Javacard and session variables
Hello,
I'm trying to find a reasonable Javacard technique to handle "session variables" that must be kept between successive APDUs, but must be re-initialized on each card reset (and/or each time the application is selected); e.g. currently selected file, currently selected record, current session key, has the user PIN been verified...
Such variables are best held in RAM, since changing permanent (EEPROM or Flash) variables is so slow (and in the long run limiting the operational life of the card).
Examples in the Java Card Kit 2.2.2 (e.g. JavaPurseCrypto.java) manipulate session variables in the following way:
1) The programmers group session variables of basic type (Short, Byte, Boolean) according to type, and map each such variable at an explicit index of a vector (one per basic type used as session variable).
2) At install() time, each such vector, and each vector session variable, is explicitly allocated as a transient object, and this object is stored in a field of the application (in permanent memory), where it remains across resets.
3) Each use of a session variable of basic type is explicitly translated by the programmer into using the appropriately numbered element of the appropriate vector.
4) Vector session variables require no further syntactic juggling, but eat up an object descriptor worth of permanent data memory (EEPROM or Flash), and a function call + object affectation worth of applet-storage memory (EEPROM, Flash or ROM).
The preparatory phase goes:
public class MyApp extends Applet {
// transientShorts array indices
final static byte TN_IX = 0;
final static byte NEW_BALANCE_IX=(byte)TN_IX+1;
final static byte CURRENT_BALANCE_IX=(byte)NEW_BALANCE_IX+1;
final static byte AMOUNT_IX=(byte)CURRENT_BALANCE_IX+1;
final static byte TRANSACTION_TYPE_IX=(byte)AMOUNT_IX+1;
final static byte SELECTED_FILE_IX=(byte)TRANSACTION_TYPE_IX+1;
final static byte NUM_TRANSIENT_SHORTS=(byte)SELECTED_FILE_IX+1;
// transientBools array indices
final static byte TRANSACTION_INITIALIZED=0;
final static byte UPDATE_INITIALIZED=(byte)TRANSACTION_INITIALIZED+1;
final static byte NUM_TRANSIENT_BOOLS=(byte)UPDATE_INITIALIZED+1;
// remanent variables holding reference for transient variables
private short[] transientShorts;
private boolean[] transientBools;
private byte[] CAD_ID_array;
private byte[] byteArray8; // Signature work array
// install method
public static void install( byte[] bArray, short bOffset, byte bLength ) {
//Create transient objects.
transientShorts = JCSystem.makeTransientShortArray( NUM_TRANSIENT_SHORTS,
JCSystem.CLEAR_ON_DESELECT);
transientBools = JCSystem.makeTransientBooleanArray( NUM_TRANSIENT_BOOLS,
JCSystem.CLEAR_ON_DESELECT);
CAD_ID_array = JCSystem.makeTransientByteArray( (short)4,
JCSystem.CLEAR_ON_DESELECT);
byteArray8 = JCSystem.makeTransientByteArray( (short)8,
JCSystem.CLEAR_ON_DESELECT);
(..)and when it's time for usage, things go:
if (transientShorts[SELECTED_FILE_IX] == (short)0)
transientShorts[SELECTED_FILE_IX] == fid;
transientBools[UPDATE_INITIALIZED] =
sig.verify(MAC_buffer, (short)0, (short)10,
byteArray8, START, SIGNATURE_LENGTH);I find this
a) Verbose and complex.
b) Error-prone: there is nothing to prevent the accidental use of transientShorts[UPDATE_INITIALIZED].
c) Wastefull of memory: each use of a basic-type state variable wastes some code; each vector state variable wastes an object-descriptor worth of permanent data memory, and code for its allocation.
d) Slow at runtime: each use of a "session variable", especially of a basic type, goes thru method invocation(s) which end up painfully slow (at least on some cards), to the point that for repeated uses, one often attain a nice speedup by caching a session variable, and/or transientShorts and the like, into local variables.
As an aside, I don't get if the true allocation of RAM occurs at install time (implying non-selected applications eat up RAM), or at application selection (implying hidden extra overhead).
I dream of an equivalent for the C idiom "struct of state variables". Are these issues discussed, in a Sun manual, or elsewhere? Is there a better way?
Other desperate questions: does a C compiler that output Javacard bytecode make sense/exists? Or a usable Javacard bytecode assembler?
Francois Grieu
Interesting post.
I don't have a solution to your problem, but caching the session variables arrays in local variable arrays is a good start. This should be only done when the applet is in context, e.g. selected or accessed through the shareable interface. This values should be written back to EEPROM at e.g. deselect or some other important point of time. Do you run into problems if a tear happens? I don't think so since the session variables should be transactional, and a defined point will commit a transaction.
Analyzing the bytecode is a good idea. I know of a view in JCOP Tools (Eclipse plugin) where you can analyze the bytecode and optimize it to your needs.
Similar Messages
-
Direct database request and session variable value
Hi,
I have a problem by doing the following : idea is to have report with a list of all tables in user schema (which are not all in repository physical layer).
By clicking on the name of any, should bring answer report which is done as direct database request doing basically select * from table_clicked (this will be basically the same table with sufix _err holding error rows).
What I'm trying to do is having some kind report for error rows which can be in different tables in my database. So i had in mind to construct name of table i need , and pass it to database request through session variable. Am i doing right by doing direct database request like this :
select * from 'VALUEOF(NQ_SESSION.TestVar2)'
Is there another easyer way of doing this? I know this can be done by gourl by passing parameters but not sure how when i can't filter columns in direct database request (this can be different tables with different names of columns). I hope i didn't complicated this too much.
Thnx in adwanceHi,
I know this is a hack, and would be much more easy to create one table with dimension and measures, but this is intended to be used with code generator, which can produce different error tables with different column names in different time: It is not conviniet for somebody to add them to repository every 5 minutes. For example : i run my workflow and for first run I have errors in table1(let us say customer table with 30 columns) and if click on the table name in some answer report, i want to see all the bad records in the table. Tomorrow after the run, there are bad records in table1 and in table2 (lets say products) so I would have choice to pick table 1 or table2 and see al the bad records in any of these tables. This means that I can not now which tables will I have tomorrow, and as it is generic, I can manually add some tables in my model, and would have to add err table also as a possibility to have error rows?
I saw post saying that you can pass parameter value by using go url functionality, by modifying configinstance file, but didn't suceed - http://gerardnico.com/wiki/dat/obiee/logical_sql/obiee_session_variable_go_url . Maybe some mistake or any better solution? I created session variable TestVar2, also modified instanceconfig.xml by adding this before </ServerInstance>
<ParamList>
<Param name="NQ_SESSION.TestVar2" source="url" nameInSource="SETVAR"/>
</ParamList>
and used go url in column formula : ''||"Physical Targets"."Physical Table"||''
Can I use @1 for using first column value?
Thnx -
Server hangs and session variable value not maintained.
dear all,
this is exteremetly urgent. i upgraded my tomcat to 4.1.24.but i have problems running the same code which was working earlier, i get null in the value of session variable. and also get the following error
////////////////error got /////////////
Compile failed; see the compiler error output for details.
at org.apache.tools.ant.taskdefs.Javac.compile(Javac.java:842)
at org.apache.tools.ant.taskdefs.Javac.execute(Javac.java:682)
at org.apache.jasper.compiler.Compiler.generateClass(Compiler.java:317)
at org.apache.jasper.compiler.Compiler.compile(Compiler.java:370)
at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext
.java:473)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper
.java:190)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:2
95)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:247)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:193)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV
alve.java:256)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV
alve.java:191)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:
2415)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:180)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatche
rValve.java:171)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:172)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:174)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContex
t.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.jav
a:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:22
3)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java
:594)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proce
ssConnection(Http11Protocol.java:392)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java
:565)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadP
ool.java:619)
at java.lang.Thread.run(Thread.java:536)
///////////////end of error messsge ////////////
the code where i am getting this message is as follows
<%@ page session="true"%>
<HTML>
<HEAD><TITLE> LOGGED IN ok</TITLE> </HEAD>
<%@ page import="java.sql.*" %>
<%! // declaring variables
String s = "";
java.sql.ResultSet rs=null;
java.sql.Connection con;
java.sql.Statement stmt=null,stmt1=null;
String username = "";
String password = "";
String Ousername = "";
String Opassword = "";
String changepass="";
String usertype ="",useremail="",EmpName="";
%>
<body>
<%
try
//set session for max of 100 milliseconds
// session.setMaxInactiveInterval(10000);
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
con = java.sql.DriverManager.getConnection("jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)};" +"DBQ=c:/vishal/HelpDesk.mdb;DriverID=22;READONLY=false","","");
stmt = con.createStatement();
s = "select * from LoginUser";
username = request.getParameter("LogonId"); //get this through prev. form
password = request.getParameter("txtPassword");
out.println(username + " " + password);
// make explicitly to lower case
username = username.toLowerCase();
rs = stmt.executeQuery(s);
while(rs.next())
//getting data from database
Ousername = rs.getString("EmpName");
Opassword = rs.getString("Password");
useremail = rs.getString("EmailId");
usertype = rs.getString("UserType");
if(Opassword.equals(password) && Ousername.equals(username)) //found match correct entry
changepass = request.getParameter("PasswordNew");
if(changepass != null)
stmt1 = con.createStatement(java.sql.ResultSet.TYPE_SCROLL_INSENSITIVE,java.sql.ResultSet.CONCUR_UPDATABLE);
s = "update LoginUser set Password = '" + changepass + "' where EmpName = '" + username +"'";
out.println(s);
stmt1.executeUpdate(s);
stmt1.close();
if(usertype.equals("User") == false)//ie admin
session.setAttribute("username",username);
************************this value not maintained *********************
session.setAttribute("useremail",useremail);
session.setAttribute("usertype",usertype);
************************this value not maintained *********************
//closing connections
%>
<jsp:forward page= "ComplaintType.jsp" />
<%
else //user
EmpName = username;
session.setAttribute("EmpName",EmpName);
session.setAttribute("useremail",useremail);
//closing connections
%>
<jsp:forward page="ComplaintCategory.jsp" />
<%
}//end if
}//while loop
//first closing connections then forwarding
%>
<jsp:forward page="InvalidLOGIN.jsp" />
<%
///rs.close();
////closing
//stmt.close();
// con.close();
}//try
catch(Exception ep)
out.println(ep);
System.exit(1);
%>
</BODY>
</HTML>hi all,
thanx a lot for your help,specially hari52
hari52 strangely enough the code started working,but
now i have another problem
after a while my server hangs or gets shutdown ,a
message is shown as
"java.exe has generated error and will be shutdown"
i know that more connections can be a prob. but i
make sure that connections r closed on each page,also
i am a newbie and do not have the time at present to
learn abt. connection pool ,can this problem be
solved easily?
it would be a great help again on your part,
thanx again,You remove the System.exit(1) line from the code inside the catch block
and try again. That's the reason tomcat getting down. System.exit(1) should not be used inside jsp. it will make the underlaying Servlet Engine to shutdown. -
Row level security with session variables, not a best practice?
Hello,
We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
The problem is that this method is listed as a "non best practice" in the Oracle documentation.
Alternative Security Administration Options - 11g Release 1 (11.1.1)
(This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
Managing Session Variables
System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
How confusing... what is the best practice then?
Thank you for your help.
Joao Moreiraauthenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
Init block for authenticating / authorizing and session variables are different, i guess you are mixing both. -
Report in new page does not know of session and presentation variables
I have a question about GOURL.
I am using GOURL as a column function in one report (report A), so that when i click on that column it takes me to another report(report B) that open in new popup window.
the first report (A) also uses some session and presentation variables, which is also used by Report B as filters. I am curious that if I add these filters which are using variables to report B, why can't report B get the value of these, (it just errors out ) because it didn't found any value to those variables in the filter.
Becuase I am ending up with passing all these variables in GOURL and setting them as 'isprompted'.
Does this report (B) knows nothing else than what it finds in GOURL?
thanksIn a nutshell, if u use gourl then its parameters will be only using in navigated report. This is functionality
-
Session variable and initialization block issues
We are using OBIEE 10.1.3.3 and utilizes built in security features. (No LDAP or other single sign on). The user or group names are not stored in any external table. I have a need to supplement Group info of the user to the usage tracking we implemented recently as the NQ_LOGIN_GROUP.RESP column contains username instead of group name. So I created a session variable and associated with a new initialization block and also had a junk default value set to the variable. In the initialization block, I wrote the following query and as a result it inserted correct values into the table when the TEST button was clicked from the initialization block form.
insert into stra_login_data (username, groupname, login_time) values ('VALUEOF(NQ_SESSION.USER)', 'VALUEOF(NQ_SESSION.GROUP)', SYSDATE)
My intention is to make this execute whenever any user logs on. The nqserver.log reports the following error and it doesn?t insert values into the table.
[nQSError: 13011] Query for Initialization Block 'SET_USER_LOGIN_BLOCK' has failed.
[nQSError: 23006] The session variable, NQ_SESSION.USER, has no value definition.
[nQSError: 13011] Query for Initialization Block 'SET_USER_LOGIN_BLOCK' has failed.
[nQSError: 23006] The session variable, NQ_SESSION.GROUP, has no value definition.
When I changed the insert statement as below, this does get populated whenever someone logs in. But I need the values of GROUP associated with the user as defined in the repository.
insert into stra_login_data (username, groupname, login_time) values ('TEST_USER', TEST_GROUP', SYSDATE)
Could someone help me out! As I mentioned above, I need the GROUP info into the usage tracking. So, if there is another successful approach, could you please share?
Thank you
AminHi Amin,
See [this thread|http://forums.oracle.com/forums/thread.jspa?messageID=3376946�]. You can't use the GROUP session variable in an Init Block unless it has been seeded from an Init Block first. There isn't an easy solution for what you want, but here are some options:
1) Create a copy of your User => Groups assignments in your RPD in an table so you can use it in your Usage Tracking Subject Area. But this means you will have to replicate the changes in two places so it's not a good solution.
2) As the GROUP session variable is populated when you login you could theoretically use it a Dashboard and pass it a parameter to write the value to the database. But as I am not sure how can you make fire only once when the user logins it sounds like a bad idea.
3) Move your User => Groups assignments from your RPD to a DB table. Use OBIEE Write Back or something like Oracle APEX to maintain them.
I think 3) is the best solution to be honest. -
Session variable being lost between parent and include file
I am running into the following scenario: Page 1 includes page 2, on both pages a session variable is returned to the screen. On occasions, page 2 throws an error on the session variable even though it was successfully called on page 1.
It only happens occassionally, and is very difficult to recreate in order to debug it in realtime. Has anyone run into something like this before? Thanks!semi star gazer wrote:
I am running into the following scenario: Page 1 includes page 2, on both pages a session variable is returned to the screen. On occasions, page 2 throws an error on the session variable even though it was successfully called on page 1.
It only happens occassionally, and is very difficult to recreate in order to debug it in realtime. Has anyone run into something like this before? Thanks!
I suspect it has less to do with page-inclusion, more to do with the code on page 2. Suppose, instead of using cfinclude, you had copied the code from page 2 into page 1, and made 1 page of it. Then the error would still have occurred. That's at least my theory.
Have a look at how the code in page 2 handles the session. There is bound to be something not quite right about it. What kind of error do you get anyway?
Runtime debugging can be as simple as this:
<cftry>
<cfinclude template="page2.cfm">
<cfcatch type="any">
<cfdump var="#cfcatch#"><cfabort>
</cfcatch>
<cftry> -
Code to set and destroy session variables in Java Server Pages(JSP)
code to set and destroy session variables in Java Server Pages(JSP)
we have use following statement to set session variable
session.setAttribute("userClient",id);
we have use following statement to destroy session variable
session.setAttribute("userClient","");
and
the session.invalidate() is not working
Plz. solve this probemcode to set and destroy session variables in Java
Server Pages(JSP)
we have use following statement to set session
variable
session.setAttribute("userClient",id);
we have use following statement to destroy session
variable
session.setAttribute("userClient","");Perhaps if you tried using
session.setAttribute("userClient", null);
or
session.removeAttribute("userClient");
and
the session.invalidate() is not workingNot working how?
>
Plz. solve this probem -
Is this how to pull data from a database and insert it to a session variable?
$_SESSION['Stud_FirstName'] = $row_rs_Login['Stud_FirstName'];
'cause it ain't working. I swear the more I learn the less I know.
What do I change?
Thanks!Yes, it is. However, the recordset must exist before you can assign the value to another variable. The final line of the code that creates a recordset looks like this:
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
If you're attempting to create the session variable before that line, as I suspect you are, it's not really surprising that it doesn't work.
Even if you don't want to write all the code yourself, you need to understand the code that Dreamweaver is writing for you. Otherwise you'll find yourself constantly banging your head on the keyboard. A PHP script is executed from top to bottom, and the flow of the script is controlled by conditional statements and loops. Get your head around those concepts, and you'll find customizing the Dreamweaver code a lot easier. -
Xml search and replace for 'Session Variables' in column title view
Hi Experts,
I have around 10 reports where measure column titles are displayed based the session variable.
Below is the syntax I have used in the column title
@{biServer.variables['NQ_SESSION.VariableName']}
Now I would like to replace the above syntax with some static text. To do this, I am trying to use the xml search and replace feature in the catalog manager.
For some reason, catalog manager is unable to find the syntax in the xml file. I have tried using escape character also for the apostrophe by using &apos, but no luck.
Any pointers on how to replace the text?
ThanksUsing Analysis get the xml conversion for @{biServer.variables['NQ_SESSION.VariableName']} from Advanced tab's xml code
use this code to find in catalog manager, if you able to find then go for search and replace option.
I think this should work for you. -
Session variable and script error
Hello;
I am still writting this script that turns a bg sound on and
aff for the whole site to remember. I have a good start on this
code, but I am running into issues.
1. I am trying to use a checkbox to make the selection, and
when it is clicked, it will function without using a submit button,
the java script I am using isn't doing the job allowing the
checkbox to act as a link so to speak.
2. I need to make this script into a session variable. So
that when the decision is made, the site will remember it.
3. there might be a problem in my IF statement.
Can someone please help me out? I am attaching the code. It
is using a DB that has a yes/no box in the table this sound code is
accessing.
Thank you.
PhoenixA Quess...
Remove the OnClick in the form
<form onClick="category.submit();">
Place it in the input type?
<input type="checkbox"
onClick="category.submit();"> -
Session variable filters in the integration between OBIEE and webcenter
Hello All,
I have a customer with the requirement to make sure that reports created in answers and containing sessions variables in filters definition will be correctly filtered once called from webcenter.
So if an OBI report is diplayed in webcenter and contains the same type of filters (based on session variable), will the results be filtered based on the specified variable?
In other words can we use session variables in the integration between OBIEE and webcenter?
Thanks OlayinkaHave you follow all the steps written here :
http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/e12188/T421739T475591.htm#T480640
Do you have create the groups ?
Do you connect as a member of the group XMLP_ADMIN ?
Cheers
Nico -
Flashbuilder and Cold Fusion (using application/session variables)
I would like to know if anybody uses Flashbuilder with Cold Fusion?
Since Cold Fusion has lots of different scopes of variables (application, session, client, form, url, etc...) how do you manage this in Flex/Flashbuilder?
Are there forums or groups specifically for using Flex3/Flashbuilder with backend server side technologies such as Cold Fusion?.
The only server side technology that I have interest in is Cold Fusion. I've seen basic tutorials and videos using Cold Fusion CFC's and data binding with Flex. I haven't seen or heard anything using a Cold Fusion application, session, or client variable in Flex.
Hopefully some of you have some experience on this topic.
Thankshey popster,
i too had this question some time ago. my entire app was built on CF with HTML before i started integrating Flex 3 with it. i found that i needed to create cookie variables for all my session variables i was using in order to maintain and remember who the user was in my CFC calls. i also found that after i compiled a flex app, i changed the .html to .cfm (the file that loads the compiled SWF file). by doing this i was able to pass CF session variables into the flex app and you can refer to these anywhere in Flex by using Application.application.parameters.{variable name here}
add the CF variable in the FlashVars line to pass it into Flex (see the last line of code). this will create a variable (in my case i'm passing session.employeenumber). then in your flex app you can reference it by using Application.application.parameters.emplid:
AC_FL_RunContent(
"src", "Request",
"width", "100%",
"height", "87%",
"align", "middle",
"id", "Request",
"quality", "high",
"bgcolor", "#869ca7",
"name", "Request",
"allowScriptAccess","sameDomain",
"type", "application/x-shockwave-flash",
"pluginspage", "http://www.adobe.com/go/getflashplayer",
"wmode","transparent",
"FlashVars","emplid=<cfoutput>#session.employeenumber#</cfoutput"
A little trick I learned (does Adobe really expect us to re-engineer how our apps have been working by no longer using sessions for Flex?). Then in your CFCs if you also create cookies for every session variable you can maintain the variables based on user login. HOPE THIS HELPS!
-Matt -
Missing session variables and multiple CFID/CFTOKEN
We are using ColdFusion 9.0.1 and have recently started to experience some sporadic behavior in our applications. These applications have worked without error for over 6+ years and have not been modified during this time.
Over the past couple of weeks, we have been receiving calls in regards to users not being able to login and receiving errors when performing various actions. We have put troubleshooting measures in place that display values when this occurs.
We have noticed that when the errors occur, there are multiple CFID/CFTOKEN COOKIE values. Additionally, session variables are being dropped (during simple tasks such as going from one screen to the next). These errors do not occur for the majority of users and have primarily occurred in Internet Explorer, but we have had some instances in other browsers. In most instances, if the user switches browsers, the same application works fine for them.
In one particular case, we have a <cfif> tag in the application.cfm file that checks for “session.user_id”. If it doesn’t exist, the user is directed to a login page using the <cflocation> tag. When experiencing the problem, users are continuously going back to the login screen because the system is saying that the session variable does not exist.
When working with one user who was experiencing this problem, we were able to remedy the problem by adding “addtoken=’yes’” to the cflocation tag. ** We do not prefer to do this for security reasons.
Rather than go through each application and try to “band-aid” each instance that occurs, can anybody offer some suggestions on why this behavior recently began and how we may be able to globally address it?My immediate guess is that there is faulty logic in the code that updates the value of session.user_id. Apparently, one of the following scenarios might be happening.
Coldfusion creates a session, X, say. Session.user_id is as yet undefined, so ColdFusion cflocates the user to the login page. The user logs in, still within session X. His session.user_id is set.
Suppose, for whatever reason (and I know of at least two), the session drops. The user's very next request will make ColdFusion to create a new session, Y, say. Under session Y, the variable session.user_id, which corresponded to session X, will no longer exist. So ColdFusion cflocates the user to the login page. This cycle will of course repeat if left uncorrected.
Another possible scenario is that the variable session.user_id is not set at all, or is set in the context of a new session. I am assuming that the login page is a form. Then login validation occurs at the action page of the form. Presumably the variable session.user_id is set at this action page. If so, then perhaps ColdFusion fails to set this variable, or a new session is created as the request goes from the login-form page to the action page.
The 2 main reasons why a session drops are 1) it times out, 2) a new request starts a new session. Hence the following suggestions.
1) Is your sessionTimeout value low, say, just a few minutes? If so, increase it to 20 minutes.
2) Remember that the default behaviour of ColdFusion is to start a new session at every request. Use cflogin and cfloginuser together with loginStorage="session". Cflogin executes only if there is no logged in user, irrespective of the session. Therefore, getAuthUser() is a better authentication test than session.user_id.
3) Use Application.cfc in place of Application.cfm. In particular, the CFC offers you more fine-grained control over the beginning and end of sessions. -
Help building an object, setting it in a session variable and casting
Hi all,
I have a problem that I hope you can help me with. The application I am working on has a simple MVC design architecture. The problem occurs when a request is made from the application to the controller servlet. The controller servlet looks at the request type and delegates the processing to the appropriate action and model classes. The model class returns an object of a specific class type that is put into the session variable. This session variable is then cast to the appropriate class type in the jsp that renders that class. The problem is that this particular class type has an array of another class type. The array is filled in the class constructor, but is null when returned to the controller.
At run time when accessing the array I get a NullPointerException error. I can't seem to figure this one out. Any help is greatly appreciated.
Here's the code:
Controller DoPost method. The 'Action' objects are defined and initialized in the init() method.
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException{
try {
HttpSession session = request.getSession();
MemberProfileTbl memProf = (MemberProfileTbl)session.getAttribute("Member");
RequestDispatcher rd;
if (!validateUser(memProf, session)){
session.setAttribute("LoginStatus", "Session Expired");
rd = getServletContext().getRequestDispatcher("/LoginFail.jsp");
rd.forward(request, response);
return;
String act = getAction(request);
Action action = (Action)actions.get(act);
Object result = null;
try {
result = action.perform(request, memProf);
}catch (NullPointerException npx) {
npx.printStackTrace();
session.setAttribute("currObject", result);
rd = getServletContext().getRequestDispatcher("/test/MemberConsole.jsp");
rd.forward(request, response);
catch (Exception ex){
ex.printStackTrace();
Action class:
package accolo.actions;
import javax.servlet.http.*;
import accolo.model .*;
import accolo.view.*;
import accolo.db.MemberProfileTbl;
public class ChangeMainView extends Action {
public String getName() {return "changeMainView";}
public Object perform(HttpServletRequest request, MemberProfileTbl memProf)
throws Exception, ClassNotFoundException, InstantiationException, IllegalAccessException{
Object result;
HMMainView hmMain = new HMMainView(memProf.email);
result = hmMain;
return result;
HMMainView.java class
public class HMMainView
private HMMainViewJob[] jobs;
public String test;
public HMMainView(String email)
HMJobsBean hmJobsBean = new HMJobsBean();
JobTblDao jobTblDao = new JobTblDao();
test = "test in constructor";
try{
JobTbl[] hmJobs = jobTblDao.getHMOpenJobs(email);
for(int j = 0; j < hmJobs.length; j++){
this.jobs[j].jobTitle = hmJobs[j].optionalTitle;
this.jobs[j].city = hmJobs[j].city;
this.jobs[j].state = hmJobsBean.getState(hmJobs[j].zipCode);
Hashtable counts = hmJobsBean.getJSCountsByStatus(hmJobs[j].jobId);
this.jobs[j].unranked = (String)counts.get("CANUNRANKED");
this.jobs[j].interviews = (String)counts.get("HMRI");
this.jobs[j].ranked = (String)counts.get("CANRANKED");
long closed = Long.parseLong((String)counts.get("HMRNI"));
closed += Long.parseLong((String)counts.get("HMCH"));
closed += Long.parseLong((String)counts.get("HMNH"));
this.jobs[j].closed = Long.toString(closed);
}catch(Exception ex){
ex.printStackTrace();
public HMMainViewJob[] getJobs(){ return jobs; }
HMMainViewJob.java class
package accolo.model;
public class HMMainViewJob
public long jobId;
public String jobTitle;
public String status_id;
public String city;
public String state;
public String unranked;
public String interviews;
public String ranked;
public String closed;
public HMMainViewJob()
Snippet of JSP that uses the code
Object result = session.getAttribute("currObject");
if (result != null){
String className = result.getClass().getName();
if (className.equals("accolo.model.HMMainView")){
header = "HM/HMConsoleHeader.jsp";
subNav = "HM/HMConsoleSubNav.jsp";
user = "HM/HMConsoleUser.jsp";
left = "HM/HMConsoleLeft.jsp";
// body = "HM/HMConsoleHome.jsp";
HMMainView hmMain = (HMMainView) result;
HMMainViewJob[] jobs = hmMain.getJobs();
for (int i = 0; i < jobs.length; i++){
%>
Jobs: <%=jobs.jobTitle%>
<%I have not run this through a debugger yet. I don't have immediate access to a debugger to run it through, most of the development is simply done in vi. I was hoping any problem in the code would jump out at someone. I've been staring at it too long.
I'll try to get a debugger set up.
Thanks
Maybe you are looking for
-
Hi Ingo and others, I have two situations and need your input I have configured the SNC between BOBJ and SAP by exchange of certificates. I am able to create Universe thru a connection as u201Cuse SSO when refreshing the report on runtimeu201D Or by
-
Pny StorEDGE 64gb sd card not reading
I bought a PNY StorEDGE 64gb sd card to have removeable storage but my Mac book pro wont read it. My Macbook is only 3 months old.
-
Problem in enque replication service
Hi Team, we got followinf error in ERS service huxp0034:/tmp# tail -f hacmp_fail* 2012/02/25 18:16:00 -- Remote node huxp0035 maybe down 2012/02/25 18:16:00 -- Abandoning attempts to start replicated enqueue processes 2012/02/25 18:16:00 -- Start
-
Pardon the simplicity of the question but we had a question arise that I am unable to find a solution in previous posts or in guides and I am not a programmer. Customer wrote their scritping for UCCX 7 in Java because they had requirements for mut
-
R12 DMZ login page hangs after some time
Node 1: Database 10.2.0.3 Node 2: internal Application Node 3: External Application - currently not exposed to the internet, we are testing opening the URL internally. Followed DOC I: 380490.1 - in order to achieve the External node. The Database and