Cookie session question

Similar Messages

• Security/session questions

  Hi,
  I have some security/session questions for you guys.
  My application uses flex, blazeds and spring. I use RemoteObjects to initiate calls from flex to java. The application consists of a login screen and 'other screens' available only to authenticated users after login. When the user logs in the server stores user credentials on the FlexContext (FlexContext.getFlexSession().setAttribute). So if the server timeout is reached and the user presses 'refresh' the user is thrown out and the login screen appears.
  Question 1: How can I check if the timeout is reached when the user makes a call to the server, without checking manually against the FlexContext. Are there any config parameters to set?
  Question 2: Is it necesssary to check against the user credentials in the session for every flex-to-server call? (I guess someone can omit the login screen and do a manual call)
  Question 3: If the answer to question 2 is yes, how can I check against the session credentials? The only way I can think of is calling a method which checks the session attribute manually, but then I have to remember to add this method call to each of the methods called from flex through Blazeds. Is it, for example, possible to call the user-logged-in method before the method given in the RemoteObject is called? (If not authenticated, do not run method).
  Hope someone got the time to help me out.

  I appreciate your answer, but as you yourself write, I think there must be a blazeDS way. But as nobody with extensive BlazeDS knowledge answers this post, I probably have to google this topic even more.
  Following are the main changes in my application: (Introducing spring security)
  Everything seems to be working as it should. But as already stated, I'm a newbie. So if anybody see something suspicious, let me know.
  The main problem I had implementing Spring Security was something that should be easy, but somehow it was not: the loading of the context files. Before introducing the spring security I only had one application-context file, and this was loaded by the DispatcherServlet. When introducing security I tried to add this to the same file. It did not work. Then I tried splitting up the files, and loading both using DispatcherServlet. It did not work. Then I tried loading both using ContextLoaderListener. It did not work. Finally I found the solution. Flex settings must be loaded by the DispatcherServlet, and spring security settings must be loaded by ContextLoaderListener. This work. I don't know if this is the only solution.
  On the server:
  web-xml:
  <context-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>
              /WEB-INF/config/web-application-config.xml
              /WEB-INF/config/web-application-security.xml
          </param-value>
      </context-param>
      <filter>
          <filter-name>springSecurityFilterChain</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <listener>
          <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      <servlet>
          <servlet-name>Spring MVC Dispatcher Servlet</servlet-name>
          <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
          <init-param>
              <param-name>contextConfigLocation</param-name>
              <param-value>/WEB-INF/config/flex-application-config.xml</param-value>
          </init-param>
          <load-on-startup>1</load-on-startup>
      </servlet>
  flex-application-context:
  <flex:message-broker>
          <flex:secured/>
      </flex:message-broker>
  web-application-context:
  I had to implement my own authentication mechanism. Had to compare the username/password against an object attribute. So this bean is not mandatory, but I think you have to write down username/password/role in flex-application-context if not provided.
  <bean id="customAuthenticationProvider" class="packagename.CustomAuthenticationProvider">
          <security:custom-authentication-provider/>  
  </bean>
  web-application-security:
  <http entry-point-ref="preAuthenticatedEntryPoint" />
      <beans:bean id="preAuthenticatedEntryPoint"
          class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint " />
      <!-- Securing the service layer -->
      <global-method-security>
          <protect-pointcut expression="execution(*package.ServiceImpl.*(..))" access="ROLE_USER"/>
      </global-method-security>
  On the client:
  private function login():void {
      var cs:ChannelSet =  ServerConfig.getChannelSet(loginRemoteObject.destination);
      var token:AsyncToken;
      token = cs.login(username, password);
    // Add result and fault handlers.
    token.addResponder(new AsyncResponder(loginResultHandler, loginFaultHandler));
  private function logout():void {
      var cs:ChannelSet =  ServerConfig.getChannelSet(loginRemoteObject.destination);
      var token:AsyncToken = cs.logout();
    // Add result and fault handlers.
    token.addResponder(new AsyncResponder(logoutResultHandler, logoutResultHandler));

• Cookie session

  Hello
  i am a litter new to coldfusion, I have just finish my first web site (using CF8 and MySql5)
  My hosting server doesn’t enable session on CF8 plans (only on CF9)
  I want to login users securely so they can edit or delete their Add
  So I am obliged to upgrade to CF9 or use cookie session instead of CF or J2EE session
  If any one has an idea how to login user using cookie session
  If is it possible to give example code
  Thank you very much

  Hi,
            Try two different browser products. IE and Netscape ??
            Actually I feel url re-writing should work with multiple instances of same
            browser product.
            -Kuntal.
            Somasundaram wrote:
            > Dear Group,
            >
            > I am trying this simple click count jsp based on sessions. It works ok with
            > a single browser instance. But when i have multiple instances of the browser
            > from the same vendor, the session seems to be shared between these too
            > instances (because of cookie based session and cookie files are shared
            > between browser instances, i guess.). Trying to get separate sessions for
            > each browser instance. Tried disabling cookie based session and enable
            > URLRewriting based session. Nothing seems to work. Session is not maintained
            > and a new session is created for every access of the same JSP. Please
            > help...
            >
            > Thanks & Regards
            > Somasundaram
            >
            > --
            > -----------------------------------------------------
            > | E-mail: [email protected]
            > |
            > -----------------------------------------------------
            

• Cookie session information not being stored

  I consulted the documentation on cookie sessions ids for flex
  and tried the sample code below but it does not work. It always
  acts as if the data never gets stored (it always goes to the size
  == 0 case for initialization). I double checked the Flash Player
  settings and they are set up to store 100KB. What could be causing
  this to fail?

  Im working with a sort of cookie
  [Bindable]
  public var sharedObjectData:SharedObjectData =
  SharedObjectData.getInstance();
  private function initApplication():void
  sharedObjectData.locallyStoredObject =
  SharedObject.getLocal("sampleData");
  if(sharedObjectData.locallyStoredObject.data.userStatus ==
  null)
  else
  currentState = "loggedIn";
  name_text.text =
  sharedObjectData.locallyStoredObject.data.userStatus;
  This works fine for me

• Predictable Cookie Session IDs

  I am running CF8 with all the lates hot-fixes and for the past couple of mints I have not had any issues with PCI. Yesterday - I failed with a "Predictable Cookie Session ID" remark. I do have Use UUID as CFToken checked as well as Use J2EE Session Vars. What and I missing?

  based on what OWASP has to say
  OWASP says
  "Best practice calls for J2EE session management. In the
  event that only ColdFusion session management is available, strong
  security identifiers must be used. Enable this setting to change
  the default 8-character CFToken security token string to a UUID.
  http://www.owasp.org/index.php/Configuration"
  It looks like the J2EE sessions are the way to go.
  I believe the reason for the PCI flag is that the scan (at
  least the one from the service we use) was looking at CFID alone. I
  assume this because cftoken -was- set to use uuid so it should have
  been secure. The scan probably doesn't know that cfid and cftoken
  are used in conjunction. So in a way this is a false positive.
  Based on the new standards coming in it is enough to be out of
  compliance.
  solution to be in compliance is to set clientmanagement="no"
  and setclientcookies="no" in application.cfm so that cfid and
  cftoken are not set at all By using only the jsessionid, you are
  following best practices from OWASP and also get the benefits of
  session end on browser close
  Other thoughts still welcome

• BOE 3.1 - Mulitple Session Question

  Hi
  Currently working with BOE 3.1 sp3 on Win 2008x64 and notice something weird with session. 
  Question:
  1.  Can you create more than 1 session at a time.  For example, open 1 IE and connect to Infoview.  Open another IE, it will automatically connect to Infoview sharing the session.   Sign-off on 1 IE session, the other IE session is disconnect form Infoview.  Is this by design or is there a setting to keep both seperate.  I've both NAME user and CONCURRENT user but the effect is the same.
  -rs

  The browser is sharing a cookie for the session, so logging off will clean out the cookie.  This has nothing to do with Named or Concurrent.
  If you use 2 different browsers like IE + Firefox, then what you do in one will not affect what you do in the other, they will remain separate sessions.

• Session question; best practice

  Hi,
  One of our high profile application's queries/updates are served to user sessions. But we wanted to improve user query performance and reduce general database activity.
  This piece of application cause an auto refresh to execute every 60 seconds. These queries execute against order tables looking for statuses on active orders, are user specific, and in some cases are not optimally tuned producing very high database buffer get and disk read activity. On average, 1,500 executions representing various flavors of these queries are executed hourly.
  my questions are:
  1) how can we get max performance ?
  2) can we cache these queries for like every 30 secs ?
  3) how can we cache ? so that user sessions would access the cache.
  -sharma

  well, you could load the data and put it in the application scope (in memory) with a timeout time so that it's not used after however long, in which case, a request would have to go to get the newer data from the DB.

• Save cookie/session after login on web service client

  I am calling a web service that has a login method. It sets a session id in
  a cookie. Every subsequent call fails and says I'm not logged in. How do I
  save their cookie or session ID such that the server thinks I'm logged in?
  Here's the client code (I used clientgen to create jar from wsdl);
  DatashareManager dsm = new DatashareManager_Impl();
  WebServiceContext wsContext = dsm.context();
  WebServiceSession session = (WebServiceSession)wsContext.getSession();
  DatashareManagerSoap dsmsoap = dsm.getDatashareManagerSoap();
  String result = dsmsoap.login("username", "password"); // this works
  EResult result2 = dsmsoap.deleteReusableList(1, "bob"); // this fails 'Not
  logged in'

  That sounds like a difficult one to implement because you'll essentially need to intercept the AppsLogin servlet (or AppsLocalLogin.jsp) to conditionally redirect the user somewhere else - and that would be an intrusive (and not recommended) customization.
  Some possible alternatives:
  1. Rather than publish http://hrlive.myintranet.local:8000/OA_HTML/AppsLogin as the URL that you users connect to, publish something like http://hrlive.myintranet.local:8000/OA_HTML/XxLogin.jsp instead. That could be a custom JSP that asks the user to agree to the disclaimer and, when they agree, store that agreement in a cookie and then redirect to AppsLogin.
  That's not quite the same because you're asking the user to agree before they login. It also means that they can navigate direct to AppsLogin and bypass the disclaimer (unless you customize AppsLogin to verify the cookie).
  2. Assign all users a default 'Disclaimer' responsibility with a single function (such as an EIT, or a custom OA Framework page) that allows the user to agree to agree to the disclaimer. Then once they've agreed to it have some process that automatically grants them their real responsibilities and revokes the Disclaimer responsibility. For example, if you used an EIT that could be an API User Hook.
  One problem with this approach is that you'll need to clear cache through Functional Administrator before the new responsibilities are visible so you'll either need to find a way of doing that programatically or ask the user to wait until tomorrow (assuming you do a nightly web server bounce).

• More session questions

  Enumeration e = session.getAttributeNames(); String key, value;
  while( e.hasMoreElements() ) {
  key = (String) e.nextElement();
  value = (String) s.getAttribute( key );
  out.print( key + value );
  I'm not familiar with (String) usage, lines 3,4.
  It's obvious what's happening, though. My questions follow.
  1.) Why is the reserved word String in parentheses?
  2.) What other reserved words could I use in its place?
  3.) By deleting it, error says it found Object but required String.
  In earlier code, I defined it as a String. What gives?
  thanks,
  [email protected]

  the syntax (String) is called a CAST - it converts the 'type' of an object from one type to another.
  in this case it's converting from the type Object to type String - this is basic Object talk - read any beginning
  book on OO/Java and get a better understanding.
  one must cast the object returned from the enumeration to a more usefull type - but you may find
  that the code has run time errors - if the enumeration has other than Strings in it - for example
  one could put a Boolean object in the enumeration and casting to a String will give a class cast exception
  at run time.

• ODI database connection - session question

  Hi,
  I have a package, where I have used a procedure.
  In my procedure, I open a database connection.
  My question is - In my next procedure - will I be able to use my same database connection which I created in previous step?
  Re-phrasing the question - for any number of database transaction happening in a package, will ODI opens multiple database connection per step or will there be only one single database connection?
  Thank you,
  Paras

  I believe its one per session so one connection inside the package. I think you should be , although i have not tried it practically.

• CSM inserted cookie - session or persistant

  Hi,
  I am working on a requirement to load balance http requests to IBM WebSphere Application servers. Each server is configured on the CSM as one real server, but in reality there are several instances of the program running within the server. These instances are fault tolerant, so that if one of them should fail, another instance within the same server can take over and maintain the session. We currently stick clients based on the jsessionid. The problem with this is that if the instance within the server fails and another takes over, it will use a different cookie, and the stickyness is lost. Our requirement is to maintain stickyness to the same real server should an instance of the application fail. We have tried using the HTTP cookie insert feature, but this appears to be a persistant cookie that expires in 2010. We need this to be a session cookie (expires when the client's browser closes). I have seen this URL - http://www.cisco.com/en/US/partner/products/hw/switches/ps708/module_installation_and_configuration_guides_chapter09186a0080463841.html#wp1050708 which states that the CSM-S module will insert a session cookie. I know that the CSM inserts a persistant cookie. Can anyone tell me whether the cookie inserted by the CSM-S module is definitely a session cookie or not. Also, does anyone have any ideas as to how else I can resolve this issue. Many thanks in advance

  The browser itself controls if it wants to keep a copy of the cookie for the session only if it want to save it.
  The only thing the server, or CSM, can do is set an expiration date.
  You can change the expiration to another static date if you think 2010 is too far away.
  This is done with a variable.
  Do a 'sho mod csm x var' to see which variable it is.
  CSM-S is just a CSM with an on-board SSL module. So they act the same in this matter.
  Also, even if it was a "session" cookie, I do not see how it would solve your issue.
  If the client comes back with no cookie, it will not be sent to another instance of the same server - it will simply be loadbalanced among all the available servers.
  What you would need is more like a cookie shared by all instances of the application on a particular server.
  Then the CSM could match on the cookie to select a serverfarm that would only use instances running on this server.
  Do you have the possibility to insert a static cookie in your application ?
  Gilles.

• Servlet Session Questions

  Hi,everybody:
  I'm puzzled by two questions about session in servlet.
  1.The default timeout of J2EE example WAR is set to 30sec.Is it too short?
  2.in J2EE Tutorial1.3 it says"To ensure that an active session is not timed-out, you should periodically access the session in service methods because this resets the session's time-to-live counter",But I can't see any codes in example servlets to access session "periodically".Could you please explain that?
  Thank you!

  I,
  I have a problem with the session.
  After the "getMaxInactiveInterval" time, I reload my servlet , but
  the session is lost even if I test it :
  Before doing anything, I do this :
  HttpSession oSession = req.getSession (=(false);
       if(oSession == null)
  // forward to a login_page
  RequestDispatcher rd = getServletContext().getRequestDispatcher(
  "login_page");
  rd.forward(req, res);
  // request to the database to get user'characteristics
  // and put then in the session
  String sUser = (String)oSession.getValue("COD"); // sUser is null !
  The pb is that the session has not been removed from the Server after
  the MaxInactiveInterval, so when i make a request , I have in the session :
  the req.isRequestedSessionIdValid() gives : true .
  and a new session is created with a new id
  Something very strange.
  Thanks for help.

• Apple Remote Desktop session questions

  Hi all:  Just got my new mini server up the running.  I have a question concerning Apple Remote Desktop that I would like answered before plunking down $79.  I am wondering how ARD handles sessions run from a device with a smaller screen than the device you are trying to control?  That is, does ARD do simple screen scaling like you can do in vnc OR does it open a new remote x session that has the appropriate resolution for your device?  I am hoping it funcitons the same way MS Remote Desktop Connecton does.

  You'd be better off asking this question in the Remote Desktop forum...
  ARD supports 2 modes scaling, and "panning". As far as I know, there is no support for what you are describing.

• Synchronized(session) question

  Hi Gurus,
  I see some race condition in my application. And my question ist now. If I use:
  synchronized(session)
  in one servlet. Does is prevent an other servlet (not another instance of the same servlet) to manipulate the session? (second servlet doesen't use synchronized(session) )
  I thought this isn't possible but I realise this is the case in my webapp.

  No that doesn't help.
  "there is no gurantee that you are using the the same object in different requests "
  Session objects are on a per user basis.
  Scenario One: User1 makes request. Servlet synchronizes on the Session object for this user. All other requests for other users use different Session objects so are not impacted by the synchronization for user1's Session. Servlet releases lock on user1' s session and returns the response.
  Scenario Two: User1 makes request. Servlet synchronizes on the Session object for this user. All other requests for other users use different Session objects so are not impacted by the synchronization for user1's Session. Before the server releases the lock on user1's Session object, user1 makes a new request which tries to access user1's Session object and is blocked until the first request is processed and the lock released.
  I don't see how in either of these two scenarios that useri could get two different Session objects. In fact if it were possible then the storing of data in sessions would not be guaranteed which would be amajor flaw in the whole technology.

• Web service session question

  i develop a web service from a java class that has get and set method for a int variable.
  first i call set method of web service then i call get method.But i lose the value set before.
  Is it possible to store the value of the variable for the session.

  This is not something related to WS.
  Check your backend java code.