Request/session objects - Best Practice

Similar Messages

• ADF Faces : session timeout best practice

  hi
  I made these small modifications to the web.xml file in the SRDemoSample application:
  (a) I changed the login-config from this ...
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>infrastructure/SRLogin.jspx</form-login-page>
        <form-error-page>infrastructure/SRLogin.jspx</form-error-page>
      </form-login-config>
    </login-config>... to this
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>(b) I changed the session-timeout to 1 minute.
    <session-config>
      <session-timeout>1</session-timeout>
    </session-config>Please consider this scenario:
  (1) Run the UserInterface project of the SRDemoSample application in JDeveloper.
  (2) Authenticate using "sking" and password "welcome".
  (3) Click on the "My Service Requests" tab.
  (4) Click on a "Request Id" like "111". You should see a detail page titled "Service Request Information for SR # 111" that shows detail data on the service request.
  (5) Wait for at least one minute for the session to timeout.
  (6) Click on the "My Service Requests" tab again. I see the same detail page as in (4), now titled "Service Request Information for SR #" and not showing any detail data.
  question
  What is the best practice to detect such session timeouts and handle them in a user friendly way in an ADF Faces application?
  thanks
  Jan Vervecken

  Hi,
  no. Here's the content copied from a word doc:
  A frequent question on the JDeveloper OTN forum, and also one that has been asked by customers directly, is how to detect and graceful handle user session expiry due to user inactivity.
  The problem of user inactivity is that there is no way in JavaEE for the server to call the client when the session has expired. Though you could use JavaScript on the client display to count
  down the session timeout, eventually showing an alert or redirecting the browser, this goes with a lot of overhead. The main concern raised against unhandled session invalidation due to user
  inactivity is that the next user request leads to unpredictable results and errors messages. Because all information stored in the user session get lost upon session expiry, you can't recover the
  session and need to start over again. The solution to this problem is a servlet filter that works on top of the Faces servlet. The web.xml file would have the servlet configured as follows
  1.     <filter>
  2.         <filter-name>ApplicationSessionExpiryFilter</filter-name>
  3.         <filter-class>
  4.             adf.sample.ApplicationSessionExpiryFilter
  5.         </filter-class>
  6.         <init-param>
  7.             <param-name>SessionTimeoutRedirect</param-name>
  8.             <param-value>SessionHasExpired.jspx</param-value>
  9.         </init-param>
  10.     </filter>
  This configures the "ApplicationSessionExpiryFilter" servlet with an initialization parameter for the administrator to configure the page that the filter redirects the request to. In this
  example, the page is a simple JSP page that only prints a message so the user knows what has happened. Further in the web.xml file, the filter is assigned to the JavaServer Faces
  servlet as follows
  1.     <filter-mapping>
  2.             <filter-name>ApplicationSessionExpiryFilter</filter-name>
  3.             <servlet-name>Faces Servlet</servlet-name>
  4.         </filter-mapping>
  The Servlet filter code compares the session Id of the request with the current session Id. This nicely handles the issue of the JavaEE container implicitly creating a new user session for the incoming request.
  The only special case to be handled is where the incoming request doesn't have an associated session ID. This is the case for the initial application request.
  1.     package adf.sample;
  2.     
  3.     import java.io.IOException;
  4.     
  5.     import javax.servlet.Filter;
  6.     import javax.servlet.FilterChain;
  7.     import javax.servlet.FilterConfig;
  8.     import javax.servlet.ServletException;
  9.     import javax.servlet.ServletRequest;
  10.     import javax.servlet.ServletResponse;
  11.     import javax.servlet.http.HttpServletRequest;
  12.     import javax.servlet.http.HttpServletResponse;
  13.     
  14.     
  15.     public class ApplicationSessionExpiryFilter implements Filter {
  16.         private FilterConfig _filterConfig = null;
  17.        
  18.         public void init(FilterConfig filterConfig) throws ServletException {
  19.             _filterConfig = filterConfig;
  20.         }
  21.     
  22.         public void destroy() {
  23.             _filterConfig = null;
  24.         }
  25.     
  26.         public void doFilter(ServletRequest request, ServletResponse response,
  27.                              FilterChain chain) throws IOException, ServletException {
  28.     
  29.     
  30.             String requestedSession =   ((HttpServletRequest)request).getRequestedSessionId();
  31.             String currentWebSession =  ((HttpServletRequest)request).getSession().getId();
  32.            
  33.             boolean sessionOk = currentWebSession.equalsIgnoreCase(requestedSession);
  34.           
  35.             // if the requested session is null then this is the first application
  36.             // request and "false" is acceptable
  37.            
  38.             if (!sessionOk && requestedSession != null){
  39.                 // the session has expired or renewed. Redirect request
  40.                 ((HttpServletResponse) response).sendRedirect(_filterConfig.getInitParameter("SessionTimeoutRedirect"));
  41.             }
  42.             else{
  43.                 chain.doFilter(request, response);
  44.             }
  45.         }
  46.        
  47.     }
  This servlet filter works pretty well, except for sessions that are expired because of active session invalidation e.g. when nuking the session to log out of container managed authentication. In this case my
  recommendation is to extend line 39 to also include a check if security is required. This can be through another initialization parameter that holds the name of a page that the request is redirected to upon logout.
  In this case you don't redirect the request to the error page but continue with a newly created session.
  Ps.: For testing and development, set the following parameter in web.xml to 1 so you don't have to wait 35 minutes
  1.     <session-config>
  2.         <session-timeout>1</session-timeout>
  3.     </session-config> Frank
  Edited by: Frank Nimphius on Jun 9, 2011 8:19 AM

• How to get Request/Session objects in a Webdynpro application

  Hi
  I am working in Enterprise Portal 7.0.
  in one of the iViews which displays a JSP page, i have set a parameter in request and session objects.
  How can i get it in my Webdynpro ABAP Application?
  Thanks & Regards
  Abhimanyu L

  hi Abhimanyu
  I believe originally access to session was deliberately not made available inside WDA.
  Growing security concerns due to misuse of session information and
  perhaps other reasons as well.
  X.509  is considered a better approach.
  This may not help you in your problem.
  But you may see a trend in WDA pushing more robust and client independent
  approaches.
  Full x.509 access should remove the need for session fiddling.
  Also when developers access such session info directly, there is a possiblity
  when they dont understand the technology exactly that they create a security hole.
  You may know how to do safely, it is however discouraged.
  Im not aware of a way to get at the session info inside the WDA framework.
  Well not without a mod to the framework.
  It may be possible without a mod, but I dont know the trick.
  If someone has a little trick... please post.
  You may need to use BSP, if your only solution requires access to the session info.
  regards
  Phil

• Request for any Best Practice document for configuring Service Parameters on CUCM 9.1.1

  Hi Team,
  Could you please send if you have any  Best Practice document for configuring Service Parameters on CUCM 9.1.1. That would really help.
  Thanks,
  Guru

  Hi
  There's no 'best practice' as such, but there are a few that I think should be default:
  Enabling CDR, On-Hook Pickup, CFwdAll Override... but really the settings are specific to the requirements of the deployment.
  Aaron

• What are default Zend Session handling best practices to prevent Cross Site Request Forgery?

  I have enjoyed the David Powers book Adobe Dreamweaver CS5 with PHP:  Training from the Source - and have put many of the examples into practice.  I have a security related concern that may be tied to the Zend::Auth example in the book.  While this is installed an working on my site:
  <?php
  $failed = FALSE;
  if ($_POST) {
    if (empty($_POST['username']) || empty($_POST['password'])) {
      $failed = TRUE;
    } else {
      require_once('library.php');
      // check the user's credentials
      try {
        $auth = Zend_Auth::getInstance();
        $adapter = new Zend_Auth_Adapter_DbTable($dbRead, 'user', 'login', 'user_pass', 'sha1(?)');
        $adapter->setIdentity($_POST['username']);
        $adapter->setCredential($_POST['password']);
        $result = $auth->authenticate($adapter);
        if ($result->isValid()) {
          $storage = $auth->getStorage();
          $storage->write($adapter->getResultRowObject(array(
            'ID', 'login',  'user_first', 'user_last', 'user_role')));
          header('Location: /member/index.php');
          exit;
        } else {
          $failed = TRUE;
      } catch (Exception $e) {
        echo $e->getMessage();
  if (isset($_GET['logout'])) {
    require_once('library.php');
    try {
      $auth = Zend_Auth::getInstance();
      $auth->clearIdentity();
    } catch (Exception $e) {
      echo $e->getMessage();
  Apparently, there is  very limited protection against Cross Site Request Forgery, where the resulting SessionID could be easily hijacked?  I am using the Zend Community edition (I have 1.11.11).     I have an observation from a client that this authentication is not up to snuff. 
  To boil it down: 
  1.  Is there a Zend configuration file that might have some settings to upgrade the Session and or authentication security basics? I'm wondering specifically about the settings in /library/Zend/session.php? Ie secure the session against a changing user IP, and invoking some other session handling stuff (time-out etc). 
  2.  If I understand it correctly, "salting" won't help with this, unless it's added/checked via a hidden POST at login time? 
  Ideally, the man himself, David Powers would jump in here - but I'll take any help I can get!
  Thanks!

  Might ask them over here.
  http://forums.asp.net/1146.aspx/1?MVC
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• Session Data - best practice

  Hi,
            We are designing a Servlet/JSP based application that has a web-tier
            separate from the middle tier.
            One of our apps have a lot of user inputs, average 500k and upto 2MB of data
            in the request.
            We do not have a way of breaking this application up (i.e the whole 2MB form
            data must be posted at ome time).
            We have 2 solutions and want to know what is the better one and wahy ...
            1. Use session and store all the information in the session.
            2. use Javascript to assemble all the data and submit it at one time.
            I prefer #2 because I don't want to use sessions and also becuase I don't
            want to use a database on the web-tier....
            Please help me explain to my cpollegues who are convinced that we have to
            use sessions to store this data..
            -JJ
            

  I'm not overly familar with Weblogic clustering, but I assume it is similar in concept to OC4J clustering. The thing that you need to be aware of is that any object stored in HttpSession needs to be completely serializable. The LibrarySession that you create/obtain for a user cannot be serialized. Thus you need to come up with a technique that allows a user to obtain the same librarysession instance from whatever store it may be across multiple requests.
  CM SDK, Files, Content Services typically achieve high availability through use of multiple midtiers with Big IP in front. Our out-of-box applications do not make use of OC4J clustering.
  thanks,
  matt.

• Kiosk Session Timeout Best Practice

  Dear All,
  I've noticed that user sessions are being timed out after about 3 hrs 20 minutes (presumably this is the default) so people coming in to work in the morning are having to start new sessions which really isn't practical with Citrix.
  The users need to be able to leave a session in the evening and then pick it up again the following morning.
  What are people using as a timeout value for Sun Ray sessions - 12 hours? 24 hours? What's the best thing to do? Will it cause problems if I have lots of sessions hanging around for that length of time?
  Many thanks.
  Chris

  Dear All,
  I've noticed that user sessions are being timed out after about 3 hrs 20 minutes (presumably this is the default) so people coming in to work in the morning are having to start new sessions which really isn't practical with Citrix.
  The users need to be able to leave a session in the evening and then pick it up again the following morning.
  What are people using as a timeout value for Sun Ray sessions - 12 hours? 24 hours? What's the best thing to do? Will it cause problems if I have lots of sessions hanging around for that length of time?
  Many thanks.
  Chris

• Session question; best practice

  Hi,
  One of our high profile application's queries/updates are served to user sessions. But we wanted to improve user query performance and reduce general database activity.
  This piece of application cause an auto refresh to execute every 60 seconds. These queries execute against order tables looking for statuses on active orders, are user specific, and in some cases are not optimally tuned producing very high database buffer get and disk read activity. On average, 1,500 executions representing various flavors of these queries are executed hourly.
  my questions are:
  1) how can we get max performance ?
  2) can we cache these queries for like every 30 secs ?
  3) how can we cache ? so that user sessions would access the cache.
  -sharma

  well, you could load the data and put it in the application scope (in memory) with a timeout time so that it's not used after however long, in which case, a request would have to go to get the newer data from the DB.

• Loading an object - best practice

  i'm currenlty loading a collection of objects and trying to
  determine which is the best way to "load" the object. Should i be
  calling set functions on the object and specifying the values or
  should i simply call a load function on the object and pass it the
  data through parameters. The data that i would be sending via
  params would be an xml object. My reasoning for the second method
  of loading is to blackbox the object...basically throw a data
  object into a load function and the object itself would know how to
  parse the data and set its own properties.
  thoughts?

  anyone?

• Consuming web services in a jsr 168 portlet best practices.

  I am building portlets (jsr 168 api in Websphere Portal 6.0 using web service client of Rational). Now needed some suggestions on caching the web services data on the portlet. We have a number of portlets (somewhere around 4 or 5) on a portal page which basically rely on a single wsdl Lotus Domino Web Service.
  Is there a way I can cache the data returned by webservice so that I dont make repeated calls to the webservice on every portlet request. Any best practices/ideas on how I could do avoid multiple web service calls would be appreciated ?

  Interestingly, as it often happens with Oracle portal, this has started working without me doing anything special.
  However, the session events my listener gets notified of are (logically, as this portlet works via WSRP) different from user sessions. The problem I'm trying to solve now is that logging off (in SSO) doesn't lead to those sessions being destroyed. They only get destroyed after timeout specified in my web.xml (<session-config><session-timeout>30</session-timeout></session-config>). On the other hand, when they do expire, the SSO session may still be active, in which case the user gets presented with the infamous "could not get markup" error message. The latter is unacceptable in our case, so we had to set session-timeout to a pretty high value.
  So the question is, how can we track when the user logs off. We have found the portal.wwctx_sso_session$ and portal.WWLOG_ACTIVITY_LOG1$ (and ...2$) tables, but no documentation for them. However, the real problem with using those tables is that there's no way we could think of to match the portlet sessions with SSO sessions/actions listed in the tables. (Consider situation when someone logs in from two PCs.)
  Any ideas?

• Is construction of webi directly in production a best practice?

  with bex-query and universes well consolidated and tested by a IT group,
  can be considered the construction of webis directly in production without going through test and quality a Business Objects best practice?
  is possible allow end-users (non IT personal) construct this webis?
  Is there a document of good practices that SAP made this recommendation?.
  thanks in advance by the answer.
  Ramón Mediero

  If universe and all has been tested and signed-off; also end user are familiar with Webi report development and they want their ad-hoc reports instead of pre-developed report set; There will be no issue to allowing end user to develop the Webi reports in production. However there we have to take care of few points like
  > need to check where report creation in production's public folder is feasible or not ? If yes how? is we need to create separate folders for individual user or what else ? and if No then what will be alternative like they can create in favorite folder?
  > also we need to take control on number of report that users will create. however may be users will create so many reports with huge amount of data refreshes and etc and PROD will face performance issues etc etc...
  like this there can be so many considerations needs to consider
  Hope this will give u some idea...
  Vills

• Best practice ?  send Object to request or desired pieces of data?

  Newbie to this style of programming...
  Is the best practice to put the customer object in the session or request object and allow jsp's to declare and instantiate the customer object out of the session/request (then use whatever getters are needed to properly display the desired data)?
  Or would it be better to send the customer ID, Name, address etc as a string to the session/request object and just have the JSP declare the strings & instantiate from the session/request object(thus keeping more complicated java code out of the jsp)?
  Thanks for the help in advance!

  Doesn't this result in more code? If we send the object, we need code to declare and instantiate the object, then use the getters to get the data to display.
  If I just send the necessary data, I just need to declare a string = request.getParameter... or just display the request.getParameter.
  I actually like the concept of sending the object, it seems cleaner and less likely to result in servlet changes down the road, but i want to make sure there is not some other reason NOT to do this.

• Best Practices: request scope + forward vs. session scope + redirect

  Hi,
  I'm wondering what everyone's opinion is on using different scopes in my situation. I have an application where users login and have a few separate items they can update via forms. My application can go one of two ways:
  1) Each item that users can update has its own session object that is created and destroyed as necessary. Each session object has a bunch of get and set methods. The annoying part is creating and destroying all the different session objects, but I can redirect the user to a readable URL each time.
  2) Each item uses the request scope, which means I don't have to take care of different session objects, but I have to forward the user from a servlet to a JSP file, and the URL becomes meaningless to the user (since there was no redirect).
  Is one way clearly better, or more widely used?
  Thanks.

  Having a bookmarkable url will be a good thing in the users point of view

• Best practice - caching objects

  What is the best practice when many transactions requires a persistent
  object that does not change?
  For example, in a ASP model supporting many organizations, organization is
  required for many persistent objects in the model. I would rather look the
  organization object up once and keep it around.
  It is my understanding that once the persistence manager is closed the
  organization can no longer be part of new transactions with other
  persistence managers. Aside from looking it up for every transaction, is
  there a better solution?
  Thanks in advance
  Gary

  problem with using object id fields instead of PC object references in your
  object model is that it makes your object model less useful and intuitive.
  Taking to the extreme (replacing all object references with their IDs) you
  will end up with object like a row in JDBC dataset. Plus if you use PM per
  HTTP request it will not do you any good since organization data won't be in
  PM anyway so it might even be slower (no optimization such as Kodo batch
  loads)
  So we do not do it.
  What you can do:
  1. Do nothing special just use JVM level or distributed cache provided by
  Kodo. You will not need to access database to get your organization data but
  object creation cost in each PM is still there (do not forget this cache we
  are talking about is state cache not PC object cache) - good because
  transparent
  2. Designate a single application wide PM for all your read-only big
  things - lookup screens etc. Use PM per request for the rest. Not
  transparent - affects your application design
  3. If large portion of your system is read-only use is PM pooling. We did it
  pretty successfully. The requirement is to be able to recognize all PCs
  which are updateable and evict/makeTransient those when PM is returned to
  the pool (Kodo has a nice extension in PersistenceManagerImpl for removing
  all managed object of a certain class) so you do not have stale data in your
  PM. You can use Apache Commons Pool to do the pooling and make sure your PM
  is able to shrink. It is transparent and increase performance considerably
  One approach we use
  "Gary" <[email protected]> wrote in message
  news:[email protected]...
  >
  What is the best practice when many transactions requires a persistent
  object that does not change?
  For example, in a ASP model supporting many organizations, organization is
  required for many persistent objects in the model. I would rather look the
  organization object up once and keep it around.
  It is my understanding that once the persistence manager is closed the
  organization can no longer be part of new transactions with other
  persistence managers. Aside from looking it up for every transaction, is
  there a better solution?
  Thanks in advance
  Gary

• Sessions and Controllers best-practice in JSF2

  Hi,
  I've not done web development work since last using Apache Struts for its MVC framework ( about 6 years ago now ). So bear with me if my questions does not make sense:
  SESSIONS
  1) Reading through the JSF2 spec PDF, it mentions about state-saving via the StateManager. I presume this is also the same StateManager that it used to store managed-beans that are in @SessionScoped ?
  2) In relation to session-scoped managed beans, when does a JSF implementation starts a new session ? That is, when does the implementation such as Mojarra call ExternalContext.getSession( true ) .. and when does it simply uses an existing session ( calling ExternalContext.getSession( false ) ) ?
  3) In relation to session-scoped managed beans, when does a JSF implementation invalidate a session ? That is, when does the implementation call ExternalContext.invalidateSession() ?
  4) Does ExternalContext.getSession( true ) or ExternalContext.invalidateSession() even make sense if the state-saving mechanism is client ? ( javax.faces.STATE_SAVING_METHOD = client ) Will the JSF implementation ever call these methods if the state-saving mechanism is client ?
  CONTROLLERS
  Most of the JSF2 tutorials that I have been reading on-line uses the same backing-bean when perfoming an action on the form ( when doing a POST or a GET or a post-back to the same page ).
  Is this best practice ? It looks like mixing what should have been a simple POJO with additional logic that should really be in a separate class.
  What have others done ?

  gimbal2 wrote:
  jmsjr wrote:
  EJP wrote:
  It's better because it ensures the bean gets instantiated, stuck in the session, which gets instantiated itself, the bean gets initialised, resource-injected, etc etc etc. Your way goes goes behind the scenes and hopes for the best, and raises complicated questions that don't really need answers.Thanks.
  1) But if I only want to check that the bean is in the session ... and I do NOT want to create an instance of the bean itself if it does not exist, then I presume I should still use ExternalApplication.getSessionMap.get(<beanName>).I can't think of a single reason why you would ever need to do that. Checking if a property of a bean in the session is populated however is far more reasonable to me.In my case, there is an external application ( e.g. a workflow system from a vendor ) that will open a page in the JSF webapp.
  The user is already authenticated in the workflow system, and the external system from the vendor sends along the username and password and some parameters that define what the request is about ( e.g. whether to start a new case, or open an existing case ). There will be no login page in the JSF webapp as the authentication was already done externally by the workflow system.
  Basically, I was think of implementing a PhaseListener that would:
  1) Parse the request from the external system, and store the relevant username / password and other information into a bean which I store into the session.
  2) If the request parameter does not exist, then I go look for a bean in the session to see if the actual request came from within the JSF webapp itself ( e.g. if it was not triggered from the external workflow system ).
  3) If this bean does not exist at all ( e.g. It was triggered by something else other than the external workflow system that I was expecting ) then I would prefer that it would avoid all the JSF lifecycle for the current request and immediately do a redirect to a different page ( be it a static HTML, or another JSF page ).
  4) If the bean exist, then proceed with the normal JSF lifecycle.
  I could also, between [1] and [2], do a quick check to verify that the username and password is indeed valid on the external system ( they have a Java API to do that ), and if the credentials are not valid, I would also avoid all the JSF lifecycle for the current request and redirect to a different page.