Jsessionid cookie value being reused?

Similar Messages

• WAS4 HttpSession.getId() != JSESSIONID cookie value

  Question: Should the session identifier value assigned to the JSESSIONID cookie by the servlet container be the exact same value returned by calling HttpSession.getId()?
  IBM's WebSphere Application Server (AEs) Version 4.0.x (WAS4) does not return the same value. The session identifier value assigned to the JSESSIONID cookie is 27 characters long, but the value returned by HttpSession.getId() only returns 23 characters. More precisely it is the last 23 characters of the 27 character value assigned to the JSESSIONID cookie.
  WAS4 is supposed to support Sun's Java Servlet Specification Version 2.2. In my opinion, it does not fully 100% support this specification because of what I just stated above.
  I would like to hear the Java Servlet Developer Community's opinion on this. Especially you Java Servlet Specification people and Sun.
  Here is the API documentation for HttpSession.getId().
  ===================================
  getId()
  public java.lang.String getId()
  Returns a string containing the unique identifier assigned to this session. The identifier is assigned by the servlet container and is implementation dependent.
  Returns: a string specifying the identifier assigned to this session
  ===================================
  Full HttpSession API documentation found at: http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSession.html
  Sun's Java Servlet Specification V2.2 documentation:
  ftp://ftp.java.sun.com/pub/servlet/22final-182874/servlet2_2-spec.pdf

  UPDATE: The value of the JSESSIONID cookie is not 27 characters long, its 30 characters long. the lenght of the value returned by HttpSession.getId() is still only 23 characters long. IBM has inserted 4 characters in the front and 3 characters in the back.
  30 != 23

• Unable to recreate JSESSIONID cookie in Internet Explorer

  Hello All,
  (Running  CF Version: 9,0,0,251028,   Windows 2008 Server,  IIS-7)
  I am using the code below to expire the JSESSIONID cookie that is generated by CF because CF does not set the "HTTPOnly" and "Secure" cookie attributes by default when the JSESSIONID is initially created .  I am then recreating the JSESSIONID cookie with the required attributes.
  This works great for all browsers EXCEPT Internet Explorer!
  When the code below runs in Internet Explorer, the JSESSIONID cookie does become expired as it should as seen in the 1st line of the function below.  However, The script after that fails to recreate the JSESSIONID in Internet Explorer.  this is driving me nuts because it works like a charm in ALL other browsers.
  I am aware of the solution which involves setting these attributes in an xml configuration file on the CF server.  However that solution is not an option for me.  I am forced to use the method below to setup my secure/httponly JSESSIONID cookie.  Any ideas would be greatly appreciated!!!
  <cffunction name="OnSessionStart" output="false" access="public" description="I fix the sessionid">  
           <cfcookie name="JSESSIONID" expires="now"/>              
         <cfscript> 
            var.HTTPOnly = "HTTPOnly";
            var.domain = cgi.server_name;       
            var.path = "/";
            var.secure = "Secure;";                         
            var.response = getPageContext().getResponse();              
            var.header = "JSESSIONID" & "=" & session.sessionid & ";domain=." & var.domain & ";path=" & var.path & ";" & var.secure & var.HTTPOnly;
            var.response.setHeader("SET-COOKIE", var.header);             
          </cfscript>       
          <cfreturn />
    </cffunction>

  Below is the responseHeader dump (from IE9).
  Looks the exact same in FireFox and Chrome.  However,  a cfdump of the cookie scope will reveal (JSESSIONID=), nothing, zip, zilch, nada in IE9. Since the JSESSIONID cookie value is empty or null, a login attempt will result in a flash of the screen and the user is never logged in.
  While a cfdump of Firefox and Chrome happily display a valid JSESSIONID cookie value and allow users to login to my application just fine.
  (Note:  The secure attribute is intentionally turned off due to my non-ssl dev pc.)
  Cache-Control
  no-cache, no-store, must-revalidate
  Connection
  close
  Content-Type
  text/html; charset=UTF-8
  Date
  Sat, 10 Sep 2011 19:35:08 GMT
  Explanation
  OK
  Http_Version
  HTTP/1.0
  SET-COOKIE
  struct
  1
  JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;domain=.localhost;path=/;HTTPOnly
  2
  JSESSIONID=843032102a51ca7bfa0f60831221c8642e45;path=/
  3
  JSESSIONID=;expires=Fri, 10-Sep-2010 19:35:08 GMT;path=/
  Server
  JRun Web Server
  Status_Code
  200
  X-Frame-Options
  deny
  X-XSS-Protection
  1; mode=block
  expires
  {ts '2011-09-10 15:35:08'}
  pragma
  no-cache
  Thanks for the help!
  Neil

• No JSESSIONID cookie found in log-in response

  The below code keeps throwing the "No JSESSIONID cookie found in log-in response"
  Public Sub Establish()
  If Not sessionId Is Nothing Then
  Destroy()
  End If
  CheckUsernamePassword()
  Dim req As HttpWebRequest
  req = WebRequest.Create(GetLogInURL())
  req.Headers.Add("UserName", username)
  req.Headers.Add("Password", password)
  req.CookieContainer = New CookieContainer
  Dim resp As HttpWebResponse
  resp = req.GetResponse()
  If resp.StatusCode = System.Net.HttpStatusCode.OK Then
  cookie = resp.Cookies("JSESSIONID")
  If cookie Is Nothing Then
  Throw New Exception("No JSESSIONID cookie found in log-in response!")
  End If
  sessionId = cookie.Value
  End If
  End Sub
  Any help on what I can do for this would be appreciated. Thanks.

  Hi,
  a VB Class for managing Session..
  __________________________________________ START OF FILE __________________________________________
  Imports System
  Imports System.Net
  Imports System.Web.Services.Protocols
  Public Class Session
  Public protocol As String = "https"
  Public server As String
  Public port As String = "443"
  Public username As String
  Public password As String
  Public sessionId As String = Nothing
  Public cookie As cookie
  Public Sub Establish()
  If Not sessionId Is Nothing Then
  Destroy()
  End If
  'Check that username and password have been specified
  CheckUsernamePassword()
  ' create a container for an HTTP request
  Dim req As HttpWebRequest
  req = WebRequest.Create(GetLogInURL())
  'username and password are passed as HTTP headers
  req.Headers.Add("UserName", username)
  req.Headers.Add("Password", password)
  'req.Headers.Add("Proxy", "proxy")
  'req.Headers.Add("Port", "80")
  ' cookie container has to be added to request in order to
  ' retrieve the cookie from the response.
  req.CookieContainer = New CookieContainer
  ' make the HTTP call
  Dim resp As HttpWebResponse
  resp = req.GetResponse()
  If resp.StatusCode = System.Net.HttpStatusCode.OK Then
  'store cookie for later...
  cookie = resp.Cookies("JSESSIONID")
  If cookie Is Nothing Then
  Throw New Exception("No JSESSIONID cookie found in log-in response!")
  End If
  sessionId = cookie.Value
  End If
  End Sub
  Public Sub Destroy()
  ' create a container for an HTTP request
  Dim req As HttpWebRequest
  req = WebRequest.Create(GetLogOffURL())
  ' reuse the cookie that was received at Login
  req.CookieContainer = New CookieContainer
  req.CookieContainer.Add(cookie)
  ' make the HTTP call
  Dim resp As HttpWebResponse
  resp = req.GetResponse()
  If resp.StatusCode <> System.Net.HttpStatusCode.OK Then
  Throw New Exception("Logging off failed!")
  End If
  ' forget current session id
  sessionId = Nothing
  End Sub
  Public Function GetURL() As String
  If sessionId Is Nothing Then
  Throw New Exception("No session has been established!")
  End If
  CheckServerPort()
  Return protocol + "://" + server + "/Services/Integration;jsessionid=" + sessionId
  End Function
  Public Function GetURL(ByVal obj As String) As String
  If sessionId Is Nothing Then
  Throw New Exception("No session has been established!")
  End If
  CheckServerPort()
  Return protocol + "://" + server + ":" + port + "/Services/Integration/" + obj
  End Function
  Private Function GetLogInURL() As String
  CheckServerPort()
  Return protocol + "://" + server + "/Services/Integration?command=login"
  End Function
  Private Function GetLogOffURL() As String
  CheckServerPort()
  Return protocol + "://" + server + "/Services/Integration?command=logoff"
  End Function
  Private Sub CheckServerPort()
  If server Is Nothing Then
  Throw New Exception("Server not specified!")
  End If
  If port Is Nothing Then
  Throw New Exception("Port not specified!")
  End If
  End Sub
  Private Sub CheckUsernamePassword()
  If username Is Nothing Then
  Throw New Exception("Username not specified!")
  End If
  If password Is Nothing Then
  Throw New Exception("Password not specified!")
  End If
  End Sub
  End Class
  __________________________________________ START OF FILE __________________________________________
  Regards,
  Gerald

• How to set cookie value in one page and retrieve in another page using setA

  How to set cookie value in one page and retrieve in another page using setActionListener?
  I have tried with following code srcpage.jspx->destpage.jspx
  srcpage.jspx
  <af:table value="#{bindings.DepartmentsView1.collectionModel}"
  var="emp" rows="#{bindings.EMPView1.rangeSize}"
  first="#{bindings.EMPView1.rangeStart}"
  emptyText="#{bindings.DepartmentsView1.viewable ? 'No rows yet.' : 'Access Denied.'}">
  <af:column sortProperty="EmployeeName" sortable="false"
  headerText="Cookie Testing">
  <af:commandLink text="#{emp.EmployeeName}" action="success">
  <af:setActionListener from="#{emp.EmployeeName}"
  to="#{cookie}"/>
  </af:commandLink>
  </af:column>
  </af:table>
  espage.jspx
  <af:outputText value="Test Cookie Value: #{cookie}"/>
  ,Here Test Cookie Value prints the following instead of its original String value
  {JSESSIONID=javax.servlet.http.Cookie@7da288, oracle.uix=javax.servlet.http.Cookie@399f62}
  I have passed employee name "Robert" to cookie in srcpage.jspx,but it prints "JSESSIONID....." instead of "Robert" in destpage.jspx
  Thanks in advance
  Kalee

  Hi,
  "cookie" is a reserved name. If you want to write to a session scope attribute called "cookie" then you have to call #{sessionScope.cookie}. If you want to use EL to set and read from cookies then you will have to use
  #{cookie.cookieName}
  Note that #{cookie} writes to and returns a map
  check this: http://www.informit.com/articles/article.aspx?p=30946&seqNum=7
  Frank

• My site changes cookie to store user options; worked in v3 but broke in v5/6. How do I change cookie value now?

  Some 8 months ago, I started saving user options in my cookie; as user changed options, my php code change the cookie value. I work normally with Camino, but verify with Firefox (V. 3). An associate with a newer MacBook Pro, with Firefox V. 5, tried my site and reported that the option change 'did not take'. I tried using my V.3, and everything worked. Realizing that I should be on V. 6, I upgraded today, and myself verified that the 'new' cookie value is NOT being saved. Rather, a second cookie is being created but with WITH NO VALUE. Result: old cookie has old option value; new cookie has no value. I tried also with Safari, and got this same result. So, there must be a way to update a cookie value, just unknown to me. Please advise as to new/proper header(s) to send from my server to change cookie value.

  Make sure that the cookies are created for the proper path.
  A good place to ask questions and advice about web development is at the mozillaZine Web Development/Standards Evangelism forum.<br />
  The helpers at that forum are more knowledgeable about web development issues.<br />
  You need to register at the mozillaZine forum site in order to post at that forum.
  See http://forums.mozillazine.org/viewforum.php?f=25

• Setting the cookies value

  hi,
  when i do, submiting the page i'm able to set the cookie value.I'm not getting any messages. But the Same time when i call the proceudre with parameters from the URL i'm not able to store the cookie value.
  It display's the message like this and the value is not stored in the cookies
  Content-type: text/html Set-Cookie: emp_no=9999X; path=/;
  my code is :
  owa_util.mime_header('text/html',FALSE);
       owa_cookie.send('emp_no',UPPER(lv_emp_no),null,'/',null,null);
  owa_util.http_header_close;
  How do i solve this problem?
  Thanks

  Hi,
  Here are a couple of things you can try:
  1) remove the following line because it shouldn't be necessary:
  the_cookie.num_vals :=0;2) remove the following line because the owa_cookie.send will automatically replace any existing cookie:
       owa_cookie.remove('emp_no',the_cookie.vals(1),null);3) try capturing the cookie value in a local variable and printing it (after htp.body, of course) to see if it is working correctly.
  4) enable the browser to prompt you when a cookie is being set so that you can verify whether it is being set or not.
  HTH,
  Ashesh Parekh
  Oracle9iAS Product Management
  hi,
  Something like this...
  Code
  PROCEDURE checkLogin ( emp_no in varchar2 default NULL) IS
       pv_check_f      BOOLEAN ;
  the_cookie      owa_cookie.cookie;
  BEGIN
  pv_check_f := FUN_EMP_PASSWORD(UPPER(emp_no) ) ;
  IF NOT pv_check_f THEN
       v_msg := 'Sorry Log on denied';
       RAISE EMP_ERROR;
       END IF ;
  the_cookie.num_vals :=0;
  the_cookie:= owa_cookie.get('emp_no');
  if the_cookie.num_vals= 0 then
            owa_util.mime_header('text/html',FALSE);
            owa_cookie.send('emp_no',UPPER(emp_no),null,'/',null,null);
            owa_util.http_header_close;
       else     
            owa_util.mime_header('text/html',FALSE);
       owa_cookie.remove('emp_no',the_cookie.vals(1),null);
            owa_cookie.send('emp_no',UPPER(emp_no),null,'/',null,null);
  owa_util.http_header_close;
  end if;
  htp.p('<script language="javascript">
  window.location="http://www...URL";
  </script>');
       htp.formclose;
  EXCEPTION
       WHEN EMP_ERROR THEN
       Pageheader;
  Procedurename.Banner('Login denied');
  htp.fontOpen('red','Arial Narrow');
  htp.header(3,lv_msg);
  loginagain;
  htp.fontClose;
  htp.centeropen;
       htp.br;
       htp.p('<INPUT type="button" value="Back" onClick="history.back()">');
       htp.br;
       htp.centerclose;
  pagefooter;
  END checkLogin;
  calling the Procedure "checklogin" with the parameter emp_no from the URL like this
  "http://....:8810/dir/Packname.checkLogin?emp_no=9ABCDS".
  Waiting for ur replay.
  Thanks.

• Static cookie Value

  Can anybody telle me the purpose of the number (56) in the following statement:
  56 static cookie-value "R355972695" rserver HQCHECOM01

  Hi Regent,
  It does seem to be the line number but it increase by 8 for every entry. Couldn't find anything else for that number.
  switch/Admin(config-sticky-cookie)# do sh running-config sticky test
  Generating configuration....
  sticky http-cookie jsessionid test
    8 static cookie-value "R1" rserver r1
    16 static cookie-value "R2" rserver r2
    24 static cookie-value "R3" rserver r3
    32 static cookie-value "R4" rserver r4
    40 static cookie-value "R5" rserver r5
    48 static cookie-value "R6" rserver r6
    56 static cookie-value "R7" rserver r7
  Regards,
  Kanwal

• Share JSESSIONID cookie between 2 contexts

  Hi all,
  I am trying to share the JSESSIONID cookie between 2 contexts on the same virtual server.
  www.evador.ca/a and www.evador.ca/b
  I tried to put the following in my sun-web.xml:
  <session-config>
  <cookie-properties>
  <property name="cookieDomain" value=".evador.ca";>
  <description>The domain for which the cookie is valid.</description>
  </property>
  <property name="cookiePath" value="/" />
  </cookie-properties>
  </session-config>
  With Firefox I can look at the cookies created. There is only one JSESSIONID with path / and domain .evador.ca. But even with these encouraging info I cannot see the cookie in both contexts...
  I have an another cookie for localization purposes (That I create my self) called lang and believe it or not this works:
  langCookie.setMaxAge(Integer.MAX_VALUE);
  langCookie.setPath("/");
  langCookie.setDomain(domainName);
  response.addCookie(langCookie);
  What am I doing wrong?
  Thank you,
  Luc
  Edited by: lucbard on Dec 7, 2007 2:55 PM

  Servlet specification mentions:
  SRV.7.3 Session Scope
  HttpSession objects must be scoped at the application (or servlet context) level.
  The underlying mechanism, such as the cookie used to establish the session, can be
  the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.
  You cannot share a cookie between 2 contexts.

• Change JSESSIONID Cookie Name

  Can anyone provide a means for changing the JSESSIONID cookie name in IWS 6 to something else?
  I can not locate a mechanism for doing this anywhere.

  Thankyou Sultal for the response.
  Actually we are migrating the application server from Weblogic5.1 to Sun application server 8.2. The client is a mobile client and it sends the Cookie as 'JSESSIONID=session_id_val&WeblogicSession=session_id_val' as parameters, not as request header.It worked fine for Weblogic5.1 but not in Sun Application Server.
  To make it clear :
  Weblogic           :     request.getsession(false) = sessionObj@value
  Sun Application Server      :     request.getsession(false) = null
  Sun Application Server      :     request.getParameter("JSESSIONID") = session_id_val
  In the Weblogic5.1 we have set the cookie & session parameters in the weblogic.properties file as:
  weblogic.httpd.session.cookies.enable=true
  weblogic.httpd.session.cookie.name=WebLogicSession
  weblogic.httpd.session.neverReadPostData=false
  weblogic.httpd.session.timeoutSecs=120
  In case of Sun application server , JSESSIONID is not coming as a cookie , request.getsession(false) is returning null value.Is there a way to initialize the session with JSESSIONID request parameter?

• Proving prepared statements are being reused

  How can I prove that a prepared statement from a JDBC driver is being reused / pooled ?
  What essentially I want to do is to have prepared statements reused to reduce hard parsing ... but I also need to prove that the statements are being reused. If I query the statement in V$SQLAREA, the column PARSE_CALLS does not seem to be distinguish between hard parse and soft parse:
  http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96536/ch3204.htm#1126299
  I am only interested for now in proving the just ONE statement is being reused ... which mean that the number of hard parses is very low compared to the number of soft parses for that ONE statement.
  Regards,
  jms
  Message was edited by:
  jms

  Hi,
  No, parse calls is all soft and hard parse together. What you would see, if used absolutely correctly, would be 1 hard parse per session and many executions.
  But since v$sql is obviously not linked to v$session other than at the time of exection, you see the aggregated parse calls and executions for each cursor. So what you should see is parse calls go up relatively slowly to the number of exections.
  However, you can see soft and hard parses using the v$sesstat and v$statname views so you can see soft and hard parses on a session by session basis, be these are again aggregated, so you can't see soft / hard counts per cursor, only the total for a session.
  What I see a lot of the time is they don't get it quite right, so hard parses is low but soft parses are high, so they are still parsing when they don't need to, but at least they are binding and using shareable SQL, which is a step in the right direction.
  When I say 'they', it is a generic reference to all Java/.Nyet programmers writing front end code where they just don't 'get' parsing and binding because it's just too complicated and hey, SQL Server isn't like this...!
  HTH
  Chris

• Disable jsessionid cookie in obiee 11g

  Hi All,
  How to disable creation of "jsessionid" cookie in a web browser.
  is something we can do from weblogic side? Appreciate our help.
  Thanks
  Ram

  Hi All,
  How to disable creation of "jsessionid" cookie in a web browser.
  is something we can do from weblogic side? Appreciate our help.
  Thanks
  Ram

• Field Values being changed in the flat file on Application Server

  Hi All,
  I am loading a flat file(.CSV) from Application server. The file has some characteristic fields, for ex: CNUM of type Char, length 20. But it has got the value which is of 10 char length, say XYZ1234XAB. When I load the same fiel from client workstation, the load was successful but when I load it from Application server, the load has failed and the error is Invalid/Hex. characteristics for this record and many such records.
  When I checked the file on the application server the value 'XYZ1234XAB' is being displayed as 'XYZ1234XAB   #' and it is also being loaded with '#'. This is the cause of the error.
  Why is the value being changed on the application server? What can I do to overcome this?
  Thanks,
  RPK.
  Message was edited by:
          RPK

  Hi Ganesh,
  I have already loaded data to my ODS and when activating it is giving error "Value 'XYZ123XABC   #' (hex. '123456....') of characteristic CNUM contains invalid chara".
  I also have some lower case char in some of the records for the same field. The file is huge and cannot change the file, infact I have many such files. Is there any other way to overcome this?
  Thanks,
  RPK

• Create the JSESSIONID cookie with the secure flag

  Hello,
  I wonder if it is possible, through UCM or Weblogic configurations, to automatically create the JSESSIONID cookie used when a user is logged on with the secure flag?
  I have not found any parameters so far that could allow this.
  Thanks in advance!

  We have public Websites running on UCM/SiteStudio which are only accessible through SSL by visitors. The aim is that every cookies should be secure to be sure that they are not transmitted in plain text to our server.
  We thus would like to find a way to put the secure flag on JSESSIONID to avoid any case of session hijacking.
  Thanks.
  Edited by: Leo-G on 17 juil. 2012 23:57

• Double Quotes In LOV Return Value Being Replaced With &qu ot; By APEX 4

  My company recently upgraded our development and test boxes to APEX 4.0.2, which we have been wanting for a while now. We discovered that since the upgrade some of our checkboxes and radio groups no longer work as expected. What I mean by this is that the return values being checked for were not correct, and on several occasions we received PL/SQL errors related to numeric to character conversion issues.
  After debugging some it turns out that we have the following LOV query for one of our Checkboxes:
  select
  statement d,
  stmt_id || '" title="&P20_FORM_STMT. ' || statement || '.' r
  from
  stmts
  The return value for the LOV is setup so that it would return a 508 compliant checkbox. We were told we needed a title for each value of a checkbox or radio group to be 508 compliant. These titles must also be relevant to the selection being made, hence the substitution string being used in the return value.
  What I discovered in all of this is that APEX 3.2 did not convert the double quotes in our return value to &qu ot;, but APEX 4.0.2 does. This causes the value of any given checkbox or radio group to look like the following:
  value="1&qu ot; title=&qu ot;This is the statement that I have made."
  And what we are looking for, and what APEX used to do is this:
  value="1" title="This is the statement that I have made."
  Does anyone know a way to prevent APEX from converting the double quotes to &qu ot;, or is there a way to insert an element attribute for each checkbox or radio group value that contains a substitution string?
  Thanks in advance!
  Pastey

  ryansun wrote:
  4.2.1
  Hi,
  I have a classic report, which has a count column that is hyperlinked. using the standard apex column hyperlink option. In that we have the option of passing values. I noticed that when I am passing a value which has "/" in it, it replaces the / with & #x2F;
  I have created a application item which I am populating with the report column.
  Because of which I cannot use that value in the report query.
  Any suggestions?Yes. Don't pass string values in URLs. Especially where it is possible for these strings to contain URI reserved or APEX sensitive characters. This might work for a while but your application can be broken months from now by users including a "&" or ":" in data that gets passed as a URL parameter. Whilst it is possible to escape strings to make them URL- and APEX parameter-safe, it is much better practice to avoid the problem altogether.
  Exposing data in the URL may also introduce security vulnerabilities. Also note that the maximum length of a URL in Microsoft Internet Explorer is about 2KB, which can easily be exceeded by throwing a few string values at it.
  Only use discrete alphanumeric key values as URL parameters. In target pages/regions, use these key values to retrieve the required data using item source attributes and processes.