Retrieving session cookie

We are setting the weblogic cookie with a session time out of 30 minutes. If we close the browser and come back to the website before the 30 minute timeout, a new session is being created. Why isn't the original session being picked up? This creates the problem of having 'dead' sessions floating in the java heap for 30 minutes until the timeout expires. Any recommendations on how to retrieve a session that is still active?

Bill,
The WebLogic Session ID is stored in a non-persistent cookie so as soon as you close your browser, the client loses the cookie. Without this, there is no way for WebLogic to know that it is, in fact, the same client.
I suppose that it might be possible to hack together a solution that retrieves the Session ID from the request that creates the session and writes a persistent cookie with the session id in it. But then, you would need to always check for the existence of this persistent cookie before allowing a new session to be created and, if it exists, use sendRedirect to re-direct the request to the old session. Of course, there is no way for you to know whether the session in question has timed out until you attempt to access it via the browser.
If you absolutely require this functionality (I would like to understand why), then I would recommend that you implement this without relying on the HttpSession and use a database to store the information...
Hope this helps,
Robert

Similar Messages

  • Apex session cookie in Safari

    Hi all,
    I'm hitting a restriction or security feature(?) of Safari in iOS. One of our Apex applications is a page that runs in an iframe on a site. Apex is installed on a server inside our own network and is accessible via dns: office.ourcorp.com (fake name, just to clarify the situation). We have a couple of different brands, that all have their own domains: brand1.com, brand2.com etc. All of these sites open the apex page inside an iframe.
    That all works beautifully in all browsers, except in Safari in iOS. In iOS, the apex page isn't showing. It seems it's because of the session cookie Apex sets. Safari can't set a cookie from another domain (a cross domain cookie). Is there a possibility to turn off the session cookie (ORA_WWV_APP_xxx)?
    I also tried to set the 'cookie domain' option inside the authentication scheme to one of the domain names for our brands, but it still doesn't show up.
    Does someone have a solution?

    I tried to do that. If you read my very first post in this thread, specifically "If I try to set a cookie in the page sentry function, it is breaking at the redirect line. Also, I don't think page sentry is the right place to set a cookie since it executes at every page.", I tried to set a cookie but it is throwing an error at the page.
    I think all this complication is because I don't have a login page and I am using a HTTP header variable to validate the user. Given that, where should I set the cookie?
    I also tried to do this:
    - create an application item called 'testuser'
    - create an application computation to run 'before header' which sets the value of this to my HTTP header variable.
    - When I retrieve the app item 'testuser' from a page, it is getting the correct value. But when I use this in the authentication scheme, it is returning null. Any idea why??
    I know I am throwing a lot of questions. That is because I am trying a lot of approaches and each of them is posing a new set of challenges. I am actually looking for alternative ways to do what I am looking to do.
    Thanks.
    Shuba

  • Session Cookie in Servlet

    Hi all
    I have an issue, please answer me.
    If users disabled cookies (other than session cookies),
    how should I dynamically switch session cookies?
    And how can I generate session cookies in a servlet?
    thanks
    yashvant

    If the user has cookies disabled (session, since persistent ones are rarely used for maintaining session state with a browser), then most containers will attempt 'url-rewriting' and insert the session uid there (in the URL). That should work even if cookies are disabled. In order to access a session, you simply call HttpServletRequest#getSession(). If no session exists, one will be created, else the existing one will be retrieved. The J2EE container will send either a cookie in the response or re-write the URL. You don't have to do anything special.
    - Saish

  • Session cookie - Servername info - can it be done in the application code

    HI all,
    Scenario:
    2 managed servers in a cluster. Application is deployed on the cluster.
    Requirement:
    Application needs to send a cookie to the user with server info.
    Question is regarding session cookies. Can the application retrieve the server name (for example ManagedServer1) from which that request has been processed and send it to the user in the cookie?
    Request->process->Response with cookie containing the server name it was processed by.
    Can it be done in the application code?
    /SR
    Edited by: Shashi_sr on Feb 4, 2011 4:37 AM

    Hi SR,
    You can get the server name using the following technique:
    /* Getting the Server name from System Property */
    String serverName = System.getProperty("weblogic.Name");
    /* Adding the value of the Server Name in the Cookie (addCookie takes a javax.servlet.http.Cookie object) */
    response.addCookie(new Cookie("serverName", serverName));
    You can see for yourself, using the JPS utility, how WLS sets its server name as a system property, at the following link:
    Topic: Using Jps.exe to distinguish WLS ProcessIDs And Server Name
    http://middlewaremagic.com/weblogic/?p=2291
    Regards,
    Ravish Mody
    http://middlewaremagic.com/weblogic/
    Come, Join Us and Experience The Magic…

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in the ethical hacking, penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they cannot be accessed by other non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up the HTTPOnly for the session cookies.
    1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies.
    2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.secure = "true"
    Here my question is how we can do the same thing in Application.cfm? (I am using ColdFusion version 10.) I know we can do this using the code below, in case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right? And this will be a headache, right? Or is there any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean, how are you relating this to my question?
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case, then why am I getting the info below for jsessionid (as you mentioned, it should be set with the SECURE flag, right?). Note that we are using the web server Apache vFabric. And the application that we are using is on https and there is no hit going from https to http.
    Name: JSESSIONID
    Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
    Domain: xyz.abc.pqr.com
    Path:
    Send for: Any kind of connection
    Accessible to script: No (HttpOnly)
    Created: Wednesday, September 3, 2014 2:25:10 AM
    Expires: When the browsing session ends
    BKBK wrote:
    2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for CF session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin? Or, put another way, as the session management is J2EE based, do we need to set those flags for CF session cookies?
    BKBK wrote:
    3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set httponly only, but how will we set it for jsessionid? This is my question. Apache vFabric will also set secure to true automatically. Any idea?
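
The cookie properties debated in this thread (HttpOnly, Secure) and in the WebLogic thread at the top of the page (a session cookie without Expires/Max-Age is dropped when the browser closes) can all be read from a response's Set-Cookie headers. The Python audit below is an added example, not code from any poster; the header values, `SAMPLE_NOW` and all function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Session cookie names discussed in the threads on this page.
SESSION_COOKIES = {"JSESSIONID", "CFID", "CFTOKEN"}

# Constructed sample Set-Cookie values (not captured from a real server).
SAMPLE_HEADERS = [
    "JSESSIONID=CONSTRUCTED0001.node1; Path=/; HttpOnly",
    "CFID=1234; path=/",
    "CFTOKEN=5678; path=/; HTTPOnly; Secure",
    "JSESSIONID=CONSTRUCTED0002; Path=/; Secure; HttpOnly; Max-Age=1800",
    "serverName=ManagedServer1; Path=/",
    "CFID=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]
SAMPLE_NOW = datetime(2014, 9, 3, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_set_cookie(value):
    """Return (name, attrs) for one Set-Cookie value; attribute names lowercased."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def lifetime(attrs, now):
    """'session' (dropped on browser close), 'persistent', or 'deleted'."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass  # malformed Max-Age is ignored, fall through to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "persistent"  # date this parser cannot read: report conservatively
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "deleted"
    return "session"


def audit(set_cookie_values, over_https, now=None):
    """Return [(name, lifetime, findings)] for every session cookie being set."""
    now = now or datetime.now(timezone.utc)
    report = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name.upper() not in SESSION_COOKIES:
            continue  # application cookies are out of scope for this check
        life = lifetime(attrs, now)
        findings = []
        if life != "deleted":  # a cookie being cleared needs no flags
            if "httponly" not in attrs:
                findings.append("no-httponly")  # readable from page script
            if over_https and "secure" not in attrs:
                findings.append("no-secure")  # would also be sent over plain HTTP
            if life == "persistent":
                findings.append("persistent-id")  # session id outlives the browser
        report.append((name, life, findings))
    return report


if __name__ == "__main__":
    for name, life, findings in audit(SAMPLE_HEADERS, True, SAMPLE_NOW):
        print(f"{name:<11} {life:<10} {', '.join(findings) or 'ok'}")
```

The first sample line matches the cookie details posted above: HttpOnly is set, the lifetime is "session", and the missing Secure attribute is the only finding on an HTTPS site.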

  • Weblogic.httpd.session.cookies.enable not working in WLS4.5 sp 11 ?

    I want to disable the use of cookies in WLS 4.5, and set the following
    weblogic.httpd.session.cookies.enable=false
    In WLS 4.5 sp7, this correctly prevents the server from using cookies
    for session-tracking, forcing the extraction of the session id from a
    rewritten URL.
    However, for WLS 4.5 sp11 cookies are still sent from the server
    Is this a known issue ?
    jo

  • Can portal session cookies be used between two data centers

    OAS generates the following header information and session information for my application. However when I need to failover the originating OAS datacenter into my hot stand-by for maintenance or upgrades, the OAS in the other datacenter responds with a 503 web error. We are using Akamai's GTM to manage the liveness of the datacenter, so we would need the hot stand-by OAS portal in that datacenter to return a 302 error code. Is there some method that we can add to our portal application which would always return a 302 error code.
    See header information collected through wfetch. The 503 error is caused by the hot stand-by data center not accepting or recognizing the cookie. Both OAS datacenters are IDENTICAL in Oracle levels, application levels, web servers, portals and OS patches.
    resolve hostname "170.107.183.32"WWWConnect::Connect("170.107.183.32","80")\nsource port: 2182\r\n
    GET /portal/pls/portal/PORTAL.wwsec_app_priv.login?p_requested_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home&p_cancel_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: en-us\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n
    Host: www.thomson-pharma.com\r\n
    Connection: Keep-Alive\r\n
    Cookie: ORA_WX_SESSION="10.225.8.30:80-1#2"; portal=9.0.3+en-us+us+AMERICA+3D66674E7EED0801E04400144F41424E+BBAA98EEB32D58C086231A8D6CBE2E5D402D89B0E79D83A18C668BB0CA7417B4044DEA389C8B50DD37D9272A24B4753B22F29978861DE14503F8B9BEDC2014654B26A434CF074F4D8749B88610ADADF5084A90ADBF749E2A; DATACENTER=EAGAN\r\n
    \r\n
    HTTP/1.1 503 Service Unavailable\r\n
    Cache-Control: private\r\n
    Content-Type: text/html\r\n
    Set-Cookie: ORA_WX_SESSION="10.237.138.33:80-1#2"\r\n
    Set-Cookie: portal=; expires=Wednesday, 27-Dec-95 05:29:10 GMT; path=/\r\n
    Connection: Keep-Alive\r\n
    Keep-Alive: timeout=5, max=999\r\n
    Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=208440262161,0)\r\n
    Content-Length: 710\r\n
    Date: Fri, 26 Oct 2007 14:58:07 GMT\r\n
    \r\n
    Thanks -John

    Hi John,
    This question is probably more appropriate in one of the Portal forums, but perhaps you can take a look at the information in section C.5 Configuring the Portal Session Cookie in Appendix C of the Portal Configuration guide.
    Here is a link: http://download.oracle.com/docs/cd/B14099_19/portal.1014/b19305/cg_app_c.htm#sthref1907
    Regards,
    Peter

  • Session Cookies Being Overwritten Browsing From SSL to Non SSL

    I have created a bug report for this issue as well.
    Please note I am using J2EE session variables so keep that in mind.
    I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
    For example:
    Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Encrypted connections only".
    Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Any type of connection".
    Here's the problem:
    Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
    Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
    Steps to Reproduce:
    1. Clear your cookies.
    2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
    3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
    This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
    Has anyone else experienced this?

    Deleting and re-adding my account seems to have fixed it.  I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something.  Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.

  • How to create a session cookie on demand

    Hi,
    I searched the web but couldn't find anything related to creating session cookies on demand. I want to create a session cookie storing encrypted user tokens when there is none, for example, when the first page is called.
    The encryption part is OK, but I want to know how I can intercept every call to a set of pages and create the session cookie if it doesn't exist.
    I'm using ADF, of course, and Weblogic.
    Can anyone provide some examples or source code?
    Thanks.

    Cookies are accessible via the http request and response, there you can add new cookies and or change existing ones.
            ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
            HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
            // get existing cookies (getCookies() returns null if the request carried none)
            Cookie[] cookies = ((HttpServletRequest) ectx.getRequest()).getCookies();
            // create and set a new one
            Cookie cookie = new Cookie( "key", "value" );
            response.addCookie( cookie );
    This code should work in a bean. After setting the cookie you need to implement a servlet filter or a page phase listener where you check the requested url and then check for your cookie.
    Timo

  • CFID and CFTOKEN Being Deleted from Session Cookie

    I can't believe that no one else has run into this - but I
    have found nothing on the internet.
    When I copy a piece from a web page that is generated by my
    coldfusion server, and paste it into a word document, the session
    cookie is altered, and the CFID and CFTOKEN information is deleted,
    so I lose my login. Recently, I've developed a problem on a
    different application - when I open a word document that is stored
    on the server, using CFCONTENT, same thing happens - the cookie is
    altered, CFID and CFTOKEN are deleted, and I lose my login.
    I'm tearing my hair out. Has anyone seen this behaviour, any
    ideas as to why this would occur? Any ideas as to how to get around
    it?

    Here's my CFAPPLICATION tag:
    <cfapplication name="DashBoard"
    clientmanagement="Yes"
    sessionmanagement="Yes"
    setclientcookies="Yes"
    clientstorage="cookie"
    loginstorage="session"
    sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
    Not sure what you mean by application sections. It's one
    application.
    I don't refer to the cookie in any other way. It's there only
    to do what CF does with it - maintain the information that's used
    to find the session.

  • Retrieving Session bean object in a Servlet from FacesContext Object

    Hi,
    I added code in a servlet to retrieve the Session bean object from the Faces Context object. I don't know what the problem was, but when I am accessing the application from two different machines and I am trying to retrieve the value from the session object in the servlet, it is giving the value that I set into the session bean on one machine's browser to the other machine's browser. I just want to know whether the code which I had included in the servlet is correct or not.
    This is the code I am using in my servlet:
    1) To get the Faces context object
    protected FacesContext getFacesContext(HttpServletRequest request, HttpServletResponse response) {
         FacesContext facesContext = FacesContext.getCurrentInstance();
         if (facesContext == null) {
              //System.out.println("Current context was null...creating one now");
              FacesContextFactory contextFactory =
                   (FacesContextFactory)FactoryFinder.getFactory(FactoryFinder.FACES_CONTEXT_FACTORY);
              LifecycleFactory lifecycleFactory =
                   (LifecycleFactory)FactoryFinder.getFactory(FactoryFinder.LIFECYCLE_FACTORY);
              Lifecycle lifecycle = lifecycleFactory.getLifecycle(LifecycleFactory.DEFAULT_LIFECYCLE);
              facesContext =
                   contextFactory.getFacesContext(request.getSession().getServletContext(), request, response, lifecycle);
              //Set using our inner class
              InnerFacesContext.setFacesContextAsCurrentInstance(facesContext);
              //set a new viewRoot, otherwise context.getViewRoot returns null
              UIViewRoot view = facesContext.getApplication().getViewHandler().createView(facesContext, "ContextName");
              facesContext.setViewRoot(view);
         }
         return facesContext;
    }
    2) Code to get the session bean:
    Utils utilsBean = (Utils) getFacesContext(request, response).getApplication().getVariableResolver().resolveVariable (getFacesContext(request, response), "utils");
    Edited by: Ramesh_Pappala on Nov 8, 2007 9:25 AM

    Ramesh_Pappala wrote:
    Hi Raymond,
    Thank you for the reply and can you please send the code No, I cannot do that.
    what you are talking about to get the bean from session through the servlet session map so that I can use that one to check whether it is working fine in my application or not.
    Thanks.

  • APEX Security: Multiple session cookies in one browser

    Hi all,
    I use mozilla firefox as web browser. When I open a new tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the session id and the browser the session cookie WWV_CUSTOM-F....
    When I now open the next browser tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the new session id and the browser the session cookie WWV_CUSTOM-F... with new content. My session from the first browser tab will be killed, because the session cookie for this session was deleted/replaced by the session cookie from the second tab.
    Is it possible to have multiple APEX sessions opened in one browser in multiple tabs?
    Regards

    Hi PaulP,
    it's simple.
    Unzip bsApex2 http://www.betasoftware.it/codice/bsApex2.zip
    If not installed, install Microsoft .NET Framework 4 Client Profile.
    Configure bsApex.exe.config
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <appSettings>
        <!-- Application Title -->
        <add key="aTitolo" value="Apex Desktop by Beta Software snc" />
        <!-- Short application title -->
        <add key="aTitoloBreve" value="Apex Desktop" />
        <!-- Window height -->   
        <add key="aAltezza" value="960" />
        <!-- Window width-->
        <add key="aLarghezza" value="1200" />
        <!-- Close button text -->
        <add key="aChiudi" value="Close" />
        <!-- Print button text -->
        <add key="aStampa" value="Print" />
        <!-- Application icon-->
        <add key="aIcona" value="bsApex.ico" />
        <!-- Client -->
        <add key="aCliente" value="Apex Community" />
        <!-- Application address -->
        <add key="aIndirizzo" value="http://apex.oracle.com/pls/otn/f?p=23873:1" />
      </appSettings>
    </configuration>
    Run bsApex.exe, that's all.
    Regards,
    Gianluigi

  • Problem retrieving Session variables in Flex from Coldfusion

    For about a year I've been using a cfc that allows me to remote call from within Flex to retrieve session-level variables.  I much prefer this to using FlashVars because with the remote call the session values don't show up in the page source.
    This was working fine when I was using an Application.cfm file to manage my Coldfusion pages.  However when I switched to using an Application.cfc file, the cfc stopped working.  Neither the cfc or the cfm file contain any code to manage these session variables (they are set in other pages), so the only real difference seems to be changing from Application.cfm to Application.cfc.
    Any thoughts why?  Thanks.

    Ok, this is resolved.
    The problem seems to have been related to the scope of Application.cfc and Application.cfm.  The directory which contained the cfc files had an Application.cfm controlling the session, while the directory with the pages that included the flex swf files had an Application.cfc file.  Apparently these two don't talk to each other.
    The solution is to use either Application.cfc or Application.cfm files, but not to mix them.  In other words, use either -- but be consistent.

  • Air + Ipad + RemoteObject problem with session cookies

    I am making Air version for IPad of a Flex application.
    My flex application needs a session from a secured enterprise proxy; without that session no remoteObject requests can pass the proxy and reach blazeDS.
    My solution for flex works fine: calling an enterprise servlet at the application's startup to obtain a session cookie. I use a POST call to the servlet using URLRequest (sending the user and password parameters), the servlet responds with a message with a session cookie, and from that point, without me having to code anything more, my flex application gets that cookie with the session that is automatically loaded in my browser cookie stack, and that is transparently used by all my subsequent remoteObject calls in the flex application.
    In my Adobe Air iPad version, this just does not work; the session either is not stored or is not attached to subsequent remoteObject requests.
    - I'm forcing request.manageCookies = true
    - I'm working with the iOS simulator (Is there any difference for cookies with a real iPad device?)
    - I'm using Flex 4.6.0, Air 3.5, iOS 6, iPad 3, BlazeDS 4.0, Java 6 BackEnd.
    .. What's the problem/difference with Air+iPad from the flex version?

    Hi BalusC ,
    Thanks for your detailed response. I have a question about this comment you noted..
    "Terrible. Just keep the bean request scoped. "
    I changed the bean to request and now have this issue.
                <rich:dataGrid id="membersInZipcode" value="#{membersInZipcode.arrayListOfSearch4Member}"
                            var="membersInZipcode" columns="5" elements="20">                       
                <f:facet name="footer">
                    <rich:datascroller></rich:datascroller>
                </f:facet>
            </rich:dataGrid>
            </h:form>
    I am using a request bean to hold the search parms that loads the bean. This works great.
    The problem is when I use the rich:datascroller for the next page.
    It goes back to the bean and the request scope bean is empty. This holds the search values.
    How do I put this back into the request after each process??
    Question 2..
    "Those settings only applies on the current request, i.e. the JSP file itself. Images are obtained by separate and independent requests. You need to set the headers on those requests as well. You can use a filter for this."
    I have never set a filter ...how do I do it? Do you have a link for an example of this filter setup?
    Thanks Again
    Phil

  • Setting secure flag on weblogic (5.1) session cookie.

    Hello All,
    I need to set the secure flag on the weblogic session cookie. I am not able to
    find any property in the weblogic.properties file to set the secure flag for
    the session cookie.
    Does anybody have any idea how to achieve this?
    Thanks
    Nitin
              

    The best way to reduce GC is to change your application to use less memory. Serious.
    There are a number of JVM options for GC. I can't tell you what will work best
    for your application.
    25 seconds is way too long for a GC. Is the OS paging? You may wish to invest
    in additional memory.
    Mike Reiche
    vijendran <[email protected]> wrote:
    Hi,
    I am running a load test which will simulate 100 users. When I tried
    to simulate, I found that GC is happening often even though I set the
    heap to 512 MB, and sometimes it takes up to 25 secs for a
    GC to complete. Please advise on how to increase the performance for
    a larger number of users (without clustering weblogic) and to avoid GC happening
    often.
    Regards
    Vijendran
