Session cookie security
A customer of mine asked me about session cookie security.
Questions are :
. session id randmoness
. session id length
. events producing session end (timeouts, navigation outside etc..)
. HTTP maximim header length
Could someone provide me informations/documentation about such questions ?
Tks
Tullio
Again, you still did not mention if you are generalizing or speaking of a specific product and version. Since you posted your question in the "Forms" area, I guess we will assume you are referring to Forms. However, without the version information some of the info might vary. I guess in any case, you (or your customer) should try testing the product of choice as most Oracle products are free for download.
<br>
Session Id Length should be long at least 20 random characters" <br>
<blockquote><font color="blue">Here is an example of what is generated for Forms 10.1.2.3 (other versions may vary):<br>
<i>jsessionid=<b>9c1253bde83b0ed66ae9687525ef3536f960c8a0f40aa4fa14179b30656e1ea3</b></i><br>
</font></blockquote>
Http header should be less than 2100 characters<br>
<blockquote><font color="blue">This will likely depend on exactly which
product version is being used. Also, it will depend on exactly
which "header" information is being considered as part of the
count. For example, are you include all request and response
data. Are you including any of the body data? Also consider
that the host name and url parameters are part of these exchanges
too. So the total amount of characters in my environment would
likely differ from yours simply because of a difference in my host name
and parameters that I pass to call my app. In doing just a couple of
simple tests using a basic tool like ieHTTPheaders and run it against
Forms 10.1.2.3 on my local machine, I can see that the total can range
from around 1000 up into over 2000. So the exact header size is
something you would need to test based on the app and environment to
include the product version.</font><br>
</blockquote>
Session timout should be 15 minutes <br>
<blockquote><font color="blue">The concept of "session timeout" will
vary depending on what exactly we are talking about. There are
Forms sessions, db sessions, http sessions, java sessions, etc.
For the most part, all of these sessions times are configurable.
The only exception is the actually application itself. In other
words, Forms, by design is intended to be living. Meaning, it will
never die unless you kill it. You would need to program in to
your app exactly when you want its session to be destroyed. If you
wanted to destroy the app based on user inactivity, you would need to
use a Java Bean in order to perform a clean exit. Any other method
would result in an ugly termination. An example (unsupported
demo) of such a bean is available on OTN in the Forms download area.
As for the other session configurations, they are documented in the product docs.</font><br>
</blockquote>
<br>
Similar Messages
-
How to Set up HTTPOnly and SECURE FLAG for session cookies
Hi All,
To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
I have found the below solutions.
For setting up the HTTPOnly for the session cookies.
1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
this.sessioncookie.httponly = true;
For setting up the secure flag for the session cookies.
2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
this.sessioncookie.secure = "true"
Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
<cfapplication setclientcookies="false" sessionmanagement="true" name="test">
<cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
<cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
<cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
</cfif>
But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
Your timely help is well appreciated.
Thanks in advance.BKBK wrote:
Abdul L Koyappayil wrote:
BKBK wrote:
You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
I couldnt understand this. I mean how are you relating this with my question.
When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
Name:
JSESSIONID
Content:
782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
Domain:
xyz.abc.pqr.com
Path:
Send for:
Any kind of connection
Accessible to script:
No (HttpOnly)
Created:
Wednesday, September 3, 2014 2:25:10 AM
Expires:
When the browsing session ends
BKBK wrote:
2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
BKBK wrote:
3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea?? -
Setting secure flag on weblogic (5.1) session cookie.
Hello All,
I need to set secure flag on weblogic session cookie. I am not able to
find any property in weblogic.properties file to set the secure flag for
session cookie.
Does anybody has any idea how to achieve this.?
Thanks
Nitin
The best way to reduce GC is to change you application to use less memory. Serious.
There are a number of JVM options for GC. I can't tell you what will work best
for your application.
25 seconds is way too long for a GC. Is the OS paging? You may wish to invest
in additional memory.
Mike Reiche
vijendran <[email protected]> wrote:
Hi,
I am running a load test which will simulate 100 users. when i tried
to simulate i found that GC is happening often even though i set the
heap to 512 MB., and that too some time it takes upto 25 secs. for a
GC to complete. Please advise on how to increase the performance for
more number of users (without clustering weblogic) and to avoid GC happening
often.
Regards
Vijendran -
Iam using iPlanet 6.0SP6 in NT 4.0.
I would like to make the session cookie JSESSIONID to be transfer only on secure connection.
Then, I make the change to web-apps.xml as below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
"http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
<vs>
<session-cookie is-secure="true"></session-cookie>
</vs>
After that, I restart the iplanet web server and load the page with I.E. again. I see that the cookie is still passed with non-secure mode.
Is there any wrong with my web-apps.xml?Janice,
Thanks for your help.
When I use the below web-apps.xml, I can make the cookie in secure session.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
"http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
<vs>
<web-app uri="/" dir="d:/java/docroot" enable="true">
<session-manager class="com.iplanet.server.http.session.IWSSessionManager">
<init-param>
<param-name>maxSessions</param-name>
<param-value>16000</param-value>
</init-param>
<init-param>
<param-name>timeOut</param-name>
<param-value>7200</param-value>
</init-param>
<init-param>
<param-name>reapInterval</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>maxValueSize</param-name>
<param-value>8192</param-value>
</init-param>
</session-manager>
<session-cookie is-secure="true"/>
</web-app>
</vs>
However, when I configure more on the web applicaiton with the web.xml, I check that the cookie no more secure.
THe web.xml is
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<display-name>Trade Info Exchange</display-name>
<description>
Trade Info Exchange
</description>
<!-- Define servlets that are included in the example application -->
<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/Login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Fmenu</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.FmenuServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Fmenu</servlet-name>
<url-pattern>/Fmenu</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Fcontent</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.FcontentServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Fcontent</servlet-name>
<url-pattern>/Fcontent</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Express</servlet-name>
<servlet-class>com.chase.apps.express.servlet.EXPRESS2</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Express</servlet-name>
<url-pattern>/EXPRESS2</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>AppControl</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.AppControlServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AppControl</servlet-name>
<url-pattern>/AppControl</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>errorPage</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.errorPage</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>errorPage</servlet-name>
<url-pattern>/errorPage</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoginFail</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LoginFailServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginFail</servlet-name>
<url-pattern>/LoginFail</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Logout</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LogoutServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Logout</servlet-name>
<url-pattern>/Logout</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ChangePwdWarning</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdWarningServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ChangePwdWarning</servlet-name>
<url-pattern>/ChangePwdWarning</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ChangePwd</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ChangePwd</servlet-name>
<url-pattern>/ChangePwd</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ReLoginDialog</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ReLoginDialog</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ReLoginDialog</servlet-name>
<url-pattern>/ReLoginDialog</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackProcessSearch</servlet-name>
<servlet-class>chase.app.tt.servlet.ProcessSearchServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackProcessSearch</servlet-name>
<url-pattern>/TradeTrackProcessSearch</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackSearchScreen</servlet-name>
<servlet-class>chase.app.tt.servlet.SearchScreenServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackSearchScreen</servlet-name>
<url-pattern>/TradeTrackSearchScreen</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackMain</servlet-name>
<servlet-class>chase.app.tt.servlet.MainServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/LCIMPORT</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/LCEXPORT</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/COLLIMP</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/COLLEXP</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/B2BMenu</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/B2BMain</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>ctielogin.html</welcome-file>
</welcome-file-list>
</web-app>
Pls advise how I can make the cookie secure for using the web.xml and web-apps.xml
thanks
samuel poon -
Enable secure session cookie on Sun ONE Web Server 6.1
How can I enable secure session cookie (JSESSIONID) on Sun ONE Web Server 6.1?.
For 6.0 is <session-cookie is-secure="true"/> inside the <web-app> tags in web-apps.xml but I'm not able to find this setting for 6.1.There is a fix in 6.1sp5 that enables the session cookie to be marked as secure.
See the release notes and search for 6262885 under Issues Resolved in 6.1sp5:
http://docs.sun.com/app/docs/doc/819-2479/6n4p1bdea?a=view -
How to enable secure attribute for session cookies in Sun 1 WS 6.1.. I could not find any attributes or elements to enable secure under Session Manager in sun-web.xml.
Thanks
sskAre you sure about that? I've been looking on how to do this without enabling SSL on the web server (It's behind an SSL offload device). It is possilbe to do this in 6.0, I'd be very surprised if it can not be done on 6.1.
-
APEX Security: Multiple session cookies in one browser
Hi all,
I use mozilla firefox as web browser. When I open a new tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the session id and the browser the session cookie WWV_CUSTOM-F....
When I now open the next browser tab and enter the APEX application url I will be redirected to the login page. After successfully login I receive the new session id and the browser the session cookie WWV_CUSTOM-F... with new content. My session from the first browser tab will be killed, because the session cookie for this session was deleted/replaced by the session cookie from the second tab.
Is it possible to have multiple APEX sessions opened in one browser in multiple tabs?
RegardsHi PaulP,
it's simple.
Unzip bsApex2 http://www.betasoftware.it/codice/bsApex2.zip
If not installed, install Microsoft .NET Framework 4 Client Profile.
Configure bsApex.exe.config
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<!-- Application Title -->
<add key="aTitolo" value="Apex Desktop by Beta Software snc" />
<!-- Short application title -->
<add key="aTitoloBreve" value="Apex Desktop" />
<!-- Window height -->
<add key="aAltezza" value="960" />
<!-- Window width-->
<add key="aLarghezza" value="1200" />
<!-- Close botton text -->
<add key="aChiudi" value="Close" />
<!-- Print botton text -->
<add key="aStampa" value="Print" />
<!-- Application icon-->
<add key="aIcona" value="bsApex.ico" />
<!-- Client -->
<add key="aCliente" value="Apex Community" />
<!-- Application address -->
<add key="aIndirizzo" value="http://apex.oracle.com/pls/otn/f?p=23873:1" />
</appSettings>
</configuration>Run bsApex.exe, that's all.
Regards,
Gianluigi -
Air + Ipad + RemoteObject problem with session cookies
I am making Air version for IPad of a Flex application.
My flex application needs session from an secured enterprise proxy, without that session none remoteObject requests can pass the proxy and reach blazeDS.
My solution for flex works fine: calling an enterprise servlet at application´s startup to obtain a cookie session. I use a POST call to the servlet using URLRequest (sending the user and password parameters), the servlet responds with a message with a session cookie, and from that point, without me having to code anything more, my flex application get that cookie with the session that automatically is loaded in my browser cookie stack, and that transparently is used from all my subsequents remoteObjects calls in the flex application.
In my Adobe Air Ipad version, this just does not work, the session or is not storaged or is not attached with subsequent remoteObjects requests.
- I´m forcing request.manageCookies = true
- I´m working with the IOS simulator (Is there any difference for cookies with a real Ipad device?)
- I´m using Flex 4.6.0, Air 3.5, IOS 6, Ipad 3, BlazeDS 4.0, Java 6 BackEnd.
.. What´s the problem/difference with Air+Ipad from the flex version?Hi BalusC ,
Thanks for your detailed response. I have a question about this comment you noted..
"Terrible. Just keep the bean request scoped. "
I changed the bean to request and now have this issue.
<rich:dataGrid id="membersInZipcode" value="#{membersInZipcode.arrayListOfSearch4Member}"
var="membersInZipcode" columns="5" elements="20">
<f:facet name="footer">
<rich:datascroller></rich:datascroller>
</f:facet>
</rich:dataGrid>
</h:form> I am using a request bean to hold the search parms that loads the bean. This works great.
The problem is when I use the rich:datascroller for the next page.
It goes back to the bean and the request scope bean is empty. This holds the search values.
How do I put this back into the request after each process??
Question 2..
"Those settings only applies on the current request, i.e. the JSP file itself. Images are obtained by separate and independent requests. You need to set the headers on those requests as well. You can use a filter for this."
I have never set a filter ...how do I do it? Do you have a link for an example of this filter setup?
Thanks Again
Phil -
Hi all,
I'm hitting a restriction or security feature(?) of Safari in iOS. One of our Apex applications is a page that runs in an iframe on a site. Apex is installed on a server inside our own network and is accessable via dns: office.ourcorp.com (fake name, just to clearify the situation). We have a couple of different brands, that all have their own domains: brand1.com, brand2.com etc. All of these sites open the apex page inside an iframe.
That all works beautifully in all browsers, except in Safari in iOS. in iOS, the apex page isn't showing. It seams it's because of the session cookie Apex sets. Safari can't set an cookie from another domain (a cross domain cookie). Is there a possibility to turn off the session cookie?(ORA_WWV_APP_xxx)?
I also tried to set the 'cookie domain' option inside the authentication scheme to one of the domain names for our brands, but it still doesn't show up.
Does someone has a sollution?I tried to do that. If you read my very first post in this thread, specifically "If I try to set a cookie in the page sentry function, it is breaking at the redirect line. Also, I don't think page sentry is the right place to set a cookie since it executes at every page.", I tried to set a cookie but it is throwing an error at the page.
I think all these complication is because I dont have a login page and I am using a HTTP header variable to validate the user. Given that, where should I set the cookie?
I also tried to do this:
- create an appliaction item called 'testuser'
- create an application computation to run 'before header' which sets the value of this to my HTTP header variable.
- When I retrieve the app item 'testuser' from a page, it is getting the correct value. But when I use this in the authentication scheme, it is returning null. Any idea why??
I know I am throwing a lot of questions. That is because I am trying a lot of approaches and each of them is posing a new set of challenges. I am actually looking for alternative ways to do what I am looking to do.
Thanks.
Shuba -
Invalid session cookie on High latency wan connections
Hello,
I've had users at a remote site complaining that they are getting disconnected regularly from the SGD server here and are then unable to reconnect for several minutes. The connection is a GRE tunnel over the between sites with several firewalls and proxies in between. As well, the clients are behind a NAT. This is a standalone server SGD 4.41. As a test, I set up an SGD server at the remote location and logged into it. I've been disconnected twice at random intervals with a popup dialog that says "Invalid connection Cookie" Please contact your Administrator. In the webtop browser window I attempted a refresh which resulted in a Session Expired message in the webtop message window. I login again and I see my application session still there but upon attempting to connect to it I receive the following:
Web Service Request Failed
The following fault was returned from the server
Code Client.InvalidSessionCookie
String <cookie info etc...> for admin:runCommand
In a subsequent incident I received a popup with the message: The session already has a Secure Global Desktop Client Connection
Once this popped up my webtop session was hung and I could not log back in to the SGD server until I closed my browser and restarted it.
The connection has high latency 365+ ms and is notoriously unstable. Again there are multiple firewalls and proxies between the sites that I have no access to.
Error logs show the following:
Any ideas?
bash-3.00# less jserver988_error.log
2009/06/15 20:01:50.932 (pid 988) server/soapcommands/error #1245076310932
Sun Secure Global Desktop Software (4.4) ERROR:
Invalid session cookie supplied for session 1245075516671:servername:2172620047794735723:Li4uL191c2VyL2VwZWVsZXI=.
The operation will fail.
Repeat the request with a valid session cookie.
2009/06/15 20:07:25.691 (pid 988) server/soapcommands/error #1245076645691
Sun Secure Global Desktop Software (4.4) ERROR:
Unable to write message of type webserver for servername:1245068645735:-3969341831847819217.
Request will fail.
The user should close the Secure Global Desktop Client process, end the
session and start a new session.
2009/06/15 20:07:28.867 (pid 988) server/soapcommands/error #1245076648867
Sun Secure Global Desktop Software (4.4) ERROR:
Invalid session cookie supplied for session 1245075516671:servername:2172620047794735723:Li4uL191c2VyL2VwZWVsZXI=.
The operation will fail.
Repeat the request with a valid session cookie.
2009/06/15 20:08:32.384 (pid 988) server/soapcommands/error #1245076712384
Sun Secure Global Desktop Software (4.4) ERROR:
Invalid session cookie supplied for session 6543220712367266453:servername:1245068645735:-3969341831847819217:1.
The operation will fail.
Repeat the request with a valid session cookie.Hi DalamarUK83,
"I have seen posts about disabling VMQ on the host/guest servers as there may be an issue with this model - this has had no effect at all, the issue persists after changing VMQ and restarting both the guest and the host OS."
Did you disable the feature in advanced settings of physical NICs ?
I would suggest to re-create virtual switch after disabling VMQ .
What is the make of that NIC ?
Best Regards
Elton Ji
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Weblogic.httpd.session.cookies.enable not working in WLS4.5 sp 11 ?
I want to disable the use of cookies in WLS 4.5, and set the following
weblogic.httpd.session.cookies.enable=false
In WLS 4.5 sp7, this correctly prevents the server from using cookies
for session-tracking, forcing the extraction of the session id from a
rewritten URL.
However, for WLS 4.5 sp11 cookies are still sent from the server
Is this a known issue ?
joI want to disable the use of cookies in WLS 4.5, and set the following
weblogic.httpd.session.cookies.enable=false
In WLS 4.5 sp7, this correctly prevents the server from using cookies
for session-tracking, forcing the extraction of the session id from a
rewritten URL.
However, for WLS 4.5 sp11 cookies are still sent from the server
Is this a known issue ?
jo -
Can portal session cookies be used between two data centers
OAS generates the following header information and session information for my application. However when I need to failover the originating OAS datacenter into my hot stand-by for maintenance or upgrades, the OAS in the other datacenter responds with a 503 web error. We are using Akamai's GTM to manage the liveness of the datacenter, so we would need the hot stand-by OAS portal in that datacenter to return a 302 error code. Is there some method that we can add to our portal application which would always return a 302 error code.
See header information collected through wfetch. The 503 error is caused by the hot stand-by data center not accepting or recognizing the cookie. Both OAS datacenters are IDENTICAL in Oracle levels, application levels, web servers, portals and OS patches.
resolve hostname "170.107.183.32"WWWConnect::Connect("170.107.183.32","80")\nsource port: 2182\r\n
GET /portal/pls/portal/PORTAL.wwsec_app_priv.login?p_requested_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home&p_cancel_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home HTTP/1.1\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n
Host: www.thomson-pharma.com\r\n
Connection: Keep-Alive\r\n
Cookie: ORA_WX_SESSION="10.225.8.30:80-1#2"; portal=9.0.3+en-us+us+AMERICA+3D66674E7EED0801E04400144F41424E+BBAA98EEB32D58C086231A8D6CBE2E5D402D89B0E79D83A18C668BB0CA7417B4044DEA389C8B50DD37D9272A24B4753B22F29978861DE14503F8B9BEDC2014654B26A434CF074F4D8749B88610ADADF5084A90ADBF749E2A; DATACENTER=EAGAN\r\n
\r\n
HTTP/1.1 503 Service Unavailable\r\n
Cache-Control: private\r\n
Content-Type: text/html\r\n
Set-Cookie: ORA_WX_SESSION="10.237.138.33:80-1#2"\r\n
Set-Cookie: portal=; expires=Wednesday, 27-Dec-95 05:29:10 GMT; path=/\r\n
Connection: Keep-Alive\r\n
Keep-Alive: timeout=5, max=999\r\n
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=208440262161,0)\r\n
Content-Length: 710\r\n
Date: Fri, 26 Oct 2007 14:58:07 GMT\r\n
\r\n
Thanks -JohnHi John,
This question is probably more appropriate in one of the Portal forums, but perhaps you can take a look at the information in section C.5 Configuring the Portal Session Cookie in Appendix C of the Portal Configuration guide.
Here is a link: http://download.oracle.com/docs/cd/B14099_19/portal.1014/b19305/cg_app_c.htm#sthref1907
Regards,
Peter -
Session Cookies Being Overwritten Browsing From SSL to Non SSL
I have created a bug report for this issue as well.
Please note I am using J2EE session variables so keep that in mind.
I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
For example:
Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Encrypted connections only".
Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Any type of connection".
Here's the problem:
Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
Steps to Reproduce:
1. Clear your cookies.
2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
Has anyone else experience this?Deleting and re-adding my account seems to have fixed it. I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something. Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.
-
How to create a session cookie on demand
Hi,
I search the web but couldn't find anything related to creating session cookies on demand. I want to create a session cookie storing encrypted user tokens when there is none, for example, when the first page is called.
The encryption part is OK, but I want how can I intercept every call to a set of pages and create the session cookie if it doesn't exist.
I'm using ADF, of course, and Weblogic.
Anyone can provide some examples or source code?
Thanks.Cookies are accessible via the http request and response, there you can add new cookies and or change existing ones.
ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
// get existing cookies
Cookies [] cookies =((HttpServletRequest)ectx.getRequest()).getCookies();
// create and set a new one
Cookie cookie = new Cookie( "key", "value" );
response.addCookie( cookie );This code should work in a bean. After setting the cookie you need to implement a servlet filter or a page phase listener where you check the requested url and then check for your cookie.
Timo -
CFID and CFTOKEN Being Deleted from Session Cookie
I can't believe that no one else has run into this - but I
have found nothing on the internet.
When I copy a piece from a web page that is generated by my
coldfusion server, and paste it into a word document, the session
cookie is altered, and the CFID and CFTOKEN information is deleted,
so I lose my login. Recently, I've developed a problem on a
different application - when I open a word document that is stored
on the server, using CFCONTENT, same thing happens - the cookie is
altered, CFID and CFTOKEN are deleted, and I lose my login.
I'm tearing my hair out. Has anyone seen this behaviour, any
ideas as to why this would occur? Any ideas as to how to get around
it?Here's my CFAPPLICATION tag:
<cfapplication name="DashBoard"
clientmanagement="Yes"
sessionmanagement="Yes"
setclientcookies="Yes"
clientstorage="cookie"
loginstorage="session"
sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
Not sure what you mean by application sections. It's one
application.
I don't refer to the cookie in any other way. It's there only
to do what CF does with it - maintain the information that's used
to find the session.
Maybe you are looking for
-
I've got sites/pages that I'd like to have load data asynchronously; after the HTML document has loaded and the document object is closed. (Much like what is done with auto-suggest examples that access Yahoo or Amazon via the XMLHttpRequest object.)
-
Hardware changes might not have been detected
Hello, I am getting the error message "hardware changes might not have been detected" for five days now. Using HP Pavillion g6Notebook PC/Product No. : D8Q59EA#ABF running OS Windows 8 (not wanting to upgrade to 8.1) After Windows automatic security
-
When I have picked the horse or horses I wish to bet on and entered the amount of money I wish to bet and click on Bet now nothing happens it will also NOT clear the beting slip. I have been useing Firefox for about 10 years and this is the first pro
-
How to disable type ahead feature?
Is there a way to disable the type ahead feature? It's annoying to constantly have to pause typing while the app retrives a table list, field list, or anticipated keyword list.
-
Drill down from the charts of VC
Dear gurus, can I realize the functionality of drilling down from the charts of VC? For example, I have a bar chart. Can I drill down from each bar of chart to detailed infomation about that bar? Please advise. I'll assign points if helpful.