package also contains documentation and samples for various programming languages such as Java).
    This one needs dynamic libraries or shared libraries to be linked.
    There also is a pure JAVA approach.
    Have a look at this:
    http://www.zope.org/Members/Dirk.Datzert/MySapSsoSupport/
    But:
    The approach of decrypting the cookie does not really make sense when you are in a SAP system; it is more intended for 3rd party systems in order to implement SSO.
    Hope this helps
    Cheers
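    As an added example, not code from the thread or from SAP: a Python parser for the ticket quoted above. The unit layout (version, codepage, then id/length/data units) and the field names are inferred from the decoded sample in this thread, and it assumes '!' stands for '+' in the ticket's base64 variant; it reads the fields only and does not verify the signature, so it shows what anyone holding the cookie can read, which is the point the reply makes about the username being cleartext.

```python
import base64
from urllib.parse import unquote

# Info-unit IDs and names as inferred from the decoded sample in this thread.
# Assumption: these labels are not taken from SAP's own specification.
UNIT_NAMES = {
    0x01: "user",
    0x02: "client",
    0x03: "system_id",
    0x04: "created",         # YYYYMMDDHHMM in the sample
    0x05: "validity_hours",  # 4-byte big-endian integer in the sample
    0x20: "portal_user",
    0x88: "auth_scheme",
    0xFF: "signature",       # DER (PKCS#7) blob that protects the fields above
}


def decode_ticket_bytes(cookie_value):
    """Undo the browser's URL encoding and the ticket's base64 variant.

    Assumption: '!' stands for '+' in the ticket alphabet (the sample holds
    '!' but never '+'); '/' arrives URL-encoded as %2F. Padding is restored
    so a value whose trailing '=' was stripped still decodes.
    """
    raw = unquote(cookie_value).replace("!", "+")
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw, validate=True)


def parse_mysapsso2(cookie_value):
    """Parse a ticket into {field: value}; unknown unit IDs are keyed unit_0xNN.

    Layout, matching the sample byte for byte: version(1) codepage(4), then
    repeated units of id(1) length(2, big-endian) data(length).
    """
    data = decode_ticket_bytes(cookie_value)
    fields = {"version": data[0], "codepage": data[1:5].decode("ascii")}
    pos = 5
    while pos + 3 <= len(data):
        unit_id = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 3], "big")
        body = data[pos + 3:pos + 3 + length]
        if len(body) != length:
            fields["truncated"] = True  # shorter than its own length field claims
            break
        pos += 3 + length
        name = UNIT_NAMES.get(unit_id, f"unit_0x{unit_id:02X}")
        if unit_id == 0x05:
            fields[name] = int.from_bytes(body, "big")
        elif unit_id == 0xFF:
            fields[name] = body  # keep the signature as raw bytes
        else:
            fields[name] = body.decode("utf-8", errors="replace")
    fields["trailing_bytes"] = len(data) - pos  # 0 when every byte was consumed
    return fields


# The (long expired) ticket quoted in the thread above, exactly as the browser sent it.
SAMPLE_TICKET = (
    "AjExMDAgABFwb3J0YWw6bXRyaWNhcmljb4gAE2Jhc2ljYXV0aGVudGljYXRpb24BAApNVFJJQ0FSSUNP"
    "AgADMDAwAwADRDAxBAAMMjAwODA3MjUwNTA3BQAEAAAACAoACk1UUklDQVJJQ0%2F%2FAQUwggEB"
    "BgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAi"
    "MB0xDDAKBgNVBAMTA0QwMTENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcN"
    "AQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgwNzI1MDUwNzU5WjAjBgkqhkiG9w0B"
    "CQQxFgQUxUGK!5EDTrHQErPQCVJhEySzTBAwCQYHKoZIzjgEAwQvMC0CFQCD3K2A2hrgpNa5Ecei"
    "DXjRN309ewIUTM3DJi8QTxmk%2FJez!rjnFlTM3BQ%3D"
)

if __name__ == "__main__":
    ticket = parse_mysapsso2(SAMPLE_TICKET)
    for key, value in ticket.items():
        if key == "signature":
            value = f"<{len(value)} bytes of DER>"
        print(f"{key:>16}: {value}")
```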

  • ACE - Load Balance insert cookie method for https

    I am trying to load balance between 2 web servers using the cookie insert method on ACE to achieve session persistence. The servers are not inserting any cookie. It works fine for HTTP connections, but when trying with an HTTPS connection it is not working.
    Can anyone help me with this please?
    Is it that the ACE cookie insert method of session persistence will not work with HTTPS connections?

    Hi,
    1. For HTTPS you can use src IP as sticky (mega-proxy problem).
    2. You can terminate the SSL connection on ACE (SSL between client and ACE only; between ACE and server it's clear) and you can use any L7 sticky (for example cookie).
    3. If you need SSL terminated up to the real server, you can first terminate SSL between client and ACE on ACE, then use L7 sticky, and after that terminate a second SSL to the real server.
    In other words, if you don't decrypt SSL on ACE, you can use only L2/3 data for sticky (or SSL ID for SSL v2.0).
    martin

  • BC4J HTTP Container/session cookie time out

    Hi,
    We have a BC4J JSP app (developed in JDev 9i Beta) deployed to OC4J 9iAS. Every time the BC4J HTTP container and session cookie for the application time out and a new instance of the application is invoked through a client browser, the RAM on the machine decreases. The fear is that the RAM will eventually fall to very low levels and adversely affect performance every time a timeout occurs and a new instance of the application is invoked. When no timeouts occur and new instances are invoked, the RAM is stable. The issue seems to be the timeouts not releasing resources? The following is the message:
    "BC4J HTTP container was timed out
    The session cookie for the application, AdminAppModule, was timed out"
    Any suggestions would be appreciated. Thanks in advance.

    Please see response to other post at:
    Access,Oracle Trusted Connection ODBC?
    JR

  • Dynamic URL for HTTP receiver adapter

    Hi all,
    When XI sends the HTTP request to the target system, the format may be like this:
    header + body; the body includes: Prolog, payload and Epilog.
    The target system has an 'input' parameter (maybe string type).
    Is it possible to pass the 'header + body' values (or maybe the whole HTTP request message) into 'input'?
    I mean, is it possible to set the dynamic URL for the HTTP receiver adapter like this:
    http://host:port/path?input=<the header and body>
    i have searched the blog Dynamic Configuration of Some Communication Channel Parameters using Message Mapping
    Link:[/people/william.li/blog/2006/04/18/dynamic-configuration-of-some-communication-channel-parameters-using-message-mapping]
    and the similar threads in the forum
    please give me some advice
    thanks in advance

    When an HTTP server requests the whole message as URL parameters, then I assume that the server also requests an HTTP GET, which is not supported by XI.
    Could you check this?
    Regards
    Stefan

  • [svn:bz-trunk] 21394: bug fix for watson 2887837 Not getting duplicate session detected error when same flex client id is used from two different HTTP sessions in CRX .

    Revision: 21394
    Author:   [email protected]
    Date:     2011-06-16 12:34:13 -0700 (Thu, 16 Jun 2011)
    Log Message:
    bug fix for watson 2887837 Not getting duplicate session detected error when same flex client id is used from two different HTTP sessions in CRX.
    get the sessions id before we invalidate the duplicate session.
    Checkintests pass
    Modified Paths:
        blazeds/trunk/modules/core/src/flex/messaging/endpoints/BaseHTTPEndpoint.java

    For our project I think this issue was caused as follows:
    Believing that remoting was fully asynchronous, we fired 2 or 3 remote calls to the server at the same time (within the same function), usually when the user goes to a new section of the app.
    This seemed to trigger the duplicate HTTP session error since, according to http://blogs.adobe.com/lin/2011/05/duplication-session-error.html, two remote calls arriving before a session is created will cause 2 sessions to be created.
    Our current solution (too early to say it works) is to daisy-chain the multiple calls together.
    Also there seemed to be an issue where mobile apps that never quit (thanks Apple!) caused the error when activated after a few hours.
    I guess the session expires on the server and the error above occurs on activation.
    So the mobile apps now ping the server with a remote call when activated after sleeping for more than one hour.
    All duplicate HTTP errors are silently caught and reported.
    Fingers crossed we won't get any more!

  • Cookie persistence for HTTP traffic

    hello,
    I have the following situation: on an 11506, clients connect to a VIP on port 80; this VIP maps to port 7777 on 2 services. The objective is to configure cookie persistence for HTTP. The cookie persistence should be for URI /thestring/
    I have used
    advanced-balance cookies
    string prefix "/thestring/"
    in the content rule and it did not work.
    Does this have anything to do with the port changing from 80 to 7777, or am I missing something for cookie persistence?
    Regards
    Bassam

    Thanks for your reply; still, it sometimes works and sometimes doesn't.
    My service config:
      service ebizsso1
        keepalive frequency 3
        keepalive port 7777
        ip address 10.10.230.82
        port 7777
        protocol tcp
        string /oiddas/
        active
    My content rule:
      content ebizsso-servers
        add service ebizsso1
        vip address 10.10.231.9
        protocol tcp
        port 80
        advanced-balance cookieurl
        string prefix "/oiddas/"
        active
    Is this what is required?
    thank you
    bassam

  • Create Java bean for a http session

    How can I create a Java bean for an HTTP session? Also, is it possible to access it from another Java class within that session?

    Try the following forum (about JSP technology)
    http://forum.java.sun.com/forum.jspa?forumID=45
