How to secure session cookie

Similar Messages

• Enable secure session cookie on Sun ONE Web Server 6.1

  How can I enable secure session cookie (JSESSIONID) on Sun ONE Web Server 6.1?.
  For 6.0 is <session-cookie is-secure="true"/> inside the <web-app> tags in web-apps.xml but I'm not able to find this setting for 6.1.

  There is a fix in 6.1sp5 that enables the session cookie to be marked as secure.
  See the release notes and search for 6262885 under Issues Resolved in 6.1sp5:
  http://docs.sun.com/app/docs/doc/819-2479/6n4p1bdea?a=view

• Secure Session Cookie

  How to enable secure attribute for session cookies in Sun 1 WS 6.1.. I could not find any attributes or elements to enable secure under Session Manager in sun-web.xml.
  Thanks
  ssk

  Are you sure about that? I've been looking on how to do this without enabling SSL on the web server (It's behind an SSL offload device). It is possilbe to do this in 6.0, I'd be very surprised if it can not be done on 6.1.

• How to use session cookie property of System object?

  Hi all,
  I have searched all over the SDN but didnt get anything relevent so here i am posting my query...
  My scenario is as follows:
  I have created a KM document iview that launches an HTML page, on click of button of HTML page a VC iview is launched. On this iview i have a button that hits BI query.
  PS: A system object is created for the connectivity bet portal and backend BI server.
  PS: i have configured SSO between portal and backend.
  Now when i click on button on iview that fetches the data from backend, i am asked for authentication pop-up, although i have configured SSO why i am asked to enter UID and PWD again??
  In system object there is a property named
  <b>"session cookie = MYSAPSSO2"</b>
  So should i use this property so that cookie will get transfered from one session to other session when i click button on iview??
  If yes then HOW??
  Is there any other setting remained in Visual Admin?? or Backend or portal?
  What could be the missing??
  PS: User id are same on portal & backend.
  Any help will be highly appreciated...
  Regards,
  Ameya
  Thanks in advance
  Message was edited by:
          Ameya Pimpalgaonkar
  null
  Message was edited by:
          Ameya Pimpalgaonkar

  Hi Ameya,
  I do not know the exact answer.However you should look for something called JSESSION ID.
  Have a look at the thread:
  Re: Problems Using Application Integrator for BSP Application
  Reg SSO Logon Tickets and Browser sessions
  How to use jsessionid while making HTTP calls??
  Hope you find something which can help you.
  Regards
  Atul Shrivastava

• How to secure CFGLOBALS cookie

  To secure CFGLOBALS  cookie I tried the following method as I did for CFID and CFTOKEN . But its not working for CFGLOBALS . Note that this method is working fine for CFID and CFTOKEN.
  <cfset cf_ssn_cookies = {httponly='true', secure='true'}>
  <cfapplication name="ABCD" clientmanagement="Yes" sessionmanagement="Yes" setclientcookies="Yes"sessioncookie=#cf_ssn_cookies#>
  Any idea why the HTTPOnly and SECURE flags are not setting up for CFGLOBALS cookie.

  Ya .... Can you just send the summary.....
  BK ,  can you do one more help. I have posted another question here How to prevent clickjacking issue in CF. If possible can you just look into it.

• How to Set up HTTPOnly and SECURE FLAG for session cookies

  Hi All,
  To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
  I have found the below solutions.
  For setting up the HTTPOnly for the session cookies.
  1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.httponly = true;
  For setting up the secure flag for the session cookies.
  2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.secure = "true"
  Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
  <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
  <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cfif>
  But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
  Your timely help is well appreciated.
  Thanks in advance.

  BKBK wrote:
  Abdul L Koyappayil wrote:
  BKBK wrote:
  You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
  I couldnt understand this. I mean how are you relating this with my question.
  When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
       If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
  Name:
  JSESSIONID
  Content:
  782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
  Domain:
  xyz.abc.pqr.com
  Path:
  Send for:
  Any kind of connection
  Accessible to script:
  No (HttpOnly)
  Created:
  Wednesday, September 3, 2014 2:25:10 AM
  Expires:
  When the browsing session ends
  BKBK wrote:
  2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
  Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
       I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
  BKBK wrote:
  3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
  It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
       I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

• Setting secure flag on weblogic (5.1) session cookie.

  Hello All,
            I need to set secure flag on weblogic session cookie. I am not able to
            find any property in weblogic.properties file to set the secure flag for
            session cookie.
            Does anybody has any idea how to achieve this.?
            Thanks
            Nitin
            

  The best way to reduce GC is to change you application to use less memory. Serious.
  There are a number of JVM options for GC. I can't tell you what will work best
  for your application.
  25 seconds is way too long for a GC. Is the OS paging? You may wish to invest
  in additional memory.
  Mike Reiche
  vijendran <[email protected]> wrote:
  Hi,
  I am running a load test which will simulate 100 users. when i tried
  to simulate i found that GC is happening often even though i set the
  heap to 512 MB., and that too some time it takes upto 25 secs. for a
  GC to complete. Please advise on how to increase the performance for
  more number of users (without clustering weblogic) and to avoid GC happening
  often.
  Regards
  Vijendran

• How to create a session cookie on demand

  Hi,
  I search the web but couldn't find anything related to creating session cookies on demand. I want to create a session cookie storing encrypted user tokens when there is none, for example, when the first page is called.
  The encryption part is OK, but I want how can I intercept every call to a set of pages and create the session cookie if it doesn't exist.
  I'm using ADF, of course, and Weblogic.
  Anyone can provide some examples or source code?
  Thanks.

  Cookies are accessible via the http request and response, there you can add new cookies and or change existing ones.
          ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
          HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
          // get existing cookies
          Cookies [] cookies =((HttpServletRequest)ectx.getRequest()).getCookies();
          // create and set a new one
          Cookie cookie = new Cookie( "key", "value" );
          response.addCookie( cookie );This code should work in a bean. After setting the cookie you need to implement a servlet filter or a page phase listener where you check the requested url and then check for your cookie.
  Timo

• How do I enable per session cookies?

  Would someone be so kind as to instruct me on how to enable per session cookies.
  I cannot use one website to its fullest without this.
  Thank you,
  Leeflea

  See [[Enabling and disabling cookies]]

• How to turn on session cookies on firefox

  i have a magic jack and i plugged it in and it said to turn on session cookies how do i do that

  If this is a browser issue, you can go to Tools (at the top of the screen) and go down to options. Go to Privacy and change the Firefox Will to Use custom settings for my history. Then, make sure "Allow Session Cookies" is checkmarked.

• Session cookie security

  A customer of mine asked me about session cookie security.
  Questions are :
  . session id randmoness
  . session id length
  . events producing session end (timeouts, navigation outside etc..)
  . HTTP maximim header length
  Could someone provide me informations/documentation about such questions ?
  Tks
  Tullio

  Again, you still did not mention if you are generalizing or speaking of a specific product and version. Since you posted your question in the "Forms" area, I guess we will assume you are referring to Forms. However, without the version information some of the info might vary. I guess in any case, you (or your customer) should try testing the product of choice as most Oracle products are free for download.
  <br>
  Session Id Length should be long at least 20 random characters" <br>
  <blockquote><font color="blue">Here is an example of what is generated for Forms 10.1.2.3 (other versions may vary):<br>
  <i>jsessionid=<b>9c1253bde83b0ed66ae9687525ef3536f960c8a0f40aa4fa14179b30656e1ea3</b></i><br>
  </font></blockquote>
  Http header should be less than 2100 characters<br>
  <blockquote><font color="blue">This will likely depend on exactly which
  product version is being used.  Also, it will depend on exactly
  which "header" information is being considered as part of the
  count.  For example, are you include all request and response
  data.  Are you including any of the body data?  Also consider
  that the host name and url parameters are part of these exchanges
  too.  So the total amount of characters in my environment would
  likely differ from yours simply because of a difference in my host name
  and parameters that I pass to call my app. In doing just a couple of
  simple tests using a basic tool like ieHTTPheaders and run it against
  Forms 10.1.2.3 on my local machine, I can see that the total can range
  from around 1000 up into over 2000.  So the exact header size is
  something you would need to test based on the app and environment to
  include the product version.</font><br>
  </blockquote>
  Session timout should be 15 minutes <br>
  <blockquote><font color="blue">The concept of "session timeout" will
  vary depending on what exactly we are talking about.  There are
  Forms sessions, db sessions, http sessions, java sessions, etc. 
  For the most part, all of these sessions times are configurable. 
  The only exception is the actually application itself.  In other
  words, Forms, by design is intended to be living.  Meaning, it will
  never die unless you kill it.  You would need to program in to
  your app exactly when you want its session to be destroyed.  If you
  wanted to destroy the app based on user inactivity, you would need to
  use a Java Bean in order to perform a clean exit.  Any other method
  would result in an ugly termination.  An example (unsupported
  demo) of such a bean is available on OTN in the Forms download area. 
  As for the other session configurations, they are documented in the product docs.</font><br>
  </blockquote>
  <br>

• APEX Security: Multiple session cookies in one browser

  Hi all,
  I use mozilla firefox as web browser. When I open a new tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the session id and the browser the session cookie WWV_CUSTOM-F....
  When I now open the next browser tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the new session id and the browser the session cookie WWV_CUSTOM-F... with new content. My session from the first browser tab will be killed, because the session cookie for this session was deleted/replaced by the session cookie from the second tab.
  Is it possible to have multiple APEX sessions opened in one browser in multiple tabs?
  Regards

  Hi PaulP,
  it's simple.
  Unzip bsApex2 http://www.betasoftware.it/codice/bsApex2.zip
  If not installed, install Microsoft .NET Framework 4 Client Profile.
  Configure bsApex.exe.config
  <?xml version="1.0" encoding="utf-8" ?>
  <configuration>
    <appSettings>
      <!-- Application Title -->
      <add key="aTitolo" value="Apex Desktop by Beta Software snc" />
      <!-- Short application title -->
      <add key="aTitoloBreve" value="Apex Desktop" />
      <!-- Window height -->   
      <add key="aAltezza" value="960" />
      <!-- Window width-->
      <add key="aLarghezza" value="1200" />
      <!-- Close botton text -->
      <add key="aChiudi" value="Close" />
      <!-- Print botton text -->
      <add key="aStampa" value="Print" />
      <!-- Application icon-->
      <add key="aIcona" value="bsApex.ico" />
      <!-- Client -->
      <add key="aCliente" value="Apex Community" />
      <!-- Application address -->
      <add key="aIndirizzo" value="http://apex.oracle.com/pls/otn/f?p=23873:1" />
    </appSettings>
  </configuration>Run bsApex.exe, that's all.
  Regards,
  Gianluigi

• Air + Ipad + RemoteObject problem with session cookies

  I am making Air version for IPad of a Flex application.
  My flex application needs session from an secured enterprise proxy, without that session none remoteObject requests can pass the proxy and reach blazeDS.
  My solution for flex works fine: calling an enterprise  servlet at application´s startup to obtain a cookie session. I use a POST call to the servlet using URLRequest (sending the user and password parameters), the servlet responds with  a message with a session cookie, and from that point, without me having to code anything more, my flex application get that cookie with the session that automatically is loaded in my browser cookie stack, and that transparently is used from all my subsequents remoteObjects calls in the flex application.
  In my Adobe Air Ipad version, this just does not work, the session or is not storaged or is not attached with subsequent remoteObjects requests.
  - I´m forcing request.manageCookies = true
  - I´m working with the IOS simulator (Is there any difference for cookies with a real Ipad device?)
  - I´m using Flex 4.6.0, Air 3.5, IOS 6, Ipad 3, BlazeDS 4.0, Java 6 BackEnd.
  .. What´s the problem/difference with Air+Ipad from the flex version?

  Hi BalusC ,
  Thanks for your detailed response. I have a question about this comment you noted..
  "Terrible. Just keep the bean request scoped. "
  I changed the bean to request and now have this issue.
              <rich:dataGrid id="membersInZipcode" value="#{membersInZipcode.arrayListOfSearch4Member}"
                          var="membersInZipcode" columns="5" elements="20">                       
              <f:facet name="footer">
                  <rich:datascroller></rich:datascroller>
              </f:facet>
          </rich:dataGrid>
          </h:form>  I am using a request bean to hold the search parms that loads the bean. This works great.
  The problem is when I use the rich:datascroller for the next page.
  It goes back to the bean and the request scope bean is empty. This holds the search values.
  How do I put this back into the request after each process??
  Question 2..
  "Those settings only applies on the current request, i.e. the JSP file itself. Images are obtained by separate and independent requests. You need to set the headers on those requests as well. You can use a filter for this."
  I have never set a filter ...how do I do it? Do you have a link for an example of this filter setup?
  Thanks Again
  Phil

• How do I use cookies to control which part of the timeline to play from?

  Hi there,
  I have created an animation with Adobe Edge. My site uses Concrete5 and I am pulling in the Edge content into an IFRAME on my home page (there my be a better way to do this and I'm open to suggestions). I want the animation to play from the start when someone first visits the site, but if during their browser session they navigate back to the home page, I want the animation to only play a shorter segment of frames near the end.
  My question is, how do I use cookies to acheive this? I'm new to javascript/jquery.
  I've included the following code on compositionReady, (found in another post on this forum) but don't have a clue how to continue...
  // insert code to be run when the composition is fully loaded here yepnope(   {     nope:[       '/js/jquery.cookie.js'     ],   complete: init   } ); function init() { //create your cookie's initial values here } 
  My temp site is here - http://79.170.40.43/nutcrackerdesign.co.uk/
  On revisting the homepage, I only want to play from when the green 'How can we help?' button drops in.
  Many thanks!
  Russ

  Hi, Russ-
  I found this article, which seemed really helpful in describing how cookies work in JavaScript:
  http://www.quirksmode.org/js/cookies.html
  Remember that JS works just fine within Animate, so on your compositionReady, you can read your cookie and then set the play based on that.  You should probably uncheck the autoplay for your Stage and control the play of your Stage from the compositionReady.
  Good luck!
  -Elaine

• How to handle sessions with two severs on one machine?

  All,
  I am having a problem with session cookies being overwritten when I host two apps on one machine running WebLogic 8.1 The apps are http://myserver:7300/app1 and http://myserver:7400/app2, and each runs in its own server.
  Users will often access both apps at once, in two browser windows. If the windows are different threads in the same process, the sessions collide. For Internet Explorer, this isn't usually a problem since clicking on the shortcut multiple times launches different processes by default. Some browsers (Firefox, etc.) won't let you have two windows under different processes. Attempts to launch a second window 'detect' the existing process and appear to spawn a new thread. When this happens there appears to be no way for the users to use both apps at once.
  I know this is happening because of the way session cookies are stored in the browser process' memory. The session cookies appear to me to be 'keyed' by the host name or ip address of the server. Does anyone know of a setting in WebLogic so that this 'key' includes the port or context root? Is this even something which can be controlled on the server side?
  Thanks for any help,
  Brian

  Not quite sure what your intent is, but if you want to avoid a clash how
  about giving each application a different default session cookie name.