Cookie session

Hello
I am a little new to ColdFusion. I have just finished my first web site (using CF8 and MySQL 5).
My hosting server doesn't enable sessions on CF8 plans (only on CF9).
I want to log in users securely so they can edit or delete their Add.
So I am obliged to upgrade to CF9 or use cookie sessions instead of CF or J2EE sessions.
If anyone has an idea how to log in a user using a cookie session,
is it possible to give example code?
Thank you very much

Hi,
Try two different browser products. IE and Netscape ??
Actually I feel URL rewriting should work with multiple instances of the same
browser product.
-Kuntal.
Somasundaram wrote:
> Dear Group,
>
> I am trying this simple click count JSP based on sessions. It works OK with
> a single browser instance. But when I have multiple instances of the browser
> from the same vendor, the session seems to be shared between these two
> instances (because of cookie based session and cookie files are shared
> between browser instances, I guess.). Trying to get separate sessions for
> each browser instance. Tried disabling cookie based session and enabling
> URLRewriting based session. Nothing seems to work. Session is not maintained
> and a new session is created for every access of the same JSP. Please
> help...
>
> Thanks & Regards
> Somasundaram

Similar Messages

  • Cookie session information not being stored

    I consulted the documentation on cookie sessions ids for flex
    and tried the sample code below but it does not work. It always
    acts as if the data never gets stored (it always goes to the size
    == 0 case for initialization). I double checked the Flash Player
    settings and they are set up to store 100KB. What could be causing
    this to fail?

    I'm working with a sort of cookie:
        [Bindable]
        public var sharedObjectData:SharedObjectData = SharedObjectData.getInstance();

        private function initApplication():void
        {
            // Load (or create) the local shared object that acts as the "cookie".
            sharedObjectData.locallyStoredObject = SharedObject.getLocal("sampleData");
            if (sharedObjectData.locallyStoredObject.data.userStatus == null)
            {
                // branch body not included in the original post
            }
            else
            {
                currentState = "loggedIn";
                name_text.text = sharedObjectData.locallyStoredObject.data.userStatus;
            }
        }
    This works fine for me

  • Predictable Cookie Session IDs

    I am running CF8 with all the latest hot-fixes and for the past couple of months I have not had any issues with PCI. Yesterday I failed with a "Predictable Cookie Session ID" remark. I do have Use UUID as CFToken checked as well as Use J2EE Session Vars. What am I missing?

    based on what OWASP has to say
    OWASP says
    "Best practice calls for J2EE session management. In the event that only ColdFusion session management is available, strong security identifiers must be used. Enable this setting to change the default 8-character CFToken security token string to a UUID."
    http://www.owasp.org/index.php/Configuration
    It looks like the J2EE sessions are the way to go.
    I believe the reason for the PCI flag is that the scan (at least the one from the service we use) was looking at CFID alone. I assume this because cftoken -was- set to use uuid so it should have been secure. The scan probably doesn't know that cfid and cftoken are used in conjunction. So in a way this is a false positive.
    Based on the new standards coming in it is enough to be out of compliance.
    The solution to be in compliance is to set clientmanagement="no" and setclientcookies="no" in application.cfm so that cfid and cftoken are not set at all. By using only the jsessionid, you are following best practices from OWASP and also get the benefits of session end on browser close.
    Other thoughts still welcome
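
The distinction drawn in the post above, between judging CFID on its own and judging the CFID and CFTOKEN pair that is used in conjunction, as an added example (not part of the original thread, and not ColdFusion or scanner code). The function names, the 64-bit threshold and every cookie value are assumptions constructed for illustration.

```python
import math
import uuid

HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_sequential(values, max_step=1000):
    """True when every value is a decimal integer and each one exceeds the
    previous by 1..max_step, i.e. the values look like a server-side counter."""
    if len(values) < 3 or not all(v.isdigit() for v in values):
        return False
    nums = [int(v) for v in values]
    return all(0 < b - a <= max_step for a, b in zip(nums, nums[1:]))


def format_bits(value):
    """Upper bound on entropy implied by length and alphabet alone.
    It says nothing about the quality of the generator behind the value."""
    chars = value.replace("-", "")
    if chars.isdigit():
        base = 10
    elif set(chars) <= HEX_DIGITS:
        base = 16
    else:
        base = 62
    return len(chars) * math.log2(base)


def assess(samples, min_bits=64):
    """samples: one dict of cookie name -> value per freshly issued session,
    in order of issue. min_bits is an assumed threshold for this example."""
    per_cookie = {}
    for name in sorted(samples[0]):
        values = [s[name] for s in samples]
        sequential = is_sequential(values)
        bits = min(format_bits(v) for v in values)
        per_cookie[name] = {
            "sequential": sequential,
            "format_bits": round(bits, 1),
            "flagged": sequential or bits < min_bits,
        }
    # When the cookies are used in conjunction, the credential is the whole
    # set, so it is only flagged if every part of it is flagged.
    return {
        "per_cookie": per_cookie,
        "credential_flagged": all(r["flagged"] for r in per_cookie.values()),
    }


def constructed_samples(kind):
    """Constructed cookie sets for three fresh sessions (not real captures)."""
    cfids = ["70001", "70002", "70004"]
    if kind == "cf-default":      # counter CFID plus 8-digit CFTOKEN
        tokens = ["41902277", "90315568", "12744031"]
        return [{"CFID": i, "CFTOKEN": t} for i, t in zip(cfids, tokens)]
    if kind == "cf-uuid":         # counter CFID plus UUID-style CFTOKEN stand-in
        return [{"CFID": i, "CFTOKEN": str(uuid.uuid4())} for i in cfids]
    if kind == "j2ee-only":       # CFID/CFTOKEN cookies not set at all
        return [{"JSESSIONID": uuid.uuid4().hex.upper()} for _ in cfids]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("cf-default", "cf-uuid", "j2ee-only"):
        print(kind, assess(constructed_samples(kind)))
```

With the UUID token enabled, CFID is still flagged when looked at alone while the pair is not, which matches the poster's reading of the scan result; with only the jsessionid cookie there is no counter-like value left to flag.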

  • Save cookie/session after login on web service client

    I am calling a web service that has a login method. It sets a session id in
    a cookie. Every subsequent call fails and says I'm not logged in. How do I
    save their cookie or session ID such that the server thinks I'm logged in?
    Here's the client code (I used clientgen to create jar from wsdl);
        DatashareManager dsm = new DatashareManager_Impl();
        WebServiceContext wsContext = dsm.context();
        WebServiceSession session = (WebServiceSession)wsContext.getSession();
        DatashareManagerSoap dsmsoap = dsm.getDatashareManagerSoap();
        String result = dsmsoap.login("username", "password"); // this works
        EResult result2 = dsmsoap.deleteReusableList(1, "bob"); // this fails 'Not logged in'

    That sounds like a difficult one to implement because you'll essentially need to intercept the AppsLogin servlet (or AppsLocalLogin.jsp) to conditionally redirect the user somewhere else - and that would be an intrusive (and not recommended) customization.
    Some possible alternatives:
    1. Rather than publish http://hrlive.myintranet.local:8000/OA_HTML/AppsLogin as the URL that your users connect to, publish something like http://hrlive.myintranet.local:8000/OA_HTML/XxLogin.jsp instead. That could be a custom JSP that asks the user to agree to the disclaimer and, when they agree, store that agreement in a cookie and then redirect to AppsLogin.
    That's not quite the same because you're asking the user to agree before they log in. It also means that they can navigate direct to AppsLogin and bypass the disclaimer (unless you customize AppsLogin to verify the cookie).
    2. Assign all users a default 'Disclaimer' responsibility with a single function (such as an EIT, or a custom OA Framework page) that allows the user to agree to the disclaimer. Then once they've agreed to it have some process that automatically grants them their real responsibilities and revokes the Disclaimer responsibility. For example, if you used an EIT that could be an API User Hook.
    One problem with this approach is that you'll need to clear cache through Functional Administrator before the new responsibilities are visible so you'll either need to find a way of doing that programmatically or ask the user to wait until tomorrow (assuming you do a nightly web server bounce).

  • CSM inserted cookie - session or persistent

    Hi,
    I am working on a requirement to load balance HTTP requests to IBM WebSphere Application servers. Each server is configured on the CSM as one real server, but in reality there are several instances of the program running within the server. These instances are fault tolerant, so that if one of them should fail, another instance within the same server can take over and maintain the session. We currently stick clients based on the jsessionid. The problem with this is that if the instance within the server fails and another takes over, it will use a different cookie, and the stickiness is lost. Our requirement is to maintain stickiness to the same real server should an instance of the application fail. We have tried using the HTTP cookie insert feature, but this appears to be a persistent cookie that expires in 2010. We need this to be a session cookie (expires when the client's browser closes). I have seen this URL - http://www.cisco.com/en/US/partner/products/hw/switches/ps708/module_installation_and_configuration_guides_chapter09186a0080463841.html#wp1050708 which states that the CSM-S module will insert a session cookie. I know that the CSM inserts a persistent cookie. Can anyone tell me whether the cookie inserted by the CSM-S module is definitely a session cookie or not? Also, does anyone have any ideas as to how else I can resolve this issue? Many thanks in advance

    The browser itself controls if it wants to keep a copy of the cookie for the session only or if it wants to save it.
    The only thing the server, or CSM, can do is set an expiration date.
    You can change the expiration to another static date if you think 2010 is too far away.
    This is done with a variable.
    Do a 'sho mod csm x var' to see which variable it is.
    CSM-S is just a CSM with an on-board SSL module. So they act the same in this matter.
    Also, even if it was a "session" cookie, I do not see how it would solve your issue.
    If the client comes back with no cookie, it will not be sent to another instance of the same server - it will simply be loadbalanced among all the available servers.
    What you would need is more like a cookie shared by all instances of the application on a particular server.
    Then the CSM could match on the cookie to select a serverfarm that would only use instances running on this server.
    Do you have the possibility to insert a static cookie in your application ?
    Gilles.

  • Cookie session question

    I want to know how to maintain a session or cookie in a WAP application.
    As far as I know WAP doesn't support (certainly the current version) cookies.
    My scenario is user login (I want to save the user id in the session).
    He chooses a brand, then category, then SKU, then enters sales from an input box.
    I want to save the sale with the user id (I don't want to pass the user id to each page).
    So what can I do?
    Please help as I am a newbie to WAP

    woah, really? so would my best bet be to use a java -> com bridge and then just re-login using that?
    Errr.
    Okay here is the issue.
    The browser should only send cookies back to the server (or domain actually) from whence they (the cookies) originally came. This prevents a malicious site from reading cookies set by other sites which is good for all sorts of reasons. Imagine for a moment if I could send you to a site where I could read the cookies set on this site. I could pretend to be logged in as you then.
    So ultimately if you want the browser to have a cookie it will send to a site it has to get it from that site in the first place and it shouldn't be getting it from somewhere else aka your code.
    Does this help explain it better?

  • Air + Ipad + RemoteObject problem with session cookies

    I am making an Air version for iPad of a Flex application.
    My Flex application needs a session from a secured enterprise proxy; without that session no remoteObject requests can pass the proxy and reach BlazeDS.
    My solution for Flex works fine: calling an enterprise servlet at the application's startup to obtain a cookie session. I use a POST call to the servlet using URLRequest (sending the user and password parameters), the servlet responds with a message with a session cookie, and from that point, without me having to code anything more, my Flex application gets that cookie with the session that is automatically loaded in my browser cookie stack, and that is transparently used by all my subsequent remoteObject calls in the Flex application.
    In my Adobe Air iPad version, this just does not work; the session is either not stored or not attached to subsequent remoteObject requests.
    - I'm forcing request.manageCookies = true
    - I'm working with the iOS simulator (Is there any difference for cookies with a real iPad device?)
    - I'm using Flex 4.6.0, Air 3.5, iOS 6, iPad 3, BlazeDS 4.0, Java 6 back end.
    .. What's the problem/difference with Air+iPad from the Flex version?

    Hi BalusC ,
    Thanks for your detailed response. I have a question about this comment you noted..
    "Terrible. Just keep the bean request scoped. "
    I changed the bean to request and now have this issue.
        <rich:dataGrid id="membersInZipcode" value="#{membersInZipcode.arrayListOfSearch4Member}"
                       var="membersInZipcode" columns="5" elements="20">
            <f:facet name="footer">
                <rich:datascroller></rich:datascroller>
            </f:facet>
        </rich:dataGrid>
        </h:form>
    I am using a request bean to hold the search parms that loads the bean. This works great.
    The problem is when I use the rich:datascroller for the next page.
    It goes back to the bean and the request scope bean is empty. This holds the search values.
    How do I put this back into the request after each process??
    Question 2..
    "Those settings only applies on the current request, i.e. the JSP file itself. Images are obtained by separate and independent requests. You need to set the headers on those requests as well. You can use a filter for this."
    I have never set a filter ...how do I do it? Do you have a link for an example of this filter setup?
    Thanks Again
    Phil

  • Whether to use cookie for session mgmt

    I'm using session management via the getSession, setValue and getValue methods.
    Is it necessary to use cookies for it?

    You don't use get/setValue, you should be using get/setAttribute.
    You don't need to do anything with cookies. Session tracking cookies are inserted automatically.

  • Using Session Variables for User Login - sometimes they don't persist... what am I doing wrong?

    Hi all,
    I'm running a site that requires user login.  I approached the building of this site as almost a complete newb to CF (and dynamic coding in general), and it's been a great learning experience (with lots of help from you guys).
    However, I guess I never learned the correct way to handle a user login.  It seemed to me that I could just test the user-entered credentials against those stored in a database, then set a session variable containing that user's record number.  Then, not only would I have an easy way of knowing who this user was and therefore what info to serve him, but I could test for the existence of a valid login on every page in the protected folder, by adding this code to my application.cfc in that folder:
    <cfset This.Sessionmanagement=true>
    <cfset This.Sessiontimeout="#createtimespan(0,8,0,0)#">
       <cfif NOT isDefined ("session.username") or NOT isDefined ("session.password") or NOT isDefined ("session.storeID")>
         <cflocation url="../index.cfm" addtoken="no">
       </cfif>
    ...and it goes on to run a query and verify that the session.username and session.password match for the store defined by session.storeID.  If not, all session variables are cleared and it bounces you back to the login page.  When the user clicks Logout, all I do is delete all the session variables.
    This seemed to work great for like a year, but lately I've been getting reports that the login doesn't seem to persist for longer than approx. 20 minutes of inactivity.  You can see I specified session variables to remain active for 8 hours (I know that seems like a drastically long login, but it's what's necessary for this application).  I've only gotten this report from a few people, and I myself can't seem to duplicate it... I've tested an inactive login for 45 minutes now and it held.
    SO:  any reason you can think of why session variables would be spontaneously clearing for some people?  Would having your router reset its IP address invalidate the session or something?  Also, the problem seemed to begin appearing after my host upgraded all their servers to CF9... could there be any relation?
    And on a more general note... did I go about this completely the wrong way to begin with?  If so, what's the standard way to manage a login?
    Lots of questions, I know... thanks very much for any answers or suggestions!
    Joe

    Ian,
    Thanks very much - very helpful information.
    Sounds like passing the tokens in every request is probably the way to go for this.  I don't think it's likely that any users will be sharing links, unless they actually intend for the recipient to see their info anyway.
    Is that all I would have to do, is add the tokens to every path?  Would that guarantee that all the session variables would remain valid until timeout or being cleared?
    Again, thanks, you've been really helpful.
    Joe
    On Jun 23, 2010 4:37 PM, Ian Skinner wrote:
    Unfortunately this is the nature of HTTP web applications.  There is NO state maintained from HTTP request to request.  This is by design in the HTTP protocol specifications.
    ColdFusion provides two methods to circumvent this limitation.  Each method has limitations and caveats.  They both rely on the passing of tokens between the client and the server with every request.  These tokens can be passed as cookies OR URL (GET) variables.  You are using the cookie method, which is the simpler and most common. You may be experiencing the limitation of this method.  If something happens to the cookies the session can be lost.
    You could pass the (CFID & CFTOKEN) OR JSESSIONID tokens through the URL query string with every request.  This requires one to add these values to every link, form action, cflocation or other request path in our application.  ColdFusion provides the session.urltoken variable to make this easier to do.  The tokens will be visible to the user.  Also, if a link with an individual token is shared with other users via e-mail, chat, social networks, etc., and one of these users utilizes the link during the life of a session (8 hours apparently in your case), then that user will access the session of the original user.
    Cookie session management is by far the most common choice by CF developers.  If these methods do not meet your needs you would need to go beyond the HTTP limitations of web applications.  One might be able to accomplish this with a Flex|Air|Flash application that can be configured to use a continuous connection to the server, thus not suffering the stateless nature of the normal HTTP request-response cycle.
    I do not know if a router resetting would cause cookies to be discarded or otherwise invalidated.  But I would not think it is beyond the realm of possibilities.
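
The shared-link risk described in the quoted reply above, seen from the server side, as an added example (not part of the original thread or of ColdFusion). It looks for session tokens carried in request URLs and reports any token used from more than one client address; the log lines, addresses, token values and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

SESSION_KEYS = {"cfid", "cftoken", "jsessionid"}
# Minimal common-log-format matcher: client address and request target.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')
PATH_PARAM = re.compile(r";jsessionid=([^;/?#]+)", re.IGNORECASE)

# Constructed access-log lines (documentation address ranges, made-up tokens).
CONSTRUCTED_LOG = [
    '192.0.2.10 - - [23/Jun/2010:16:40:01 +0000] '
    '"GET /protected/orders.cfm?CFID=70001&CFTOKEN=41902277 HTTP/1.1" 200 512',
    '192.0.2.10 - - [23/Jun/2010:16:41:12 +0000] '
    '"GET /protected/edit.cfm?CFID=70001&CFTOKEN=41902277 HTTP/1.1" 200 734',
    '203.0.113.77 - - [23/Jun/2010:17:05:40 +0000] '
    '"GET /protected/orders.cfm?CFID=70001&CFTOKEN=41902277 HTTP/1.1" 200 512',
    '198.51.100.5 - - [23/Jun/2010:17:06:02 +0000] '
    '"GET /protected/index.cfm;jsessionid=AAAA0000BBBB1111 HTTP/1.1" 200 300',
    '198.51.100.5 - - [23/Jun/2010:17:06:30 +0000] '
    '"GET /index.cfm HTTP/1.1" 200 100',
]


def session_tokens(target):
    """Return {name: value} for session identifiers carried in a request
    target, either in the query string or as a ;jsessionid= path parameter."""
    parts = urlsplit(target)
    found = {
        key.lower(): value
        for key, value in parse_qsl(parts.query)
        if key.lower() in SESSION_KEYS
    }
    match = PATH_PARAM.search(parts.path)
    if match:
        found["jsessionid"] = match.group(1)
    return found


def audit(lines):
    """Group URL-borne session tokens by the client addresses that sent them."""
    clients = defaultdict(set)
    for line in lines:
        match = LINE.match(line)
        if not match:
            continue
        tokens = session_tokens(match.group("target"))
        if tokens:
            clients[tuple(sorted(tokens.items()))].add(match.group("ip"))
    # More than one address for a token is a lead, not proof: a single user
    # can change networks during a long session.
    shared = [
        (dict(key), sorted(ips)) for key, ips in clients.items() if len(ips) > 1
    ]
    return {"sessions_in_urls": len(clients), "shared": shared}


if __name__ == "__main__":
    report = audit(CONSTRUCTED_LOG)
    print("sessions carried in URLs:", report["sessions_in_urls"])
    for tokens, ips in report["shared"]:
        print("token set", sorted(tokens), "used from", ips)
```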

  • Why Firefox won't ask me to enter my mail "Account details (UserName and Password)" for the 2nd time, if I open the same "mail account" using another session (1st session still "login")

    I opened "yahoomail" in one new tab; the mail page asks me to enter "UserName and Password", and once I typed my details, it allows me to see my mails. Again I opened "yahoomail" in a new tab (still my 1st Yahoo mail account in "login" state) to check my other account; this time it automatically allows me to see the previously opened account without asking me to enter "Account Details"

    All Firefox windows and tabs run in the same "session". You can't open a 2nd account on the same server as the first account without being able to handle "session cookies" for each account.
    Take a look at these three extensions which can handle multiple "cookie sessions", and pick one.
    Multifox:
    http://br.mozdev.org/multifox/
    Cookie Swap extension:
    https://addons.mozilla.org/firefox/3255/
    Cookie Pie extension:
    http://www.nektra.com/oss/firefox/extensions/cookiepie/

  • How to create a different browser session within the same profile

    Internet Explorer 8 lets you create a new session within a new browser window but how can I do the same with Firefox? I know if you switch user profiles then you can have two browsers in different sessions but I would like to have two sessions using the same user profile.

    Sorry, that's not possible with Firefox. Firefox uses a single executable instance to run all windows and tabs, where IE starts another process for each window. Chrome uses a separate process for each tab (or window), which seems real nice until it sucks the life out of an older processor with the "overhead" of all those separate processes.
    Depending upon what you want a "different session" for, there are 3 extensions that allow for multiple cookie sessions which allow for multiple, simultaneous logins to the same server. That works to allow the user to log into multiple webmail accounts at the same service provider.
    Multifox:
    http://br.mozdev.org/multifox/
    Cookie Swap extension:
    https://addons.mozilla.org/firefox/3255/
    Cookie Pie extension:
    http://www.nektra.com/oss/firefox/extensions/cookiepie/

  • CF 10 Clean Install - Sessions Broken

    Hi all,
    My firm recently upgraded to all new CF 10 servers (clean install no upgrade), and we are going through testing before we launch them in production.
    I have come across an issue where the sessions are not being maintained across requests.
    The application login functionality no longer works at all... testing the same code on CF9 yields expected and desired results.
    To test, I created a folder with an Application.cfc and an index.cfm.
    I placed a copy of the folder on the root of both the CF9 and CF10 servers.
    Loaded the index.cfm page on each and then just hit the refresh button on the browser.
    All the index.cfm page does is dump the session & cookie scopes.
    RESULTS
    CF9:
    - SESSIONID stays the same upon each request
    - CFID stays the same
    - CFTOKEN stays the same
    ...as expected results
    Initial Page Load:
      struct
        sessionid: 8430fefbf6988bab4bbc3724627d6a323351
        urltoken: CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351
        username: Bill
      struct
        CFID: 64848
        CFTOKEN: 25813868
        JSESSIONID: 8430fefbf6988bab4bbc3724627d6a323351
    Refresh 2:
      struct
        sessionid: 8430fefbf6988bab4bbc3724627d6a323351
        urltoken: CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351
        username: Bill
      struct
        CFID: 64848
        CFTOKEN: 25813868
        JSESSIONID: 8430fefbf6988bab4bbc3724627d6a323351
    Refresh 3:
      struct
        sessionid: 8430fefbf6988bab4bbc3724627d6a323351
        urltoken: CFID=64848&CFTOKEN=25813868&jsessionid=8430fefbf6988bab4bbc3724627d6a323351
        username: Bill
      struct
        CFID: 64848
        CFTOKEN: 25813868
        JSESSIONID: 8430fefbf6988bab4bbc3724627d6a323351
    CF10:
    - SESSIONID changes on every SECOND request
    - CFID changes every request
    - CFTOKEN changes every request
    ...not as expected whatsoever
    Initial Page Load:
      struct
        sessionid: BBEB2834CFE5CABC214714BC9984C35B.cfusion
        urltoken: CFID=2199631&CFTOKEN=87302470&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusion
      struct
        CFID: 2199631
        CFTOKEN: 87302470
        JSESSIONID: A8374BAF078DCD9216870113F0A7E32B.cfusion
    Refresh 1:
      struct
        sessionid: BBEB2834CFE5CABC214714BC9984C35B.cfusion
        urltoken: CFID=2199791&CFTOKEN=22231763&jsessionid=BBEB2834CFE5CABC214714BC9984C35B.cfusion
      struct
        CFID: 2199791
        CFTOKEN: 22231763
        JSESSIONID: BBEB2834CFE5CABC214714BC9984C35B.cfusion
    Refresh 2:
      struct
        sessionid: 1C3645A75E85F7AEDAEBA9F90474DF83.cfusion
        urltoken: CFID=2199867&CFTOKEN=96194295&jsessionid=1C3645A75E85F7AEDAEBA9F90474DF83.cfusion
      struct
        CFID: 2199867
        CFTOKEN: 96194295
        JSESSIONID: BBEB2834CFE5CABC214714BC9984C35B.cfusion
    WTH???
    Here is a copy of my Application.cfc:
    /**
        @title "Application.cfc reference in CFScript for Coldfusion 9"
        @description "This component includes all Application.cfc methods and variables, set to their default values (if applicable). Please note that default values are not always desirable, and some methods or variables should be modified or removed depending on the situation."
        @author "Russ Spivey (http://cfruss.blogspot.com)"
        @dateCreated "November 29, 2009"
        @licence "This work is licensed under the Creative Commons Attribution 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA."
        @hint "You implement methods in Application.cfc to handle ColdFusion application events and set variables in the CFC to configure application characteristics."
    */
    component output="false" {
        /* **************************** APPLICATION VARIABLES **************************** */
        // The application name. If you do not set this variable, or set it to the empty string, your CFC applies to the unnamed application scope, which is the ColdFusion J2EE servlet context.
        THIS.name = "Test";
        // Life span, as a real number of days, of the application, including all Application scope variables.
        THIS.applicationTimeout = createTimeSpan(0, 1, 0, 0);
        // Whether the application supports Client scope variables.
        THIS.clientManagement = false;
        // Where Client variables are stored; can be cookie, registry, or the name of a data source.
        //THIS.clientStorage = "registry"; //cookie||registry||datasource
        // Contains ColdFusion custom tag paths.
        THIS.customTagPaths = "";
        // The Google Maps API key required to embed Google Maps in your web pages.
        THIS.googleMapKey = "";
        // Name of the data source from which the query retrieves data.
        THIS.datasource = "";
        // Whether to store login information in the Cookie scope or the Session scope.
        THIS.loginStorage = "cookie"; //cookie||session
        // A structure that contains ColdFusion mappings. Each element in the structure consists of a key and a value. The logical path is the key and the absolute path is the value.
        THIS.mappings = {};
        // Whether to enable validation on cfform fields when the form is submitted.
        THIS.serverSideFormValidation = true;
        // Whether the application supports Session scope variables.
        THIS.sessionManagement = true;
        // Life span, as a real number of days, of the user session, including all Session variables.
        THIS.sessionTimeout = createTimeSpan(0, 0, 20, 0);
        // Whether to send CFID and CFTOKEN cookies to the client browser.
        THIS.setClientCookies = true;
        // Whether to set CFID and CFTOKEN cookies for a domain (not just a host).
        THIS.setDomainCookies = false;
        // Whether to protect variables from cross-site scripting attacks.
        THIS.scriptProtect = false;
        // A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call.
        THIS.secureJSON = false;
        // The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true.
        THIS.secureJSONPrefix = "";
        // A comma-delimited list of names of files. Tells ColdFusion not to call the onMissingTemplate method if the files are not found.
        THIS.welcomeFileList = "";
        // A struct that contains the following values: server, username, and password. If no value is specified, takes the value in the administrator.
        THIS.smtpServersettings = {};
        // Request timeout. Overrides the default administrator settings.
        THIS.timeout = 30; // seconds
        // A list of ip addresses that need debugging.
        THIS.debugipaddress = "";
        // Overrides the default administrator settings. It does not report compile-time exceptions.
        THIS.enablerobustexception = false;
        /* ORM variables */
        // Specifies whether ORM should be used for the ColdFusion application. Set the value to true to use ORM. The default is false.
        THIS.ormenabled = false;
        // The struct that defines all the ORM settings. Documentation: http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSED380324-6CBE-47cb-9E5E-26B66ACA9E81.html
        THIS.ormsettings = {};
        // note: THIS.datasource applies to cfquery as well as ORM. It is defined on line 31.
        /* **************************** APPLICATION METHODS **************************** */
        /**
            @hint "Runs when an application times out or the server is shutting down."
            @ApplicationScope "The application scope."
        */
        public void function onApplicationEnd(struct ApplicationScope=structNew()) {
            return;
        }
        /**
            @hint "Runs when ColdFusion receives the first request for a page in the application."
        */
        public boolean function onApplicationStart() {
            return true;
        }
        /**
            @hint "Intercepts any HTTP or AMF calls to an application based on CFC request."
            @cfcname "Fully qualified dotted path to the CFC."
            @method "The name of the method invoked."
            @args "The arguments (struct) with which the method is invoked."
        */
        public void function onCFCRequest(required string cfcname, required string method, required string args) {
            return;
        }
        /*
            @hint "Runs when an uncaught exception occurs in the application."
            @Exception "The ColdFusion Exception object. For information on the structure of this object, see the description of the cfcatch variable in the cfcatch description."
            @EventName "The name of the event handler that generated the exception. If the error occurs during request processing and you do not implement an onRequest method, EventName is the empty string."
            note: This method is commented out because it should only be used in special cases
        public void function onError(required any Exception, required string EventName) {
            return;
        }
        */
        /*
            @hint "Runs when a request specifies a non-existent CFML page."
            @TargetPage "The path from the web root to the requested CFML page."
            note: This method is commented out because it should only be used in special cases
        public boolean function onMissingTemplate(required string TargetPage) {
            return true;
        }
        */
        /*
            @hint "Runs when a request starts, after the onRequestStart event handler. If you implement this method, it must explicitly call the requested page to process it."
            @TargetPage "Path from the web root to the requested page."
            note: This method is commented out because it should only be used in special cases
        public void function onRequest(required string TargetPage) {
            return;
        }
        */
        /**
            @hint "Runs at the end of a request, after all other CFML code."
        */
        public void function onRequestEnd() {
            return;
        }
        /**
            @hint "Runs when a request starts."
            @TargetPage "Path from the web root to the requested page."
        */
        public boolean function onRequestStart(required string TargetPage) {
            return true;
        }
        /**
            @hint "Runs when a session ends."
            @SessionScope "The Session scope"
            @ApplicationScope "The Application scope"
        */
        public void function onSessionEnd(required struct SessionScope, struct ApplicationScope=structNew()) {
            return;
        }
        /**
            @hint "Runs when a session starts."
        */
        public void function onSessionStart() {
            return;
        }
    }
    So did Adobe really ship a broken product??
    Here are a list of other people with the same issues:
    http://forums.adobe.com/message/5692829
    http://forums.adobe.com/thread/1017340
    http://forums.adobe.com/thread/1022637
    http://forums.adobe.com/thread/1272465
    http://forums.adobe.com/message/5696193
    https://bugbase.adobe.com/index.cfm?event=bug&id=3572565
    http://www.petefreitag.com/item/817.cfm
    http://forums.adobe.com/thread/1199835
    I have spent several days at this... if I missed some obvious configuration I would be upset with myself, but relieved it was fixable. As of right now, I can't move my code to this new production environment as logging into the application is not even possible.
    Thanks

         ISSUE RESOLVED:    
         BKBK,
         You were correct...
         I failed to mention that the application that is dropping the session is also using the Portcullis XSS/SQL Injection prevention script from RIAForge.
         It is not listed as being compatible with CF10... removing it has resolved my issue entirely and the sessions are now being maintained.
         Thank you all for your responses.
         Regards,
         John
    BKBK wrote:
    John.Elkins wrote:
     We are not using cflogin...
    However, some other login process is apparently involved in the page request. That can start up a new session, if not coded properly.
    In fact my guess is that that is what is happening. In any case, this is about whether or not session is maintained. To test this cleanly, you have to exclude all code involved with the login process.

  • $20 to anyone who can help: (I think) how to send the right cookie info

    Yes, we're so befuddled and stumped that we are willing to pay $25 by Paypal or any other method (check, money order) to the first person who provides us with a concrete solution that allows us to read this page through a Java application:
    http://s1.amazon.com/exec/varzea/subst/your-account/your-open-marketplace-items.html/104-3907538-7794313
    The problem (we think) seems relatively simple: how can we pass the correct cookie to a server? We want to search our merchant web pages on amazon.com (and perform other operations, but for the purposes of this problem, just assume we want to read the above web page). We wrote a variation of a webcrawler which works fine on most web pages. However, the Amazon web pages we want to crawl (i.e., http://s1.amazon.com/exec/varzea/subst/your-account/your-open-marketplace-items.html/104-3907538-7794313) require you to sign in first (otherwise you get redirected to http://s1.amazon.com/exec/varzea/subst/your-account/your-won-zshop-items.html/104-0793551-2976761). So we thought that this meant we had to figure out how to get our webcrawler to login first (we implemented the Java Almanac example for accessing password-protected URLs: http://javaalmanac.com/egs/java.net/Auth.html?l=rel). During the course of testing this out (the code seemed to work, though we still got redirected), we realized that the Amazon web page is not actually performing basic authentication (not asking for username/password), but instead seems (that is, seems to inexperienced us) to be looking for a cookie. We believe this because after we sign in to Amazon, we can access all our merchant web pages just fine without ever needing to log in, even if we turn off the browser (or computer). Also, if we try to access the web page after deleting all cookies, we again get redirected to the page requesting that we sign in.
    So we took a look at the Amazon cookie that was created after we signed in to Amazon (printed below), and then implemented the cookie-passing code from the Java Almanac (http://javaalmanac.com/egs/java.net/SendCookie.html). This seemed to have no effect: we still got redirected. We hunted around for other Cookie examples and found achase1's example from a previous forum question (http://forum.java.sun.com/thread.jsp?forum=54&thread=375956), which seemed to add a few HTTPUrlConnection.set's, but this also had no effect--our Java crawler still gets redirected to the page that requests that we sign in first.
    So we think that either we are somehow passing the wrong cookie information, or are just missing some critical HttpURLConnection setting or parameter.
    So, if you can tell us how to read the Amazon page that seems to require a cookie, and your explanation actually works (that is, we can read the page), we will send you $25 immediately--like so many others on the forum, we're frustrated and lost and need an answer that works!
    Here is the Amazon account information (naturally, this is a working dummy account on Amazon, not our actual account, in case you want to test your solution before posting it):
    username: [email protected]
    password: melville
    Here is the cookie that is generated:
    Here is the extra-simplified version of our webcrawler, which simply tries to read (and print out) the web page:
    import java.net.*;
    import java.io.*;
    public class PasswordReader {
        public static void main(String[] args) throws Exception {
            // Try to access the page
            try {
                HttpURLConnection m_urlConn;
                URL url = new URL(args[0]);
                // Cookie passing code
                m_urlConn = (HttpURLConnection) url.openConnection();
                m_urlConn.setDoOutput(true);
                m_urlConn.setDoInput(true);
                m_urlConn.setUseCaches(false);
                m_urlConn.setRequestMethod("POST");
                // optional
                m_urlConn.setRequestProperty("User-Agent","Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; H010818)");
                m_urlConn.setRequestProperty("Content-Type","application/x-www-form-urlencoded");
                m_urlConn.setRequestProperty("Cookie" , "session-id=104-3907538-7794313;session-id-time=1055491200;ubid-main=430-1017936-7312154;x-main=Z3yciaQAfpzN?CPFkzeRd8z1U2lWcoap");
                m_urlConn.connect();
                // end cookie code
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(
                        url.openStream()));
                String inputLine;
                // Read and print out the web page
                while ((inputLine = in.readLine()) != null)
                    System.out.println(inputLine);
                in.close();
            } catch (MalformedURLException e) {
            } catch (IOException e) {
            }
        }
    }
    Thanks so much to anyone who even tries to help us!! We've been poring through the Sun forums, almanacs, and sample code all week without much evident progress. You'd really be making us very, very happy.
    Thank you,
    Ogi Ogas
    [email protected]
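
    An added example, not part of the original post: in the crawler code above the Cookie header is set on m_urlConn, but the page is read with url.openStream(), which opens a second connection that carries none of those headers. The sketch below reproduces that against a local stand-in server and then reads from the connection that holds the header; the class name, cookie value and server are constructed for the demo.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class CookieRequestDemo {
    // Constructed value for the demo; not a real session identifier.
    static final String COOKIE = "session-id=demo-123";

    public static void main(String[] args) throws Exception {
        // Local stand-in for a site that serves the page only when the cookie is present.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String sent = ex.getRequestHeaders().getFirst("Cookie");
            byte[] body = (COOKIE.equals(sent) ? "account page" : "please sign in")
                    .getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(body); }
        });
        server.start();
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");

        // Pattern from the post: header set on one connection, body read from another.
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("Cookie", COOKIE);
        System.out.println("url.openStream():      " + read(url.openStream()));

        // Reading from the connection that carries the header sends the cookie.
        System.out.println("conn.getInputStream(): " + read(conn.getInputStream()));
        server.stop(0);
    }

    static String read(InputStream in) throws IOException {
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(in, StandardCharsets.UTF_8))) {
            return r.readLine();
        }
    }
}
```

    The first line printed is "please sign in" and the second is "account page", because only the second read goes through the connection on which the Cookie header was set.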

    "{[VERSION="0" ; NAME="session_id" ; VALUE="@@33f84622845133891a68ec0dffe9f620" ; DOMAIN="my.asu.edu" ; PATH="/" ; SECURE="false" ; EXPIRES="null"]}"
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~The Cookie!
    <HTML><HEAD><!--set cookie-->
    <SCRIPT language='JavaScript'><!--
    document.cookie = "session_id=@@33f84622845133891a68ec0dffe9f620; path=/;";
    // Begin JavaScript
    if(!document.cookie) {
    var agt=navigator.userAgent.toLowerCase();
    var is_major = parseInt(navigator.appVersion);
    var is_minor = parseFloat(navigator.appVersion);
    // Note: Opera and WebTV spoof Navigator.
    var is_nav = ((agt.indexOf('mozilla')!=-1) && (agt.indexOf('spoofer')==-1)
    && (agt.indexOf('compatible') == -1) && (agt.indexOf('opera')==-1)
    && (agt.indexOf('webtv')==-1));
    var is_nav2 = (is_nav && (is_major == 2));
    var is_nav3 = (is_nav && (is_major == 3));
    var is_nav4 = (is_nav && (is_major == 4));
    var is_nav4up = (is_nav && (is_major >= 4));
    var is_navonly = (is_nav && ((agt.indexOf(";nav") != -1) ||
    (agt.indexOf("; nav") != -1)) );
    var is_nav5 = (is_nav && (is_major == 5));
    var is_nav5up = (is_nav && (is_major >= 5));
    var is_ie = (agt.indexOf("msie") != -1);
    var is_ie3 = (is_ie && (is_major < 4));
    var is_ie4 = (is_ie && (is_major == 4) && (agt.indexOf("msie 5.0")==-1) );
    var is_ie4up = (is_ie && (is_major >= 4));
    var is_ie5 = (is_ie && (is_major == 4) && (agt.indexOf("msie 5.0")!=-1) );
    var is_ie5up = (is_ie && !is_ie3 && !is_ie4);
    // KNOWN BUG: On AOL4, returns false if IE3 is embedded browser
    // or if this is the first browser window opened. Thus the
    // variables is_aol, is_aol3, and is_aol4 aren't 100% reliable.
    var is_aol = (agt.indexOf("aol") != -1);
    var is_aol3 = (is_aol && is_ie3);
    var is_aol4 = (is_aol && is_ie4);
    var is_opera = (agt.indexOf("opera") != -1);
    var is_webtv = (agt.indexOf("webtv") != -1);
    var intro_dir = "This installation of Blackboard 5 requires the acceptance of a cookie by your browser software. ";
    intro_dir += "The cookie is used to ensure that you <I>and only you</I> are able to access information in the courses, assessments, gradebooks and other features which are appropriate for you. <P>";
    intro_dir += "The system has been unable to place the cookie. This may be because cookies are disabled in your browser.<P> To enable cookies in your browser:<ol>";
    var nn4dir = "<LI>Select <I>Preferences</I> from your browser's Edit Menu. <LI>Select <I>Advanced</I> from the list in the left-hand pane of the dialog box. ";
    nn4dir += "<LI>Under the <I>Cookies</I> box, select either of the first two options ('Accept all cookies' or 'Accept only cookies that get sent back to ";
    nn4dir += "the originating server')<LI>Click 'Ok' to close the dialog box. ";
    var ie5dir = "<LI>Select <I>Internet Options</I> from your browser's Tools Menu <LI>Select the <I>Security</I> Tab, and click on the 'Custom Level' button. ";
    ie5dir += "<LI>Scroll down to the 'Cookies' Section, and select either of the last two options under 'Allow Per-Session Cookies (not stored)' - either 'Enable' or 'Prompt'. ";
    ie5dir += "<LI>Click 'Ok' to Close the Security Settings dialog box. ";
    ie5dir += "<P><B>NOTE</B> Depending on your institution's set-up of Blackboard 5, you may need to repeat steps 3 & 4 for more than one 'Security Zone'. ";
    ie5dir += "<BR>For example, if you are connecting from a computer inside the same firewall or network as the Blackboard 5 machine, you would select the 'Local Intranet Zone'. ";
    ie5dir += "<BR>If you are making a connection across the internet from another location, you would select the 'Internet Zone'. <BR>In some cases, you may need to do both.<P>";
    ie5dir += "<LI>Click 'Apply' and 'Ok' to close the Internet Options dialog box.";
    var ie4dir = "<LI>Select <I>Internet Options</I> from your browser's Tools Menu <LI>Select the <I>Advanced</I> Tab. ";
    ie4dir += "<LI>Scroll down to the 'Cookies' Section under 'Security', and select either the first or last option - either 'Prompt before Accepting Cookies' or 'Always Accept Cookies'. ";
    ie4dir += "<LI>Click 'Apply' and 'Ok' to close the Internet Options dialog box.";
    var browser_dir = "<LI>Please follow your browser's Help instructions for enabling Session (non-stored) cookies that are sent back to the originating server.";
    if (is_nav) { browser_dir = nn4dir; }
    if (is_ie5up) { browser_dir = ie5dir; }
    if (is_ie4) { browser_dir = ie4dir; }
    browser_dir += "<LI>Click 'Ok' on this page to return to Blackboard 5.";
    document.write("<table border='0' width='100%' cellpadding='0' cellspacing='0'><tr><td align='left' width='40'> </td>");
    document.write("<td align='left' width='100%'><b><font face='Arial, Helvetica, sans-serif' size='4'>Browser Cookies Disabled</font></b><hr size=5 noshade></td></tr></table>");
    document.write("<table border='0' cellpadding='5' cellspacing='0' width='100%'><tr><td width='20' valign='top'> </td><td width='100%' valign='top'>");
    document.write("<font face='Arial, Helvetica, sans-serif' size='2'><b>Browser Cookies Disabled</b></font><br>");
    document.write("<font size='2' face='Arial, Helvetica, sans-serif'>"+intro_dir);
    document.write(browser_dir);
    document.write("</font><br></td></tr><tr><td colspan='6' align='center'><form><input type=button value='Ok' onclick='javascript:history.go(-1)'></td></tr></table></form>");
    } else {
    var href = document.location.href;
    href = href + "?bbatt=Y";
    document.location.href = href;
    }
    //END JavaScript
    //--></SCRIPT>
    </HEAD><BODY BGCOLOR='FFFFFF'>
    </BODY><HTML>

  • Sessions in Flex

    Can anyone tell me how sessions work in Flex? From a browser perspective, I understand when a new session is created the ID is saved into a session cookie client-side and this ID is used to link the browser to the server-side session. But I can't find any cookies that relate to my Flex application (assuming it uses cookies).

    Session information is, basically, every variable you create and store in the Flex application.
    Session cookies are a work around for the stateless nature of HTML Pages.  Every HTML page exists in isolation and knows nothing about any other HTML page or the history of the user viewing that page.  The server sets a cookie to match a request up with a server side session.
    In Flex, there is only one page request, so no need for cookies to keep track of sessions.  The complete app exists 'once' for each user; as opposed to the server side code which is shared across all users.
    That said, if you need sessions for your server side code; remote requests from Flex will include the cookie information set by the server; which will allow said requests to match your remote call to a server side session.
    Flex does not have access to read browser cookies, although it may be possible to do so using ExternalInterface and JavaScript.

  • Session management in servlet

    Hi,
    I am using OC4J Server.
    I know the session in servlet can be managed with cookies. In addition, the session can be managed in HTTP session of OC4J. And how about URL rewriting? Does it mean there are 3 methods to keep track of the servlet session? What are the differences between them? I am quite confused.
    Thanks in advance

    I see. Thanks.
    So it means there are two kinds of cookies, permanent cookies and session cookies.
    Session cookies are used to store the session information.
    I have another question. I want to write a permanent cookie to the browser and get it again even if the browser is closed.
    The source code is like:
    Cookie cookie = new Cookie(cookieName, cookieValue);
    response.addCookie(cookie);
    Then I try to write some cookies in the browser, close the browser and open the browser again and I try to retrieve the cookies using the following code but the cookies disappear.
    Cookie[] cookies = request.getCookies();
    if (cookies != null && cookies.length > 0) {
        for (int i = 0; i < cookies.length; i++) {
            Cookie cookie = cookies[i];
        }
    }
    Is this the correct way to store and retrieve permanent cookies?
    thanks in advance
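
    An added example, not part of the original post: a cookie created with new Cookie(name, value) and no maximum age has the default age of -1, so the browser treats it as a session cookie and drops it on exit, which matches the behaviour described above. The servlet below sets an explicit lifetime and reads the cookie back; the class name, cookie name and 30-day lifetime are assumptions for illustration, and setHttpOnly requires Servlet 3.0 or later.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet for illustration; map it to a URL in web.xml or with @WebServlet.
public class RememberMeServlet extends HttpServlet {
    private static final String NAME = "remember_token";      // hypothetical cookie name
    private static final int THIRTY_DAYS = 30 * 24 * 60 * 60; // lifetime in seconds
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.setContentType("text/plain");
        if (find(request.getCookies(), NAME) != null) {
            response.getWriter().println("cookie came back after restart");
            return;
        }
        // Store only an opaque random value; keep what it maps to on the server.
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Cookie cookie = new Cookie(NAME, token);
        cookie.setMaxAge(THIRTY_DAYS); // default is -1: discarded when the browser exits
        cookie.setPath("/");           // sent for every path on this host
        cookie.setHttpOnly(true);      // not readable from page script
        cookie.setSecure(true);        // only sent over HTTPS
        response.addCookie(cookie);
        response.getWriter().println("cookie set");
    }

    // getCookies() returns null when the request carries no cookies.
    private static String find(Cookie[] cookies, String name) {
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

    Because the cookie is marked Secure, it is only returned on HTTPS requests; when testing over plain HTTP the second request will not carry it.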
