Exchange Portlet - Session Cookies - Collapsing Portlets

I am having trouble with the exchange portlet collapsing when refreshed.
I have been tracing through the code and narrowed it down to a missing cookie in the PortletRenderRequest object.
The process method in ExchangeProvider creates a new ApplicationLogin object using the PortletRenderRequest object.
When the ApplicationLogin object is created it scans the cookie list in the request object for the exchangecookie which it then uses to populate the login details and sets the logged-in flag to true, if it can't find the cookie it assumes the caller is not logged in and sets the logged-in flag to false.
The first time the ExchangeProvider.process method is called there are two cookies in the list (an exchangecookie and a JServSessionIdroot cookie) which is fine because it sets up the users details as expected, the second time it gets called (when you refresh the page) the exchangecookie has disappeared from the request object, so it leaves the ApplicationLogin object in the logged-in = false state, which inturn means the page does not get rendered.
Does anyone know when the exchangecookie gets created and when it gets passed around? This would help in tracking down the error, or better still does anyone know how to fix this problem?
Any help would be greatly appreciated.
DJ
P.S. There is a known problem in Oracle Financials and Application Server with cookies and IE, but this problem occurs in IE and NS so it does not appear to be browser dependent.
null

If I comment out caching and set login to "always" the portlets take 2-5 minutes to render, which is not acceptable for deployment.
Can anybody fix the JPDK or the portlets?
John
<BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by Amr El Magayry ([email protected]):
Alan ,
Comment the code that do caching in the begining of each renderShow method in each of the four renderer classes (e.g. InboxRenderer,CalendarRenderer, ...), together with login freqeuncy set to 'Always', it will work.
Pls Send me your code to fix the Ok & Apply buttons in the Customize page.
Amr<HR></BLOCKQUOTE>
null

Similar Messages

  • Session-syncronized web portlets (a la master-detail), how to?

    Hi.
    Here is what I want: I have a number of servlet portlets on a page. The user activates a form action on one portlet. The parameters go to that portlet only. The portlet calls some data provider (e.g. a servlet) to fetch some data. When the data arrives the portlet makes it available to all portlet-threads (do i undersstand it correctly?) in the session and tell them to go and present the data according to their predefined XSLTs.
    Now my questions are: Is there built-in support for this syncronization in Portal? What should be the preferred way to do this? Or have I missed something in the docs? (In that case my appologies, but please point out for me.)
    FYI, our current solution is to have all portlets send requests with session info to a "conventional" servlet where the threads for slave portlets are put on hold and the master is passed on to the data layer. When the data comes back it is converted to XML. Then all threads in the session fetch the XML and send back to their respective portlets where the XSLT is done. Any comments on this solution?
    BTW, what is the best way to syncronize servlet threads based on session?
    Any information are much appreciated.
    Jian Hu

    One way of approaching your issue is to simplify. While portlets are executed in parallel, you are guaranteed that they will all be called at a point right after the page is requested and that they will all complete when the page is rendered (either by success or timeout).
    You cannot predict the order of execution between those two points in time, but you can use those bounds to your advantage.
    For example, if you can guarantee that you can commit information to a database before a new page request, you can have all your portlets read from that source.
    Synchronization is a tricky issue and there are others that may know more about it. I'm just presenting one possibility.

  • JSTL, HttpSession and Portlet Session

    Here's a mysterious problem.
    I am trying to use portlet with JSP together. Inside the portlet, I populate some data, put the data into portlet session and dispatch (include) to a jsp. On the jsp, if I use JSTL to access the http session data:
    <c:out value="{sessionScope.test}"/> I got the following excepiton:
    14:27:08,880 ERROR StandardWrapper[portlet:jsp]:727 - Servlet.service() for se
    vlet jsp threw exception
    java.lang.IllegalStateException: Cannot access session scope in page that does
    ot participate in any session
    at org.apache.jasper.runtime.PageContextImpl.doGetAttribute(PageContext
    mpl.java:264)
    at org.apache.jasper.runtime.PageContextImpl.getAttribute(PageContextIm
    l.java:249)
    at org.apache.taglibs.standard.lang.jstl.ImplicitObjects$3.getValue(Imp
    icitObjects.java:633)
    If I use jsp scriptlet to access the http session, everything is fine:
    <%= request.getSession("test") %>
    Has anyone seen this exception? I posted the question on portlet forum already and no one is able to answer it so far.
    What's the different between JSTL sessionScope and jsp scriptlet?
    thanks!

    Try the calls
    <%= session.getAttribute("test") %>
    and
    <%= request.getSession().getAttribute("test") %>
    Make sure do not have on your page anywhere:
    <%@ page session="false" %>

  • Putting a HashMap in the portlet session

    I am trying to put a HashMap into a portlet session bean, so I am using this code
    HashMap sectype = getSessionBean(request).getAccess();
                   if (sectype == null){
                   Security security = new Security();
                   Vector secvec = security.findDistinctlevels(division, request.getUser().getID());
                   Iterator i = secvec.iterator();
                   while (i.hasNext()) {
                        sectype.put(i.next(),i);                                   
    getSessionBean(request).setAccess(sectype);
    it is falling over at the "if (sectype == null)" part. is there another way to test if the hashMap has been fullfilled by the session bean or I have to create one?

    "Falling over"?

  • Sharing a single session among multiple portlets for single application (e.g. wInsight)

    Does anyone know the best practices way for sharing a single Session for an application (running on a single Porlet server) among multiple portlets on a page?
    For example, the application wInsight uses 3 frames (navigation, search results - tabular, search results - chart) which need to communicate via the application's session scope. It is not just that we do not want for a single user to be running multiple sessions, but they really do share variable parameters this way.
    So far I can only think of trying to build a one true portlet and two empty containers on page load. I would use the portlet to establish the session with the Portlet server and then transfer the session information to the other two empty containers to instantiate their respective portlets. I haven't tried this yet, but will do so soon...
    Any help and feedback would be greatly appreciated.

    Karen,
    You can easiliy create several portlets out of a Struts application. For detailed instructions, refer to the Struts section of the Portal Developer's Guide.
    Good luck,
    Peter

  • How to secure session cookie

    Iam using iPlanet 6.0SP6 in NT 4.0.
    I would like to make the session cookie JSESSIONID to be transfer only on secure connection.
    Then, I make the change to web-apps.xml as below
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
         "http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
    <vs>
    <session-cookie is-secure="true"></session-cookie>
    </vs>
    After that, I restart the iplanet web server and load the page with I.E. again. I see that the cookie is still passed with non-secure mode.
    Is there any wrong with my web-apps.xml?

    Janice,
    Thanks for your help.
    When I use the below web-apps.xml, I can make the cookie in secure session.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
         "http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
    <vs>
    <web-app uri="/" dir="d:/java/docroot" enable="true">
    <session-manager class="com.iplanet.server.http.session.IWSSessionManager">
    <init-param>
    <param-name>maxSessions</param-name>
    <param-value>16000</param-value>
    </init-param>
    <init-param>
    <param-name>timeOut</param-name>
    <param-value>7200</param-value>
    </init-param>
    <init-param>
    <param-name>reapInterval</param-name>
    <param-value>30</param-value>
    </init-param>
    <init-param>
    <param-name>maxValueSize</param-name>
    <param-value>8192</param-value>
    </init-param>
    </session-manager>
    <session-cookie is-secure="true"/>
    </web-app>
    </vs>
    However, when I configure more on the web applicaiton with the web.xml, I check that the cookie no more secure.
    THe web.xml is
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
    <display-name>Trade Info Exchange</display-name>
    <description>
    Trade Info Exchange
    </description>
    <!-- Define servlets that are included in the example application -->
    <servlet>
    <servlet-name>Login</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.LoginServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>Login</servlet-name>
    <url-pattern>/Login</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>Fmenu</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.FmenuServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>Fmenu</servlet-name>
    <url-pattern>/Fmenu</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>Fcontent</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.FcontentServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>Fcontent</servlet-name>
    <url-pattern>/Fcontent</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>Express</servlet-name>
    <servlet-class>com.chase.apps.express.servlet.EXPRESS2</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>Express</servlet-name>
    <url-pattern>/EXPRESS2</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>AppControl</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.AppControlServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>AppControl</servlet-name>
    <url-pattern>/AppControl</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>errorPage</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.errorPage</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>errorPage</servlet-name>
    <url-pattern>/errorPage</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>LoginFail</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.LoginFailServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>LoginFail</servlet-name>
    <url-pattern>/LoginFail</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>Logout</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.LogoutServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>Logout</servlet-name>
    <url-pattern>/Logout</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>ChangePwdWarning</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdWarningServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>ChangePwdWarning</servlet-name>
    <url-pattern>/ChangePwdWarning</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>ChangePwd</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>ChangePwd</servlet-name>
    <url-pattern>/ChangePwd</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>ReLoginDialog</servlet-name>
    <servlet-class>com.chase.infra.appcontrol.servlet.ReLoginDialog</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>ReLoginDialog</servlet-name>
    <url-pattern>/ReLoginDialog</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>TradeTrackProcessSearch</servlet-name>
    <servlet-class>chase.app.tt.servlet.ProcessSearchServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>TradeTrackProcessSearch</servlet-name>
    <url-pattern>/TradeTrackProcessSearch</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>TradeTrackSearchScreen</servlet-name>
    <servlet-class>chase.app.tt.servlet.SearchScreenServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>TradeTrackSearchScreen</servlet-name>
    <url-pattern>/TradeTrackSearchScreen</url-pattern>
    </servlet-mapping>
    <servlet>
    <servlet-name>TradeTrackMain</servlet-name>
    <servlet-class>chase.app.tt.servlet.MainServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>TradeTrackMain</servlet-name>
    <url-pattern>/LCIMPORT</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>TradeTrackMain</servlet-name>
    <url-pattern>/LCEXPORT</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>TradeTrackMain</servlet-name>
    <url-pattern>/COLLIMP</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>TradeTrackMain</servlet-name>
    <url-pattern>/COLLEXP</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>TradeTrackMain</servlet-name>
    <url-pattern>/B2BMenu</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>TradeTrackMain</servlet-name>
    <url-pattern>/B2BMain</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
    <welcome-file>ctielogin.html</welcome-file>
    </welcome-file-list>
    </web-app>
    Pls advise how I can make the cookie secure for using the web.xml and web-apps.xml
    thanks
    samuel poon

  • Session cookie security

    A customer of mine asked me about session cookie security.
    Questions are :
    . session id randmoness
    . session id length
    . events producing session end (timeouts, navigation outside etc..)
    . HTTP maximim header length
    Could someone provide me informations/documentation about such questions ?
    Tks
    Tullio

    Again, you still did not mention if you are generalizing or speaking of a specific product and version. Since you posted your question in the "Forms" area, I guess we will assume you are referring to Forms. However, without the version information some of the info might vary. I guess in any case, you (or your customer) should try testing the product of choice as most Oracle products are free for download.
    <br>
    Session Id Length should be long at least 20 random characters" <br>
    <blockquote><font color="blue">Here is an example of what is generated for Forms 10.1.2.3 (other versions may vary):<br>
    <i>jsessionid=<b>9c1253bde83b0ed66ae9687525ef3536f960c8a0f40aa4fa14179b30656e1ea3</b></i><br>
    </font></blockquote>
    Http header should be less than 2100 characters<br>
    <blockquote><font color="blue">This will likely depend on exactly which
    product version is being used.  Also, it will depend on exactly
    which "header" information is being considered as part of the
    count.  For example, are you include all request and response
    data.  Are you including any of the body data?  Also consider
    that the host name and url parameters are part of these exchanges
    too.  So the total amount of characters in my environment would
    likely differ from yours simply because of a difference in my host name
    and parameters that I pass to call my app. In doing just a couple of
    simple tests using a basic tool like ieHTTPheaders and run it against
    Forms 10.1.2.3 on my local machine, I can see that the total can range
    from around 1000 up into over 2000.  So the exact header size is
    something you would need to test based on the app and environment to
    include the product version.</font><br>
    </blockquote>
    Session timout should be 15 minutes <br>
    <blockquote><font color="blue">The concept of "session timeout" will
    vary depending on what exactly we are talking about.  There are
    Forms sessions, db sessions, http sessions, java sessions, etc. 
    For the most part, all of these sessions times are configurable. 
    The only exception is the actually application itself.  In other
    words, Forms, by design is intended to be living.  Meaning, it will
    never die unless you kill it.  You would need to program in to
    your app exactly when you want its session to be destroyed.  If you
    wanted to destroy the app based on user inactivity, you would need to
    use a Java Bean in order to perform a clean exit.  Any other method
    would result in an ugly termination.  An example (unsupported
    demo) of such a bean is available on OTN in the Forms download area. 
    As for the other session configurations, they are documented in the product docs.</font><br>
    </blockquote>
    <br>

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up the HTTPOnly for the session cookies.
    1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies.
    2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.secure = "true"
    Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldnt understand this. I mean how are you relating this with my question.
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
    Name:
    JSESSIONID
    Content:
    782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain:
    xyz.abc.pqr.com
    Path:
    Send for:
    Any kind of connection
    Accessible to script:
    No (HttpOnly)
    Created:
    Wednesday, September 3, 2014 2:25:10 AM
    Expires:
    When the browsing session ends
    BKBK wrote:
    2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
    BKBK wrote:
    3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

  • Weblogic.httpd.session.cookies.enable not working in WLS4.5 sp 11 ?

    I want to disable the use of cookies in WLS 4.5, and set the following
    weblogic.httpd.session.cookies.enable=false
    In WLS 4.5 sp7, this correctly prevents the server from using cookies
    for session-tracking, forcing the extraction of the session id from a
    rewritten URL.
    However, for WLS 4.5 sp11 cookies are still sent from the server
    Is this a known issue ?
    jo

    I want to disable the use of cookies in WLS 4.5, and set the following
    weblogic.httpd.session.cookies.enable=false
    In WLS 4.5 sp7, this correctly prevents the server from using cookies
    for session-tracking, forcing the extraction of the session id from a
    rewritten URL.
    However, for WLS 4.5 sp11 cookies are still sent from the server
    Is this a known issue ?
    jo

  • Can portal session cookies be used between two data centers

    OAS generates the following header information and session information for my application. However when I need to failover the originating OAS datacenter into my hot stand-by for maintenance or upgrades, the OAS in the other datacenter responds with a 503 web error. We are using Akamai's GTM to manage the liveness of the datacenter, so we would need the hot stand-by OAS portal in that datacenter to return a 302 error code. Is there some method that we can add to our portal application which would always return a 302 error code.
    See header information collected through wfetch. The 503 error is caused by the hot stand-by data center not accepting or recognizing the cookie. Both OAS datacenters are IDENTICAL in Oracle levels, application levels, web servers, portals and OS patches.
    resolve hostname "170.107.183.32"WWWConnect::Connect("170.107.183.32","80")\nsource port: 2182\r\n
    GET /portal/pls/portal/PORTAL.wwsec_app_priv.login?p_requested_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home&p_cancel_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: en-us\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n
    Host: www.thomson-pharma.com\r\n
    Connection: Keep-Alive\r\n
    Cookie: ORA_WX_SESSION="10.225.8.30:80-1#2"; portal=9.0.3+en-us+us+AMERICA+3D66674E7EED0801E04400144F41424E+BBAA98EEB32D58C086231A8D6CBE2E5D402D89B0E79D83A18C668BB0CA7417B4044DEA389C8B50DD37D9272A24B4753B22F29978861DE14503F8B9BEDC2014654B26A434CF074F4D8749B88610ADADF5084A90ADBF749E2A; DATACENTER=EAGAN\r\n
    \r\n
    HTTP/1.1 503 Service Unavailable\r\n
    Cache-Control: private\r\n
    Content-Type: text/html\r\n
    Set-Cookie: ORA_WX_SESSION="10.237.138.33:80-1#2"\r\n
    Set-Cookie: portal=; expires=Wednesday, 27-Dec-95 05:29:10 GMT; path=/\r\n
    Connection: Keep-Alive\r\n
    Keep-Alive: timeout=5, max=999\r\n
    Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=208440262161,0)\r\n
    Content-Length: 710\r\n
    Date: Fri, 26 Oct 2007 14:58:07 GMT\r\n
    \r\n
    Thanks -John

    Hi John,
    This question is probably more appropriate in one of the Portal forums, but perhaps you can take a look at the information in section C.5 Configuring the Portal Session Cookie in Appendix C of the Portal Configuration guide.
    Here is a link: http://download.oracle.com/docs/cd/B14099_19/portal.1014/b19305/cg_app_c.htm#sthref1907
    Regards,
    Peter

  • Session Cookies Being Overwritten Browsing From SSL to Non SSL

    I have created a bug report for this issue as well.
    Please note I am using J2EE session variables so keep that in mind.
    I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
    For example:
    Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Encrypted connections only".
    Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Any type of connection".
    Here's the problem:
    Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
    Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
    Steps to Reproduce:
    1. Clear your cookies.
    2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
    3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
    This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
    Has anyone else experience this?

    Deleting and re-adding my account seems to have fixed it.  I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something.  Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.

  • How to create a session cookie on demand

    Hi,
    I search the web but couldn't find anything related to creating session cookies on demand. I want to create a session cookie storing encrypted user tokens when there is none, for example, when the first page is called.
    The encryption part is OK, but I want how can I intercept every call to a set of pages and create the session cookie if it doesn't exist.
    I'm using ADF, of course, and Weblogic.
    Anyone can provide some examples or source code?
    Thanks.

    Cookies are accessible via the http request and response, there you can add new cookies and or change existing ones.
            ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
            HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
            // get existing cookies
            Cookies [] cookies =((HttpServletRequest)ectx.getRequest()).getCookies();
            // create and set a new one
            Cookie cookie = new Cookie( "key", "value" );
            response.addCookie( cookie );This code should work in a bean. After setting the cookie you need to implement a servlet filter or a page phase listener where you check the requested url and then check for your cookie.
    Timo

  • CFID and CFTOKEN Being Deleted from Session Cookie

    I can't believe that no one else has run into this - but I
    have found nothing on the internet.
    When I copy a piece from a web page that is generated by my
    coldfusion server, and paste it into a word document, the session
    cookie is altered, and the CFID and CFTOKEN information is deleted,
    so I lose my login. Recently, I've developed a problem on a
    different application - when I open a word document that is stored
    on the server, using CFCONTENT, same thing happens - the cookie is
    altered, CFID and CFTOKEN are deleted, and I lose my login.
    I'm tearing my hair out. Has anyone seen this behaviour, any
    ideas as to why this would occur? Any ideas as to how to get around
    it?

    Here's my CFAPPLICATION tag:
    <cfapplication name="DashBoard"
    clientmanagement="Yes"
    sessionmanagement="Yes"
    setclientcookies="Yes"
    clientstorage="cookie"
    loginstorage="session"
    sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
    Not sure what you mean by application sections. It's one
    application.
    I don't refer to the cookie in any other way. It's there only
    to do what CF does with it - maintain the information that's used
    to find the session.

  • APEX Security: Multiple session cookies in one browser

    Hi all,
    I use mozilla firefox as web browser. When I open a new tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the session id and the browser the session cookie WWV_CUSTOM-F....
    When I now open the next browser tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the new session id and the browser the session cookie WWV_CUSTOM-F... with new content. My session from the first browser tab will be killed, because the session cookie for this session was deleted/replaced by the session cookie from the second tab.
    Is it possible to have multiple APEX sessions opened in one browser in multiple tabs?
    Regards

    Hi PaulP,
    it's simple.
    Unzip bsApex2 http://www.betasoftware.it/codice/bsApex2.zip
    If not installed, install Microsoft .NET Framework 4 Client Profile.
    Configure bsApex.exe.config
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <appSettings>
        <!-- Application Title -->
        <add key="aTitolo" value="Apex Desktop by Beta Software snc" />
        <!-- Short application title -->
        <add key="aTitoloBreve" value="Apex Desktop" />
        <!-- Window height -->   
        <add key="aAltezza" value="960" />
        <!-- Window width-->
        <add key="aLarghezza" value="1200" />
        <!-- Close botton text -->
        <add key="aChiudi" value="Close" />
        <!-- Print botton text -->
        <add key="aStampa" value="Print" />
        <!-- Application icon-->
        <add key="aIcona" value="bsApex.ico" />
        <!-- Client -->
        <add key="aCliente" value="Apex Community" />
        <!-- Application address -->
        <add key="aIndirizzo" value="http://apex.oracle.com/pls/otn/f?p=23873:1" />
      </appSettings>
    </configuration>Run bsApex.exe, that's all.
    Regards,
    Gianluigi

  • Hiding portlets in the Available Portlets List

    Can’t seem to find a way to control who sees what in the Available Portlets List. It is obviously possible to hide the portlets from unauthorized users. For example regular user will only see Services Portlet in the Portlet Repository->Administration->Portal, while the user with more privileges will also see Export/Import.
    However I have a number of portlets that I want only be available to a certain group of users. Let’s say HR should have access to the portlet and no one else. I could tweak permissions of the pages and portlets so that portlet will disappear from the page for the unauthorized user, and such user will receive an error if he attempts to add this portlet to the page. But he can still see the portlet in the Available Portlets List. Not only that means that user often has a list of 50 items when he actually can only use 5 (very user-unfriendly IMO), but there are portlets I simple don’t want unauthorized people to know about.
    I thought Changing Provider Access rules will do it, but it seems to have no effect, or perhaps I just can’t figure it out.
    I’ll appreciate any thoughts or ideas.

    The portlet repository is a somewhat special page group. Enable item level security in the page group and assign the required privileges to users or groups of users to your providers/portlets listed in the portlet repository as sub-pages and items.
    Also, by moving around the items and sub-pages representing your portlets and providers you can easily re-arrange the view of portlet repository exposed through the Add Portlets page.
    Peter

Maybe you are looking for

  • Preview and print a printout in production order release

    Iu2019m using CO02 to release and save the production order. Currently u201Cbatch cardu201D printout is automatically printed in production order release. I want to change this to preview the printout before printout is send to the printer. Can someo

  • How to hide a payload in sxmb_moni and RWB and Adapter engine.

    Hi I need to hide the pay load in  sxmb_moni, RWB, Adapter engine. Because payload has some sensite information. I need to hide the pay load for perticuler interface Name (http://filetoidoc.com) only. not all payloads. Please help us this. advanced t

  • Write DVD/CD unit to a G4

    Have a Mac G4 running OS 10.4.11 with the play only DVD/CD unit installed still. Can a write DVD/CD or a unit similar to a super drive be installed? Easily that is.

  • Latest IVI Class Step Types in TestStand

    IVI instrument classes have recently been defined for RF Signal Generator, Spectrum Analyzer and Power Meter. There are IVI drivers for these classes available for download from the Instrument Driver network. However, TestStand3 does no contain step

  • Installing FLash player (and Creative cloud)

    I am having trouble with Flash player and creative cloud. Most recently I have tried umpteen times to install Flash player and it wont work. I have run through uninstalling it. re installing it. ensuring it is enabled. and nothing. i have established