ITS transaction session cookie needed in url

Hi All,
There is a webgui transaction created and the services published.we are able to access the transaction via browser.
The requirement is to have session ID displayed ( / path in the cookie) of the browser.( so that later we can take the path session and integrate it with webserver)
I have came accross a link with which we can hide the session iD via using aliases, but my requirement is opposite to it.
I have searched many service parameters for this purpose , but to no avail. Is there any workaround or parameter with specific value needed.
Thanking you for your responses.
M.A

Hi All,
How to create a web transaction , so that after the user access(logs in successfully) the transaction, then we get that session ID and path as details in the cookie of the browser.There is no restriction for the kind of user to be used.
Any settings please let me know.
Thanks a lot for your valuble responses
M.A

Similar Messages

Alternatives for HTTP Session(Cookies or URL Reqriting)

Sir/Madam,
Actually we can handle session using (1) URL rewriting and (2) Cookies , apart from this is there any way to handle sessions ? If so what are they ?.
Thanks and Regards
- Raja.

Of course... You could use (1) Cookies and (2) URL rewriting, as an alternative.
Or you could write your own JSP/servlet engine and require all pages to be forms that have the session ID in them or whatever other custom hair-brained idea you wanted.

How to Set up HTTPOnly and SECURE FLAG for session cookies

Hi All,
To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
I have found the below solutions.
For setting up the HTTPOnly for the session cookies.
1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
 this.sessioncookie.httponly = true;
For setting up the secure flag for the session cookies.
2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
 this.sessioncookie.secure = "true"
Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
Your timely help is well appreciated.
Thanks in advance.

BKBK wrote:
Abdul L Koyappayil wrote:
BKBK wrote:
You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
I couldnt understand this. I mean how are you relating this with my question.
When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
 If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
Name:
JSESSIONID
Content:
782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
Domain:
xyz.abc.pqr.com
Path:
Send for:
Any kind of connection
Accessible to script:
No (HttpOnly)
Created:
Wednesday, September 3, 2014 2:25:10 AM
Expires:
When the browsing session ends
BKBK wrote:
2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
 I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
BKBK wrote:
3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
 I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

Avoiding session id in the URL

Hello folks,
Do you have any idea to avoid getting session id appended to the URL like
http://host/app/login.do;jsessionid=BE142D66CF9DB14EB04D406E28AD791EHow to avoid it? (i am using struts.)
Thanks in advance
SAN

Servlet sessions on a J2EE server are maintained via a session id - called "JSESSIONID"
You need to send that id with every request you make in order to maintain your session - its how the server identifies you.
Most of the time that is set in a "session cookie" called JSESSIONID. This cookie is issue to your browser for the duration of your "browser session" (ie until you close the browser). It does not get written to disk - it is stored only in memory.
The fallback position, if your browser doesn't support session cookies, or has them switched off is to encode the jsessionid in the url as you have seen.
That is done by the use of the method response.encodeURL in the java APIs.
Note a "session cookie" is talking about your browser session, not your servlet session. It is two different uses of the word session.
Thats the standard handling anyway.
Have you maybe configured Tomcat to [disable cookies|http://jf.omnis.ch/log/archives/2004/12/disabling-session-cookie-in-tomcat.html]?
If you are using the HTTPSession object, then you need to retain state either with the cookie or the jsessionid in the url.
Just to double check you can try the following in a jspsessionid from cookie? <%= request.isRequestedSessionIdFromCookie() %> 
sessionid from url? <%= request.isRequestedSessionIdFromURL() %> Hope this helps,
evnafets

APEX accessing ASP Session Cookie...?

Hi,
I'm trying to build an application to fit in with a pre-existing website.
This site authenticates users, setting appropriate session variables in a cookie. Then each asp page carries a script to check these session variables, denying access if they aren't correct.
I want my APEX application to fit in with this. Having read some of the documentation and browsed this forum, I'm thinking an open authentication application with an authorisation scheme based on these session variables.
My main problem is, how (if at all) I can get APEX to pick up on these session variables? I don't really want to start getting them out and sticking them in the URL used to call the application, because that would be a bit too easy to spoof.
Does anyone know a way of getting APEX to check a cookie and act on that? Or at least drag cookie variables over into its own session variables?
Cheers for any help.
Scott
P.S. It may show, I'm new to quite a lot of this!

Hello Scott,
>> Does anyone know a way of getting APEX to check a cookie and act on that?
APEX itself using cookies, utilizing a package called OWA_COOKIE. You can see an example on the login page (by default page 101) of your application.
You should check if the OWA_COOKIE package could help you with what you need.
Regards,
Arie.

Session cookie security

A customer of mine asked me about session cookie security.
Questions are :
. session id randmoness
. session id length
. events producing session end (timeouts, navigation outside etc..)
. HTTP maximim header length
Could someone provide me informations/documentation about such questions ?
Tks
Tullio

Again, you still did not mention if you are generalizing or speaking of a specific product and version. Since you posted your question in the "Forms" area, I guess we will assume you are referring to Forms. However, without the version information some of the info might vary. I guess in any case, you (or your customer) should try testing the product of choice as most Oracle products are free for download.
 
Session Id Length should be long at least 20 random characters" 
<blockquote>Here is an example of what is generated for Forms 10.1.2.3 (other versions may vary): 
jsessionid=9c1253bde83b0ed66ae9687525ef3536f960c8a0f40aa4fa14179b30656e1ea3 
</blockquote>
Http header should be less than 2100 characters 
<blockquote>This will likely depend on exactly which
product version is being used. Also, it will depend on exactly
which "header" information is being considered as part of the
count. For example, are you include all request and response
data. Are you including any of the body data? Also consider
that the host name and url parameters are part of these exchanges
too. So the total amount of characters in my environment would
likely differ from yours simply because of a difference in my host name
and parameters that I pass to call my app. In doing just a couple of
simple tests using a basic tool like ieHTTPheaders and run it against
Forms 10.1.2.3 on my local machine, I can see that the total can range
from around 1000 up into over 2000. So the exact header size is
something you would need to test based on the app and environment to
include the product version. 
</blockquote>
Session timout should be 15 minutes 
<blockquote>The concept of "session timeout" will
vary depending on what exactly we are talking about. There are
Forms sessions, db sessions, http sessions, java sessions, etc.
For the most part, all of these sessions times are configurable.
The only exception is the actually application itself. In other
words, Forms, by design is intended to be living. Meaning, it will
never die unless you kill it. You would need to program in to
your app exactly when you want its session to be destroyed. If you
wanted to destroy the app based on user inactivity, you would need to
use a Java Bean in order to perform a clean exit. Any other method
would result in an ugly termination. An example (unsupported
demo) of such a bean is available on OTN in the Forms download area.
As for the other session configurations, they are documented in the product docs. 
</blockquote>

Not be able to obtain a transacted session within stateless session bean

I need some assistance on creating a transacted session. For some reason while within a stateless session bean, I am unable to create a transacted session even though I'm specifying to create the transacted queue session. Can anyone provide any assistance to me on this? It would be much appreciated.
Here is the code snippets involved with the problem:
Code snipet from ejb-jar.xml:
<session>
<display-name>Initial Request</display-name>
<ejb-name>InitialRequestBean</ejb-name>
<ejb-class>com.raytheon.rds.jms.InitialRequestBean</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
</session>
Code from stateless session bean:
static Logger logger;
private QueueConnectionFactory connectionFactory;
private SessionContext sc;
private Queue requestQueue;
public String processRequest(String msgBody)
logger.log(Level.INFO, "In processRequest(String).", msgBody);
QueueConnection con = null;
QueueSession session = null;
QueueSender sender = null;
TextMessage message = null;
String messageID = null;
QueueReceiver receiver = null;
TemporaryQueue replyQueue = null;
boolean transacted = false;
try
//Create the infrastructure (ie. The connection & the session)
logger.log(Level.FINE, "Creating connection");
con = connectionFactory.createQueueConnection();
logger.log(Level.FINE, "Creating session");
session = con.createQueueSession(true, Session.AUTO_ACKNOWLEDGE);
//Note: This line above was changed in all possible permutation and still didn't work such as using Session.SESSION_TRANSACTED
transacted = session.getTransacted();
logger.log(Level.FINE, "Is session transacted? : " + transacted);
//Note: This line above is constantly saying false
//Now first, setup the temporary reply queue and its listener
replyQueue = session.createTemporaryQueue();
logger.log(Level.FINE, "Creating receiver/consumer");
receiver = session.createReceiver(replyQueue);
con.start();
//Now create the requestor that will make the request message and put it on the request queue
logger.log(Level.FINE, "Creating Requestor/Producer");
sender = session.createSender(requestQueue);
//Now create the message and make sure that you put the "JMSReplyTo" property to the temporary response queue we just created
message = session.createTextMessage();
message.setJMSReplyTo(replyQueue);
logger.log(Level.FINE, "Created message: " + message.getJMSMessageID());
//Now add the actual info you want to send
message.setText(msgBody);
//Now send the message
logger.log(Level.INFO, "Sending message: " + message.getText());
sender.send(message);
//Now wait until we get a response
logger.log(Level.FINE, "Waiting for the response message");
Message responseMsg = receiver.receive(20000); //Toggle the "0" to specify timeout in millisectionds
//Process the message
logger.log(Level.FINE, "Processing the response message");
if(null != responseMsg)
logger.log(Level.FINE, "responseMsg is : " + responseMsg.toString());
messageID = processMessage(responseMsg);
logger.log(Level.FINE, "Response is : " + messageID);
//close the connection
logger.log(Level.FINE, "Stopping the connection");
con.stop();
catch (Throwable t)
// JMSException could be thrown
logger.log(Level.SEVERE, "Exception Thrown in sendRequest: ", t);
sc.setRollbackOnly();
finally
//Close the sender
if (sender != null)
try
logger.log(Level.FINE, "Closing the sender");
sender.close();
catch (JMSException e)
logger.log(Level.WARNING, "JMSException Thrown when trying to close the sender to the request queue: ", e);
else
logger.log(Level.FINE, "Sender is already closed.");
//Close the receiver
if (receiver != null)
try
logger.log(Level.FINE, "Closing the receiver");
receiver.close();
catch (JMSException e)
logger.log(Level.WARNING, "JMSException Thrown when trying to close the receiver to the request queue: ", e);
else
logger.log(Level.FINE, "Receiver is already closed.");
//Close the session
if (session != null)
try
logger.log(Level.FINE, "Closing the session");
session.close();
catch (JMSException e)
logger.log(Level.WARNING, "JMSException Thrown when trying to close the session to the request queue: ", e);
else
logger.log(Level.FINE, "Session is already closed.");
//Close the connection
if (con != null)
try
logger.log(Level.FINE, "Closing the connection");
con.close();
catch (JMSException e)
logger.log(Level.WARNING, "JMSException Thrown when trying to close the connection to the reply queue: ", e);
else
logger.log(Level.FINE, "Connection is already closed.");
return messageID;
}

I found the answer through lots of painful searching.
http://blogs.sun.com/fkieviet/entry/request_reply_from_an_ejb
This weblog from Frank Kieviet from a sun blog explains what's happening behind the scenes.
Then I proceeded to create a Bean-Managed Transaction out of my EJB, which is using EJB 3.0. This requires the tag:
@TransactionManagement(value= TransactionManagementType.BEAN)
Note: I got this information from http://download.oracle.com/docs/cd/B31017_01/web.1013/b28221/servtran001.htm#BAJIBAFF
Then I just added the code specified in Frank's blog and everything is working now. The main portion of the code looks like this now:
//begin the user transaction
ctx.getUserTransaction().begin();
//Create the infrastructure (ie. The connection & the session)
logger.log(Level.FINE, "Creating connection");
con = connectionFactory.createQueueConnection();
//Create the session
logger.log(Level.FINE, "Creating session");
session = con.createQueueSession(false, Session.SESSION_TRANSACTED);
transacted = session.getTransacted();
logger.log(Level.FINE, "Is session transacted? : " + transacted);
//Now create the sender that will make the request message and put it on the request queue
logger.log(Level.FINE, "Creating Sender");
sender = session.createSender(requestQueue);
//Now create the message
message = session.createTextMessage();
//Now add the actual info you want to send
message.setText(msgBody);
logger.log(Level.FINE, "Created message: " + message.getJMSMessageID());
//Now first, setup the temporary reply queue and its listener
replyQueue = session.createTemporaryQueue();
if(null != replyQueue)
logger.log(Level.FINE, "Created temporary queue: " + replyQueue.getQueueName());
else
logger.log(Level.FINE, "Temporary Queue could not be created.");
//make sure that you put the "JMSReplyTo" property to the temporary response queue we just created
message.setJMSReplyTo(replyQueue);
//Now send the message
logger.log(Level.INFO, "Sending message: " + message.getText());
sender.send(message);
//Now start the connection
logger.log(Level.FINE, "Starting the connection");
con.start();
//commit the changes
ctx.getUserTransaction().commit();
ctx.getUserTransaction().begin();
//Create the receiver
logger.log(Level.FINE, "Creating Receiver");
receiver = session.createReceiver(replyQueue);
//Now wait until we get a response
logger.log(Level.FINE, "Waiting for the response message");
Message responseMsg = receiver.receive(20000); //Toggle the "0" to specify timeout in millisectionds
//Process the message
logger.log(Level.FINE, "Processing the response message");
if(null != responseMsg)
logger.log(Level.FINE, "responseMsg is : " + responseMsg.toString());
else
logger.log(Level.FINE, "No response came back.");
messageID = processMessage(responseMsg);
logger.log(Level.FINE, "Response is : " + messageID);
logger.log(Level.FINE, "Transaction is complete");
//commit the changes
ctx.getUserTransaction().commit();

How to create a session cookie on demand

Hi,
I search the web but couldn't find anything related to creating session cookies on demand. I want to create a session cookie storing encrypted user tokens when there is none, for example, when the first page is called.
The encryption part is OK, but I want how can I intercept every call to a set of pages and create the session cookie if it doesn't exist.
I'm using ADF, of course, and Weblogic.
Anyone can provide some examples or source code?
Thanks.

Cookies are accessible via the http request and response, there you can add new cookies and or change existing ones.
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
        // get existing cookies
        Cookies [] cookies =((HttpServletRequest)ectx.getRequest()).getCookies();
        // create and set a new one
        Cookie cookie = new Cookie( "key", "value" );
        response.addCookie( cookie );This code should work in a bean. After setting the cookie you need to implement a servlet filter or a page phase listener where you check the requested url and then check for your cookie.
Timo

Session cookie - Servername info - can it be done in the application code

HI all,
Scenario:
2 managed servers in a cluster. Application is deployed on the cluster.
Requirement:
Application needs to send a cookie to the user with server info.
Question is regarding session cookies. Can the application retrieve the server name (for example ManagedServer1) from which that request has been processed and send to the user in the cookie.?
Request->process->Response with cookie containig the server name it was process by.
Can it be done in the application code?
/SR
Edited by: Shashi_sr on Feb 4, 2011 4:37 AM

Hi SR,
You can get the server name using the following technique:
/* Getting the Server name from System Property */
String serverName=System.getProperty("weblogic.Name");
/* Adding the value of the Server Name in the Cookie*/
response.addCookie("serverName",serverName);Like you can see by yourself using the JPS utility how WLS sets its server name as a system property using the following link
Topic: Using Jps.exe to distinguish WLS ProcessIDs And Server Name
http://middlewaremagic.com/weblogic/?p=2291
Regards,
Ravish Mody
http://middlewaremagic.com/weblogic/
Come, Join Us and Experience The Magic…

Configuring Session Cookie Name in Portal DAD

I have some questions about the proper way to specify the Session Cookie Name (PlsqlSessionCookieName) in the Portal DAD.
Here's a description of the environment: There are 2 portal servers (portal1, portal2) and 2 infrastructure servers (infra1, infra2). portal1 is tied directly to infra1, and portal2 is tied to infra2. A hardware load-balancer directs traffic from a URL "www.companyname.com" to either portal1 or portal2. The infrastructure databases are kept in synch via a nightly export/import. There is no clustering.
What should I set the Session Cookie Names to in the Portal DADs? Should they be left blank and thus default to the DAD name? If not, should they be set to identical (both to "portal") or unique values ("portal1" and "portal2")?
I have read the dads.README file, the notes in the Edit DAD page in Enterprise Manager, and some other documentation and I am confused as to the proper settings.
Thanks!
Brian

It looks like distinct session cookie names are needed.
Please refer to Oracle HTTP Server Administrator's Guide 10g Release 2 (10.1.2), Section 8 Understanding Modules. Seach for PlsqlSessionCookieName.

Web Cache and cookies - need to understand a bit more!

FROM THE ORACLES DOCS
If a document contains a cookie, then Oracle Web Cache evaluates the cookie value of the browser request and application Web server response. If the values match and there is a corresponding cacheability rule, then Oracle Web Cache caches the response. Because a session value change does not necessarily indicate a change of state on the application Web servers, session cookie values are not evaluated. For documents that use these cookies, the response is cached, regardless of whether or not the cookie values match.
OK so does this mean that if I have a site that has a single persistent cookie that say contains the username and the cookie is global over the site i.e. its set for the root "/" then inheritently WebCache cannot cache any page on this site even if the cacheability rule make no mention of cookies as the request and response cookie will be different ie user "bill" goes for first page and WC caches it then user "larry" asks for a page and becuase the request cookie is "larry" and the response is "bill" then it wont cache it even though this particular pages content may make no use of the cookie value.
Also does it mean that if I have a session cookie say for "authenticated" even if I have expressed that the cookie be used to cache different version of the page its no use WebCache will ignore it and simply cache one version for all even though this particular page maybe be different for authenticated and non authenticated users.
Sorry but its not clear just how WC works with cookies.
Thanks for any assistance
Rob

I asked one of the developers about this and here is the
response:
"I think he was not clear on 2 points:
1) we do not store any "Set-Cookie" header from the response.
all such headers are stripped when the document is inserted;
2) cookie comparison is only performed when we receive a response
from the os. On cache hits, no such comparison happens -- we
don't have anything to compare against as the cached documents
never contain any Set-Cookie headers
So in his example, after the response to Bill's request gets
cached (it's cached only when the non-session cookies in his
request and response match), Larry's request for the same URL
will get the cached document WITHOUT the "Set-Cookie" header. So
Larry gets a cache hit and his cookie will not get overwritten by
Bill's.
Now in 9.0 (the upcoming release), the cookie value comparison
only happens for multiversion cookies. So we are relaxing a bit
in that sense and will cache more documents than before.
As for his second part of the question (the authentication cookie
part), I'm not sure what exactly is the application behavior. Do
only authenticated users have the session cookie? If that's the
case, then, he can define a session caching rule to say "cache
with session, and cache without session, and the 2 versions are
different" (3 YES' on the 3 session definition questions). Then
we'll cache a version for the authenticated users (with session)
regardless of the session value, and another version for the
non-authenticated users(without session).
If, however, both authenticated and non-authenticated users have
the same session cookies with different values, and all
authenticated users map to one version of the doc and all
non-authenticated users map to another, then Web Cache can't
currently handle this. This is basically a multiversion cookie
rule, with some grouping of cookie values, which we don't support
yet."

Weblogic.httpd.session.cookies.enable not working in WLS4.5 sp 11 ?

I want to disable the use of cookies in WLS 4.5, and set the following
weblogic.httpd.session.cookies.enable=false
In WLS 4.5 sp7, this correctly prevents the server from using cookies
for session-tracking, forcing the extraction of the session id from a
rewritten URL.
However, for WLS 4.5 sp11 cookies are still sent from the server
Is this a known issue ?
jo

I want to disable the use of cookies in WLS 4.5, and set the following
weblogic.httpd.session.cookies.enable=false
In WLS 4.5 sp7, this correctly prevents the server from using cookies
for session-tracking, forcing the extraction of the session id from a
rewritten URL.
However, for WLS 4.5 sp11 cookies are still sent from the server
Is this a known issue ?
jo

Can portal session cookies be used between two data centers

OAS generates the following header information and session information for my application. However when I need to failover the originating OAS datacenter into my hot stand-by for maintenance or upgrades, the OAS in the other datacenter responds with a 503 web error. We are using Akamai's GTM to manage the liveness of the datacenter, so we would need the hot stand-by OAS portal in that datacenter to return a 302 error code. Is there some method that we can add to our portal application which would always return a 302 error code.
See header information collected through wfetch. The 503 error is caused by the hot stand-by data center not accepting or recognizing the cookie. Both OAS datacenters are IDENTICAL in Oracle levels, application levels, web servers, portals and OS patches.
resolve hostname "170.107.183.32"WWWConnect::Connect("170.107.183.32","80")\nsource port: 2182\r\n
GET /portal/pls/portal/PORTAL.wwsec_app_priv.login?p_requested_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home&p_cancel_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n
Host: www.thomson-pharma.com\r\n
Connection: Keep-Alive\r\n
Cookie: ORA_WX_SESSION="10.225.8.30:80-1#2"; portal=9.0.3+en-us+us+AMERICA+3D66674E7EED0801E04400144F41424E+BBAA98EEB32D58C086231A8D6CBE2E5D402D89B0E79D83A18C668BB0CA7417B4044DEA389C8B50DD37D9272A24B4753B22F29978861DE14503F8B9BEDC2014654B26A434CF074F4D8749B88610ADADF5084A90ADBF749E2A; DATACENTER=EAGAN\r\n
\r\n
HTTP/1.1 503 Service Unavailable\r\n
Cache-Control: private\r\n
Content-Type: text/html\r\n
Set-Cookie: ORA_WX_SESSION="10.237.138.33:80-1#2"\r\n
Set-Cookie: portal=; expires=Wednesday, 27-Dec-95 05:29:10 GMT; path=/\r\n
Connection: Keep-Alive\r\n
Keep-Alive: timeout=5, max=999\r\n
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=208440262161,0)\r\n
Content-Length: 710\r\n
Date: Fri, 26 Oct 2007 14:58:07 GMT\r\n
\r\n
Thanks -John

Hi John,
This question is probably more appropriate in one of the Portal forums, but perhaps you can take a look at the information in section C.5 Configuring the Portal Session Cookie in Appendix C of the Portal Configuration guide.
Here is a link: http://download.oracle.com/docs/cd/B14099_19/portal.1014/b19305/cg_app_c.htm#sthref1907
Regards,
Peter

Transaction Launcher Logical Systems and URLs

Hi,
I'm facing a problem with Transaction Launcher.
I've done all the settings specified here: http://help.sap.com/saphelp_crm60/helpdata/en/46/231befc17b5872e10000000a11466f/frameset.htm
Under section "Define Transaction Launcher Logical Systems and URLs" I've specified the values for Quality System: the ECC system is MQAS200A
By the way, when I try to access an ERP Sales Order, the transaction CRM_TL_ERP_BUS2032_DISPLAY tries to access system MSVL200A (which is the Development ECC System).
I cannot change the Logical System within the Transaction Launcher Configuration (currently it is set to ERP), since the Transaction is standard.
Does anybody know how to map the generic value ERP with the correct value MQAS200A instead of MSVL200A?
Thanks in advance,
Regards,
Andrea Ricci

Hi,
You cannot generalize the Logical system name, for the workaround you need to put the logical system for quality and transport it to quality and it should work and to check in dev you need to again change the log. sys to dev and save it but dont transport it. Similarly you can do for production system.
Regards,
Shobhit

NON-transactional session bean access entity bean

We are currently profiling our product using Borland OptmizeIt tool, and we
found some interesting issues. Due to our design, we have many session beans which
are non transactional, and these session beans will access entity beans to do
the reading operations, such as getWeight, getRate, since it's read only, there
is no need to do transaction commit stuff which really takes time, this could
be seen through the profile. I know weblogic support readonly entity bean, but
it seems that it only has benefit on ejbLoad call, my test program shows that
weblogic still creates local transaction even I specified it as transaction not
supported, and Transaction.commit() will always be called in postInvoke(), from
the profile, we got that for a single method call, such as getRate(), 80% time
spent on postInvoke(), any suggestion on this? BTW, most of our entity beans are
using Exclusive lock, that's the reason that we use non-transactional session
bean to avoid dead lock problem.
Thanks

Slava,
Thanks for the link, actually I read it before, and following is what I extracted
it from the doc:
<weblogic-doc>
Do not set db-is-shared to "false" if you set the entity bean's concurrency
strategy to the "Database" option. If you do, WebLogic Server will ignore the
db-is-shared setting.
</weblogic-doc>
Thanks
"Slava Imeshev" <[email protected]> wrote:
Hi Jinsong,
You may want to read this to get more detailed explanation
on db-is-shared (cache-between-transactions for 7.0):
http://e-docs.bea.com/wls/docs61/ejb/EJB_environment.html#1127563
Let me know if you have any questions.
Regards,
Slava Imeshev
"Jinsong HU" <[email protected]> wrote in message
news:[email protected]...
Thanks.
But it's still not clear to me in db-is-shared setting, if I specifiedentity
lock as database lock, I assumed db-is-shared is useless, because foreach
new
transaction, entity bean will reload data anyway. Correct me if I amwrong.
Jinsong
"Slava Imeshev" <[email protected]> wrote:
Jinsong,
See my answers inline.
"Jinsong Hu" <[email protected]> wrote in message
news:[email protected]...
Hi Slava,
Thanks for your reply, actually, I agree with you, we need to
review
our db
schema and seperate business logic to avoid db lock. I can not say,guys,
we need
to change this and that, since it's a big application and developedsince
EJB1.0
spec, I think they are afraid to do such a big change.Total rewrite is the worst thing that can happen to an app. The
better aproach would be identifying the most critical piece and
make a surgery on it.
Following are questions in my mind:
(1) I think there should be many companies using weblogic serverto
develop
large enterprise applications, I am just wondering what's the maintransaction/lock
mechanism that is used? Transional session / database lock,
db-is-shared
entity
I can't say for the whole community, as for my experience the standard
usage patthern is session fasades calling Entity EJBs while having
Required TX attribute plus plain transacted JDBC calls for bulk
reads or inserts.
is the dominant one? It seems that if you speficy database lock,
the
db-is-shared
should be true, right?Basically it's not true. One will need db-is-shared only if thereare
changes
to the database done from outside of the app server.
(2) For RO bean, if I specify read-idle-timeout to 0, it shouldonly
load
once at the first use time, right?I assume read-timeout-seconds was meant. That's right, but if
an application constantly reads new RO data, RO beans will be
constantly dropped from cache and new ones will be loaded.
You may want to looks at server console to see if there's a lot
of passivation for RO beans.
(3) For clustering part, have anyone use it in real enterpriseapplication?
My concern, since database lock is the only way to choose, how aboutthe
affect
of ejbLoad to performance, since most transactions are short live,if high
volume
transactions are in processing, I am just scared to death about
the
ejbLoad overhead.
ejbLoad is a part of bean's lifecycle, how would you be scared ofit?
If ejbLoads take too much time, it could be a good idea to profile
used SQLs. Right index optimization can make huge difference.
Also you may want cosider using CMP beans to let weblogic
take care about load optimization.
(4) If using Optimization lock, all the ejbStore need to do
version
check
or timestamp check, right? How about this overhead?As for optimistic concurrency, it performs quite well as you can
use lighter isolation levels.
HTH,
Slava Imeshev
"Jinsong Hu" <[email protected]> wrote in message
news:[email protected]...
We are using Exclusive Lock for entity bean, because of we do
not
want
to
load
data in each new transaction. If we use Database lock, that means
we
dedicate
data access calls to database, if database deadlock happens,
it's
hard
to
detect,
while using Exclusive lock, we could detect this dead lock in
container
level.
The problem is, using Exclusive concurrency mode you serialize
access to data represented by the bean. This aproach has negative
effect on ablity of application to process concurrent requests.As
a
result the app may have performance problems under load.
Actually, at the beginnning, we did use database lock and usingtransactional
The fact that you had database deadlocking issues tells that
application logic / database schema may need some review.
Normally to avoid deadlocking it's good to group database
operations mixing in updattes and inserts into one place so
that db locking sequence is not spreaded in time. Moving to
forced serialized data access just hides design/implementation
problems.
session bean, but the database dead lock and frequent ejbLoad
really
kill
us,
so we decided to move to use Exclusive lock and to avoid dead
lock,
we
change
some session bean to non-transactional.Making session beans non-transactions makes container
creating short-living transactions for each call to entity bean
methods. It's a costly process and it puts additional load to
both container and database.
We could use ReadOnly lock for some entity beans, but since weblogicserver will
always create local transaction for entity bean, and we found
transaction
commit
is expensive, I am arguing why do we need create container leveltransaction for
read only bean.First, read-only beans still need to load data. Also, you may seeRO
beans
contanly loading data if db-is-shared set to true. Other reason
can
be
that
RO semantics is not applicable the data presented by RO bean (forinstance,
you have a reporting engine that constantly produces "RO" data,
while
application-consumer of that data retrieves only new data and neverasks
for "old" data). RO beans are good when there is a relatively stable
data
accessed repeatedly for read only access.
You may want to tell us more about your app, we may be of help.
Regards,
Slava Imeshev
I will post the performance data, let's see how costful
transaction.commit
is.
"Cameron Purdy" <[email protected]> wrote:
We are currently profiling our product using Borland
OptmizeIt
tool,
and we
found some interesting issues. Due to our design, we have
many
session
beans which
are non transactional, and these session beans will access
entity
beans
to
do
the reading operations, such as getWeight, getRate, since
it's
read
only,
there
is no need to do transaction commit stuff which really takes
time,
this
could
be seen through the profile. I know weblogic support readonly
entity
bean,
but
it seems that it only has benefit on ejbLoad call, my test
program
shows
that
weblogic still creates local transaction even I specified
it
as
transaction not
supported, and Transaction.commit() will always be called
in
postInvoke(),
from
the profile, we got that for a single method call, such as
getRate(),
80%
time
spent on postInvoke(), any suggestion on this? BTW, most of
our
entity
beans are
using Exclusive lock, that's the reason that we use
non-transactional
session
bean to avoid dead lock problem.I am worried that you have made some decisions based on an improper
understand of what WebLogic is doing.
First, you say "non transactional", but from your description
you
should
have those marked as tx REQUIRED to avoid multiple transactions
(since
non-transactional just means that the database operation becomesits
own
little transaction).
Second, you say you are using exclusive lock, which you shouldonly
use
if
you are absolutely sure that you need it, (and note that it
does
not
work in
a cluster).
Peace,
Cameron Purdy
Tangosol, Inc.
http://www.tangosol.com/coherence.jsp
Tangosol Coherence: Clustered Replicated Cache for Weblogic
"Jinsong Hu" <[email protected]> wrote in message
news:[email protected]...
>

ITS transaction session cookie needed in url

Similar Messages

Maybe you are looking for