Maintaining Session, NO Cookies

Hello:
Environment: Apache/9iAS, Oracle DB, Unix OS.
Issue: Maintain user session when Cookies are NOT allowed.
What are the options to maintain a session on a load balancing (Apache, multiple web servers) environment and client side cookies are not allowed?
Please address security, not losing sessions in your suggestions.

repost

Similar Messages

  • Please help me-it's urgent,maintaining session and security using cookies.

    hi folks,
    I am presently developing a web site for an engineering college. I am facing a problem in maintaining the session using cookies, destroying a cookie, and keeping security for the user. There are four links on my webpage, including a logout link. When I click the links other than logout, it works perfectly, but when I click the logout link, I am not able to disable the cookie and am still able to visit previous pages by clicking the back button. Please give a suggestion on how to disable the cookie and maintain the security of my web site.
    Thank u....

    Try out this login if it helps you.
    Create a bean that stores some String value. Then make an object of this bean using the useBean tag with session scope when a user logs in. Store the name of the user in the bean and also set the same name value in the Session object. Then on every JSP page compare the value set in the session object with the bean variable (which will have session scope). If the values match, then the JSP page output must be displayed to the user. Then on the logout link, invalidate the session object using the invalidate() method of the session class. As a result, when you try to navigate back to the old JSP page, null will be returned when you try to retrieve the name value from the session object. And since this null will not match the value in the bean, you should not proceed further with generating the output. Hope this helps
    Nirav ([email protected])

  • Maintaining session both with cookies and jservsessionid

    Can the same session be maintained both with cookies and jservsessionid?
    If not, does anybody know how to link a request without cookie to an existing session? Can that be achieved by means of just the sessionid?
    Thanks,
    Modulab

    repost

  • Maintaining Session State

    Hello,
    Does anyone know how to maintain session and application variables through server restarts? I want to be able to shutdown and startup my Tomcat server without having the users lose their session and application variables (and consequently, their data and login state).
    Any ideas?
    Thanks!
    -David

    I don't think it's possible since stopping and restarting gets new sessions. The only way that I know of would be to use cookies.
    But then again I don't like the idea of saving passwords in cookies

  • Sticky session without cookie is broken

    Hi,
    I need help from you guys to confirm this is something not supported by newer version of Coldfusion any more.
    Background:
    This is for a mobile on-deck site of a carrier in Australia. The carrier appends a unique ID (a 10 digit number) by HTTP header to each handset’s HTTP request to the Coldfusion server. Our Coldfusion code saved this ID in a variable called request.uid. Considering that not all handsets support cookies, we turned off client cookies and instead use the following code to tell the Coldfusion server that a CFID and CFTOKEN have been passed to it in the query string. No CFID and CFTOKEN were actually passed in the query string. We just used our code to pretend a CFID and CFTOKEN were passed (the actual value was not set by the Coldfusion server but externally by our code). This code had been working for years, which enabled us not to depend on client cookies and CFID/CFTOKEN in the query string to maintain sessions for on-deck mobile sites. However, this code stopped working after we applied a coldfusion hotfix 2 (http://kb2.adobe.com/cps/403/kb403781.html) in September on coldfusion 8.0.1. Every request now starts a new session rather than sticking to the same session.
    <cfset url.cfid = "#request.uid#">
    <cfset url.cftoken = 0>
    <cfapplication name="hww_#request.site_id#" sessionmanagement="Yes"
                    setclientcookies="No" sessiontimeout="0.1" applicationtimeout="0.1">
    Can someone please verify that the above logic is not supported by new versions of Coldfusion anymore?
    Thanks.

    OK that's interesting.  I had found your technique would not work if the value for request.uid was not numeric, but otherwise works fine (on CF 8.0.1).
    My test rig is thus:
    <!--- Application.cfm --->
    <cfset request.uid = "9999999999">
    <cfset request.site_id = "fakeIdToken">
    <cfset url.cfid = "#request.uid#">
    <cfset url.cftoken = 0>
    <cfapplication name="hww_#request.site_id#"
        sessionmanagement="Yes"
        setclientcookies="yes"
        sessiontimeout="#createTimeSpan(0,0,20,0)#"
        applicationtimeout="#createTimeSpan(0,2,24,0)#">
    <cfparam name="session.ts" default="#now()#">
    <cfdump var="#url#" label="url">
    <cfdump var="#request#" label="request">
    <cfdump var="#session#" label="session">
    <cfdump var="#CGI#" label="CGI">  
    And then I hit another page in the same dir.
    With any numeric value of request.uid, session.ts sticks.  For non-numerics, it's ignored and CF creates its own CFID/CFTOKEN.
    Are you sure about your UID values?
    Adam

  • Cisco ace Load balancer not maintaining session persistence

    Hi All,
    We have observed from the IIS logs on the internal webservers that the load balancer is not maintaining session persistence for two specific requests for the internal servers.
    https://123.xyz.com/Webresource.axd
    https://123.xyz.com/ScriptResource.axd
    Error
    Webresource.axd : 500
    Scriptresource.axd: 404
    Session persistence is maintained for all other requests hitting loadbalancer.
    The issue is observed on hits for these two specified components. WebResource.axd and ScriptResource.axd are HTTP handlers used by ASP.NET and Ajax to add client-side scripting to the outgoing web page.
    For e.g /WebResource.axd d=t2GXfySdqWmJ-lZSI0KVbw2&t=634868473645172160 is valid for server 1 and return 200 response but the same request is seen on few other servers where the response is 404 even though load balancer cookie is same. This means that if the request for the both the axd contains a valid decrypter and it connects to the right server then the response seen is 200.
    The URL passed by the user contains d and t parameters which are unique for each user session.
    Solution tried:
    Accessed website via another VIP without http redirect rule but could not see difference.
    Tried to match machine key across all servers : Failed . Could see the ‘d’ value different for each server.
    Load balancer VIP :
    x.x.x.x
    redirect: http > https
    SSL Offload : ON
    Pool:
    WEB1
    WEB2
    WEB3
    WEB4
    WEB5
    All servers listening on port 80
    sticky config:
    sticky http-cookie cookie1 vip-1.1.1.1-80-stickyfarm
      cookie insert browser-expire
      replicate sticky
      serverfarm vip-1.1.1.1_80
    sticky http-cookie cookie1 vip-farm:1.1.1.1:443
      cookie insert browser-expire
      replicate sticky
      serverfarm farm:1.1.1.1:443
    Has anyone else come across similar issue?
    Can you please check if there is any config on Cisco ACE that will ensure that session persistence is maintained for these 2 requests.
    Thank you for all the help.
    regards,
    Sangram

    Hello Sangram,
    We would need simultaneous packet traces before and after the ACE to get to the root cause of this issue, so I would recommend that you open a Cisco TAC case for more in-depth troubleshooting of this issue.
    Joel Lamousnery
    CCIE R&S - 36768
    Engineer, Customer Support
    Technical Services

  • Maintain session in JSP frame

    Hi,
    I am having trouble in maintaining session in jsp frames. -
    Here is sample code
    parent.jsp
    <HTML>
    <HEAD>
    <LINK rel=stylesheet type="text/css" href="defaults.css">
    <TITLE>abc</TITLE>
    <%     
         String checkAmount = "100.00";
         session.setAttribute("checkAmount", checkAmount);
         System.out.println("checkAmount in ppmain"+session.getAttribute("checkAmount"));
    %>
    </HEAD>
    <FRAMESET rows="235,*" frameborder="no" >     
    <FRAME NAME="pptop" SRC="top.jsp" frameborder=0 scrolling=no noresize >
    <FRAME NAME="ppbottom" SRC="bottom.jsp" frameborder=0 scrolling=no marginwidth=0 marginheight=0 noresize>
    </FRAMESET>
    </HTML>
    top.jsp -
    <HTML>
    <HEAD>
    <LINK rel=stylesheet type="text/css" href="defaults.css">
    <TITLE>top</TITLE>
    <%     
    System.out.println("session in top "+session);
    System.out.println("checkAmount in top "+session.getAttribute("checkAmount"));
    %>
    </HEAD>
    </HTML>
    It is not able to retain the session in top.jsp (in the SOP for session I get a different session ID in parent.jsp and top.jsp).
    This works well locally, but when it gets deployed to the WAS6 server the trouble starts.
    Any help is appreciated.
    Thanks

    When you create URLs, you might want to try using JSTL to rewrite them:
    <FRAME NAME="pptop"
           SRC="<c:url value='top.jsp'/>"
           frameborder=0
           scrolling=no
           noresize >
    <FRAME NAME="ppbottom"
           SRC="<c:url value='bottom.jsp'/>"
           frameborder=0
           scrolling=no
           marginwidth=0
           marginheight=0
           noresize>
    Or you can use:
    SRC='<%= response.encodeURL("top.jsp") %>'

  • Regarding maintaining session in flex

    Hello,
    I am developing a flex application which is using jsp for database connectivity. I am using HTTP requests for connecting to the jsp page and passing and retrieving parameters. Now I wanted to ask how I can maintain a session in flex so that I can know which client has logged into the system and on the basis of that can assign privileges to the client. Is it possible in flex and how? Reply needed urgently.
    Thanks in advance.

    Hi a.bhavika,
    There is not specifically any session management in Flex as it runs everything on the client side. If at all you want to maintain it, you can maintain it on the server side. ...And I think for your case you don't need any session management, as at the time of login you can identify which user has logged in to the system and, based on the user logged in, you can load all the privileges of that particular user in the Flex application.
    Check out the links below for your understanding...
    http://www.forta.com/blog/index.cfm/2006/9/24/flex-and-session-state-management
    http://www.assembla.com/wiki/show/romoz/Session_Management_in_Flex
    Thanks,
    Bhasker

  • Maintain session in Multiple soap calls

    Hi Experts,
    We have a requirement which runs 2 synchronous calls.
    1st synchronous call is for validating user credentials and
    2nd synchronous call (for successful log in) for uploading data in R/3 system.
    The main task is to maintain session(ex: time 15 mins) .
    1st synchronous call looks like Mobile Application (soap sender)<--->PI<----->(Soap receiver)Active Directory.
    2nd synchronous call looks like Mobile Application (Soap sender)<--->PI<----->(Proxy)R/3 system.
    can you pls let me know how can I achieve this requirement and
    how to maintain session ID, session (is it in PI or in third party) and from where to maintain session.
    Thanks in Adv..

    I am calling multiple web service apis from my bpel process on the same link. The Web services are written such that I always have to call a "login" api first which creates a context that's maintained throughout the session. Thus subsequent ws calls have to be made in the same session because all the other web service apis require the context to be present.
    You can think of this as a stateful SessionBean (sort of).
    The question is does bpel support this?

  • Setting secure on session management cookie only in production

    I am faced with the following:
    In our development cycle we deliver full application exports to an acceptation environment and after testing to a production environment.
    However, only our production site does HTTPS. Development and acceptation only do HTTP.
    In production we have to set the "secure" flag on the session management cookie.
    We would like to set this flag in our deployment scripts.
    So,
    Is there an API we could use to set the "Secure" flag in the APEX metadata using SQL*Plus?

    hi
    ->Use request.getParameter(String s) to receive the information from the html page into your servlet. For storing session specific info go for
    session.setAttribute(vble, value);
    hope it'll solve your problem.

  • Maintaining Sessions through Multiple Servlets and Contexts

    Hi,
    I have a webapplication that works like this:
    * User connects to a login servlet on HTTPS
    * Users information is authenticated on HTTPS
    * An object is stored in the session for other servlets to validate the users access
    * Authenticated users are forwarded to an HTTP page where the session is used to make sure they were granted access
    My problem is this....Since I create the session in an HTTPS context, when I am in the HTTP context, I am unable to access the session and constantly get NULL. Is there any way that I can access the session from an HTTP context?

    What you can do is, just login using HTTPS and switch over to HTTP
    and then store data in session.

    That is true, but what I want in the session is basically a flag on whether or not the user was granted access. I would much rather set all that up on the secure line, and then just access it from the unsecure ones...

    For example, you are creating session using the
    http://testdev:port/index.jsp page.
    If access the same page(with hostname)
    http://10.300.20.18:8080/index.jsp, you can't get the session even
    though both are same web server and same web application. Because the
    browser treats it different session

    I think if you use my above solution with the explicit passing of the jsessionid, you can move from one domain to another and still maintain session. Not positive on that though...

  • Maintaining session in portal

    Hi,
    I want to maintain the session expire time in the portal for my iViews, both Portal components and Web Dynpro. Where can I set this value?
    Please let me know
    Thanks
    Bobby M

    Hi,
       I'm sorry. Messed it up Go through Web Dynpro application needs to never expire..
    Regards,
    Satyajit.

  • XSQL Session and Cookies

    Hi, Steven,
    I have a question about cookies parameters in include-parameters.
    When set the following in my xsql file:
    <xsql:set-session-param name="current_user" value="{@sessionid}"/>
    <xsql:include-param name="mode"/>
    <xsql:include-request-params/>
    In the xml output, it looks like this.
    <request>
    <parameters>
    </parameters>
    <session/>
    <cookies/>
    </request>
    How come the session and cookies values do not appear in the XML file? However, if I reload the xsql file, the session and cookies values are there. Any idea what might be wrong, or is this how it should be?
    Thanks in advance.
    Julie Zhu

    I'd expect the cookies not to show up until the page request after the one in which they are set. This is correct since setting the cookies is something that's done on the response. Reading the cookies is reading them from the request.
    Regarding the session variables, it's always important to say what Web Servlet / Servlet Engine you're using XSQL with. Perhaps the setting of Servlet session variables behaves differently on different servers.

  • Maintain session

    I have a client side java program running. It is to communicate with a web server using HTTP. How do I maintain a session in my java program on the client machine? I have no access to the web server.
    java.net.URL and java.net.HttpURLConnection are not maintaining the session, though they allow me to transact. It creates a new session for every hit.
    help!!!
    Trijoy
    [email protected]

    Hello Darted,
    I have a small task ahead. My boss hates entering userid and password every time he logs onto a site, which he does 10-15 times a day. Due to session timeouts, he has to repeat the login process.
    The requirement is that, I should have a process running, that will maintain the session throughout the day by hitting the URL every 18 mins or so..(session timeout is of 20 mins), and when he writes the URL the old session is maintained.
    The process is such that it sends data over http to the server. The data is accepted only for the live and valid session. At present we are sending it through a form (post). If the state can be maintained in the java applet, swing or whatever, we will remove the HTML form and will automate the process of form sending.
    I am looking for a mechanism which emulates a browser, i.e. maintain the session till it gets time out or browser is closed.... only I want to avoid using a browser and refreshing it every time and want to implement it thru java so that I can have control over it.
    Thanks
    Trijoy
    PS. Any help in design, source code, suggestion is highly appreciated
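
    For the client-side question above, an added example (not code from either post): installing a `java.net.CookieManager` as the default `CookieHandler` makes `HttpURLConnection` store and return the session cookie. The loopback server, its `JSESSIONID` cookie and the class name are constructed here so the example runs offline (Java 9+).

    ```java
    import com.sun.net.httpserver.HttpServer;
    import java.io.*;
    import java.net.*;
    import java.nio.charset.StandardCharsets;
    import java.util.UUID;

    public class SessionClientDemo {
        // Constructed stand-in for the remote server: issues a session cookie on the
        // first request and echoes back whichever session id the client presents.
        static HttpServer startTestServer() throws IOException {
            HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
            server.createContext("/", exchange -> {
                String cookie = exchange.getRequestHeaders().getFirst("Cookie");
                String sid;
                if (cookie != null && cookie.startsWith("JSESSIONID=")) {
                    sid = cookie.substring("JSESSIONID=".length());
                } else {
                    sid = UUID.randomUUID().toString();
                    exchange.getResponseHeaders().add(
                            "Set-Cookie", "JSESSIONID=" + sid + "; Path=/; HttpOnly");
                }
                byte[] body = sid.getBytes(StandardCharsets.UTF_8);
                exchange.sendResponseHeaders(200, body.length);
                exchange.getResponseBody().write(body);
                exchange.close();
            });
            server.start();
            return server;
        }

        // One GET with HttpURLConnection; returns the session id the server saw.
        static String fetch(URL url) throws IOException {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            try (InputStream in = conn.getInputStream()) {
                return new String(in.readAllBytes(), StandardCharsets.UTF_8);
            }
        }

        public static void main(String[] args) throws IOException {
            HttpServer server = startTestServer();
            URL url = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/").toURL();
            try {
                // No cookie handler installed: each request gets a new session.
                System.out.println("no handler, same session:   " + fetch(url).equals(fetch(url)));

                // JVM-wide, in-memory cookie store. ACCEPT_ORIGINAL_SERVER keeps only
                // cookies whose domain matches the host that set them.
                CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER));
                System.out.println("with handler, same session: " + fetch(url).equals(fetch(url)));
            } finally {
                server.stop(0);
            }
        }
    }
    ```

    The cookie store is held in memory only, so the session identifier is not written to disk and is gone when the process exits.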

  • PPR and session timeout cookie

    Scott,
    Is there anyway of getting the PPR functionality to update the session timeout cookie whenever a PPR request is made???
    Thanks..

    I am using your session timeout function from otn.
    I am using it to timeout after a set period of inactivity, every time the page is redrawn the cookie time is updated.
    I am calling this function from the 'Session Verify Function' field in the authentication scheme, and initially setting the cookie on login.
    I believe that the cookie only gets updated when the page is re-drawn and the Session Verify Function is run??
    On a PPR request only part of the page is refreshed, the page header remains unaffected, which means the user can be active on a page without refreshing the timeout value on the cookie?
    (Not a major problem, but would be nice to be able to update the cookie on a PPR request as well)
    Thanks..
