JRun session id being re-used
We are using JRun 4.0 on our server in conjunction with MS IIS 6.0 to support dynamic JSP pages and Java Servlets. We are using URL encoding to support session handling. In the jrun-web.xml file we have the following parameters to disable the use of cookies for session handling:
    <session-config>
      <cookie-config>
        <active>false</active>
      </cookie-config>
    </session-config>
With these parameters defined in the jrun-web.xml file, and the use of the response.encodeURL() function, we see that JRun automatically appends a jsessionid=xxxxxxx parameter to the URLs. This has been working well for us for a long time. Recently we noticed that these jsessionid values are being re-used by JRun for different session instances. That is, if a user logs in to the website at a given time and is assigned a session id, say 101011, and after a while logs out, then some time later another user logs in and is assigned the same session id (101011) for his session. If the first user has bookmarked a page on the website, the bookmark is going to include the session id parameter (with the value 101011), and if the first user opens the bookmark while the second user is logged in, the first user will get access to the second user's session, which is very insecure.
This phenomenon is referred to as session fixation and can be used by a hijacker to get access to any other user's session. Is there a way to prevent JRun from re-using these session id values, or to increase the time period after which JRun re-uses these session ids?
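The handlers below are an added example, not code from the post above or from JRun, written against the Servlet 2.3 API that JRun 4 implements. They do not change how the container generates ids, which is the root of the reuse described above and is the container's job. What application code can do is make sure authenticated state never lives under an id the client arrived with, that a logout kills the id server-side and leaves no copy of it in the post-logout URL, and that a stale bookmarked id is rejected rather than silently adopted. The /login and /home paths and the authenticate() stub are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example against the Servlet 2.3 API (the level JRun 4 implements);
 * not code from the original post or from JRun. The /login and /home paths
 * and the authenticate() stub are assumptions for illustration.
 */
public class SessionHandling {

    /**
     * Runs in front of every request. A jsessionid the container did not
     * issue, or one that has expired, sends the client to a clean login URL
     * instead of letting the request proceed and a new session be created
     * behind a client-supplied id.
     */
    public static class StaleSessionFilter implements Filter {
        public void init(FilterConfig cfg) throws ServletException {}
        public void destroy() {}

        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpServletResponse resp = (HttpServletResponse) rs;
            if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
                // Plain sendRedirect, not encodeRedirectURL(): the stale id must
                // not be written back into the URL the browser follows next.
                resp.sendRedirect(req.getContextPath() + "/login");
                return;
            }
            chain.doFilter(rq, rs);
        }
    }

    public static class LoginServlet extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("user");
            if (!authenticate(user, req.getParameter("password"))) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Discard whatever session the client arrived with (pre-login,
            // bookmarked, or handed to it in a link) so the authenticated
            // state lives under an id the client did not bring.
            HttpSession pre = req.getSession(false);
            if (pre != null) {
                pre.invalidate();
            }
            HttpSession session = req.getSession(true);
            session.setAttribute("principal", user);
            // Short inactivity timeout: an id carried in URLs is copied into
            // bookmarks and logs, so keep the time it stays usable small.
            session.setMaxInactiveInterval(15 * 60);
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
        }

        /** Stand-in for the site's real credential check (assumption). */
        private boolean authenticate(String user, String password) {
            return user != null && password != null && password.length() >= 12;
        }
    }

    public static class LogoutServlet extends HttpServlet {
        // POST rather than GET so a logout cannot be triggered by a bare link.
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();   // the id is dead server-side from here on
            }
            // Again no encodeRedirectURL(): the post-logout page must not carry
            // the old id into the browser history or the next bookmark.
            resp.sendRedirect(req.getContextPath() + "/login");
        }
    }
}
```

Map StaleSessionFilter to /* in web.xml and the two servlets to the login and logout paths. Whether the session created after invalidate() gets a fresh id or the container hands back the requested one is container behaviour, so check it once with two requests; if the id comes back unchanged, the login handler cannot rely on that step. A recycled id that is currently valid for another user is indistinguishable from that user's own requests at this layer, so the short timeout narrows the window and nothing more. With URL rewriting the id also lands in the Referer header of every outbound link and in proxy and web-server logs; the one change that removes that whole class of leak is to carry the id in a cookie again (the <active>false</active> setting above) and serve the site over HTTPS.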
Similar Messages
-
Shopping cart - prevent same session ref being re-used after an order ?
Whenever a user enters the site, a new session is created, along with a unique session ref (uuid).
Various housekeeping is performed when the session expires.
BUT, how do I prevent a user who's just ordered, from returning to the site and re-using the same session ref ?
What's the best solution ? Can I prematurely expire the session, or perhaps start a new one and attach this user to it ?
Dax Trajero wrote:
... how do I prevent a user who's just ordered, from returning to the site and re-using the same session ref ?
Deny a returning paying(!) customer his session? Yours might be the only shop in town doing that.
If your session housekeeping is any good, then the session variables pertaining to shopping cart, payment and delivery would have been cleared or re-initialized. Often, starting a new session means logging in again. There are a number of reasons why that can be undesirable.
I did an e-commerce course for a year, and learned some strange things. It is in fact to your advantage that a returning customer should keep his session, even after ordering.
For example, it is well known that the chances of a returning customer placing a new order are much higher when he is already logged in than when he has to log in afresh. You could test that hypothesis yourself. Psychologists have also found that e-shoppers often return to the shop to gloat over the goodies they've just ordered. You wouldn't want to deny them their gloating session, would you?
-
Session Cookies Being Overwritten Browsing From SSL to Non SSL
I have created a bug report for this issue as well.
Please note I am using J2EE session variables so keep that in mind.
I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
For example:
Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Encrypted connections only".
Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Any type of connection".
Here's the problem:
Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
Steps to Reproduce:
1. Clear your cookies.
2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
Has anyone else experienced this?
Deleting and re-adding my account seems to have fixed it. I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something. Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.
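The class below is an added example, not code from the ColdFusion thread above. It is a minimal model of two browser cookie-storage rules, run against the three reproduction steps in the post: the RFC 6265 (section 5.3) rule, under which a cookie set over plain http replaces an existing Secure cookie with the same name, domain and path (the Secure flag restricts sending, not overwriting), and the RFC 6265bis "leave Secure cookies alone" rule that current browsers apply, under which the http-origin cookie is rejected instead. Cookie values are constructed.

```java
import java.util.ArrayList;
import java.util.List;

/*
 * Added example, not code from the thread above. Models RFC 6265 section 5.3
 * cookie replacement next to the RFC 6265bis "leave Secure cookies alone"
 * rule, using the three steps from the post. Cookie values are constructed.
 */
public class CookieJarModel {
    static final class Cookie {
        final String name, value, domain, path;
        final boolean secure;
        Cookie(String name, String value, String domain, String path, boolean secure) {
            this.name = name; this.value = value; this.domain = domain;
            this.path = path; this.secure = secure;
        }
    }

    private final List<Cookie> jar = new ArrayList<>();
    private final boolean leaveSecureCookiesAlone;

    CookieJarModel(boolean leaveSecureCookiesAlone) {
        this.leaveSecureCookiesAlone = leaveSecureCookiesAlone;
    }

    /** Process one Set-Cookie. Returns true if the jar now holds this cookie. */
    boolean setCookie(Cookie c, boolean fromSecureOrigin) {
        // A cookie flagged Secure but delivered over http is dropped (6265bis).
        if (leaveSecureCookiesAlone && c.secure && !fromSecureOrigin) {
            return false;
        }
        for (int i = 0; i < jar.size(); i++) {
            Cookie old = jar.get(i);
            boolean sameCookie = old.name.equals(c.name)
                    && old.domain.equals(c.domain) && old.path.equals(c.path);
            if (!sameCookie) continue;
            // 6265bis: an insecure origin may not replace an existing Secure cookie.
            if (leaveSecureCookiesAlone && old.secure && !fromSecureOrigin) {
                return false;
            }
            jar.set(i, c);   // RFC 6265 5.3 step 11: same name/domain/path, replace
            return true;
        }
        jar.add(c);
        return true;
    }

    /** Value the browser would send for a request to this domain/path, or null. */
    String valueFor(String name, String domain, String path, boolean secureRequest) {
        for (Cookie c : jar) {
            if (c.name.equals(name) && c.domain.equals(domain) && c.path.equals(path)
                    && (!c.secure || secureRequest)) {
                return c.value;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        for (boolean modern : new boolean[] {false, true}) {
            CookieJarModel jar = new CookieJarModel(modern);
            // Step 2 of the post: the https response sets a Secure JSESSIONID.
            jar.setCookie(new Cookie("JSESSIONID", "A1", "www.domain.com", "/", true), true);
            // Step 3: the http response sets JSESSIONID for any connection.
            boolean accepted = jar.setCookie(
                    new Cookie("JSESSIONID", "B2", "www.domain.com", "/", false), false);
            System.out.println((modern ? "RFC 6265bis" : "RFC 6265")
                    + ": http Set-Cookie accepted=" + accepted
                    + ", JSESSIONID sent on https is now "
                    + jar.valueFor("JSESSIONID", "www.domain.com", "/", true));
        }
    }
}
```

Under the older rule the admin session's value A1 is gone after the http visit and B2 is sent on the next https request, which is the symptom described; under the 6265bis rule the http-set cookie is dropped and A1 survives. The server-side fix that does not depend on the browser is to never issue a second, non-Secure JSESSIONID over http at all: serve the whole session-bearing part of the site over HTTPS, or keep the http side session-less.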
-
Restricting particular session variables being shared
i am using weblogic 10.3.
I have an EAR which has 2 WARs in it, with session sharing enabled in the weblogic-application.xml. I understand that this will make all the variables that are added to the session shared by both WARs, but I want a particular variable added to the session not to be shared by both WARs; it should be accessible only by WAR1.
Please help me
Zeeshan
"Restricting particular session variables being shared"
You can use the 'transient' keyword for this purpose, for example,
    import java.io.Serializable;

    public class Example implements Serializable {
        private String replicate;              // written out when the object is serialized
        private transient String notReplicate; // skipped by serialization
    }
The 'replicate' attribute is replicated when the Example object is put in the session, the 'notReplicate' attribute is not.
-
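As an added example, not code from the thread, the round trip below shows what the transient keyword actually controls: which fields survive the serialize/deserialize copy that session replication and session persistence perform. The field names follow the reply; the values are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added example, not from the thread above: a serialization round trip that
 * shows which fields of a session attribute survive replication/persistence.
 * Field names follow the reply; values are constructed.
 */
public class TransientDemo {
    public static class Example implements Serializable {
        private static final long serialVersionUID = 1L;
        String replicate;
        transient String notReplicate;
        Example(String replicate, String notReplicate) {
            this.replicate = replicate;
            this.notReplicate = notReplicate;
        }
    }

    /**
     * Deep copy through Java serialization, the same mechanism a container
     * uses to ship a session attribute to another server or to disk.
     */
    public static Example copyBySerialization(Example in)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(in);
        }
        try (ObjectInputStream oin =
                     new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (Example) oin.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Example original = new Example("cart-id-42", "db-password");
        Example replica = copyBySerialization(original);
        System.out.println("replica.replicate    = " + replica.replicate);
        System.out.println("replica.notReplicate = " + replica.notReplicate);
        // Same JVM, same object reference: transient changes nothing here.
        Example sharedByReference = original;
        System.out.println("shared.notReplicate  = " + sharedByReference.notReplicate);
    }
}
```

After the round trip notReplicate comes back null while replicate is intact; the reference copy still holds both. That is the limit of the technique: transient governs only the serialized copy, so another web app reading the live session object in the same JVM still sees the field. The same serialization path is also the one a replication or persistence store feeds back into the server, so that store must be as trusted as the server itself.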
Portal session not being terminated. browser "unload" event
This line of code is in the portallauncher.default and eventually causes the problem:
EPCM.subscribeEvent("urn:com.sapportals.portal:browser", "unload", releaseProducerSessions);
releaseProducerSessions eventually calls a portal component
WSRPSessionRelease.. which is causing the problem.
When we upgraded from EP 6.0 to NW 2004, users started receiving the NetWeaver Login Screen when they logged out and logged back in, in the same browser. We think this error occurs because NW 2004 implements Web Services Remote Portal functionality.
We are using SiteMinder as a third party session management tool.
What we found was that the SiteMinder session was being killed but the Portal session was not. Therefore, when users logged back in they would see the generic NetWeaver Login Screen, and they could actually just hit "enter" and continue to the portal.
In a successful logoff, users clicked the logoff button, the DSM terminator was called, thus killing the portal session, then a form was submitted redirecting the users to the SiteMinder logoff page, which logs the users off SiteMinder.
When the logoff failed, we found that after the DSM Terminator was called
and before the page was redirected, a portal component
(WSRPSessionRelease) was called, which in turn RECREATED the portal session. So the user never actually gets logged off from the portal.
We found that the WSRPSessionRelease component is bound to
a "browser" "unload" event when the portallauncher.default component is first loaded. This is the same component that is called when the user clicks the "X" to force close the browser.
The WSRPSessionRelease component is not called before the redirect to the SiteMinder logoff page every time. Sometimes this component is called after the redirect, and we find that this is a successful logoff.
The component is:
irj/servlet/prt/portal/prtroot/com.sap.portal.wsrp.coreconsumer.WSRPSessionRelease
Hello Michael,
The 'log off' issue is a known issue with Portal since EP 6
I had faced a similar issue, and SAP suggests redirecting the 'log off' link to another non-SAP site, like your company intranet site.
This will help the session to break.
There are 1-2 SAP Notes on this as well.
Hope this helps.
Regards,
Ritu -
Portal session not being terminated
When we upgraded from EP 6.0 to NW 2004, users started receiving the NetWeaver Login Screen when they logged out and logged back in, in the same browser. We think this error occurs because NW 2004 implements Web Services Remote Portal functionality.
We are using SiteMinder as a third party session management tool.
What we found was that the SiteMinder session was being killed but the Portal session was not. Therefore, when users logged back in they would see the generic NetWeaver Login Screen, and they could actually just hit "enter" and continue to the portal.
In a successful logoff, users clicked the logoff button, the DSM terminator was called, thus killing the portal session, then a form was submitted redirecting the users to the SiteMinder logoff page, which logs the users off SiteMinder.
When the logoff failed, we found that after the DSM Terminator was called and before the page was redirected, a portal component (WSRPSessionRelease) was called, which in turn recreated the portal session. So the user never actually gets logged off from the portal.
We found that the WSRPSessionRelease component is bound to a "browser" "unload" event when the portallauncher.default component is first loaded. This is the same component that is called when the user clicks the "X" to force close the browser.
The WSRPSessionRelease component is not called before the redirect to the SiteMinder logoff page every time. Sometimes this component is called after the redirect, and we find that this is a successful logoff.
The component is:
irj/servlet/prt/portal/prtroot/com.sap.portal.wsrp.coreconsumer.WSRPSessionRelease
Hi Michael, we are facing the same error. Have you found a solution?
Thanks in advance and best regards
-
Session is being torn down. Reason: User Requested
Hi,
I have an issue with a site-to-site VPN using IPsec.
I have several tunnels all configured the same and this is the only one with the issue. It looks like the VPN is dropped when the remote peer pings the internal IP (172.16.30.88). The tunnel drops after 7 - 8 secs.
I got this message when enabling isakmp debug:
Nov 04 17:20:32 [IKEv1]Group = 2XX.YY.140.135, IP = XX.YY.140.135, Session is being torn down. Reason: User Requested
I would really appreciate some advice about how to troubleshoot this issue, as I am new to ASA.
Here are some more logs :
Thanks in advance !
5|Nov 04 2013|16:53:19|713904|||||IP = XX.YY.140.135, Received encrypted packet with no matching SA, dropping
4|Nov 04 2013|16:53:19|113019|||||Group = XX.YY.140.135, Username = XX.YY.140.135, IP = XX.YY.140.135, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:10s, Bytes xmt: 608, Bytes rcv: 128, Reason: User Requested
5|Nov 04 2013|16:53:19|713259|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Session is being torn down. Reason: User Requested
6|Nov 04 2013|16:53:19|302020|172.16.10.19|0|172.16.10.254|0|Built inbound ICMP connection for faddr 172.16.10.19/0 gaddr 172.16.10.254/0 laddr 172.16.10.254/0
6|Nov 04 2013|16:53:19|602304|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x0864D3AB) between XX.YY.140.135 and 202.171.68.14 (user= XX.YY.140.135) has been deleted.
6|Nov 04 2013|16:53:19|602304|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x94F43112) between 202.171.68.14 and XX.YY.140.135 (user= XX.YY.140.135) has been deleted.
5|Nov 04 2013|16:53:18|713050|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Connection terminated for peer XX.YY.140.135. Reason: Peer Terminate Remote Proxy 192.168.0.0, Local Proxy 172.16.30.88
6|Nov 04 2013|16:53:18|302020|172.16.30.88|0|192.168.0.1|26299|Built outbound ICMP connection for faddr 192.168.0.1/26299 gaddr 172.16.30.88/0 laddr 172.16.30.88/0
6|Nov 04 2013|16:53:18|302020|192.168.0.1|26299|172.16.30.88|0|Built inbound ICMP connection for faddr 192.168.0.1/26299 gaddr 172.16.30.88/0 laddr 172.16.30.88/0
5|Nov 04 2013|16:53:08|713120|||||Group = XX.YY.140.135, IP = XX.YY.140.135, PHASE 2 COMPLETED (msgid=f141e93e)
6|Nov 04 2013|16:53:08|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x0864D3AB) between 202.171.68.14 and XX.YY.140.135 (user= XX.YY.140.135) has been created.
6|Nov 04 2013|16:53:08|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x94F43112) between 202.171.68.14 and XX.YY.140.135 (user= XX.YY.140.135) has been created.
5|Nov 04 2013|16:53:08|713049|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Security negotiation complete for LAN-to-LAN Group (XX.YY.140.135) Responder, Inbound SPI = 0x0864d3ab, Outbound SPI = 0x94f43112
5|Nov 04 2013|16:53:08|713119|||||Group = XX.YY.140.135, IP = XX.YY.140.135, PHASE 1 COMPLETED
6|Nov 04 2013|16:53:08|113009|||||AAA retrieved default group policy (CLT_TEASOA_L2L_GroupPolicy) for user = XX.YY.140.135
6|Nov 04 2013|16:53:08|713172|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Hi Florian
Is the tunnel coming UP?
If so, and after a little while it goes down, sometimes this could be related to session timeout issues.
Try to configure an SLA with infinite ping and see if this works.
    sla monitor 1
     type echo protocol ipIcmpEcho sla_monitor_address interface outside_interface
     frequency 5
    exit
    sla monitor schedule 1 life forever start-time now
-
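The class below is an added example, not part of the thread: a small triage pass over the ASA syslog lines quoted in the post, restoring time order (the post lists newest first) and pulling out the tunnel's lifetime and the first message that states a cause. "Reason: User Requested" in 113019 and 713259 is how the ASA reports an SA it has deleted on request; the 713050 line logged one second earlier carries what triggered it. The log lines are copied from the post; the field layout assumed here (pipe-separated, message id in the fourth field, text last) is what those lines show, not an official format specification.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example, not part of the thread above. Triage over the ASA log lines
 * quoted in the post; the pipe-separated layout is inferred from those lines.
 */
public class AsaTunnelTriage {
    static final String[] LOG = {
        "5|Nov 04 2013|16:53:19|713904|||||IP = XX.YY.140.135, Received encrypted packet with no matching SA, dropping",
        "4|Nov 04 2013|16:53:19|113019|||||Group = XX.YY.140.135, Username = XX.YY.140.135, IP = XX.YY.140.135, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:10s, Bytes xmt: 608, Bytes rcv: 128, Reason: User Requested",
        "5|Nov 04 2013|16:53:19|713259|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Session is being torn down. Reason: User Requested",
        "5|Nov 04 2013|16:53:18|713050|||||Group = XX.YY.140.135, IP = XX.YY.140.135, Connection terminated for peer XX.YY.140.135. Reason: Peer Terminate Remote Proxy 192.168.0.0, Local Proxy 172.16.30.88",
        "5|Nov 04 2013|16:53:08|713120|||||Group = XX.YY.140.135, IP = XX.YY.140.135, PHASE 2 COMPLETED (msgid=f141e93e)",
        "5|Nov 04 2013|16:53:08|713119|||||Group = XX.YY.140.135, IP = XX.YY.140.135, PHASE 1 COMPLETED",
    };

    static final class Event {
        final String time, id, text;
        Event(String time, String id, String text) {
            this.time = time; this.id = id; this.text = text;
        }
    }

    /** Split the pipe-delimited lines and order them oldest first. */
    static List<Event> parse(String[] lines) {
        List<Event> events = new ArrayList<>();
        for (String line : lines) {
            String[] f = line.split("\\|", -1);
            if (f.length < 9) continue;              // not one of the 9-field lines seen here
            events.add(new Event(f[2], f[3], f[8]));
        }
        // HH:MM:SS sorts correctly as text within a single day.
        events.sort(Comparator.comparing((Event e) -> e.time));
        return events;
    }

    /** Pull "Label: value" out of the message text; toEnd keeps commas in the value. */
    static String field(String text, String label, boolean toEnd) {
        Pattern p = Pattern.compile(label + ":\\s*(" + (toEnd ? ".+" : "[^,]+") + ")");
        Matcher m = p.matcher(text);
        return m.find() ? m.group(1).trim() : null;
    }

    /** One-line verdict: when the tunnel came up, when it fell, and the first stated cause. */
    static String triage(List<Event> events) {
        String up = null, cause = null, causeTime = null, duration = null;
        for (Event e : events) {
            if (up == null && e.id.equals("713120")) up = e.time;   // phase 2 done: SAs usable
            if (cause == null && e.id.equals("713050")) {           // first line with a real cause
                cause = field(e.text, "Reason", true);
                causeTime = e.time;
            }
            if (e.id.equals("113019")) duration = field(e.text, "Duration", false);
        }
        if (up == null) return "tunnel never completed phase 2 in this window";
        if (cause == null) return "tunnel up at " + up + ", no termination cause logged";
        return "tunnel up at " + up + ", terminated at " + causeTime
                + " (duration " + duration + "): " + cause;
    }

    public static void main(String[] args) {
        System.out.println(triage(parse(LOG)));
    }
}
```

With the order restored the sequence is: both phases complete at 16:53:08, the ICMP from 192.168.0.1 to 172.16.30.88 arrives at 16:53:18, and in that same second 713050 records the peer's delete for the proxy pair 192.168.0.0 / 172.16.30.88; the "User Requested" lines a second later are the local bookkeeping for that delete. The check that follows is to compare that proxy pair with the crypto ACL on each end, since the ASA reports a host on the local side and a network on the remote side and both peers must agree on the same pair. The SLA monitor in the reply keeps interesting traffic flowing, but it does not change what the peer is willing to accept.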
I've had my ipod shuffle (2nd generation) for a long time now and after a year and a bit of not being in use it doesn't work. When I connect it to the computer it doesn't come up. Can my ipod be charged or fixed? Please help!
That is about normal. You can maximize battery life by changing some settings. See:
Apple - Batteries - iPod
Apple will exchange your iPod for a refurbished one with a new battery for $79. They do not fix yours.
Apple - iPod Repair price
A third-party place like the following will replace your battery for less. Google for more.
iPhone Repair, Service & Parts: iPod Touch, iPad, MacBook Pro Screens
Replace the battery yourself if you are up to it. You can purchase a replacement for about $10.
iPod Touch Repair – iFixit -
Windows Server 2008 R2, Windows 7 workstations, the appdata folder is redirected to a network share at \\server\profiles and several users are unable to use bookmarks getting an error about the file being in use. I'm wondering if maybe my antivirus (Trend Micro) or my backups (Symantec) might be locking up the places.sqlite for these users? Though I don't understand why it would be for some users and not others. I can't be the first one and I'm not coming up with anything searching google endlessly. Anybody else run into this?
hello, yes this is likely caused by an external program locking access to the bookmarks/history database. you could try renaming the file in question & see if it is working when it is regenerated, this will clear bookmarks and the history though, so keep a backup...
[[Fix "The bookmarks and history system will not be functional" error message]]
http://kb.mozillazine.org/Bookmarks_history_and_toolbar_buttons_not_working_-_Firefox -
I have an email account causes the machine to hang up after being in use for a day. It only occurs on my Macbook Pro and only one particular account. The problem account works fine on my iMac and Windows Machines. I have been to the local Genius bar and through trial and error we have determined that Mail is working ok but somehow the account is causing the problem. I have used this account for years. Any ideas what is causing this?
No idea why, but one thing you may try if you have the time, is create a new user, and set up the problem mail account in the new user space. See if it causes your MBP to hang as well. That will tell you if it is something wrong with your main User, or something wrong with MBP.
Assuming this works, I'd nuke the problem account in your main user space, restart, and reinitiate the account and see if that helps.
Depending on how many email accounts you have set up, it may be necessary to nuke the whole Mail folder in your User/Library.... Hard way to get it to work, but just my idea. -
When using Airplay, the display on my tv isn't being fully used (its not taking up the full widescreen tv display). How do I fix that issue?
Intermittent issues will point to a local network/wifi issue.
Reboot ATV and router, make sure both are up to date
Try ethernet
The home sharing connection will cut out if the iMac goes to sleep. -
How to check if "create session" is being audited in the aud$
Specifically, how do I determine if "create session" is being audited? Assume audit_trail=db_extended, audit_sys_operations=true and audit_file_dest has been set. Please explain specifically how to check if "create session" is being audited. Thanks
SQL> connect test/test
Connected.
SQL> connect / as sysdba
Connected.
SQL> select username, action_name, to_char(timestamp,'DD/MON HH24:MI') from dba_audit_trail where action_name like 'LOG%';
USERNAME ACTION_NAME TO_CHAR(TIMESTAMP,'DD/MONHH24
TEST LOGON 10/JANV. 19:32
TEST LOGOFF 10/JANV. 19:32
SQL> select to_char(sysdate,'DD/MON HH24:MI') from dual;
TO_CHAR(SYSDATE,'DD/MONHH24:M
10/JANV. 19:33 -
How to create session and end the session in atg without using ootb
Can anyone send the code for creating a session (login) and ending a session (logout) in ATG without using OOTB?
Thank you!
It is plain simple and is plain old request.getSession(false) and then invalidate the session, but why do you want to do it separately? ATG works behind the scenes to associate a lot of attributes with the session when login happens and then disassociates them when logout happens; the SessionManager component is also helpful in security. Can you state why exactly you would want to do it?
-
Any closer to a solution for apn in personal hotspot being fixed using 7.1
all three =)
http://www.adobe.com/devnet/flashmediaserver/articles/protecting_video_fms.pdf
regards
Leonardo França
Adobe Certified Expert Flex 3 with AIR
Adobe Certified Expert Rich Internet Application Specialist v1.0
Adobe Certified Expert Flash CS3 Professional
Certified Professional Adobe Flex 2 Developer
Adobe Certified Professional Flash MX 2004 Developer
http://www.leonardofranca.com
http://twitter/leofederal
Manager AUGDF - Adobe User Group do Distrito Federal
http://www.augdf.com.br
http://twitter/augdf
sfister wrote:
Hello,
Our scenario is that we have an Adobe ColdFusion8 server running a portal application which will serve up SWF content from a FMS3 installation. We need to protect the SWF content from being a) downloaded to a users local machine and b) being accessed without being logged into the portal application.
Please correct me here if I am wrong - it looks like the combination of RTMPE + SWF Verification are the minimum necessary, but I am confused as to these other practices and which ones to use (or can be used on FMS and not FMIS):
1) Referrer and pageURL check validation
OR
2) IP Address validation
OR
3) White list domains
Any suggestions on the best method to accomplish this using RTMPE + SWF Verification + (1, 2, or 3)?
Thank you,
Steve
-
I have a java application which loads a C++ dll in order to launch VB components.
Recently the VB ActiveX components were upgraded to C# .NET. But some of the ActiveX components referenced within the C# dlls had to be retained as is.
There were issues of the C# components not being launched since the ActiveX components cannot be instantiated in a multi-threaded apartment thread. Java, as far as I know, does not support single-threaded apartments.
So we had to create a new thread in the C++ dll (which acts like the interface between Java and C#) and then the components were launching properly.
Now the issue is that even when the forms are being called using ShowDialog, the modality is lost.
Does anybody know why this happens and a possible solution to the issue?
Hello,
It seems like this issue is similar to this one
ShowDialog call of a windows form is not really modal when called from a java Application.
Since we could not test it directly, I would recommend you try to call it by specifying the owner for that form.
Regards.
Carl