Session cookie question?
This is a really stupid question but I need the answer, lol. Is a session cookie and a session the same thing? If not, what's different, and which is better to use to see if a user is logged on to my site?
A "session" is stored in memory on the server and is bound to a specific "sessionId". The sessionId is stored in a cookie by default. When the browser submits the cookie the webserver can use that value to link an existing session to that client.
Similar Messages
-
I want to know how to maintain a session or cookie in a WAP application.
As far as I know WAP (certainly the current version) doesn't support cookies.
My scenario is: the user logs in (I want to save the user id in the session).
He chooses a brand, then category, then SKU, then enters sales in an input box.
I want to save the sale with the user id (I don't want to pass the user id to each page).
So what can I do?
Please help, as I am a newbie to WAP.
A "session" is stored in memory on the server and is bound to a specific "sessionId". The sessionId is stored in a cookie by default. When the browser submits the cookie the webserver can use that value to link an existing session to that client.
-
How to Set up HTTPOnly and SECURE FLAG for session cookies
Hi All,
To fix some vulnerability issues (found in ethical hacking / penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so that they cannot be accessed by non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.
I have found the below solutions.
For setting up the HTTPOnly for the session cookies.
1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
this.sessioncookie.httponly = true;
For setting up the secure flag for the session cookies.
2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
this.sessioncookie.secure = "true"
Here my question is how we can do the same thing in Application.cfm? (I am using ColdFusion version 10.) I know we can do this using the below code, in the case of HTTPOnly (for example).
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right? And this will be a headache. Right? Or is there any other way to do this?
Your timely help is well appreciated.
Thanks in advance.
BKBK wrote:
Abdul L Koyappayil wrote:
BKBK wrote:
You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
I couldn't understand this. I mean, how are you relating this to my question?
When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
If this is the case then why am I getting the below info for jsessionid (as you mentioned, it should be set with the SECURE flag. Right?). Note that we are using web server - Apache vFabric. And the application that we are using is on https and no hit is going from https to http.
Name: JSESSIONID
Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
Domain: xyz.abc.pqr.com
Path:
Send for: Any kind of connection
Accessible to script: No (HttpOnly)
Created: Wednesday, September 3, 2014 2:25:10 AM
Expires: When the browsing session ends
BKBK wrote:
2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for CF session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin? Or, put another way, as the session management is J2EE based, do we need to set those flags for CF session cookies?
BKBK wrote:
3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
I understood that it is sufficient to set httponly only, but how will we set it for jsessionid? This is my question. Apache vFabric will also set secure to true automatically. Any idea?? -
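Added example (not part of the original thread, and not ColdFusion or Tomcat code): a small Python check for the flags discussed in the thread above. It reads a response's Set-Cookie headers and reports which of CFID, CFTOKEN and JSESSIONID lack HttpOnly or Secure; the sample response and the function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly and Secure flags.
# Function names and the sample response are constructed for illustration.

# Session cookie names taken from the thread (compared case-insensitively).
SESSION_COOKIE_NAMES = {"CFID", "CFTOKEN", "JSESSIONID"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    valueless flags such as HttpOnly and Secure. Attribute names are matched
    case-insensitively, so "HTTPOnly" and "HttpOnly" are the same flag.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("not a Set-Cookie value: %r" % header_value)
    name, value = parts[0].split("=", 1)
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip().strip('"'), attrs


def audit_response(raw_headers, https=True):
    """Return {COOKIE_NAME: [missing flags]} for the session cookies found
    in a raw HTTP response header block.

    Secure is only required when the site is served over HTTPS. If a cookie
    is set twice, the last Set-Cookie line wins, as it does in a browser.
    """
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(value)
        if name.upper() not in SESSION_COOKIE_NAMES:
            continue  # not a session cookie, out of scope for this check
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if https and "secure" not in attrs:
            missing.append("Secure")
        findings[name.upper()] = missing
    return findings


# Constructed sample response. The JSESSIONID line mirrors the cookie shown
# in the thread: HttpOnly is set, but it is sent on any kind of connection.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: CFID=1234;path=/;HTTPOnly
Set-Cookie: CFTOKEN=56789012;path=/
Set-Cookie: JSESSIONID=0123456789ABCDEF.node1; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/
"""

if __name__ == "__main__":
    for cookie, missing in sorted(audit_response(SAMPLE_RESPONSE).items()):
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print("%-11s %s" % (cookie, status))
```
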
Can portal session cookies be used between two data centers
OAS generates the following header information and session information for my application. However when I need to failover the originating OAS datacenter into my hot stand-by for maintenance or upgrades, the OAS in the other datacenter responds with a 503 web error. We are using Akamai's GTM to manage the liveness of the datacenter, so we would need the hot stand-by OAS portal in that datacenter to return a 302 error code. Is there some method that we can add to our portal application which would always return a 302 error code.
See header information collected through wfetch. The 503 error is caused by the hot stand-by data center not accepting or recognizing the cookie. Both OAS datacenters are IDENTICAL in Oracle levels, application levels, web servers, portals and OS patches.
resolve hostname "170.107.183.32"WWWConnect::Connect("170.107.183.32","80")\nsource port: 2182\r\n
GET /portal/pls/portal/PORTAL.wwsec_app_priv.login?p_requested_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home&p_cancel_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n
Host: www.thomson-pharma.com\r\n
Connection: Keep-Alive\r\n
Cookie: ORA_WX_SESSION="10.225.8.30:80-1#2"; portal=9.0.3+en-us+us+AMERICA+3D66674E7EED0801E04400144F41424E+BBAA98EEB32D58C086231A8D6CBE2E5D402D89B0E79D83A18C668BB0CA7417B4044DEA389C8B50DD37D9272A24B4753B22F29978861DE14503F8B9BEDC2014654B26A434CF074F4D8749B88610ADADF5084A90ADBF749E2A; DATACENTER=EAGAN\r\n
\r\n
HTTP/1.1 503 Service Unavailable\r\n
Cache-Control: private\r\n
Content-Type: text/html\r\n
Set-Cookie: ORA_WX_SESSION="10.237.138.33:80-1#2"\r\n
Set-Cookie: portal=; expires=Wednesday, 27-Dec-95 05:29:10 GMT; path=/\r\n
Connection: Keep-Alive\r\n
Keep-Alive: timeout=5, max=999\r\n
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=208440262161,0)\r\n
Content-Length: 710\r\n
Date: Fri, 26 Oct 2007 14:58:07 GMT\r\n
\r\n
Thanks -John
Hi John,
This question is probably more appropriate in one of the Portal forums, but perhaps you can take a look at the information in section C.5 Configuring the Portal Session Cookie in Appendix C of the Portal Configuration guide.
Here is a link: http://download.oracle.com/docs/cd/B14099_19/portal.1014/b19305/cg_app_c.htm#sthref1907
Regards,
Peter -
Air + Ipad + RemoteObject problem with session cookies
I am making Air version for IPad of a Flex application.
My flex application needs session from an secured enterprise proxy, without that session none remoteObject requests can pass the proxy and reach blazeDS.
My solution for flex works fine: calling an enterprise servlet at application´s startup to obtain a cookie session. I use a POST call to the servlet using URLRequest (sending the user and password parameters), the servlet responds with a message with a session cookie, and from that point, without me having to code anything more, my flex application get that cookie with the session that automatically is loaded in my browser cookie stack, and that transparently is used from all my subsequents remoteObjects calls in the flex application.
In my Adobe Air Ipad version, this just does not work; the session either is not stored or is not attached to subsequent remoteObjects requests.
- I´m forcing request.manageCookies = true
- I´m working with the IOS simulator (Is there any difference for cookies with a real Ipad device?)
- I´m using Flex 4.6.0, Air 3.5, IOS 6, Ipad 3, BlazeDS 4.0, Java 6 BackEnd.
.. What´s the problem/difference with Air+Ipad from the flex version?
Hi BalusC ,
Thanks for your detailed response. I have a question about this comment you noted..
"Terrible. Just keep the bean request scoped. "
I changed the bean to request and now have this issue.
<rich:dataGrid id="membersInZipcode" value="#{membersInZipcode.arrayListOfSearch4Member}"
var="membersInZipcode" columns="5" elements="20">
<f:facet name="footer">
<rich:datascroller></rich:datascroller>
</f:facet>
</rich:dataGrid>
</h:form>
I am using a request bean to hold the search parms that loads the bean. This works great.
The problem is when I use the rich:datascroller for the next page.
It goes back to the bean and the request scope bean is empty. This holds the search values.
How do I put this back into the request after each process??
Question 2..
"Those settings only applies on the current request, i.e. the JSP file itself. Images are obtained by separate and independent requests. You need to set the headers on those requests as well. You can use a filter for this."
I have never set a filter ...how do I do it? Do you have a link for an example of this filter setup?
Thanks Again
Phil -
Hi all,
I'm hitting a restriction or security feature(?) of Safari in iOS. One of our Apex applications is a page that runs in an iframe on a site. Apex is installed on a server inside our own network and is accessible via DNS: office.ourcorp.com (fake name, just to clarify the situation). We have a couple of different brands, that all have their own domains: brand1.com, brand2.com etc. All of these sites open the apex page inside an iframe.
That all works beautifully in all browsers, except in Safari in iOS. In iOS, the apex page isn't showing. It seems it's because of the session cookie Apex sets. Safari can't set a cookie from another domain (a cross domain cookie). Is there a possibility to turn off the session cookie (ORA_WWV_APP_xxx)?
I also tried to set the 'cookie domain' option inside the authentication scheme to one of the domain names for our brands, but it still doesn't show up.
Does someone have a solution?
I tried to do that. If you read my very first post in this thread, specifically "If I try to set a cookie in the page sentry function, it is breaking at the redirect line. Also, I don't think page sentry is the right place to set a cookie since it executes at every page.", I tried to set a cookie but it is throwing an error at the page.
I think all these complication is because I dont have a login page and I am using a HTTP header variable to validate the user. Given that, where should I set the cookie?
I also tried to do this:
- create an application item called 'testuser'
- create an application computation to run 'before header' which sets the value of this to my HTTP header variable.
- When I retrieve the app item 'testuser' from a page, it is getting the correct value. But when I use this in the authentication scheme, it is returning null. Any idea why??
I know I am throwing a lot of questions. That is because I am trying a lot of approaches and each of them is posing a new set of challenges. I am actually looking for alternative ways to do what I am looking to do.
Thanks.
Shuba -
Session cookie - Servername info - can it be done in the application code
HI all,
Scenario:
2 managed servers in a cluster. Application is deployed on the cluster.
Requirement:
Application needs to send a cookie to the user with server info.
Question is regarding session cookies. Can the application retrieve the server name (for example ManagedServer1) from which that request has been processed and send to the user in the cookie.?
Request->process->Response with cookie containing the server name it was processed by.
Can it be done in the application code?
/SR
Edited by: Shashi_sr on Feb 4, 2011 4:37 AM
Hi SR,
You can get the server name using the following technique:
/* Getting the Server name from System Property */
String serverName = System.getProperty("weblogic.Name");
/* Adding the value of the Server Name in the Cookie (addCookie takes a javax.servlet.http.Cookie object) */
response.addCookie(new Cookie("serverName", serverName));
You can see for yourself, using the JPS utility, how WLS sets its server name as a system property, using the following link
Topic: Using Jps.exe to distinguish WLS ProcessIDs And Server Name
http://middlewaremagic.com/weblogic/?p=2291
Regards,
Ravish Mody
http://middlewaremagic.com/weblogic/
Come, Join Us and Experience The Magic… -
Authentication & Session Management questions
Hi. Apex 2.2.1. I'm going crazy trying to set up authentication for my application. I'd appreciate any pointers. My scenario is
Siteminder intercepts all calls to the application
User authenticates with Siteminder
If authenticated, Siteminder sets HTTP_SM_USER in the header
If not authenticated, then APEX is never called
Pull the user out of the header
Create a session if needed
Log the user in if needed
Redirect the user to the request page
I've followed the example that I've found in the forum and set up a page sentry function to create a session when the user first comes in. After that I try to verify that the session belongs to them. That's not working because wwv_flow_custom_auth_std.get_username never returns a value. I think that's because I'm not logging the user in to APEX. I can't figure out the difference between wwv_flow_custom_auth_std.post_login and wwv_flow_custom_auth_std.login. (it probably doesn't help that I inherited the application from some consultants that left a year ago and there is no documentation on it or even APEX here at my site).
Mike
Thanks, Scott. The problem is that it seems to keep looping. You can see from the log that it creates the session, then invalidates it, then creates it, etc.
Mike
debug log
384 1000 Enter 604 - 1 user MDHENDER session NOT valid
384 4000 session is NOT valid
384 4100 dn_network_id is acct\mdhender
384 5000 creating a new session
384 5010 created new session
384 6000 setting up follow up url
384 6010 follow up url is 604:1:
384 7000 register new session
384 7010 registered session
384 9000 clean exit
385 1000 Enter 604 - 1 user MDHENDER session valid
385 3000 session is valid 1707655438517376
385 3010 authenticated user MDHENDER cookie
385 3100 marker
385 3200 marker
386 1000 Enter 604 - 1 user MDHENDER session NOT valid
386 4000 session is NOT valid
386 4100 dn_network_id is acct\mdhender
386 5000 creating a new session
386 5010 created new session
386 6000 setting up follow up url
386 6010 follow up url is 604:1:
386 7000 register new session
386 7010 registered session
386 9000 clean exit
387 1000 Enter 604 - 1 user MDHENDER session valid
387 3000 session is valid 2743127946937676
387 3010 authenticated user MDHENDER cookie
387 3100 marker
387 3200 marker
Here is the code
<code>
CREATE OR REPLACE FUNCTION lmf_siteminder_page_sentry RETURN BOOLEAN IS
vAuthenticatedUsername VARCHAR2(512);
vCurrentSessionId NUMBER;
vDeclaredUser VARCHAR2(512);
vLogFlag VARCHAR2(1);
vMaxIdleMinutes NUMBER := 15;
vNextPage VARCHAR2(1024);
vTransNo NUMBER;
PROCEDURE log_msg(vFlag in varchar2,
vTransNo in number,
vSeqNo in number,
vMessage in varchar2) is
pragma autonomous_transaction;
BEGIN
IF vFlag = 'Y' THEN
insert into sm_debug_log
(transno, seqno, msg)
values
(vTransNo, vSeqNo, vMessage);
commit;
END IF;
EXCEPTION
WHEN OTHERS THEN
rollback;
raise;
END;
-- determine if the siteminder user is authorized
FUNCTION CheckAuthorizedUser(vUserName in varchar2) return boolean is
vDeclaredUser VARCHAR2(512);
BEGIN
-- verify that the user is supposed to have access to the application.
-- a quick check of the authorized users table will settle that question
select dn_network_id
into vDeclaredUser
from user_authorization
where UPPER(network_id) = UPPER(vUserName);
return true;
EXCEPTION
WHEN OTHERS THEN
return false;
END;
-- if the session cookie's user matches our authenticated user then
-- return true
FUNCTION CheckCookieUser(vUserName in varchar2) return boolean is
BEGIN
IF vAuthenticatedUsername = wwv_flow_custom_auth_std.get_username THEN
return true;
END IF;
return false;
END;
FUNCTION URLRedirect(vUrl IN varchar2) return boolean is
BEGIN
log_msg(vLogFlag, vTransNo, 9999, 'redirect => ' || vUrl);
owa_util.redirect_url(vUrl, true);
wwv_flow.g_unrecoverable_error := true;
return false;
END;
BEGIN
BEGIN
select debug, sm_seq_no.nextval
into vLogFlag, vTransNo
from sm_settings;
EXCEPTION
WHEN OTHERS THEN
vLogFlag := 'N';
END;
-- get authenticated user from siteminder. APEX may expect it
-- to be upper case
vAuthenticatedUsername := UPPER(lmf_siteminder_user());
IF wwv_flow_custom_auth_std.is_session_valid THEN
log_msg(vLogFlag,
vTransNo,
1000,
'Enter ' || v('APP_ID') || ' - ' || v('APP_PAGE_ID') ||
' user ' || nvl(vAuthenticatedUsername, '*null*') ||
' session valid');
ELSE
log_msg(vLogFlag,
vTransNo,
1000,
'Enter ' || v('APP_ID') || ' - ' || v('APP_PAGE_ID') ||
' user ' || nvl(vAuthenticatedUsername, '*null*') ||
' session NOT valid');
END IF;
-- no surprise here - let anyone view a page flagged as public
IF htmldb_custom_auth.current_page_is_public THEN
log_msg(vLogFlag, vTransNo, 1010, 'current page is public');
return true;
END IF;
-- redirect all unauthorized users to our no-access page
IF not CheckAuthorizedUser(vAuthenticatedUsername) THEN
-- send the user to our unathorized page
log_msg(vLogFlag,
vTransNo,
1100,
'unable to find dn_network_id for authenticated user ' ||
lmf_siteminder_user());
log_msg(vLogFlag,
vTransNo,
1110,
'try a redirect to ' || '/pls/apex/f?p=' || v('APP_ID') ||
':105:' || vCurrentSessionId || ':');
return URLRedirect('/pls/apex/f?p=' || v('APP_ID') || ':105:' ||
vCurrentSessionId || ':');
END IF;
-- use the current session if it is valid and assigned to
-- our authenticated user
IF wwv_flow_custom_auth_std.is_session_valid THEN
vCurrentSessionId := wwv_flow_custom_auth_std.get_session_id_from_cookie;
log_msg(vLogFlag,
vTransNo,
3000,
'session is valid ' || vCurrentSessionId);
log_msg(vLogFlag,
vTransNo,
3010,
'authenticated user ' || vAuthenticatedUsername || ' cookie ' ||
wwv_flow_custom_auth_std.get_username);
-- if the session cookie's user matches our authenticated user then
-- accept it and proceed with displaying the page
IF CheckCookieUser(vAuthenticatedUsername) THEN
wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
p_session_id => vCurrentSessionId);
return true;
END IF;
log_msg(vLogFlag, vTransNo, 3100, 'marker');
-- the names do not match. assume that someone hijacked the session.
-- invalidate it and bump them out
-- Unset the session cookie and redirect back here to take other branch
wwv_flow_custom_auth_std.logout(p_this_flow => v('APP_ID'),
p_next_flow_page_sess => v('APP_ID') || ':' ||
nvl(v('APP_PAGE_ID'),
0) || ':' ||
vCurrentSessionId);
wwv_flow.g_unrecoverable_error := true;
log_msg(vLogFlag, vTransNo, 3200, 'marker');
-- tell APEX that we are not pleased
return false;
END IF;
log_msg(vLogFlag, vTransNo, 4000, 'session is NOT valid');
-- we did not have a valid session so verify that the user is supposed
-- to access our application. a quick check of the authorized users
-- table will settle that question for us
BEGIN
select dn_network_id
into vDeclaredUser
from user_authorization
where UPPER(network_id) = vAuthenticatedUsername;
log_msg(vLogFlag, vTransNo, 4100, 'dn_network_id is ' || vDeclaredUser);
EXCEPTION
WHEN NO_DATA_FOUND THEN
-- send the user to our unathorized page
log_msg(vLogFlag,
vTransNo,
4900,
'unable to find dn_network_id for authenticated user ' ||
vDeclaredUser);
log_msg(vLogFlag,
vTransNo,
4910,
'try a redirect to ' || '/pls/apex/f?p=' || v('APP_ID') ||
':105:' || vCurrentSessionId || ':');
return URLRedirect('/pls/apex/f?p=' || v('APP_ID') || ':105:' ||
vCurrentSessionId || ':');
END;
-- create new session
log_msg(vLogFlag, vTransNo, 5000, 'creating a new session');
wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
p_session_id => wwv_flow_custom_auth.get_next_session_id);
log_msg(vLogFlag, vTransNo, 5010, 'created new session');
wwv_flow.g_unrecoverable_error := true;
-- set cookie
-- set the followup URL to page 1
log_msg(vLogFlag, vTransNo, 6000, 'setting up follow up url');
vNextPage := to_char(wwv_flow.g_flow_id) || ':1:';
log_msg(vLogFlag, vTransNo, 6010, 'follow up url is ' || vNextPage);
--wwv_flow_custom_auth.remember_deep_link(p_url => vNextPage);
--log_msg(vLogFlag, vTransNo, 6020, 'completed follow up url');
--IF owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' THEN
-- wwv_flow_custom_auth.remember_deep_link(p_url => 'f?' ||
-- wwv_flow_utilities.url_decode2(owa_util.get_cgi_env('QUERY_STRING')));
--ELSE
-- wwv_flow_custom_auth.remember_deep_link(p_url => 'f?p=' ||
-- to_char(wwv_flow.g_flow_id) || ':' ||
-- to_char(nvl(wwv_flow.g_flow_step_id,
-- 0)) || ':' ||
-- to_char(wwv_flow.g_instance));
--END IF;
-- register new session with the application
log_msg(vLogFlag, vTransNo, 7000, 'register new session');
if 0 < 1 then
wwv_flow_custom_auth_std.post_login(p_uname => vAuthenticatedUsername,
p_flow_page => vNextPage);
log_msg(vLogFlag, vTransNo, 7010, 'registered session');
else
wwv_flow_custom_auth_std.login(P_UNAME => vAuthenticatedUsername,
P_PASSWORD => 'dummy',
P_SESSION_ID => v('APP_SESSION'),
P_FLOW_PAGE => v('APP_ID') || ':1');
log_msg(vLogFlag, vTransNo, 7011, 'registered session');
end if;
if 0 > 1 then
owa_util.mime_header('text/html', FALSE);
owa_cookie.send(name => 'LOGIN_USERNAME_COOKIE',
value => vAuthenticatedUsername,
expires => null,
path => '/',
secure => 'yes');
owa_cookie.send(name => 'HTMLDB_IDLE_SESSION',
value => to_char(sysdate + (vMaxIdleMinutes / 1440),
'DD-MON-YYYY HH24:MI:SS'),
expires => null,
path => '/',
secure => 'yes');
end if;
log_msg(vLogFlag, vTransNo, 9000, 'clean exit');
-- tell htmldb engine to quit
return false;
EXCEPTION
WHEN OTHERS THEN
return false;
END;
</code> -
Problem Changing session cookie name
Hi,
I am running Weblogic 5.1 service sp 6
I attempted to change the name of the weblogic
session cookie by modifying the following
parameter in weblogic.properties
weblogic.httpd.session.cookie.name=MyCookie
I also noticed that even if I just uncomment the line
weblogic.httpd.session.cookie.name=WebLogicSession
my application seems to timeout within a few minutes.
However, when I do this I noticed that my session times out within 5
minutes.
I have my timeout set with
weblogic.httpd.session.timeoutSecs=14400
Thanks,
Bill
I have 2 different apps on one app server. If I change it for the app server, it will be applied to all applications that are running on this server. Right?
In the servlet specification is written:
The name of the session tracking cookie must be JSESSIONID.
My question is: Is there a possible workaround to change the session cookie name on application level, not on app server level? -
Configuring Session Cookie Name in Portal DAD
I have some questions about the proper way to specify the Session Cookie Name (PlsqlSessionCookieName) in the Portal DAD.
Here's a description of the environment: There are 2 portal servers (portal1, portal2) and 2 infrastructure servers (infra1, infra2). portal1 is tied directly to infra1, and portal2 is tied to infra2. A hardware load-balancer directs traffic from a URL "www.companyname.com" to either portal1 or portal2. The infrastructure databases are kept in synch via a nightly export/import. There is no clustering.
What should I set the Session Cookie Names to in the Portal DADs? Should they be left blank and thus default to the DAD name? If not, should they be set to identical (both to "portal") or unique values ("portal1" and "portal2")?
I have read the dads.README file, the notes in the Edit DAD page in Enterprise Manager, and some other documentation and I am confused as to the proper settings.
Thanks!
Brian
It looks like distinct session cookie names are needed.
Please refer to Oracle HTTP Server Administrator's Guide 10g Release 2 (10.1.2), Section 8 Understanding Modules. Search for PlsqlSessionCookieName. -
We are setting the weblogic cookie with a session time out of 30 minutes. If we close the browser and come back to the website before the 30 minute timeout, a new session is being created. Why isn't the original session being picked up? This creates the problem of having 'dead' sessions floating in the java heap for 30 minutes until the timeout expires. Any recommendations on how to retrieve a session that is still active?
Bill,
The WebLogic Session ID is stored in a non-persistent cookie so as soon as you close your browser, the client loses the cookie. Without this, there is no way for WebLogic to know that it is, in fact, the same client.
I suppose that it might be possible to hack together a solution that retrieves the Session ID from the request that creates the session and write a persistent cookie with the session id in it. But then, you would need to always check for the existence of this persistent cookie before allowing a new session to be created and, if it exists, use sendRedirect to re-direct the request to the old session. Of course, there is no way for you to know whether the session in question has timed out until you attempt to access it via the browser.
If you absolutely require this functionality (I would like to understand why), then I would recommend that you implement this without relying on the HttpSession and use a database to store the information...
Hope this helps,
Robert
Bill Nelson wrote:
We are setting the weblogic cookie with a session time out of 30 minutes. If we close the browser and come back to the website before the 30 minute timeout, a new session is being created. Why isn't the original session being picked up? This creates the problem of having 'dead' sessions floating in the java heap for 30 minutes until the timeout expires. Any recommendations on how to retrieve a session that is still active? -
Session Cookie JSESSIONID - can this be re-named?
Hello
We are currently implementing EP7 within our organisation. We are going to use the IBM Tivoli Access Manager (TAM) to Single Sign On to the Portal. This I have working OK. I have a problem where 99% of the times certain content does not appear. I keep getting an error from TAM mentioning that there was an unexpected error.
I have read the following from the IBM site http://www-1.ibm.com/support/docview.wss?uid=swg21288017 where they mention that modifying the cookie name JSESSIONID on websphere portal to "JSESSIONID2" will fix the problem. I want to implement a similar change on EP7. I want to change the name of the session cookie JSESSIONID to something else - like JSESSIONID2. My question is - is this possible. If so then how would you go about it. I have checked everywhere in Visual Administrator and have been unsuccessful so far.
Points will be awarded for useful information.
Thanks in Advance
Rajdeep
Show us the page, please.
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com
- Template Triage!
http://www.projectseven.com/go
- DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs,
Tutorials & Resources
http://www.macromedia.com/support/search/
- Macromedia (MM) Technotes
==================
"RTalbott" <[email protected]> wrote in message
news:esscul$p9m$[email protected]..
> Hi experts,
> I have a template with a div designated as an editable region.
>
> In a page linked to the template, when I cut and paste from a Word document,
> into the Code Window, or when I try to edit in the Code Window, Dreamweaver
> tells me that I have tried to make changes to a region that is not editable,
> and that if I update the template later, my changes will disappear. The
> message asks if that's okay.
>
> Even if I say yes, DW sometimes deletes my changes when I click on the Design
> Window.
>
> If I cut and paste or edit in the Design Window directly, DW does not object.
>
> Is this normal? I think it should not be, based on the fact that this
> behavior is very awkward, and also, the problem seemed to have disappeared in
> the past, perhaps when I closed and re-opened DW. It has reappeared in my
> current session.
>
> Any ideas as to what's going on, and how to fix it if it is abnormal?
>
> Thanks so much for any advice
> Richard
> -
A customer of mine asked me about session cookie security.
Questions are :
. session id randomness
. session id length
. events producing session end (timeouts, navigation outside etc..)
. HTTP maximum header length
Could someone provide me information/documentation about such questions?
Tks
Tullio
Again, you still did not mention if you are generalizing or speaking of a specific product and version. Since you posted your question in the "Forms" area, I guess we will assume you are referring to Forms. However, without the version information some of the info might vary. I guess in any case, you (or your customer) should try testing the product of choice as most Oracle products are free for download.
Session Id Length should be at least 20 random characters long
Here is an example of what is generated for Forms 10.1.2.3 (other versions may vary):
jsessionid=9c1253bde83b0ed66ae9687525ef3536f960c8a0f40aa4fa14179b30656e1ea3
Http header should be less than 2100 characters
This will likely depend on exactly which product version is being used. Also, it will depend on exactly which "header" information is being considered as part of the count. For example, are you including all request and response data? Are you including any of the body data? Also consider that the host name and url parameters are part of these exchanges too. So the total amount of characters in my environment would likely differ from yours simply because of a difference in my host name and parameters that I pass to call my app. In doing just a couple of simple tests using a basic tool like ieHTTPheaders and running it against Forms 10.1.2.3 on my local machine, I can see that the total can range from around 1000 up into over 2000. So the exact header size is something you would need to test based on the app and environment to include the product version.
Session timeout should be 15 minutes
The concept of "session timeout" will vary depending on what exactly we are talking about. There are Forms sessions, db sessions, http sessions, java sessions, etc. For the most part, all of these session times are configurable. The only exception is the actual application itself. In other words, Forms, by design, is intended to be living. Meaning, it will never die unless you kill it. You would need to program into your app exactly when you want its session to be destroyed. If you wanted to destroy the app based on user inactivity, you would need to use a Java Bean in order to perform a clean exit. Any other method would result in an ugly termination. An example (unsupported demo) of such a bean is available on OTN in the Forms download area. As for the other session configurations, they are documented in the product docs.
-
Credential session cookie and smartphone
hi,
it seems session cookies for authentication don't work with opera on Windows mobile6.5 and safari on iphone3gs. Browsers prompt me with AD authentication and ..... blank page. It works with ie in wm6.5
Have you already seen that before?
Thanks. I stumbled across the post while researching this. I didn't really think of it as being the same thing, but I do see how it is relevant to my question. I am considering writing a very basic custom module to do what the standard one does, but ignore certain requests. I feel like this has probably already been done a dozen times before, so if anyone knows of anything on GitHub or Codeplex, that would be very helpful information.
Is there any guide out there on writing modules in such as way as to add them to the ApplicationInsights.config the way the official Microsoft modules are configured (ie. by tape name in the XML File)? -
I want to disable the use of cookies in WLS 4.5, and set the following
weblogic.httpd.session.cookies.enable=false
In WLS 4.5 sp7, this correctly prevents the server from using cookies
for session-tracking, forcing the extraction of the session id from a
rewritten URL.
However, for WLS 4.5 sp11 cookies are still sent from the server
Is this a known issue ?
jo