Disable non-SSL session tracking?

Hi, all,
I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
Thanks,
Dmitri.

I don't think you can do this programmatically. However I also don't think it is a problem.
Cookies are related to zone names aren't they? http://mysite and https://mysite are two different zones as far as cookies are concerned. One should not be able to see the other.
It issues a new cookie for the http site you are just navigating to. That cookie has nothing to do with the secure site you just came from, and shouldn't be able to tell them any info about the secure site.
I think you are worrying about something that isn't really there.
What is your concern? That they pick up a JSESSIONID from the cookie and can then pretend to be a different user?

Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?
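What Dmitri asks for became possible later, in the Servlet 3.0 API (javax.servlet.SessionCookieConfig and ServletContext.setSessionTrackingModes); the following is an added example, not code from any of the posters. It assumes a Servlet 3.0+ container with annotation scanning enabled; the class and filter names are made up. With the Secure attribute set, the browser never sends the JSESSIONID cookie on an http:// request to the same host, which is the leak the question is about.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Programmatic (no web.xml, no server config) session policy for a Servlet 3.0+
 * container: the JSESSIONID cookie is only ever returned over TLS and never
 * exposed to script, URL rewriting is switched off so the id cannot ride along
 * on a link to another site, and no session is created on a plaintext request.
 */
@WebListener
public class SecureSessionPolicy implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setSecure(true);   // browser only sends it on https://, so an
                                  // http:// page on the same host never sees it
        cookie.setHttpOnly(true); // not readable through document.cookie

        // Cookie tracking only: no ;jsessionid=... rewriting, which would leak
        // the id through Referer headers, bookmarks and proxy logs.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Register the filter below from code rather than from web.xml.
        ctx.addFilter("noPlaintextSession", NoPlaintextSessionFilter.class)
           .addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /** Lets a session be created or reused on TLS requests only. */
    public static class NoPlaintextSessionFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            if (http.isSecure()) {
                chain.doFilter(req, res);
                return;
            }
            // A session id that arrived in the clear has already been exposed:
            // retire it instead of continuing to honour it.
            HttpSession exposed = http.getSession(false);
            if (exposed != null) {
                exposed.invalidate();
            }
            chain.doFilter(new HttpServletRequestWrapper(http) {
                @Override
                public HttpSession getSession() {
                    return getSession(true);
                }
                @Override
                public HttpSession getSession(boolean create) {
                    // Never create a session (and so never emit Set-Cookie) over http.
                    return null;
                }
            }, res);
        }

        @Override
        public void init(FilterConfig config) { }

        @Override
        public void destroy() { }
    }
}
```

On http:// pages the JSP implicit `session` object is therefore null, which makes any accidental session use over plaintext fail loudly instead of setting a cookie. The same enum also has SessionTrackingMode.SSL (the TLS session id becomes the servlet session id), but container support for it varies, which is why this example relies on the Secure cookie instead.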

Similar Messages

  • Disable user and session tracking?

    Hi there?
    We would like to use Application Insights for everything except user and session tracking.
    How can I disable these features in AI (we may not use cookies on our site)?
    My guess is to change the applicationinsights.config file as below. Is there any documentation about the configuration file? Right now I'm only guessing...
    Cheers
    /Niclas
    <?xml version="1.0" encoding="utf-8"?>
    <ApplicationInsights xmlns="http://schemas.microsoft.com/ApplicationInsights/2013/Settings" schemaVersion="2014-05-30">
    <!--
    Learn more about Application Insights configuration with ApplicationInsights.config here:
    http://go.microsoft.com/fwlink/?LinkID=513840
    -->
    <TelemetryModules>
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Implementation.Tracing.DiagnosticsTelemetryModule, Microsoft.ApplicationInsights" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.RuntimeTelemetry.RemoteDependencyModule, Microsoft.ApplicationInsights.Extensibility.RuntimeTelemetry" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.PerfCollector.PerformanceCollectorModule, Microsoft.ApplicationInsights.Extensibility.PerfCollector" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.WebApplicationLifecycleModule, Microsoft.ApplicationInsights.Extensibility.Web" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.RequestTracking.TelemetryModules.WebRequestTrackingTelemetryModule, Microsoft.ApplicationInsights.Extensibility.Web" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.RequestTracking.TelemetryModules.WebExceptionTrackingTelemetryModule, Microsoft.ApplicationInsights.Extensibility.Web" />
    <!-- <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.RequestTracking.TelemetryModules.WebSessionTrackingTelemetryModule, Microsoft.ApplicationInsights.Extensibility.Web" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.RequestTracking.TelemetryModules.WebUserTrackingTelemetryModule, Microsoft.ApplicationInsights.Extensibility.Web" /> -->
    </TelemetryModules>
    <ContextInitializers>
    <Add Type="Microsoft.ApplicationInsights.Extensibility.BuildInfoConfigComponentVersionContextInitializer, Microsoft.ApplicationInsights" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.DeviceContextInitializer, Microsoft.ApplicationInsights" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.MachineNameContextInitializer, Microsoft.ApplicationInsights" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.AzureRoleEnvironmentContextInitializer, Microsoft.ApplicationInsights.Extensibility.Web" />
    </ContextInitializers>
    <TelemetryInitializers>
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.TelemetryInitializers.WebOperationNameTelemetryInitializer, Microsoft.ApplicationInsights.Extensibility.Web" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.TelemetryInitializers.WebOperationIdTelemetryInitializer, Microsoft.ApplicationInsights.Extensibility.Web" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.TelemetryInitializers.WebUserTelemetryInitializer, Microsoft.ApplicationInsights.Extensibility.Web" />
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.TelemetryInitializers.WebSessionTelemetryInitializer, Microsoft.ApplicationInsights.Extensibility.Web" />
    </TelemetryInitializers>
    </ApplicationInsights>

    I'm not sure if we have documentation about this somewhere yet. But your guess was right. You can remove the 2 modules and AI will not read and set cookies.
    Another option is to disable cookie setting but not reading. You would want this if you have the JS SDK that sets cookies and you want the Web SDK to read them and apply them to server telemetry types.
    <Add Type="Microsoft.ApplicationInsights.Extensibility.Web.RequestTracking.TelemetryModules.WebSessionTrackingTelemetryModule, Microsoft.ApplicationInsights.Extensibility.Web" >
    <SetCookie>false</SetCookie>
    </Add>
    There are also 2 telemetry initializers for user and session. They take session and user from the RequestTelemetry that was created by the Web SDK and initialized in those modules, and apply the same session to other telemetry types like events and exceptions. If you cut the modules you can cut the telemetry initializers as well.
    Anastasia

  • Disable Non SSL for Fusion Middleware Instance

    There is plenty of good information on implementing SSL (https) for an instance, but very little on how to disable non-SSL (http) access. Right now, I have both https and http access to the site. How do I stop the http (non-SSL) access?
    Thanks,
    Ron

    Change the port.
    5.3.2.2 Changing the Oracle HTTP Server Non-SSL Listen Port
    In document E10105-06.
    If there's no port, you have disabled non-SSL.

  • Disable Non-SSL

    Hi. After not being successful using EPG, I installed and configured HTTP Server (11.2). I also configured it to listen as SSL (port 4443). How do I disable port 7777 (default, non-secure)?
    I know there is an option in APEX Admin to require SSL, but it still keeps loading the login page. I would like to stop listening on port 7777.
    How should I do it? Besides, what is the best way to disable the EPG listening too? (It is working on both configs: HTTP Server on port 4443, and EPG on port 4458. Http on EPG is already disabled, but how do I disable https?)
    Thanks in advance.

    Try DBMS_XDB.SETHTTPPORT(0);
    Another good option in your app is to check the protocol, and if it's HTTP, then redirect to HTTPS. The advantage is that it silently changes to https rather than just dying.
    Something like:
    declare
      l_https varchar2(4000);
      l_query varchar2(4000);
    begin
      -- dump all your gateway vars to see what's available to construct the https url
      -- owa_util.print_cgi_env
      -- REQUEST_PROTOCOL is HTTP or HTTPS; SERVER_PROTOCOL is the HTTP version (HTTP/1.1) on both
      if owa_util.get_cgi_env('REQUEST_PROTOCOL') = 'HTTP'
      then
        l_query := owa_util.get_cgi_env('QUERY_STRING');                           -- p=222:1:0:::::
        l_https := 'https://'||
                   replace(owa_util.get_cgi_env('HTTP_HOST'), ':7777', ':4443')||   -- myhost:7777 --> myhost:4443
                   owa_util.get_cgi_env('SCRIPT_NAME')||                            -- /apex
                   owa_util.get_cgi_env('PATH_INFO')||                              -- /f
                   case when l_query is not null then '?'||l_query end;             -- keep the query string
        owa_util.redirect_url(l_https, 'TRUE');
      end if;
    end;
    Edited by: maceyah on Mar 18, 2011 2:49 PM

  • Session Cookies Being Overwritten Browsing From SSL to Non SSL

    I have created a bug report for this issue as well.
    Please note I am using J2EE session variables so keep that in mind.
    I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
    For example:
    Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Encrypted connections only".
    Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Any type of connection".
    Here's the problem:
    Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
    Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
    Steps to Reproduce:
    1. Clear your cookies.
    2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
    3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
    This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
    Has anyone else experienced this?


  • What is session tracking in servlets?

    Hi ,
    I'm studying servlets and I don't have a clear idea about session tracking, or why and where we need to use it. Can anyone say something about this.....
    Thanks in advance,
    Maheshwaran Devaraj

    Well Mheshpmr, session tracking in servlets is very important... There are a number of problems that arise from the fact that HTTP is a "stateless" protocol. In particular, when you are doing on-line shopping, it is a real annoyance that the Web server can't easily remember previous transactions. This makes applications like shopping carts very problematic: when you add an entry to your cart, how does the server know what's already in your cart? Even if servers did retain contextual information, you'd still have problems with e-commerce. When you move from the page where you specify what you want to buy (hosted on the regular Web server) to the page that takes your credit card number and shipping address (hosted on the secure server that uses SSL), now let me tell you, how does the server remember what you were buying?
    Well, there are three typical solutions to this problem.
    1. Cookies. You can use HTTP cookies to store information about a shopping session, and each subsequent connection can look up the current session and then extract information about that session from some location on the server machine. This is an excellent alternative, and is the most widely used approach. However, even though servlets have a high-level and easy-to-use interface to cookies, there are still a number of relatively tedious details that need to be handled:
    * Extracting the cookie that stores the session identifier from the other cookies (there may be many, after all),
    * Setting an appropriate expiration time for the cookie (sessions interrupted by 24 hours probably should be reset), and
    * Associating information on the server with the session identifier (there may be far too much information to actually store it in the cookie, plus sensitive data like credit card numbers should never go in cookies).
    2. URL Rewriting. You can append some extra data on the end of each URL that identifies the session, and the server can associate that session identifier with data it has stored about that session. This is also an excellent solution, and even has the advantage that it works with browsers that don't support cookies or where the user has disabled cookies. However, it has most of the same problems as cookies, namely that the server-side program has a lot of straightforward but tedious processing to do. In addition, you have to be very careful that every URL returned to the user (even via indirect means like Location fields in server redirects) has the extra information appended. And, if the user leaves the session and comes back via a bookmark or link, the session information can be lost.
    3. Hidden form fields. HTML forms have an entry that looks like the following: <INPUT TYPE="HIDDEN" NAME="session" VALUE="...">. This means that, when the form is submitted, the specified name and value are included in the GET or POST data. This can be used to store information about the session. However, it has the major disadvantage that it only works if every page is dynamically generated, since the whole point is that each session has a unique identifier.
    Servlets provide an outstanding technical solution: the HttpSession API. This is a high-level interface built on top of cookies or URL-rewriting. In fact, on many servers, they use cookies if the browser supports them, but automatically revert to URL-rewriting when cookies are unsupported or explicitly disabled. But the servlet author doesn't need to bother with many of the details, doesn't have to explicitly manipulate cookies or information appended to the URL, and is automatically given a convenient place to store data that is associated with each session.

  • Custom sig: Non-SSL over SSL port

    I am trying to build a custom signature for detecting non-SSL traffic on a specific SSL port (let's say tcp/443). This has to do with CONNECT tunnels through an HTTP proxy. Conceptually, it's not a complicated idea. Whether or not it can technically be done effectively with the Cisco IPS I don't know.
    It seems that very early in every SSL connection, there is an SSL "client hello" message (SYN, SYN/ACK, ACK, CLIENT HELLO). There are two relevant record formats, SSLv2 and SSLv3/TLS. I would like to create a signature that fires when it DOES NOT see the client hello message very early in a given TCP session. I would want the signature to only need to check the very first n packets of any given TCP session (n = max size of connection establishment + max size of client hello packet). Has anyone created such a beast or willing to help? Here are a couple of packets.
    SSLv3 Client Hello
    0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
    0010 00 8e 33 b8 40 00 3e 06 94 16 ce c3 c3 6c 40 22 ..3.@.>......l@"
    0020 a2 49 58 27 01 bb b7 42 c6 92 fd 36 a3 d1 50 18 .IX'...B...6..P.
    0030 44 70 08 e2 00 00 16 03 00 00 61 01 00 00 5d 03 Dp........a...].
    0040 00 44 5f 9a 77 69 49 5a 85 52 a0 96 38 b3 b4 15 .D_.wiIZ.R..8...
    0050 8f db f2 0f c9 0e ea 10 f5 69 39 8c 58 87 e5 33 .........i9.X..3
    0060 70 20 ba 06 1e 3f d4 4e 3c d0 de a8 ea 4e a3 7f p ...?.N<....N..
    0070 0f 07 fd 5f 88 07 17 ef 50 ce 6b cf 10 e3 84 99 ..._....P.k.....
    0080 04 a2 00 16 00 04 00 05 00 0a 00 09 00 64 00 62 .............d.b
    0090 00 03 00 06 00 13 00 12 00 63 01 00 .........c..
    TLSv1 Client Hello
    0000 00 0f 20 6c 99 8b 00 a0 8e 82 c4 c1 08 00 45 00 .. l..........E.
    0010 00 96 a2 89 40 00 7f 06 32 b3 ce c3 c2 29 ce c3 ....@...2....)..
    0020 c6 74 0d 13 01 bb 38 17 d5 89 98 0f fc 73 50 18 .t....8......sP.
    0030 44 70 6c 75 00 00 16 03 01 00 69 01 00 00 65 03 Dplu......i...e.
    0040 01 44 5f 9a 84 8a 94 ab f3 78 e7 b1 c9 ca 04 34 .D_......x.....4
    0050 3b 95 1b 86 51 05 5f ac 9d a0 b0 69 fe 0c 27 e5 ;...Q._....i..'.
    0060 9c 20 78 08 00 00 ce c3 c2 29 58 58 58 58 58 58 . x......)XXXXXX
    0070 58 58 58 58 58 58 58 58 58 58 48 9a 5f 44 8c 4b XXXXXXXXXXH._D.K
    0080 05 00 00 1e 00 04 00 05 00 2f 00 33 00 32 00 0a ........./.3.2..
    0090 00 16 00 13 00 09 00 15 00 12 00 03 00 08 00 14 ................
    00a0 00 11 01 00 ....
    SSLv2 Client Hello
    0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
    0010 00 82 fb a7 40 00 3e 06 cf 32 ce c3 c3 6c 9f 35 ....@.>..2...l.5
    0020 40 36 58 6d 01 bb b7 78 06 1b cd e2 e2 3d 80 18 @6Xm...x.....=..
    0030 44 70 47 6b 00 00 01 01 08 0a 31 fd f9 51 00 00 DpGk......1..Q..
    0040 00 00 80 4c 01 03 00 00 33 00 00 00 10 00 00 04 ...L....3.......
    0050 00 00 05 00 00 0a 01 00 80 07 00 c0 03 00 80 00 ................
    0060 00 09 06 00 40 00 00 64 00 00 62 00 00 03 00 00 ....@..d..b.....
    0070 06 02 00 80 04 00 80 00 00 13 00 00 12 00 00 63 ...............c
    0080 7b af 57 75 f8 a9 72 54 23 29 32 50 bf ef 1e a9 {.Wu..rT#)2P....
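Added example, not from the poster and not a Cisco IPS signature: the byte-level decision a sensor would need, namely whether the first TCP payload bytes on the SSL port are an SSLv2 or SSLv3/TLS client hello, run over the payloads of the three dumps above and over a constructed plaintext request line. Java is used to match the rest of this page; the class and method names are made up.

```java
import java.nio.charset.StandardCharsets;

/**
 * Decides whether the first bytes of a TCP payload on an SSL port look like
 * a client hello. A sensor that wants to flag "not SSL on tcp/443" needs
 * exactly this decision, applied once per connection to the first data segment.
 */
public final class ClientHelloCheck {

    public enum Kind { SSLV2_CLIENT_HELLO, SSLV3_TLS_CLIENT_HELLO, NOT_A_CLIENT_HELLO, NEED_MORE_DATA }

    public static Kind classify(byte[] p) {
        if (p.length < 5) return Kind.NEED_MORE_DATA;
        int b0 = p[0] & 0xff;

        // SSLv2 record: 2-byte header with the high bit set (len = low 15 bits),
        // then MSG-CLIENT-HELLO (0x01) and the client's highest version:
        // 0x0002 (SSLv2 only) or 0x03xx (SSLv3 / TLS offered through a v2 hello).
        if ((b0 & 0x80) != 0) {
            int recordLen = ((b0 & 0x7f) << 8) | (p[1] & 0xff);
            int major = p[3] & 0xff, minor = p[4] & 0xff;
            boolean versionOk = (major == 0x00 && minor == 0x02) || (major == 0x03 && minor <= 0x03);
            // 9 = msg type + version + cipher-spec len + session-id len + challenge len
            boolean ok = p[2] == 0x01 && versionOk && recordLen >= 9;
            return ok ? Kind.SSLV2_CLIENT_HELLO : Kind.NOT_A_CLIENT_HELLO;
        }

        // SSLv3/TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length,
        // then handshake type 0x01 (client_hello), 3-byte length, client version 0x03xx.
        if (b0 != 0x16) return Kind.NOT_A_CLIENT_HELLO;
        if (p.length < 11) return Kind.NEED_MORE_DATA;
        int recordLen = ((p[3] & 0xff) << 8) | (p[4] & 0xff);
        int helloLen = ((p[6] & 0xff) << 16) | ((p[7] & 0xff) << 8) | (p[8] & 0xff);
        boolean ok = (p[1] & 0xff) == 0x03 && (p[2] & 0xff) <= 0x03
                && p[5] == 0x01
                && helloLen + 4 <= recordLen          // the hello must fit inside the record
                && (p[9] & 0xff) == 0x03 && (p[10] & 0xff) <= 0x03;
        return ok ? Kind.SSLV3_TLS_CLIENT_HELLO : Kind.NOT_A_CLIENT_HELLO;
    }

    /** Parses "16 03 00 ..." style hex, as in the dumps above, into bytes. */
    public static byte[] hex(String s) {
        String[] parts = s.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = (byte) Integer.parseInt(parts[i], 16);
        }
        return out;
    }

    public static void main(String[] args) {
        // TCP payloads copied from the three dumps above (Ethernet/IP/TCP headers removed).
        // SSLv3: record 16 03 00 len 0x0061; hello 01 len 0x00005d, version 03 00
        System.out.println("SSLv3 dump: " + classify(hex("16 03 00 00 61 01 00 00 5d 03 00")));
        // TLSv1: record 16 03 01 len 0x0069; hello 01 len 0x000065, version 03 01
        System.out.println("TLSv1 dump: " + classify(hex("16 03 01 00 69 01 00 00 65 03 01")));
        // SSLv2: header 80 4c (len 0x4c), msg 01, version 03 00, cipher-spec len 0x0033
        System.out.println("SSLv2 dump: " + classify(hex("80 4c 01 03 00 00 33 00 00 00 10")));
        // Constructed: a plaintext HTTP request line sent to the SSL port, the case to flag.
        byte[] plain = "GET / HTTP/1.1\r\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println("plaintext : " + classify(plain));
    }
}
```

The first three calls return the two client hello kinds and the fourth returns NOT_A_CLIENT_HELLO; a sensor only needs to evaluate this on the first data-bearing segment after the handshake, which is the "first n packets" constraint the question describes.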

    Hi mhellman:
    I can see 3 difficulties with this kind of signature.
    1) To determine the order of the packets.
    2) To determine that it happens at the very beginning of the connection.
    3) To fire when the traffic doesn't match the signature.
    Difficulty number 3, I think, is impossible to resolve because the sensor can compare the traffic with a well defined pattern and fire when it matches, but not when it doesn't.
    Difficulty number 2:
    You need a kind of state signature because this can be classified like a state machine (first the three-way handshake, then the hello packet) but I can't see fields in the state engine that help in this case.
    Difficulty number 1 could be resolved by a Meta signature.
    You will need to create a custom atomic signature for the SYN packet, another for the SYN/ACK, another for the ACK, and the last one for the hello packet.
    Then create a meta signature and add the four atomic signatures with a strict order.
    But guess what...
    Meta signatures don't permit custom signatures.
    I think this kind of signature is impossible to write.
    But I'd try.
    Regards
    Alberto Giorgi from Spain.

  • Can we use an overloaded constructor of a Java Bean with Session Tracking

    Hi Friends,
    If any one can solve my query.... It would be helpful.
    Query:
    I have a Java Bean with an overloaded constructor in it. I want to use the overloaded constructor in my JSP.
    1. One way of doing that is to use it directly in the "Scriptlets" (<% %>). But then I am not sure of the way to do session tracking. I think I can use the implicit objects like "session", "request" etc. but not sure of the approach or of the implementation method.
    2. Another way is through the directive <jsp:useBean>. But I cannot call an overloaded constructor with <jsp:useBean>. The only alternative way is to use the directive <jsp:useBean> where I have to write getter and setter methods in the Java Bean and use the <jsp:setProperty> and <jsp:getProperty> standard actions. Then with this approach I cannot use the overloaded constructor.
    Can anyone suggest the best approach to solve this problem?
    Thanks and Regards,
    Gaive.

    My first reaction is that you can refactor your overloaded constructor into an init(arguments...) method. Instead of overloaded constructor, you can call that init method. This is the ideal solution if possible.
    As to the two choices you listed:
    1. This is OK, I believe. You can use a scriptlet to define the bean and put it into the session scope of the pageContext. I am not sure exactly what you meant by session tracking; whatever you meant, it should be doable using HttpSessionAttributeListener and/or HttpSessionBindingListener.
    2. Agreed. There is no way that <jsp:useBean> can call a constructor that has non-empty arguments.
    Please tell me how it works for you.

  • Http.keepAlive does not turn off SSL session cache?

    Hi there,
    I have a web service client that uses JSSE for making web service calls via https. In an effort to debug problems, I set http.keepAlive to false. I can see from the SSL debug output that the KeepAlive timer messages no longer show up, but I still see text such as "Cached client session" and "try to reuse cached session", etc.
    Should not turning off keepAlive disable the use of persistent sessions?
    Thanks.
    Yan

    They are unrelated features.
    HTTP Keep Alive allows the browser to maintain a Socket to the server and issue multiple HTTP requests over that same socket.
    SSL Session caching is when an SSL Session is assigned an ID, and additional SSL connects may be established with the same ID. These additional sockets then do not need to perform the full SSL handshake, since much of the data has already been negotiated previously.

  • Always use URL Rewriting for session tracking?

    All you JSP gurus:
    I am working on a JSP project that requires session tracking. I have successfully implemented session tracking with both cookies and URL rewriting. I know that with the HttpSession object, it will always try to use cookies first, and if that's disabled, then it'll automatically switch to URL rewriting. However, is there a way to force the HttpSession object to ALWAYS use URL rewriting instead of cookies? I have searched for an answer for a long time and haven't been able to find a solution. Is it possible at all? Thank you very much.

    I was going to say that WebSphere always uses URL rewriting if you enable it at all, but someone beat me to it (indirectly) :-)
    However, that seemed to me to be a violation of the spec, which seemed to imply the behaviour you're describing (only use URL rewriting if cookies are not supported on the current client).
    Here's a response someone else made on a WebSphere newsgroup to a statement in that regard:
    I believe you are technically correct. However from my experience, I think the spec is flawed in this area since there is no reliable way of determining whether the client browser supports cookies. The authority on cookies (www.cookiecentral.com) says:
    "To properly detect if a cookie is being accepted via the server, the cookie needs to be set on one HTTP request and read back in another. This cannot be accomplished within 1 request."
    This is asking too much of a servlet engine implementation. Even if it did submit a request for this purpose, the user could refuse the cookie. So then technically the browser supports cookies, but the servlet engine infers it doesn't. So if the servlet engine infers the browser does not support cookies and so encodes the URL, it is again out of spec because the browser really does support cookies. By doing it however encoding is configured makes things simpler, robust, consistent and avoids the flaw.
    My opinion.
    So, mostly I'm just rambling, but if you're using WebSphere, you should get the behaviour your boss wants. If you're using something else, I suppose there's a chance it'll "violate" the spec in this same, potentially helpful way.
    BTW, I remember somebody else complaining that URL rewriting is less secure than cookies, but I kinda think they're about equal. It seems like either could be intercepted by a sniffer and then used to spoof. But I'm no expert in that stuff...

  • J2EE session variables & Non Random Session IDs

    Our server keeps failing our PCI compliance test due to the Session ID's being non random.
    Description: Web Server Uses Non Random Session IDs
    Synopsis: The remote web server generates predictable session IDs.
    Impact: The remote web server generates a session ID for each connection. A session ID is typically used to keep track of the actions of a user while he visits a web site. The remote server generates non-random session IDs. An attacker might use this flaw to guess the session IDs of other users and therefore steal their session.
    See also: http://pdos.csail.mit.edu/cookies/seq_sessionid.html
    Data Received: Sending several requests gives us the following session IDs: CFID=896744 CFID=896745 CFID=896746 CFID=896747 CFID=896748
    Resolution: Configure the remote site and CGIs so as to use random session IDs.
    Risk Factor: Medium / CVSS2 Base Score: 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N
    We are using J2EE session variables which I thought was the more secure option. Is there something else you have to do to guarantee that the Session ID's are non random or is this the Compliance test picking up on a false positive?
    P.S. It's a recent migration to CF10, don't know if that has anything to do with it.

    Personally, I use the client scope instead of the session scope so that I don't have to worry about sticky sessions.  That has always worked out nicely for me.
    I read that article you referenced, and it's got some interesting stuff.  In particular, I have seen the client scope database tables not purge as they're supposed to.  And the stuff about preparing, executing, and then unpreparing SQL statements on each request is alarming, if true.
    However, I have to say that I have never, ever, ever, ever had performance issues due to client variables.  Not once.  Whatever performance hit my application may incur from using client variables has, to this point, been completely dwarfed by the performance of the application itself.  And, c'mon, the stuff about being lazy because you don't want to spend precious engineering time worrying about something like session management (which is never going to add value to your product) rather than coding something actually useful to your end users...that seems overly harsh to me.
    I completely agree that storing client vars in the Windows Registry is bananas, as is the default 90 day purge limit (though as of CF 9.0.whatever, the default is 1 day, 7 hours, so clearly they've made some changes since this article was written).  But I'm loathe to throw away client-based management.
    I think, getting back to the issue at hand, that this may be a false positive.  CFID is sequential, but CFTOKEN is not; that should really be the end of the story.  I'll see if McAfee will listen.  (-;

  • Dsee 6.3.1 - disable non-secure port

    I disabled access to the non-secure port on my ldapserver as I only want clients to talk to my server using ssl (tls:simple)
    root@ldapserver#/> dsconf set-server-prop ldap-port:disabled
    After the compulsory restart, I was no longer able to bind a client (even if I tell it to connect on port 636) :
    root@ldapclient #/> ldapclient init -v -a profileName=SB -a domainName=unix.mydomain.com -a proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com ldapserver.mydomain.com:636
    Parsing profileName=SB
    Parsing proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
    Arguments parsed:
    proxyDN: cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
    profileName: SB
    defaultServerList: ldapserver.mydomain.com:636
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    __ns_ldap_list return NULL resultp
    findBaseDN: Err exit
    LDAP ERROR (85): Error occurred during receiving results. Timed out.
    Failed to find defaultSearchBase for domain unix.mydomain.com
    I know my certs are good as ldapsearch returns data as I would expect...
    root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com uid=myuser
    returns my userid.
    There is an anonymous read only ACI in place:
    root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com -s base "(objectclass=*)" aci
    aci: (target ="ldap:///dc=unix,dc=mydomain,dc=com")(targetattr!="userPassword")(
    version 3.0;acl "Anonymous read-search access";allow (read, search, compare)
    (userdn = "ldap:///anyone");)
    As soon as I re-enable standard 389 access the client init works fine again....
    Am I missing something here?
    Does the `ldapclient init` command need to make a 389 connection first before it downloads the profile which tells it to use tls:simple and therefore port 636 from then onwards?

    quote:
    SSL enables support for the Start TLS extended operation that provides security on a regular LDAP connection. Clients can bind to the non-SSL port and then use the Transport Layer Security protocol to initiate an SSL connection. The Start TLS operation allows more flexibility for clients, and can help simplify port allocation.
    [http://docs.sun.com/app/docs/doc/820-2765/gdzdc?l=en&a=view]

  • Mixing ssl and non ssl jsp pages.

    Hi,
    I am new to Weblogic 8.1 and I would like to learn how to set up a few jsp pages in https:// and a few pages to be served over the http:// protocol.
    I have created a managed server using 7004 for http and 7040 for https. Currently I have 2 jsp pages, index.jsp and test.jsp, and both pages can be accessed using http:// or https://
    I want to make test.jsp work only with https:// and not with http://. How do I configure this?
    In real-world web applications, how does switching between http and https work? Are the URLs hard coded in the controller servlet?
    Some tips would be helpful.
    Uma

    Hi,
    To do this task do the following,
    1. Create a property file in your application. For example let us take myapp.properties
    2. Include the following in the myapp.properties file
    #sslport=7002
    #nonsslport=7001
    #serverip=127.0.0.1
    #ctpath=myApp
    # In your case (7040 is your https port, 7004 your http port)
    sslport=7040
    nonsslport=7004
    serverip=127.0.0.1
    # ctpath is the web deployment directory
    ctpath=yourapp
    3. Create a class to read the property file, say PropertyReader.java, and implement the following
    import java.util.Properties;
    Properties props = new Properties();
    props.load(getClass().getResourceAsStream("/myapp.properties")); // myapp.properties on the classpath
    String sslport = props.getProperty("sslport");
    String nonssl = props.getProperty("nonsslport");
    String serverip = props.getProperty("serverip");
    String cpath = props.getProperty("ctpath");
    4. Initialise the PropertyReader class and in the property class keep the following variables in admin session data
    String sslpath = "https://" + serverip + ":" + sslport + "/" + cpath;
    String nonsslpath = "http://" + serverip + ":" + nonssl + "/" + cpath;
    5. Use these variables for ssl or nonssl
    response.sendRedirect(sslpath + "/bank.jsp"); //for ssl
    response.sendRedirect(nonsslpath + "/welcome.jsp"); //for non ssl
    in the same way.
    Regards,
    Nishant Kulkarni
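Added example (not from Nishant's reply above nor from the PL/SQL redirect earlier on this page) of the same http-to-https switch done once in a servlet filter instead of in every page: requests for protected paths are sent to the https listener with path and query string preserved, and the target host and port come from filter init-params rather than from the request's Host header, so a forged Host header cannot turn the redirect into one to another site. It assumes a Servlet 2.3+ container, a web.xml mapping of the filter to /* and init-params named httpsHost, httpsPort and securePaths (all names made up).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects plain-http requests for protected pages to the https listener.
 * Mapped to /* in web.xml with init-params (names assumed):
 *   httpsHost   = myhost.example      host clients should be sent to
 *   httpsPort   = 7040                the SSL listen port
 *   securePaths = /test.jsp,/admin/   context-relative prefixes that require TLS
 */
public class RequireHttpsFilter implements Filter {

    private String httpsHost;
    private int httpsPort;
    private final List<String> securePrefixes = new ArrayList<String>();

    public void init(FilterConfig cfg) throws ServletException {
        httpsHost = cfg.getInitParameter("httpsHost");
        httpsPort = Integer.parseInt(cfg.getInitParameter("httpsPort"));
        for (String p : cfg.getInitParameter("securePaths").split(",")) {
            securePrefixes.add(p.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Already on TLS, or a page that may be served in the clear: pass through.
        if (http.isSecure() || !requiresTls(http)) {
            chain.doFilter(req, res);
            return;
        }
        // A form body cannot be carried across a redirect, and it has already been
        // sent in the clear; refuse rather than silently drop or accept it.
        String method = http.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "this page requires https");
            return;
        }
        out.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        out.setHeader("Location", httpsUrl(http));
    }

    /** True when the context-relative path starts with one of the protected prefixes. */
    boolean requiresTls(HttpServletRequest http) {
        String path = http.getRequestURI().substring(http.getContextPath().length());
        for (String prefix : securePrefixes) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Same context path, servlet path, path info and query string; https scheme, configured host:port. */
    String httpsUrl(HttpServletRequest http) {
        StringBuilder url = new StringBuilder("https://").append(httpsHost);
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(http.getRequestURI());
        if (http.getQueryString() != null) {
            url.append('?').append(http.getQueryString());
        }
        return url.toString();
    }

    public void destroy() { }
}
```

For Uma's setup, securePaths=/test.jsp and httpsPort=7040 makes http://host:7004/yourapp/test.jsp answer with a redirect to https://host:7040/yourapp/test.jsp while index.jsp stays reachable on both ports.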

  • Tomcat Session Tracking with Object Post and Repeated Applet Jar Download

    Hi there,
    I have an issue with session tracking in Tomcat (5.0.28) and the JRE repeatedly downloading the original Applet Jar.
    Everything works fine (session tracking and HTTP GETs) until I post an Object from the Applet to a Servlet and the Servlet reads the Object.
    After that happens the JRE downloads the Applet Jar about 20 times and continues to download it after further requests to the Servlet.
    Not sure if the following is related but I'm parsing XML returned by the Servlet in the Applet and I get the following in the Tomcat logs:
    127.0.0.1 - - [08/Feb/2005:08:43:12 +0000] "GET /[webapp_path]/servlet/META-INF/services/javax.xml.parsers.SAXParserFactory HTTP/1.1" 404 1142
    If I turn off the session tracking in the Servlet it all works fine.
    I'm using the standard HttpSession tracking API.
    Any help is much appreciated as this is a serious issue!
    Ian

    ...furthermore...
    I've now found I had disabled caching in the JRE.
    If I enable it, then immediately after a POST (not an Object) the Applet is repeatedly downloaded, and it appears more so than before.

  • Customer login session tracking questions

    Hi,
    I work for a research support group at a university. We have a mixed platform environment. The nature of the services we provide requires that we bill for time spent on our compute devices.
    There are a couple of questions in this posting. The fundamental one though is -- for 10.4 and higher Macs running on Intel and non-Intel hardware what is the "best" solution to track login sessions for our customers? A session has to include the concepts of logging in and out from the console or remote (ssh) access to the machine(s).
    I am interested in Apple native and third party or open source solutions. I need to track/log that customer-X logged in to machine-M at dateTime-T and logged out at dateTime-T'. I also need to know if the machine was (re)booted or had some other action occur that would impact a customer login session.
    So the main question is, are there existing customer session tracking solutions?
    I have an existing home grown (non-Intel) solution that works well on non-Intel macs and other *nix boxes. It is a daemon that reads accumulated, rotated wtmp files and then "hangs" on the current wtmp file waiting for and processing session records as they arrive.
    This worked like a champ until we installed our first Intel Mac. I re-compiled the C code that uses the utmp.h include files and structs to get at the info but it silently fails. I received some advice on changing my make file and am currently using:
    # Mac OS
    CC = gcc -Wall -g
    CFLAGS = -I/usr/include/mysql -isysroot \
    /Developer/SDKs/MacOSX10.4u.sdk -arch ppc -arch i386 \
    -framework CoreServices
    LDFLAGS = -L/usr/lib/mysql -lmysqlclient -lz \
    -Wl,-syslibroot,/Developer/SDKs/MacOSX10.4u.sdk \
    -arch ppc -arch i386
    PLATFORM = osx
    wtmp_parser: wtmp_parser.c
    	${CC} ${CFLAGS} -o $@ $? ${LDFLAGS}
    	/bin/mv $@ $@.${PLATFORM}
    Again, this compiles without error but silently fails. I don't know anything about compiling on any Macs, much less these new ones. Ideas are greatly appreciated.
    Lastly, I have started reworking the whole setup and may move it all to Perl. There I can read the wtmp files easily using unpack(), even on the Intel Macs. I can daemonize the thing, but I'm stumbling a bit on one issue.
    I have noticed in the past that there can be a sort of race condition during the wtmp rotation on some machines where the active wtmp gets rotated but the old logging still writes one or two records to the rotated file before switching to the new one. I was starting to look into a programmatic solution for this when I looked at the rotated wtmp files on this one machine and I see file dates of:
    Dec 5 15:29 wtmp
    Oct 1 01:47 wtmp.0.gz
    Aug 29 16:05 wtmp.1.gz
    Aug 1 05:29 wtmp.2.gz
    Jul 31 18:26 wtmp.3.gz
    May 31 2007 wtmp.4.gz
    Okee... I know there is a /etc/monthly script that should be doing the rotation but it looks like it is not doing what I expect. It seems that it is not rotating all the existing files correctly. Ideas?

    I am done. Sorry for bothering.
