Server side session management

Similar Messages

• How to delete the server side sessions

  Hi All,
  I have a wireless application and it is accessed through ptg/rm gateway from a PDA browser. Oracle wireless AS gives default login page (when the application is accessed through ptg/rm gateway) and when user login, user information session might get stored in server side (I am not sure, if any one can pls clarify me on this also?).
  Now i have a requirement, in which my application user should get 'logoff' button in each and every page of my application. When he clicks on this button the user information session should get invalidated, so that even if the user goes back to the application (using back button of the browser) he should not able to enter the application. (This is same as any std. login/logout page logic).
  Invalidating the session which resides in client side is easy (By using session.invalide()), but how can i delete the session which resides on the server side??? Whether is it possible??
  If yes then how can i do it.
  Any help will be very usefull.
  Thanks well in adavance.
  Shrikant

  Shrikant:
  Shouldn't it be easy to invalidate the server sided sessions? Right before invalidating the client side session, send a message to the server, which should call its session.invalidate() after it has obtained the current session. If desired, a message can be sent back to the browser informing user that server side session has been deleted.

• Server-side connection pooling for clients in different VM's

  We have a need to centeralize our connection pool manger.
  Is there a server-side connection pooling manger product to allow multiple clients running in different VM's to connect to and share connection objects to the same Database?
  e.g. An applet, and a swing and a servlet/web app application all running in different VM's will connect to this central connection pool manager and share connection objects to the same DB.
  We are using connection pooling for all of our applications but each application is maintaining its own connection pool and it is becomming a nightmare to manage and configure each one.
  Also, we have to have at a miniumum one connection open per application to access the database regardless of wether we are using connection pool or not. This means that 100 apps(running in different VM's) will use at minimum 100 connections... where all of these 100 apps will do just fine with just 10-15 connections.
  while back we used T3 server but can't find this product on BEA web site any more.
  does jdbc 2.2 or 3.0 have any server side pool management specs outlined?
  Please HELP as we can't afford anymore licensing fees for our company.
  oh.. We can't open and close connections on each query as they will be slow.
  any suggestions greatly appreciated.

  if i understand you question, i don't think this is possible, since the Connection interface (and basically all of the related jdbc interfaces) aren't Serializable.. so they can't be sent over the wire to your client(s).
  However, you could feasibly write some server side connection pool, and some server side facade which will allow clients to submit queries (either SQL String's or however you want to do it - obviously a more elegant solution involves a series of classes which dynamically create sql based on query criteria), then the server can grab a connection, execute the query, cycle through the results and populate some result object of your creation and send that back over the wire to your client(s).
  .

• Multiple room management -- best practice -- server side http api update?

  Hi Folks, 
  Some of the forum postings on multiple room management are over year old now.  I have student/tutor chat application which has been in the wild for 5 months now and appears to be working well.  There is a single tutor per room, multiple chats and soon to be a whiteboard per student, which is shared with the tutor in a tabbed UI. 
  It is now time to fill out the multiple tutor functionality, which I considered and researched when building, but did not come to any conclusions.   I'm leaning towards a server side implementation.  Is there an impending update to the http api?
  Here is what I understand to be the flow:
  1) server side management of who is accessing the room
  2) load balance and manage the room access 1 time user and owner session from the server side
  3) for my implementation, a tutor will need to login to the room, in order for it to be available
  4) Any reconnection would in turn need to be managed by the server side, and is really a special case of room load balancing.
  My fear is that at some point I'm going to need access to the number of students in the room or similar and this is not available, so that I'll need client functionality, which will need update the server side manager.
  As well, I'm concerned about delays on the server side access to which might create race conditions in a re-connect situation.  User attempts to reconnect, but server side manager thinks that the user is already connected.
  Surely this simple room management has been built, does anyone have any wisdom they can impart?  Is there any best practice guidance or any samples?
  Thanks,
  Doug

  Hi Raff, Thanks a ton for the response.
  I wasn't clear on what I was calling load balancing.  What I mean by this is room assignment for student clients.  We have one tutor per room.  There are multiple students per room, but each is in their own one-on-one chat with the tutor.
  I'm very much struggling with where to do the room assignment / room managemnt, on the server side or on the client side (if that is even possible).  In my testing it is taking upwards of 10 seconds minimum to get a list of rooms (4 virtually empty rooms) and to query the users in a single room (also a minimum of users/nodes in the queried room).   If after this point, I 'redirect' the student to the least full room, then the student incurs the cost of creating a new session and logging into the room.  As well I intend to do a bit of xml parsing, and other processing, so that 10 seconds is likely to grow.
  Would I see better performance trying to do this in the client?
  As far as the server side, at what point does a room go to 'not-active'?
  When I'm querying the roomList, I am considered one of the 'OWNER' users in the UserLists.  At what point can it be safe to assume that I have left the room? 
  Is there documentation on the meaning and lifecycle of the different status codes?  not-active,  not-running, and ok?  Are there others?
  How much staleness can I expect from the server-side queries?
  As far as feature set, the only thing that comes to mind is xpath and or wild card support for getNode() but i think this was mentioned in other posts.
  Regarding the reconnection issues, I am timing out the student after inactivity, and this is probably by and large the bulk of my reconnect use cases.  This and any logout interaction from the student presents a use case where I  may want reassign the student return to the same room as before.  I can envision scenarios of a preferred tutor if available etc.  In this case, I'll need to know list of rooms.  In terms of reconnection failover, this is not not a LCCS / FMS issue.
  Thanks again for responding.

• Bw web report plugin http session hangs at the server side

  Hi,
  I am having problems when closing the browser of a BW web report. After I closed the browser by going File->close, I ran SM04 and found out the Plugin HTTP session hangs at the server side.
  How can we terminate the Plugin HTTP session at the server side when user closes the internet browser?
  I did implement a logoff function at my web template, if user clicks on the logoff, the Plugin HTTP session is terminated at server side correctly. But As you know, 50% of time user will close the report by closing the internet browser instead of clicking the logoff. That leaves lots of hanging Plugin HTTP sessions at our server side.
  By the way, we actived our BEX service at the SICF.
  Thanks for help!
  JA

  Hi
  If you want to avoid a blank page with logoff button, add opener=0
  <a href="<SAP_BW_URL CMD='LOG_OFF' ~command='logoff'
  >" onClick="javascript:window.close(opener=0);">Log off</a>
  If you want to close the session via X, use this code:
  create a sapscript function
  function closeSession()
  logoff()
  window.unload=CloseSession()
  However, the Plugin HTTP session isn't killed.
  Regards

• How to get session.maintain property on server side?

  Is there a way to trap javax.xml.rpc.session.maintain property on the server side in JAX-RPC compliant web service implementation? I would like to know if the client has enabled session.maintain property to true (which false by default). If not, can I specify the web service to be of "Application" or "Session" scope during deployment time? It used to be the case for Apache SOAP processor. I do not see any mention of that in the JAX-RPC spec.
  Thanks for any pointers.
  -Anirban.

  When I first started to work with JAXRPC I had questions about how web services maintained session across multiple calls and also if it was
  possible to maintain session across multiple web services. I downloaded
  the JAXRPC runtime implementation source code and tell you what I found.
  There is a HttpClientTransport class that handles the actual HttpConnection to the server. It checks to see if maintain session is
  set to true or false. If it is set to true it appends the JSESSIONID to the header variables of the request.
  The very first call gets a response back with header variable
  Set-Cookie: JSESSIONID=blahblahblah
  The HttpClientTransport looks for it and if it finds it takes the cookie and stores it somewhere. Every call after that will check to see if session maintain is true or false. If true, it will send
  the header:
  Cookie: JSESSIONID=blahblahblah
  Hope that helps.
  Mike

• Font management from the server-side

  In the process of creating Breacrumbs for our website
  redesign, the Graphics Designer would like to use a special fonts.
  We already know that this font will not be installed on most of
  user client-side. She though about creating graphics to represents
  the navigation (breadcrumbs) but I ask myself if we can use the
  Font Management from the Coldfusion Administrator. I have no
  experience with this feature and have not find interesting
  information about it from the web.
  Is it possible to use a font installed on the server-side
  through CSS so the client/web-user will see the text with that
  font?

  You could use WEFT, but it is still limited to certain
  browsers.
  http://www.microsoft.com/typography/web/embedding/weft3/
  Bitstream has something to , but again, is limited
  http://bitstream.com/

• Plugin based Web Service with session management

  I am trying to make a web service in java with jax-ws that should support extensions to the service without rebuilding the project. I thought it might be possible to make a standard web service and the let each plugin create their own service, making the client side plugin point to both the standard service and the plugin specific one. This way I could have user management and such in the standard service and the more plugin specific one in an other service. The problem is though, how do I make a common session for all the services? All services are running at the same server and on the same domain name.
  I checked the HTTP headers and found out that the JSESSIONID was changing when I created a new port on the client side. I was trying to implement a SOAPHandler to edit the cookie in the HTTP header, hoping that this will lead to the same session across the services. But found it hard. It was no problem reading the "Set-cookie" header, setting the cookie on the new requests was harder, as the CookieJar object seems to be internal [1]. And the MessageContext.HTTP_REQUEST_HEADERS wasn't created at the time my handlers run. Is there an easy solution to this?
  I am not sure if my idea is a good solution to the main problem, and all other ideas are more than welcome. I hope it is possible to extend the features of my server without rebuilding the project. If anything is unclear, feel free to ask :)
  [1] com.sun.xml.internal.ws.client.http.CookieJar

  Adhir_Mehta wrote:
  Could you explain plug in scenario with one example?Ok. We have not chosen exactly how to do this, but the idea is that someone may be able to extend the functionality of our server without rebuilding the project. We thought of something like a jar file with a implementation of some abstract classes. It should at least only be necessary to redeploy the project into the web container. The problem is; how do we let the plugins extend our web interface? One solution we thought of was to let each plugin have it's own service and dynamicly link to the plugin services from the main service that we provide as standard in our server. This way we may have some kind of plugin support on the clients as well, making the client side plugins know what kind of service it needs on the server side and thus extending the functionality all together.
  Hope that explains our scenario. Feel free to comment and add new ideas :)
  Regarding session management, its not advisable to manage the session in web services since that way it will become non interoperable.The documentation we found regarding sessions and jax-ws was all doing sessions with HTTPSessions, and to let the web container handle that.
  On the server side
      @Resource
      private WebServiceContext wsContext;
      private HttpSession getSession() {
          MessageContext mc = wsContext.getMessageContext();
          return ((javax.servlet.http.HttpServletRequest)mc.get(MessageContext.SERVLET_REQUEST)).getSession();
      HttpSession session = getSession();
      session.setAttribute("User", user);On the client side
  ((BindingProvider)port).getRequestContext().put(BindingProvider.SESSION_MAINTAIN_PROPERTY,true);Do you have other standard options for us on how to do session management? All ideas are more than welcome

• Disabling session management in BlazeDS

  I am relatively new to BlazeDS. We are mainly using RemoteObject service of BlazeDS and server side code is not using any sessions.
  Is it safe to assume that application is going to work fine if it put on multiple web servers and a HTTP load balancer is used. I saw on this post that disabling session management can not be done if message service is used but as I mentioned we are using Remote service only.
  If disabling session management is fine then can you pls. elaborate how to disable it on BlazeDS.
  -Amit

  I am relatively new to BlazeDS. We are mainly using RemoteObject service of BlazeDS and server side code is not using any sessions.
  Is it safe to assume that application is going to work fine if it put on multiple web servers and a HTTP load balancer is used. I saw on this post that disabling session management can not be done if message service is used but as I mentioned we are using Remote service only.
  If disabling session management is fine then can you pls. elaborate how to disable it on BlazeDS.
  -Amit

• Server side override

  Since the documents created in ifs don't inherit the ACL of the folder, I wrote
  a server side override. I tested with the JDeveloper, everything worked fine,
  a file of right ACL is created with my testing program. Then I moved the
  java class (S_TieFolderPathRelationship.class) to
  custom_classes/oracle/ifs/server and my testing program to
  $ORACLE_HOME/9ifs/myclasses (I created this directory myself). Everything also
  runs fine in the server side if I have the right classpath. However, if I
  upload a file to the ifs through webui or winui, The
  S_TieFolderPathRelationship.class in the custom_class is not being called,
  since the ACL is not right. Does anyone have any idea on this?
  Thanks,
  Jean

  The following is what I have implemented before (Change the ACL to its parent). It runs good.
  import java.io.FileInputStream;
  import java.io.FileNotFoundException;
  import java.io.IOException;
  import java.util.Date;
  import javax.mail.Session;
  import javax.mail.internet.MimeMessage;
  import javax.mail.internet.InternetAddress;
  import oracle.ifs.common.*;
  import oracle.ifs.beans.*;
  import oracle.ifs.management.domain.IfsServer;
  import oracle.ifs.adk.mail.IfsTransport;
  import oracle.ifs.adk.filesystem.*;
  public class MY_iFS_Agent extends IfsServer implements IfsEventHandler
       public static void main(String[] args) throws Exception
            // Verbose exception messages on.
            IfsException.setVerboseMessage(true);
            // Construct a parameter table from the command-line arguments.
            ParameterTable pt = new ParameterTable(args, "parameterfile");
            // Extract some additional parameters required for standalone operation.
            String serviceName = pt.getString("IFS.SERVER.Service");
            String schemaPassword = "ifssys";
            // Start a service against which to run a Notification Agent.
            LibraryService.startService(serviceName, schemaPassword);
            // Construct, initialize, and start the Notification Agent.
            MY_iFS_Agent agent = new MY_iFS_Agent();
            agent.initialize("MY_iFS_Agent", serviceName, schemaPassword, pt, null, LEVEL_HIGH);
            agent.start();
  public MY_iFS_Agent() throws IfsException
  super();
  public void run()
  try
  log(IfsServer.LEVEL_MEDIUM, "Start MY_iFS_Agent request");
  // Ensure a connection.
  connectSession();
  // Enable event listening.
  enableEventListening();
  while (!stopRequested())
  try
  // Handle any status changes firsts.
  handleRequests();
  // Process events.
  processEvents();
  // Wait for something to do.
  waitServer();
  catch (Exception e)
  log(IfsServer.LEVEL_MEDIUM, "Exception" + " in handle loop; continuing:");
  log(IfsServer.LEVEL_MEDIUM, e.getMessage());
  } // End the while loop.
  catch (IfsException e)
  // Exception that takes us out of the run loop;
  // this will cause a stop.
  log(IfsServer.LEVEL_MEDIUM, "IfsException" + " in run(): ");
  log(IfsServer.LEVEL_MEDIUM, e.toLocalizedString(getSession()));
  catch (Exception e)
  log(IfsServer.LEVEL_MEDIUM, "Exception" + " in run(): ");
  log(IfsServer.LEVEL_MEDIUM, e.getMessage());
       * Gets whether suspend/resume is supported.
       * @return                    true
       public boolean supportsSuspendResume()
            return true;
  * Handles the suspend request. Subclasses can override this to
  * perform custom tasks as part of a Suspend request.
  protected void handleSuspendRequest() throws IfsException
  log(IfsServer.LEVEL_MEDIUM, "Suspend request");
  // Disable event listening.
  disableEventListening();
  * Handles the resume request. Subclasses can override this to
  * perform custom tasks as part of a Resume request.
  protected void handleResumeRequest() throws IfsException
  log(IfsServer.LEVEL_MEDIUM, "Resume request");
  // Re-enable event listening.
  enableEventListening();
  * Performs post-run tasks.
  public void postRun()
  log(IfsServer.LEVEL_MEDIUM, "postRun");
  try
  // Disable event listening.
  disableEventListening();
  // Disconnect our session.
  disconnectSession();
  catch (Exception e)
  log(IfsServer.LEVEL_MEDIUM, "Exception" + " in postRun:");
  log(IfsServer.LEVEL_MEDIUM, e.getMessage());
  * Enables listening for events
  public void enableEventListening() throws IfsException
  LibrarySession session = getSession();
  try
  log(IfsServer.LEVEL_MEDIUM, "Enabling MY_iFS_Agent listening....");
  // Register for events on all PublicObject classes
  Collection c = session.getClassObjectCollection();
  //"true" in the argument means registering for all the objects of PublicObjects
  session.registerClassEventHandler((ClassObject)c.getItems(Folder.CLASS_NAME), true, this);
  session.registerClassEventHandler((ClassObject)c.getItems(Document.CLASS_NAME), true, this);
  log(IfsServer.LEVEL_MEDIUM, "Enabled MY_iFS_Agent listener!!");
  catch (IfsException e)
  log(IfsServer.LEVEL_MEDIUM, "IfsException" + " enabling Event Listening; re-throwing:");
  log(IfsServer.LEVEL_MEDIUM, e.toLocalizedString(session));
  throw e;
  catch (Exception e)
  log(IfsServer.LEVEL_MEDIUM, "Exception" + " enabling Event Listening; re-throwing:");
  log(IfsServer.LEVEL_MEDIUM, e.getMessage());
  // throw "agent unable to enable event listening"
  throw new IfsException(46002, e);
  * Disables listening for VersionDescription events
  * @nopub
  public void disableEventListening()
  LibrarySession session = getSession();
  try
  // Deregister for events on objects of VersionDescription class.
  Collection c = session.getClassObjectCollection();
  session.deregisterClassEventHandler((ClassObject)c.getItems(Document.CLASS_NAME), true, this);
  session.deregisterClassEventHandler((ClassObject)c.getItems(Folder.CLASS_NAME), true, this);
  catch (Exception e)
  log(IfsServer.LEVEL_MEDIUM, "Exception" + " disabling Event Listening:");
  log(IfsServer.LEVEL_MEDIUM, e.getMessage());
  * Handles events. This queues the events for processing by
  * the main agent thread.
  public void handleEvent(IfsEvent event)
  // Just queue the event and signal the main thread to process.
  // The only tasks that should be performed in this method
  // are any quick filtering.
  try
  //Only handle the event generated by the creation of an object.
  if (event.getEventType() == IfsEvent.EVENTTYPE_CREATEINSTANCE)
  queueEvent(event);
  log(IfsServer.LEVEL_MEDIUM, "Event received for Create");
  catch (Exception e)
  log(IfsServer.LEVEL_MEDIUM, "Exception" + " at handleEvent");
  log(IfsServer.LEVEL_MEDIUM, e.getMessage());
  * Processes the de-queued event. This sends an e-mail to the original owner
  * of the versioned document if the new version is created by a different user.
  public void processEvent(IfsEvent event) throws IfsException
  try
  Long id = event.getId();
  int eventType = event.getEventType();
  int eventSubType = event.getEventSubtype();
  PublicObject po = getSession().getPublicObject(id);
  if (po != null)
  switch (eventType) {
  case IfsEvent.EVENTTYPE_CREATEINSTANCE:
  log(IfsServer.LEVEL_MEDIUM, "Processing Create event for a " + po.getClassObject().getName() + " object." );
  PublicObject [] parentFolderList = po.getLeftwardRelationshipObjects("FolderPathRelationship");
  oracle.ifs.beans.Folder parentFolder = null;
  //IfsFileSystem fs=new IfsFileSystem(po.getSession());
  //Folder[] parentFolders=fs.getParents(po);
  if(parentFolderList.length>0) {
  //Change the object owner if it is not the same as its parent
  parentFolder = (oracle.ifs.beans.Folder) parentFolderList[0];
  DirectoryUser parentOwner = parentFolder.getOwner();
  DirectoryUser childOwner = po.getOwner();
  log(IfsServer.LEVEL_MEDIUM, (po.getCreator()).getDistinguishedName() + " created a new object" );
  //if (((parentFolder.getOwner()).getDistinguishedName()).equals("system"))
  // log(IfsServer.LEVEL_MEDIUM, "ACL and Owner wasn't updated to the system's subfolder" );
  //else
  if (!childOwner.equals(parentOwner)) po.setOwner(parentOwner);
  //Change the object Acl if it is not the same as its parent
  AccessControlList parentAcl = parentFolder.getAcl();
  AccessControlList childAcl = po.getAcl();
  if (!childAcl.equals(parentAcl)) po.setAcl(parentAcl);
  //log the result
  //log(IfsServer.LEVEL_MEDIUM, (parentFolder.getOwner()).getDistinguishedName() );
  log(IfsServer.LEVEL_MEDIUM, "ACL and Owner is updated to its parent" );
  else
  log(IfsServer.LEVEL_MEDIUM, "The parent list of current object is empty: Check MY_IFS_Agent.java");
  break;
  case IfsEvent.EVENTTYPE_FREE:
  log(IfsServer.LEVEL_MEDIUM, "Free the current object");
  break;
  default:
  log(IfsServer.LEVEL_MEDIUM, "Event: "+IfsEvent.EVENTTYPE_CREATEINSTANCE);
  break;
  catch (Exception e)
  log(IfsServer.LEVEL_MEDIUM, "Exception" + " at processEvent");
  log(IfsServer.LEVEL_MEDIUM, e.getMessage());

• How to handle Back button, Browser Refresh problem at server side.

  Hi Friends,
  How to handle Back button, Browser Refresh problem at server side in java?.
  I am able to trace that,
  request.getHeader("ACCEPT") is returning value- */*
  when the browser was refreshed and returning different MIME types
  for all other actions from browser.
  I have doubt, will the above solution works always for all servers,browsers?.
  Please also specify any solution to handle back button at server side?.
  Thanks in Advance.
  Venkat..

  I'm sorry I don't think tht's the right solution for
  the above question....
  We must be aware that whatever scripting methdologies
  we either javascript/vbscript would executed @
  client(browser) side not @ server side....
  Dud If U get a good solution keep me updated.....
  THANKS & REGARDS,
  RAHULMy dear friend ...
  the bad news is that u simply cant disable or add any listener to the back button of the browser.
  When u hit the back button of ur browser the URL gets re-executed. So in case u have a JSP then the history.forward() is the best solution. [only if the page doesnt get expired similar to secure https sites]
  Now dont say that user can have javascript disabled ...those users will have a pretty touch time browsing websites since javascripts r used extensively by almost all websites.
  But in case u have an action.do or servlet call then u need to manage it using a session variable since the request will be sent to the server rather than client.
  For multiple form submittion issues read the following article in javaworld...
  Client vs. server solutions
  Different solutions can solve this multiple form submission situation. Some transactional sites simply warn the user to wait for a response after submitting and not to submit twice. More sophisticated solutions involve either client scripting or server programming.
  In the client-only strategy, a flag is set on the first submission, and, from then on, the submit button is disabled based on this flag. While appropriate in some situations, this strategy is more or less browser dependent and not as dependable as server solutions.
  For a server-based solution, the Synchronizer Token pattern (from Core J2EE Patterns) can be applied, which requires minimal contribution from the client side. The basic idea is to set a token in a session variable before returning a transactional page to the client. This page carries the token inside a hidden field. Upon submission, request processing first tests for the presence of a valid token in the request parameter by comparing it with the one registered in the session. If the token is valid, processing can continue normally, otherwise an alternate course of action is taken. After testing, the token resets to null to prevent subsequent submissions until a new token is saved in the session, which must be done at the appropriate time based on the desired application flow of control.
  for more details refer :
  http://www.javaworld.com/javaworld/javatips/jw-javatip136.html
  Hope u got the idea.
  FYI I have been using both these ideas in my credit card payment gateway project. This concept has worked really well.

• Tomcat Session Management

  Hello.
  I have a question about how Tomcat performs session managment that I can't quite seem to find an answer for.
  When you put data into a session, such as a logonid, is the session data sent back to the client and stored in the cookie, or is it kept on the server side (in memory?) and accessed via the sessionid when the user returns? If you use WebScarab or achilles to watch the traffic, it doesn't appear that the data goes back to the client. (Which is a good thing for security). Just wanted to confirm that.
  Thanks very much.

  I'm not sure but I think the listener is only called when a user session is Created or Destroyed.
  What we did:
  1. on Create, stored the newly created user session in a vector in the Application Session.
  2. on Destroy (User session timeout or user logs off), remove the session from the vector.
  We maintained the list to see who was online and too see when they last made a server request:
  long last_access_x_seconds_ago = System.currentTimeMillis() - userSession.getLastAccessedTime();The userSession comes from the vector list in the application session. The method getLastAccessedTime(); is a default session method, there are some others that you might find useful...
  HTH.
  ps. My nick/name is Munyul ... HTH = Hope This Helps :p

• SSL connection between Dist Auth UI Server and Access Manager

  Hi,
  I have a Dist Auth UI Server installed in Web Server 7 and working properly, but now i want to configure it to talk with Access Manager with a secure port.
  I have configured Access Manager (also deployed in Web Server 7) in a secure port (443). I have requested and installed the server certificate in the Access Manager Web Server instance and also the root entity certificate.
  My question is: how must i configure the UI Server to communicate with the Access Manager Server in a secure way and trust the certificate that the WS of the AM presents ?
  Regards,

  There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
  The solution for these customers was the following:
  => AM server/client side:
  Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
  => AM client (UWC) side:
  - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
  <sun-web-app>
     <property name="encodeCookies" value="false"/>
     <session-config>
        <session-manager/>
     </session-config>
     <jsp-config/>
  <property name="allowLinking" value="true" />
  </sun-web-app>Regards,
  Shane.

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Error while saving a workflow via sharepoint designer: Server-side activities have been updated. You need to restart SharePoint Designer to use the updated version of activities.

  While saving a workflow using SharePoint designer on a SharePoint site, I get the following error: 
  Server-side activities have been updated. You need to restart SharePoint Designer to use the updated version of activities.
  Steps to recreate error:
  Login to the WFE server hosting IIS and workflow manager, open SharePoint Designer 2013 and login to a SharePoint site.
  Access the list using SharePoint Designer 2013, in the workflow section, click new workflow. 
  In the new workflow dialog, enter workflow details, click save (see screenshot below).
  Error message is displayed as below:
  After restarting SharePoint Designer, the saved workflow is not seen in the site/workflows or list/workflow section.
  Workaround
  When the above steps are repeated while accessing the site via SPD from any other box besides the WFE/Workflow manager host server, the error is not encountered and its possible to save/publish workflows.
  Notes
  Workflow Manager 1.0 is installed.
  The site has been registered with Workflow manager using Register-SPWorkflowService
  cmdlet.
  Any clue on why is this happening?

  Hi Vivek,
  Please close your SharePoint Designer application, clear/delete the cached files and folders under the following directories from your server installed SharePoint Designer, then check results again.
  <user profile>\appdata\roaming\microsoft\SharePoint Designer\ProxyAssemblyCache
  <user profile>\appdata\local\microsoft\websitecache\<sitename>
  http://www.andreasthumfart.com/2013/08/sharepoint-designer-2013-server-side-activities-have-been-updated/
  Thanks
  We are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.