Session Cookie in Servlet

Hi all
I have a issue please answer me.
If users disabled cookies.( other than session cookies)
how i should dynamically switch session cookies.
and how i can generate session cookies in servlet?
thanks
yashvant

If the user has cookies disabled (session, since persistent ones are rarely used for maintaining session state with a browser), then most containers will attempt 'url-rewriting' and insert the session uid there (in the URL). That should work even if cookies are disabled. In order to access a session, you simply call HttpServletRequest#getSession(). If no session exists, one will be created, else the existing one will be retrieved. The J2EE container will send either a cookie in the response or re-write the URL. You don't have to do anything special.
- Saish

Similar Messages

How to create a session cookie on demand

Hi,
I search the web but couldn't find anything related to creating session cookies on demand. I want to create a session cookie storing encrypted user tokens when there is none, for example, when the first page is called.
The encryption part is OK, but I want how can I intercept every call to a set of pages and create the session cookie if it doesn't exist.
I'm using ADF, of course, and Weblogic.
Anyone can provide some examples or source code?
Thanks.

Cookies are accessible via the http request and response, there you can add new cookies and or change existing ones.
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
        // get existing cookies
        Cookies [] cookies =((HttpServletRequest)ectx.getRequest()).getCookies();
        // create and set a new one
        Cookie cookie = new Cookie( "key", "value" );
        response.addCookie( cookie );This code should work in a bean. After setting the cookie you need to implement a servlet filter or a page phase listener where you check the requested url and then check for your cookie.
Timo

Air + Ipad + RemoteObject problem with session cookies

I am making Air version for IPad of a Flex application.
My flex application needs session from an secured enterprise proxy, without that session none remoteObject requests can pass the proxy and reach blazeDS.
My solution for flex works fine: calling an enterprise servlet at application´s startup to obtain a cookie session. I use a POST call to the servlet using URLRequest (sending the user and password parameters), the servlet responds with a message with a session cookie, and from that point, without me having to code anything more, my flex application get that cookie with the session that automatically is loaded in my browser cookie stack, and that transparently is used from all my subsequents remoteObjects calls in the flex application.
In my Adobe Air Ipad version, this just does not work, the session or is not storaged or is not attached with subsequent remoteObjects requests.
- I´m forcing request.manageCookies = true
- I´m working with the IOS simulator (Is there any difference for cookies with a real Ipad device?)
- I´m using Flex 4.6.0, Air 3.5, IOS 6, Ipad 3, BlazeDS 4.0, Java 6 BackEnd.
.. What´s the problem/difference with Air+Ipad from the flex version?

Hi BalusC ,
Thanks for your detailed response. I have a question about this comment you noted..
"Terrible. Just keep the bean request scoped. "
I changed the bean to request and now have this issue.
 <rich:dataGrid id="membersInZipcode" value="#{membersInZipcode.arrayListOfSearch4Member}"
 var="membersInZipcode" columns="5" elements="20">
 <f:facet name="footer">
 <rich:datascroller></rich:datascroller>
 </f:facet>
 </rich:dataGrid>
 </h:form> I am using a request bean to hold the search parms that loads the bean. This works great.
The problem is when I use the rich:datascroller for the next page.
It goes back to the bean and the request scope bean is empty. This holds the search values.
How do I put this back into the request after each process??
Question 2..
"Those settings only applies on the current request, i.e. the JSP file itself. Images are obtained by separate and independent requests. You need to set the headers on those requests as well. You can use a filter for this."
I have never set a filter ...how do I do it? Do you have a link for an example of this filter setup?
Thanks Again
Phil

Session management in servlet

Hi,
I am using OC4J Server.
I know the session in servlet can be managed with cookies. In addition, the session can be managed in HTTP session of OC4J. And How about the URL rewriting? Does it mean there are 3 methods to keep track of the servlet session. What are the difference of them. I am quite confused.
Thanks in advance

I see. Thanks.
So it means there are two kinds of cookies, permanent cookies and session cookies.
session cookies are used to store the session information.
I have another question. I want to write a permanent cookies to the browser and get it again even if the browser is closed.
The source code is like:
Cookie cookie = new Cookie(cookieName, cookieValue);
response.addCookie(cookie);
Then I try to write some cookies in the browser, close the browser and open the browser again and I try to retreive the cookies using the following codes but the cookies disappear.
Cookie[] cookies = request.getCookies()
if (cookies != null && cookies.length > 0) {
for (int i = 0; i < cookies.length; i++) {
Cookie cookie = cookies;
Is this the correct way to store and retrieve permanent cookies?
thanks in advance

How to secure session cookie

Iam using iPlanet 6.0SP6 in NT 4.0.
I would like to make the session cookie JSESSIONID to be transfer only on secure connection.
Then, I make the change to web-apps.xml as below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
"http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
<vs>
<session-cookie is-secure="true"></session-cookie>
</vs>
After that, I restart the iplanet web server and load the page with I.E. again. I see that the cookie is still passed with non-secure mode.
Is there any wrong with my web-apps.xml?

Janice,
Thanks for your help.
When I use the below web-apps.xml, I can make the cookie in secure session.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
"http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
<vs>
<web-app uri="/" dir="d:/java/docroot" enable="true">
<session-manager class="com.iplanet.server.http.session.IWSSessionManager">
<init-param>
<param-name>maxSessions</param-name>
<param-value>16000</param-value>
</init-param>
<init-param>
<param-name>timeOut</param-name>
<param-value>7200</param-value>
</init-param>
<init-param>
<param-name>reapInterval</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>maxValueSize</param-name>
<param-value>8192</param-value>
</init-param>
</session-manager>
<session-cookie is-secure="true"/>
</web-app>
</vs>
However, when I configure more on the web applicaiton with the web.xml, I check that the cookie no more secure.
THe web.xml is
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<display-name>Trade Info Exchange</display-name>
<description>
Trade Info Exchange
</description>

<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/Login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Fmenu</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.FmenuServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Fmenu</servlet-name>
<url-pattern>/Fmenu</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Fcontent</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.FcontentServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Fcontent</servlet-name>
<url-pattern>/Fcontent</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Express</servlet-name>
<servlet-class>com.chase.apps.express.servlet.EXPRESS2</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Express</servlet-name>
<url-pattern>/EXPRESS2</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>AppControl</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.AppControlServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AppControl</servlet-name>
<url-pattern>/AppControl</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>errorPage</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.errorPage</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>errorPage</servlet-name>
<url-pattern>/errorPage</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoginFail</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LoginFailServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginFail</servlet-name>
<url-pattern>/LoginFail</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Logout</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LogoutServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Logout</servlet-name>
<url-pattern>/Logout</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ChangePwdWarning</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdWarningServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ChangePwdWarning</servlet-name>
<url-pattern>/ChangePwdWarning</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ChangePwd</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ChangePwd</servlet-name>
<url-pattern>/ChangePwd</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ReLoginDialog</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ReLoginDialog</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ReLoginDialog</servlet-name>
<url-pattern>/ReLoginDialog</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackProcessSearch</servlet-name>
<servlet-class>chase.app.tt.servlet.ProcessSearchServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackProcessSearch</servlet-name>
<url-pattern>/TradeTrackProcessSearch</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackSearchScreen</servlet-name>
<servlet-class>chase.app.tt.servlet.SearchScreenServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackSearchScreen</servlet-name>
<url-pattern>/TradeTrackSearchScreen</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackMain</servlet-name>
<servlet-class>chase.app.tt.servlet.MainServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/LCIMPORT</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/LCEXPORT</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/COLLIMP</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/COLLEXP</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/B2BMenu</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/B2BMain</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>ctielogin.html</welcome-file>
</welcome-file-list>
</web-app>
Pls advise how I can make the cookie secure for using the web.xml and web-apps.xml
thanks
samuel poon

What is session tracking in servlets?

Hi ,
I'm studying servlets I don't have the clear idea about session tracking and Why and where we need to use it. Can any one say about this.....
Thanks in advance,
Maheshwaran Devaraj

Well Mheshpmr session tracking in servlets is very important...There are a number of problems that arise from the fact that HTTP is a "stateless" protocol. In particular, when you are doing on-line shopping, it is a real annoyance that the Web server can't easily remember previous transactions. This makes applications like shopping carts very problematic: when you add an entry to your cart, how does the server know what's already in your cart? Even if servers did retain contextual information, you'd still have problems with e-commerce. When you move from the page where you specify what you want to buy (hosted on the regular Web server) to the page that takes your credit card number and shipping address (hosted on the secure server that uses SSL), now let me tell you, how does the server remember what you were buying?
Well There are three typical solutions to this problem.
1. Cookies. You can use HTTP cookies to store information about a shopping session, and each subsequent connection can look up the current session and then extract information about that session from some location on the server machine. This is an excellent alternative, and is the most widely used approach. However, even though servlets have a high-level and easy-to-use interface to cookies, there are still a number of relatively tedious details that need to be handled:
* Extracting the cookie that stores the session identifier from the other cookies (there may be many, after all),
* Setting an appropriate expiration time for the cookie (sessions interrupted by 24 hours probably should be reset), and
* Associating information on the server with the session identifier (there may be far too much information to actually store it in the cookie, plus sensitive data like credit card numbers should never go in cookies).
2. URL Rewriting. You can append some extra data on the end of each URL that identifies the session, and the server can associate that session identifier with data it has stored about that session. This is also an excellent solution, and even has the advantage that it works with browsers that don't support cookies or where the user has disabled cookies. However, it has most of the same problems as cookies, namely that the server-side program has a lot of straightforward but tedious processing to do. In addition, you have to be very careful that every URL returned to the user (even via indirect means like Location fields in server redirects) has the extra information appended. And, if the user leaves the session and comes back via a bookmark or link, the session information can be lost.
3. Hidden form fields. HTML forms have an entry that looks like the following: <INPUT TYPE="HIDDEN" NAME="session" VALUE="...">. This means that, when the form is submitted, the specified name and value are included in the GET or POST data. This can be used to store information about the session. However, it has the major disadvantage that it only works if every page is dynamically generated, since the whole point is that each session has a unique identifier.
Servlets provide an outstanding technical solution: the HttpSession API. This is a high-level interface built on top of cookies or URL-rewriting. In fact, on many servers, they use cookies if the browser supports them, but automatically revert to URL-rewriting when cookies are unsupported or explicitly disabled. But the servlet author doesn't need to bother with many of the details, doesn't have to explicitly manipulate cookies or information appended to the URL, and is automatically given a convenient place to store data that is associated with each session.

Passing Session info between servlets

We are running WebLogic 5.1, sp 4 and Apache 1.3 on Solaris 2.6 and we are
 successfully proxying requests to the server. But we are unable to pass
 session information between servlets. We are NOT using URL encoding. We are
 instead using cookies. We believe our configuration is correct because the
 BEA example session servlet works. Does anyone have any recommendations or
 suggestions?
 Thank you,
 Jorge
 Jorge A. Martin
 Systems Analyst
 The Kinetic Group
 1950 Stemmons Freeway, Suite 3040
 Dallas, Texas 75207


This is a basic misunderstanding of how Java Works:
String name +r = request.getParameter(name +r);1) You can't use a + on the left part of an assignment operation - it must be a plain variable reference. This isn't like JavaScript where you have an eval(...) capability.
2) Your Strings are being defined inside the For Loop, which means they will leave scope once the loop ends and you won't be able to refer to them anymore.
3) Is there already a String value named 'name' which you are using in getParameters(name+r)? You should probably use getParameter("name"+r) instead.
What you want to do is either put the values in an array so they are easy to access:
String name[] = new String[value1];Then loop through the parameters to assign values:
for(int r = 0; r< value1; r++) { //Start at 0 to value1-1 because arrays are 0 based.
String nameParam = "name"+ (r+1);
name[r] = request.getParameter(nameParam);Now I can access the names in order:
name1 via name[0]
name2 via name[1]
name3 via name[2]
etc...Before going any further I would stop working on Servlets and go back to some good Basic Java Tutorials and books until you get a better grasp of how the language works.

Session managing testing servlets

I am running two 5.1 sp1 servers in a cluster using in-mem replication
 with a wl proxy server, all on NT boxes. I've written three servlets:
 Login, Logout, and Test2
 Login creates a new session if one isn't present. Logout kills the
 session if there is one present. Test2 tests for the existence of a
 session.
 -- I start the server and create a new session with the Login
 servlet.
 -- I test with Test2 servlet ( I get Test2: init) and it doesn't see
 the session I had just created.
 -- I reload Test2 and it recognizes the session OK.
 -- It recognizes the session with all subsequent calls to it as well.
 -- Killing the server and making the session failover to another
 server will make the Test2 servlet not see the session for the first
 time again (If that is the first time that the servlet is loaded on that
 particular server).
 Same happens with Logout servlet. It seems that when a servlet is
 initially loaded on a server it doesn't see sessions already present but
 it picks up that info on all subsequent loads. What can I do to make
 sure all my servlets see all the sessions all the time (otherwise this
 failover demo I'm doing is quite useless).
 Thanks, Timur


 Prasad Peddada wrote:
 > Timur Maltaric wrote:
 >
 > > Say I had two servers in the cluster to begin with. Sessions were created and killed as users logged on and off.
 > > One server dies suddenly and one is left operating in the cluster. Shouldn't this one that is operating be able to
 > > correctly handle any new sessions that will be created?
 >
 > Yes.
 >
 > From your earlier mail:
 >
 > The log attached to an earlier message shows that Login servlet starts a new session, and writes a cookie. Good.
 > Requesting Test2 doesn't read that cookie and returns session = null. Requesting Test2 again reads the cookie
 > correctly and gets the correct session information.
 >
 > From the log files:
 >
 > Tue May 30 10:17:42 EDT 2000:<D> <ServletContext-General> Found servlet for Virtual Path: '/Test2'
 > Tue May 30 10:17:42 EDT 2000: <ServletContext-General> ServletRequestImpl: ServletPath: /Test2
 > Tue May 30 10:17:42 EDT 2000:<D> <ServletContext-General> Invoking servlet
 > Tue May 30 10:17:42 EDT 2000:<D> <ServletContext-General> Checking ACL: weblogic.servlet.Test2
 > Tue May 30 10:17:42 EDT 2000: <ServletContext-General> Parsing cookies
 > Tue May 30 10:17:42 EDT 2000: <ServletContext-General> ServletRequestImpl: Found cookie:
 > javax.servlet.http.Cookie@b8f4916
 > Tue May 30 10:17:42 EDT 2000: <ServletContext-General> ServletRequestImpl: SessionID:
 > OTPNVO0XpIhya1eIDpzrNar9gwDuzpm198DEKR9ho5uhKqSfIOis7UdLQ0773aTGodGkgNoKH0A3|-5241978140997784602/168297227/6/7001/7001/7002/7002/7001/-1|NONE|-5241978140997784602
 > found in cookie
 > Tue May 30 10:17:42 EDT 2000: <ServletContext-General> ServletRequestImpl: Trying to find session:
 > OTPNVO0XpIhya1eIDpzrNar9gwDuzpm198DEKR9ho5uhKqSfIOis7UdLQ0773aTGodGkgNoKH0A3|-5241978140997784602/168297227/6/7001/7001/7002/7002/7001/-1|NONE|-5241978140997784602
 >
 > Contrary to what you said the weblogic server is reading your session. All the requests are in the same session.
 The first time (notice time) that the request is made for Test2 weblogic server is NOT reading the session info. Second request for Test2 (one you quoted) is OK.
 Why?:
 Tue May 30 10:17:13 EDT 2000:<D> <ServletContext-General> Found servlet for Virtual Path: '/Test2'
 Tue May 30 10:17:13 EDT 2000: <ServletContext-General> ServletRequestImpl: ServletPath: /Test2
 Tue May 30 10:17:13 EDT 2000:<D> <ServletContext-General> Invoking servlet
 Tue May 30 10:17:13 EDT 2000:<D> <ServletContext-General> Checking ACL: weblogic.servlet.Test2
 Tue May 30 10:17:13 EDT 2000: <ServletContext-General> Parsing cookies
 Tue May 30 10:17:13 EDT 2000: <ServletContext-General> ServletRequestImpl: Get query parameter: WebLogicSession found value: null
 Tue May 30 10:17:13 EDT 2000: <ServletContext-General> ServletRequestImpl: SessionID not found
 Tue May 30 10:17:13 EDT 2000: <ServletContext-General> Test2: init
 >
 > Contact support if you have a reproducible test case and we will go from there.
 I am contacting support.
 >
 >
 > I don't think it matters how many servers are in the cluster because none are really failing. Correct me if I'm wrong.
 >
 > True.
 >
 > - Prasad
 >
 > >
 > > Timur
 > >
 > > Prasad Peddada wrote:
 > >
 > > > If you have only one server in the cluster how do you expect it to failover and retrieve your session
 > > > information.
 > > >
 > > > - Prasad
 > > >
 > > > Timur Maltaric wrote:
 > > >
 > > > > There was only one server running in the cluster when these requests were made. That shouldn't be a problem
 > > > > though.
 > > > >
 > > > > Timur
 > > > >
 > > > > Prasad Peddada wrote:
 > > > >
 > > > > > The same cookie is being sent five times as you can see. Are you sure your clustering is
 > > > > > working. I don't think the servers are recognizing each other. Do you have two servers
 > > > > > running when you made these requests.
 > > > > >
 > > > > > C:\TEMP>grep
 > > > > > "OTPNVO0XpIhya1eIDpzrNar9gwDuzpm198DEKR9ho5uhKqSfIOis7UdLQ0773aTGodGkgNoKH0A3|-5241978140997784602/16829722
 > > > > >
 > > > > > 7/6/7001/7001/7002/7002/7001/-1|NONE|-5241978140997784602" weblogic.log | wc -l
 > > > > > 5
 > > > > >
 > > > > > - Prasad
 > > > > >
 > > > > > Timur Maltaric wrote:
 > > > > >
 > > > > > > Here is a snippet from the log. Test2 doesn't recieve the cookie on first load but
 > > > > > > recieves it thereafter.
 > > > > > >
 > > > > > > Timur
 > > > > > >
 > > > > > > Prasad Peddada wrote:
 > > > > > >
 > > > > > > > I don't think domain property applies to your case. Did you try turn on the
 > > > > > > > debugging and did you notice anything wrong. When you requested Login, you should
 > > > > > > > have got a cookie that should have been passed back when you requested Test2. Do
 > > > > > > > you see that in log?
 > > > > > > >
 > > > > > > > - Prasad
 > > > > > > >
 > > > > > > > Description about domains:
 > > > > > > >
 > > > > > > > When searching the cookie list for valid cookies, a comparison of the domain
 > > > > > > > attributes of the cookie is made
 > > > > > > > with the Internet domain name of the host from which the URL will be fetched.
 > > > > > > > If there is a tail match, then
 > > > > > > > the cookie will go through path matching to see if it should be sent. "Tail
 > > > > > > > matching" means that domain
 > > > > > > > attribute is matched against the tail of the fully qualified domain name of
 > > > > > > > the host. A domain attribute of
 > > > > > > > "acme.com" would match host names "anvil.acme.com" as well as
 > > > > > > > "shipping.crate.acme.com".
 > > > > > > >
 > > > > > > > Only hosts within the specified domain can set a cookie for a domain and
 > > > > > > > domains must have at least two (2)
 > > > > > > > or three (3) periods in them to prevent domains of the form: ".com", ".edu",
 > > > > > > > and "va.us". Any domain that fails
 > > > > > > > within one of the seven special top level domains listed below only require
 > > > > > > > two periods. Any other domain
 > > > > > > > requires at least three. The seven special top level domains are: "COM",
 > > > > > > > "EDU", "NET", "ORG", "GOV", "MIL", and
 > > > > > > > "INT".
 > > > > > > >
 > > > > > > > The default value of domain is the host name of the server which generated
 > > > > > > > the cookie response.
 > > > > > > >
 > > > > > > > Timur Maltaric wrote:
 > > > > > > >
 > > > > > > > > weblogic.httpd.session.cookie.domain
 > > > > > > > >
 > > > > > > > > what does this do? What should I set it to?
 > > > > > > > >
 > > > > > > > > Prasad Peddada wrote:
 > > > > > > > >
 > > > > > > > > > Turn on the weblogic.debug.httpd=true and see if the cluster's are receiving
 > > > > > > > > > cookie's or not and try with IE as well.
 > > > > > > > > >
 > > > > > > > > > Try setting this property on the weblogic servers in the backend and see if
 > > > > > > > > > it helps.
 > > > > > > > > >
 > > > > > > > > > weblogic.httpd.session.cookie.domain
 > > > > > > > > >
 > > > > > > > > > - Prasad
 > > > > > > > > >
 > > > > > > > > > Timur Maltaric wrote:
 > > > > > > > > >
 > > > > > > > > > > I am running two 5.1 sp1 servers in a cluster using in-mem replication
 > > > > > > > > > > with a wl proxy server, all on NT boxes. I've written three servlets:
 > > > > > > > > > > Login, Logout, and Test2
 > > > > > > > > > > Login creates a new session if one isn't present. Logout kills the
 > > > > > > > > > > session if there is one present. Test2 tests for the existence of a
 > > > > > > > > > > session.
 > > > > > > > > > >
 > > > > > > > > > > -- I start the server and create a new session with the Login
 > > > > > > > > > > servlet.
 > > > > > > > > > > -- I test with Test2 servlet ( I get Test2: init) and it doesn't see
 > > > > > > > > > > the session I had just created.
 > > > > > > > > > > -- I reload Test2 and it recognizes the session OK.
 > > > > > > > > > > -- It recognizes the session with all subsequent calls to it as well.
 > > > > > > > > > >
 > > > > > > > > > > -- Killing the server and making the session failover to another
 > > > > > > > > > > server will make the Test2 servlet not see the session for the first
 > > > > > > > > > > time again (If that is the first time that the servlet is loaded on that
 > > > > > > > > > > particular server).
 > > > > > > > > > >
 > > > > > > > > > > Same happens with Logout servlet. It seems that when a servlet is
 > > > > > > > > > > initially loaded on a server it doesn't see sessions already present but
 > > > > > > > > > > it picks up that info on all subsequent loads. What can I do to make
 > > > > > > > > > > sure all my servlets see all the sessions all the time (otherwise this
 > > > > > > > > > > failover demo I'm doing is quite useless).
 > > > > > > > > > >
 > > > > > > > > > > Thanks, Timur
 > > > > > > > > >
 > > > > > > > > > --
 > > > > > > > > > Cheers
 > > > > > > > > >
 > > > > > > > > > - Prasad
 > > > > > > >
 > > > > > > > --
 > > > > > > > Cheers
 > > > > > > >
 > > > > > > > - Prasad
 > > > > > >
 > > > > > > ------------------------------------------------------------------------
 > > > > > > Name: weblogic.log
 > > > > > > weblogic.log Type: Text Document (application/x-unknown-content-type-txtfile)
 > > > > > > Encoding: base64
 > > > > >
 > > > > > --
 > > > > > Cheers
 > > > > >
 > > > > > - Prasad
 [att1.html]

Problem Changing session cookie name

Hi,
I am running Weblogic 5.1 service sp 6
I attempted to change the name of the weblogic
session cookie by modifying the following
parameter in weblogic.properties
weblogic.httpd.session.cookie.name=MyCookie
I also noticed that even if I hust uncomment the line
weblogic.httpd.session.cookie.name=WebLogicSession
my application seems to timeout within a few minutes.
However, when I do this I noticed that my session times out within 5
minutes.
I have my timeout set with
weblogic.httpd.session.timeoutSecs=14400
Thanks,
Bill

I have 2 diff app on one app server. If I change it for the app server, it will be applied to all applications that are running on this server. Right?
In the servlet specification is written :
The name of the session tracking cookie must be JSESSIONID.
My question is : Is there is a possible workaround to change session coockie name on application level, not on app server level?

How to Set up HTTPOnly and SECURE FLAG for session cookies

Hi All,
To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
I have found the below solutions.
For setting up the HTTPOnly for the session cookies.
1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
 this.sessioncookie.httponly = true;
For setting up the secure flag for the session cookies.
2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
 this.sessioncookie.secure = "true"
Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
Your timely help is well appreciated.
Thanks in advance.

BKBK wrote:
Abdul L Koyappayil wrote:
BKBK wrote:
You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
I couldnt understand this. I mean how are you relating this with my question.
When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
 If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
Name:
JSESSIONID
Content:
782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
Domain:
xyz.abc.pqr.com
Path:
Send for:
Any kind of connection
Accessible to script:
No (HttpOnly)
Created:
Wednesday, September 3, 2014 2:25:10 AM
Expires:
When the browsing session ends
BKBK wrote:
2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
 I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
BKBK wrote:
3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
 I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

Weblogic.httpd.session.cookies.enable not working in WLS4.5 sp 11 ?

I want to disable the use of cookies in WLS 4.5, and set the following
weblogic.httpd.session.cookies.enable=false
In WLS 4.5 sp7, this correctly prevents the server from using cookies
for session-tracking, forcing the extraction of the session id from a
rewritten URL.
However, for WLS 4.5 sp11 cookies are still sent from the server
Is this a known issue ?
jo

I want to disable the use of cookies in WLS 4.5, and set the following
weblogic.httpd.session.cookies.enable=false
In WLS 4.5 sp7, this correctly prevents the server from using cookies
for session-tracking, forcing the extraction of the session id from a
rewritten URL.
However, for WLS 4.5 sp11 cookies are still sent from the server
Is this a known issue ?
jo

Can portal session cookies be used between two data centers

OAS generates the following header information and session information for my application. However when I need to failover the originating OAS datacenter into my hot stand-by for maintenance or upgrades, the OAS in the other datacenter responds with a 503 web error. We are using Akamai's GTM to manage the liveness of the datacenter, so we would need the hot stand-by OAS portal in that datacenter to return a 302 error code. Is there some method that we can add to our portal application which would always return a 302 error code.
See header information collected through wfetch. The 503 error is caused by the hot stand-by data center not accepting or recognizing the cookie. Both OAS datacenters are IDENTICAL in Oracle levels, application levels, web servers, portals and OS patches.
resolve hostname "170.107.183.32"WWWConnect::Connect("170.107.183.32","80")\nsource port: 2182\r\n
GET /portal/pls/portal/PORTAL.wwsec_app_priv.login?p_requested_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home&p_cancel_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n
Host: www.thomson-pharma.com\r\n
Connection: Keep-Alive\r\n
Cookie: ORA_WX_SESSION="10.225.8.30:80-1#2"; portal=9.0.3+en-us+us+AMERICA+3D66674E7EED0801E04400144F41424E+BBAA98EEB32D58C086231A8D6CBE2E5D402D89B0E79D83A18C668BB0CA7417B4044DEA389C8B50DD37D9272A24B4753B22F29978861DE14503F8B9BEDC2014654B26A434CF074F4D8749B88610ADADF5084A90ADBF749E2A; DATACENTER=EAGAN\r\n
\r\n
HTTP/1.1 503 Service Unavailable\r\n
Cache-Control: private\r\n
Content-Type: text/html\r\n
Set-Cookie: ORA_WX_SESSION="10.237.138.33:80-1#2"\r\n
Set-Cookie: portal=; expires=Wednesday, 27-Dec-95 05:29:10 GMT; path=/\r\n
Connection: Keep-Alive\r\n
Keep-Alive: timeout=5, max=999\r\n
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=208440262161,0)\r\n
Content-Length: 710\r\n
Date: Fri, 26 Oct 2007 14:58:07 GMT\r\n
\r\n
Thanks -John

Hi John,
This question is probably more appropriate in one of the Portal forums, but perhaps you can take a look at the information in section C.5 Configuring the Portal Session Cookie in Appendix C of the Portal Configuration guide.
Here is a link: http://download.oracle.com/docs/cd/B14099_19/portal.1014/b19305/cg_app_c.htm#sthref1907
Regards,
Peter

Session Cookies Being Overwritten Browsing From SSL to Non SSL

I have created a bug report for this issue as well.
Please note I am using J2EE session variables so keep that in mind.
I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
For example:
Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Encrypted connections only".
Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Any type of connection".
Here's the problem:
Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
Steps to Reproduce:
1. Clear your cookies.
2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
Has anyone else experience this?

Deleting and re-adding my account seems to have fixed it. I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something. Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.

CFID and CFTOKEN Being Deleted from Session Cookie

I can't believe that no one else has run into this - but I
have found nothing on the internet.
When I copy a piece from a web page that is generated by my
coldfusion server, and paste it into a word document, the session
cookie is altered, and the CFID and CFTOKEN information is deleted,
so I lose my login. Recently, I've developed a problem on a
different application - when I open a word document that is stored
on the server, using CFCONTENT, same thing happens - the cookie is
altered, CFID and CFTOKEN are deleted, and I lose my login.
I'm tearing my hair out. Has anyone seen this behaviour, any
ideas as to why this would occur? Any ideas as to how to get around
it?

Here's my CFAPPLICATION tag:
<cfapplication name="DashBoard"
clientmanagement="Yes"
sessionmanagement="Yes"
setclientcookies="Yes"
clientstorage="cookie"
loginstorage="session"
sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
Not sure what you mean by application sections. It's one
application.
I don't refer to the cookie in any other way. It's there only
to do what CF does with it - maintain the information that's used
to find the session.

APEX Security: Multiple session cookies in one browser

Hi all,
I use mozilla firefox as web browser. When I open a new tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the session id and the browser the session cookie WWV_CUSTOM-F....
When I now open the next browser tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the new session id and the browser the session cookie WWV_CUSTOM-F... with new content. My session from the first browser tab will be killed, because the session cookie for this session was deleted/replaced by the session cookie from the second tab.
Is it possible to have multiple APEX sessions opened in one browser in multiple tabs?
Regards

Hi PaulP,
it's simple.
Unzip bsApex2 http://www.betasoftware.it/codice/bsApex2.zip
If not installed, install Microsoft .NET Framework 4 Client Profile.
Configure bsApex.exe.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
 
 <add key="aTitolo" value="Apex Desktop by Beta Software snc" />
 
 <add key="aTitoloBreve" value="Apex Desktop" />
 
 <add key="aAltezza" value="960" />
 
 <add key="aLarghezza" value="1200" />
 
 <add key="aChiudi" value="Close" />
 
 <add key="aStampa" value="Print" />
 
 <add key="aIcona" value="bsApex.ico" />
 
 <add key="aCliente" value="Apex Community" />
 
 <add key="aIndirizzo" value="http://apex.oracle.com/pls/otn/f?p=23873:1" />
</appSettings>
</configuration>Run bsApex.exe, that's all.
Regards,
Gianluigi

Session Cookie in Servlet

Similar Messages

Maybe you are looking for