Session expired with StreamingAMFChannel

Similar Messages

• ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

  Hi all.
  I have a (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
  We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.
  Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.
  I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.
  So I ask:
  What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.
  Is there any Cisco documentation that talks about this?
  Possibly related:
  https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
  Justin

  Tim,
  Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.
  For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then
  modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
  modifies the primary and HA wireless LAN controllers to change its MAB RADIUS aaa server group to use PSN2
  reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again
  The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.
  PM me if you want the code. I'm have a little too much going on ATM to sanitize and post it. :)
  Justin

• PLease Help !Jsp Session expired when open Window with "_blank" atributte

  PLease please Help me!
  Hi ,
  I have a problem
  First , all my pages when load evaluate if session exists .
  If not exists session
  this page redirect other page (page_expired.jsp)
  this works correctly ... but
  when page01.jsp open page02.jsp from :
  <form action='page02.jsp' target ="_self"> - >works correctly (load on the same page ..)
  but when :
  <form action='page02.jsp' target ="_blank"> -> this redirect page_expired.jsp
  why this ??
  Sometimes work and Sometimes not work...
  but now it does not work
  Excuse my english not is goog...
  Greetings From Lima - Peru

  Hi
  This problem ocurred when testing on my server of testing(this is in my office) ,
  but when test in the server machine of my house this work!!! great! ,
  not appear session expired.!!
  this theme of configuration ??
  if is ths ?
  what configure ?
  Please Help Me .
  I am using EASERVER 5.2 with JSP
  Bye! Greetings From Lima Per�

• Frank session expiration sample - Does it work with a Custom JAAS Module ?

  I configured the sample as described in "Detecting and handling user session expiry" - http://thepeninsulasedge.com/frank_nimphius/2007/08/22/adf-faces-detecting-and-handling-user-session-expiry/
  I also have a custom database JAAS login module as described in http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
  Thing is that when the session expires (timeout) I am redirected to the Login.jsp page of the JAAS Login Module instead of the SessionHasExpired.jspx page.
  Is there any way to say that the filter should go before the JAAS module ?
  Am I missing something ?
  Thanks,
  Claudio.

  Claudio,
  no, unfortunately not. The servlet filter is executed after the container checked for user authentication. This is less a problem for BASIC and cerificate based authentication because in both cases users are authenticated automatically (even if using custom LoginModules) by the brower or cerificate.
  Form based authentication is different because the browser doesn't re-establish the authentication and the container checks for security before the servlet is called.
  Frank

• No more than 1 sessions at a time are allowed. Please wait until open sessions expire.

  I have been unable to log into my Actiontec MI424WR router this week, The router returns the message "No more than 1 sessions at a time are allowed. Please wait until open sessions expire." every time I try to log in. This has been going on for days.  Even pulling the power to reboot it did no change.  I'm the only user in the household that would log into it, so I don't understand how this could occur.  How can I get in?
  GLN2

  I really don't want to do a hard reset as I have a handful of custon port forwarding rules that I had created. I'm not a wiz at that, so it would take me too much time to re-create!  I may have no choice. Next time I can get in I will try the backup of the config file. I hope it contains the port forwarding rules.
  The backup function should work fine, I have used it to save my Steam port  forward rules to my hard drive, after a pin hole reset I was able to restore successfully. I did configure mine to 1 session & ALWAYS   logout when I am done.  I have never had any problems logging into the router. But in your case you may need more than 1 session allowed.
  Are you using a native or 3rd party app to remember your router ID/password? IF you are do not do this, you are "defeating" the built in security of the router
  If a forum member gives an answer you like, please give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer as Accepted Solution so others can see the solution to the problem. Thanks !!!
  http://forums.verizon.com/t5/Verizon-net-Email/Fix-for-Missing-Inbox-sent-folders-etc-with-Internet-Explorer-11/m-p/647399

• Redirect to main jsp when the session expires

  Hi,
  I have a jsp say mainframe.jsp in which I have two frames each having a jsp page say child1.jsp and child2.jsp.
  When the session expires and I when i try do any changes in child2.jsp or child1.jsp, the page redirects to login page and when I login successfully, I am getting redirected to child2.jsp or child1.jsp respectively. But I want it to be redirected to mainframe.jsp.
  Any help is greatly appriciated.
  Thanks in advance.
  Vinod

  I think I am not clear.
  When I try to login after session expiry, I am redirected to child jsp.
  But what I want is that I should be redirected to mainfram.jsp page.
  url in the address shows : ../mainframe.jsp?ID=******
  When my seesion is expired and I try do some manipulation in child1.jsp (which is inside a frame of my mainframe.jsp). it is redirected to login page and from there to child1.jsp instead of mainframe.jsp
  Now the address url shows : ../child1.jsp?ID=********* because of which I am not able to see child2.jsp along with child1.jsp
  What I want : ../mainframe.jsp?ID=********
  this is the code I am using !!
  String destPage = request.getRequestURI();
  response.sendRedirect("../redirect.jsp?dest=" + URLEncoder.encode(destPage));

• Why am I getting a number of session expired terminations on my yahoo email since upgrading to 31.0?

  Sometimes I'm logged into my yahoo email for just a few seconds and am getting a session expired notice. I've run Malwarebytes to look for malware, but it came up empty. Never had this problem prior to upgrading to Firefox 31.0.
  I have not tried other browsers. I don't like either IE or Chrome.
  Any ideas what to do?
  Thanks.

  Currently, your More System Details shows you start up automatically in private browsing mode (Privacy set to "Never remember history"). Is that the same as how you were using Yahoo! mail in Firefox 30?
  In the past, Yahoo! sites were sensitive to connection changes. You generally could not stay logged in with one of the connection settings:
  "3-bar" menu button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button
  * "Auto-detect proxy settings" caused problems
  * "No proxy" should work
  Not sure whether that is a factor here. Is there anything else that could be causing your connection to vary, such as a private VPN or Tor?

• ISE 1.2 Guest Access session expired

  We have set up the ISEs to allow wired guest users to logon with CWA but every time we get
  "Your session has expired. Sign on again".
  We successfully get to the portal and can logon, change password, accept conditions but then we just get the session expired page.
  From the switch (some data redacted fro privacy):
  sw01#sh auth ses int f0/1
              Interface:  FastEthernet0/1
            MAC Address:  0021.xxda.xx28
             IP Address:  xxx.xx.40.45
              User-Name:  00-21-xx-DA-xx-28
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-domain
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  901
                ACS ACL:  xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8
       URL Redirect ACL:  dot1x_WEBAUTH-REDIRECT
           URL Redirect:  https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1262FB000000FA0FCEFDB8
        Acct Session ID:  0x000001CF
                 Handle:  0x370000FB
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  The ISE reports a failed login
  Event
  5418 Guest Authentication Failed
  Failure Reason
  86017
  Now the reason appears to be that the guest portal being accesed is on an ISE in our DMZ but the RADIUS/MAB authentication is done by our internal ISEs (all ISEs are part of the same cluster however).  This is because the NAD is a switch and its management interface is on the inside of the network while  the guest VLAN is in a DMZ.  If we authenticate the RADIUS and guest on the same ISE (by breaking routing/security) then the access is granted and it all works corrcetly.
  We are summarising that the session ID sent by the RADIUS ISE server is not avaialble to the Guest Portal ISE server so the session ID does not exist in the session cache.
  So does the  guest portal ISE server have to be the same ISE server that does the RADIUS/MAB session generation?  There is no obvious way to tie a FQDN (e.g. guest.ourdomain.com) to the ISE used by the NAD.
  Should the session ID not be shared across all enforcement nodes?
  Any other ideas or thoughts?
  Chris Davis

  Thanks Jan, do you know if this is by design, even across nodes in node groups?  I'm guessing that Bug CSCul10677 is the same issue.
  Thing is, it rather makes the CWA static IP/Hostname option redundant/useless in a resilient configuration.  It also means that the NAD must use the guest network for dot1x traffic or that the guest nework must be able to route over/into the internal network neither of which appear to be ideal from a security perspective...

• New session created with every request

  Hi there,
  I have an web application that we used to deploy on tomcat, websphere and bea without any trouble. We are trying to move to support OAS and the application gives this peculiar behavior:
  A new session is created with every single request by the client browser. I have searched these forums for the better part of today and read some interesting similar cases but none of the fixes seem to have any effect on my problem.
  Is there a different way I need to request the session object from the request in the app for OAS? Or is there a configuration that I should have? I am deploying the app as a .war file. Is there a better way to deploy on OAS, should I stick the war in a .ear?
  Any help on this would be most greatly appreciated!
  Thanks,
  -Adam

  I have a problem that matches with this subject line but its somewhat different. This original posting wants to create new session and invalidate the existing one but my problem is to keep the session invalide if it has expired for the browser.
  Anyways, here is my problem. I have JSP named entity_actions.jsp which has 3 pop-up links that opens up with code like:
  window.open('restaurantentry.do?entityName=restaurant')
  window.open('districtentry.do?entityName=district')
  window.open('baseentry.do?entityName=base')
  My web.xml has this tag:
  <session-config>
  <session-timeout>5</session-timeout>
  </session-config>
  And the way forward the response for each request is:
  context.getRequestDispatcher(urlString).forward(request, response);
  The code I check for session timeout is:
  private void checkForSessionTimeOut(HttpServletRequest request)
  throws SessionTimeoutException
  HttpSession current_session = request.getSession(false);
  logger.info(CLASS_OBJECT, "Session in checkForSessionTimeOut(): "+current_session);
  if (current_session == null)
  logger.error(CLASS_OBJECT, "SessionTimeOutException has thrown.");
  throw new SessionTimeoutException("sessionTimeOut");
  Now lets say I want to show the end user session expiry page after 5 mins of idle time. Now from entity_actions.jsp when I click/open any one popup first time after 5 mins of idle time/session expire,
  logger.info(CLASS_OBJECT, "Session in checkForSessionTimeOut(): "+current_session);
  this loggers shows current_session as 'null' and I can display session exp mesg on the popup page. But when I click/open any other popup or any other link on the page it DOES WORK instead of having current_session = null, it creates new one. And I can see the sessionid which is different than fist session created on the same base page/browser.
  The same pattern of code used to work on Tomcat and JRun before for showing consistant session expiry on all the clicks being made on the same browswer after session gets expire.
  Why OC4J / JDev 10.1.3 is creating new session on the same browser even after session has expired?
  How can I fix this?
  Thanks

• Session expiring

  We are using Oracle 10g r2 and APEX 3.1. We have deployed an application that is having issues with sessions expiring and the user is being required to log back in. We are using the default Application Express Authentication Schemes. We have noticed the expiration occurs when we have a user open seperate browsers and log into the app in each one. There is no period of inactivity so it should not be a timeout of any sort. Anyone have any similar issues? Any ideas at all would be appreciated.
  Thanks
  Jon

  Browser windows must run in separate OS processes in order for one's cookies not to be shared among them. There are ways to do this in IE, not sure of a way to do this in Firefox. BTW, the sessions are not expiring, the cookie value is being supplanted.
  Scott
  Edited by: sspadafo on Dec 16, 2008 1:23 PM

• Session problem with localdirector

            I have 3 sun's running WL4.5.1/sp8 clustering under 3
            Stronghold3/mod_wl_ssl.so proxy. Then I have 2 localdirectors sit in front
            of the proxies. When running my application, I can get a session and
            authenticate, then move around my jhtml's. But when I try to access certain
            servlets, I will get "Session Expired" for some reason. The funny thing is,
            when I switched to DNS. The whole thing works. Any help is appreciated.
            Patrick
            

  Patrick,
            Several things happen to make all this work.
            1) Cookies or rewritten URLs are stored in the
            browser to maintain 1/2 the state. Every
            time your browser connects to a WL server it
            sends the session cookie but only to the
            server that gave it the cookie. Even
            browsers don't trust everyone with free
            cookies.
            check to verify that your WL servers are
            set to use domain cookies. That way a
            cookie sent from one machine will be allowed
            to be sent to another machine in the domain.
            Unless you are trying to use multiple domains,
            then you have to add another layer of complexity
            onto this mess and I'm not sure how it would
            interoperate.
            2) The proxy plugins maintain a hash table that links
            the session token (cookie) with a specific EJB.
            The proxy tries to send your connection back to
            the first container that you connected with. If
            it is busy or dead then the transaction is rolled
            back and sent onto another container.
            Stateful beans are made persistent by serializing
            the context and writing it out to disk or a DB.
            Sounds like your cookie is being sent to a WL server that
            has no record of your existence. Are you trying to use
            multiple domains and is the config set to send domain
            cookies?
                                Kevin
            patrick li wrote:
            >
            > I have 3 sun's running WL4.5.1/sp8 clustering under 3
            > Stronghold3/mod_wl_ssl.so proxy. Then I have 2 localdirectors sit in front
            > of the proxies. When running my application, I can get a session and
            > authenticate, then move around my jhtml's. But when I try to access certain
            > servlets, I will get "Session Expired" for some reason. The funny thing is,
            > when I switched to DNS. The whole thing works. Any help is appreciated.
            >
            > Patrick
            

• Synchronizing persistent tmux loginctl session ID with new session

  Hey all. Does anyone else have the issue with a persistent tmux session losing it's 'active' session status with loginctl after restarting the window manager (monsterwm in this case, logging in automatically on VT1 per the wiki)? This causes issues with udisks mounting priviliges. I'd think it'd cause issues with pulseaudio but it doesn't (and I don't understand why).
  So, to reproduce:
  1. Fresh reboot and login
  2. Open terminal. $XDG_SESSION_ID will be 1
  3. Open tmux instance. $XDG_SESSION_ID will be 1
  4. Restart the window manager
  5. Open terminal. $XDG_SESSION_ID = 3. loginctl session-status active=yes
  6. Reattach tmux session. XDG_SESSION_ID =1. loginctl session-status active=no
  Is there some easy way to keep these synchronized so I don't have permissions issues?
  Thanks!
  Scott

  No, it has nothing to do with host names, CNAME, DNS or anything.
  The session ID is sent to the server from the browser in either a cookie header or as part of the "extra info" part of a URL with the request. If there is no session ID in either place, the server creates a new session. If there is a session ID, then it gets the session object (if it's not expired). Then it sends the session ID back to the browser with the response to that request (either as a cookie or encoded into the URLs in the page, which you have to do explicitly do for each URL). Click on a link, then the process starts again. The first time you go to a site, you have no session ID. The server just makes a new one.
  The only thing that domain names have any affect on is cookies. Cuz cookies are name/value data associated with a domain name of the server (amongst other things). The browser, for security reasons, only sends cookies in requests to servers that set the cookie in the first place. The server can't get cookies that it didn't set.
  So if you have a server running on your local machine, you can access that server in 3 ways:
  1) localhost
  2) network name
  3) domain name
  The browser can know quite easily that 1 and 2 are the same thing, and send cookies for either interchangably (not that it has to, but it seems you are seeing this happen, so...). But the browser will probably not make any assumption about 3's relation to 1 or 2. The association is generally to domain name, not necessarily IP address.
  And it's really a moot point anyway. You should not typically be accessing a server from those 3 different means within the same session. Someone connecting to your server isn't going to use anything but #3 anyway, the other 2 (definitely #1 and #2 only works on the same LAN) wouldn't make much sense. So there's not going to be this issue at all. The session ID itself has no relation whatsoever to a client's domain name.

• Checking for session expiration

  We're using JSPs and Servlets in our application. Looking for a way in code to check if the session has expired. We will need to do this from a jsp as well as a servlet (sometimes a jsp is pointed to by a link and sometimes a servlet). Can someone point me in the right direction?
  Thanks all.
  jl

  I like the idea of a session verifier. We have about 25 jsps, 15 servlets, and at least 80 components (beans) in the app. How would the verifier component work? How could we intagrate it with all the other existing components? Ideally it would be integrated with minimal modifications...
  Is the following what you had in mind with your suggestion to check for session data:
  HttpSession session = request.getSession();
  //or could this be used too: HttpSession session = pageContext.getSession();
  String valid = session.getAttribute( KEY );
  if ( null != valid ) {
  //then the session is still active
  jl
  >
  If the session has expired and you current have a new
  session, then use the isNew() method to check the
  session object. Or, you could check the session
  object for the data you are looking for. If it is
  missing, then the session expired and has been newly
  created. You should build into your design a session
  verifier so that you don't expierence NullPointers or
  missing data.

• How to handle session expiration in ATG

  Hi,
  We have a requirement wherein we have to redirect the user to a specific jsp when his session is expired. For example if a guest user is in cart page and is idle for more than 30 min he should be redirected to session expired page. We are using Apache web server and Jboss app server. Following are the ways i tried
  1. In Apache/conf/extra/httpd-vhosts.conf, I have set ErrorDocument 409 to session expired jsp - This is failed because jsp is not a static content and only static contents will be present in webserver. If it would have been a simple html (static) then this method would have worked fine I believe.
  2. In cart page I have set the sessionExpirationURL of cartformhandler to appropriate jsp, checkForValidSession to true, CheckSessionExpiration.expirationURL to same session expired jsp. I am not sure why this is not working.
  Please let me know the best way to handle this situation. Any suggestions would be appreciated.
  Regards,
  Avinash

  When user clicks any link on your page after session expired then you can redirect him to login page through your formhandler if a handleX() method was invoked by the request or you can use a filter which can check for something like profile.isTransient(). You can then redirect to the login page from your filter keeping a parameter of the original url to be used as login success url so that after login you can again redirect to the page that user originally intended to see.
  For detecting user idleness in browser, here is one of the possible approach using javascript by implementing a document level keyboard/mouse listener to detect user interaction in your page:
  <script type="text/javascript">
      var t;
      window.onload = resetTimer;
      document.onmousemove = resetTimer;
      document.onkeypress = resetTimer;
      function handleIdleTimedOut() {
          //alert("You are now logged out.");
          window.location.href = 'logout.jsp';
      function resetTimer() {
          clearTimeout(t);
          var timeoutPeriod = 1000 * 60 * 5;  //5 minutes       
          t = setTimeout(handleIdleTimedOut, timeoutPeriod);
  </script>Apart from this, you may also want to take a look at reverse ajax to send the timed out kind of notification to the browser with the help of a HttpSessionListener:
  http://directwebremoting.org/dwr/documentation/reverse-ajax/index.html
  Hope this helps.
  Edited by: Nitin Khare on Aug 23, 2012 12:15 AM

• Can someone explain this behavior?? (session 0 with htp.init)

  Hi,
  I've noticed that when you access a page using the Session 0 and that page contains an "htp.init" in a before header process, for some reason the session expires and creates a new one.
  I made an example on apex.oracle.com, but first let me explain what've done exactly.
  There's two pages. On page 1, I have an item named :P1_COLOR that is assigned the value of an application item :P_RED. This application item is affected in an application process before header that runs only on page 1 (the value assigned is "This is red"). I also have an item that displays the session id using this code:
  return :APP_SESSION;
  Then, I have a link called "page 2" in the HTML region :
  a href="f?p=&APP_ID.:2:&APP_SESSION.:::::">page 2</a
  Also, more importantly, on page 1 I have a process before header that sets a cookie:
  begin
  htp.init;
  owa_util.mime_header('text/html', FALSE);
  owa_cookie.send(
  name    => 'MY_COLOR_COOKIE_'||:P_RED,
  value   => 'test_value',
  expires => SYSDATE365,+
  path    => null,
  domain  => null                );
  owa_util.mime_header('text/html', TRUE);
  END;
  Now if you go in the application normally without session 0, you will see the "This is red" with the session id and when you click on page 2 you will still see "This is red" with the same session ID
  http://apex.oracle.com/pls/otn/f?p=60310:1::::::
  But when using the Session 0, you see "This is red" with a session id, but when you click page 2, you don't see "This is red" and a new session ID is created, but the link in the address bar still contains the session 0. Also, if you press BACK and then go on page 2 again, you don't lose the :P_RED value nor the session. There seems to be a problem only the first time around.
  http://apex.oracle.com/pls/otn/f?p=60310:1:0:::::
  Can anyone explain me this behavior? Is it a bug? What is the work around? Because, i know that if you want to set a cookie you need "htp.init".
  Note: I 've commented the cookie part of my process and only left the htp.init uncommented and had the same result, that's why I'm saying it is caused by htp.init
  Thanks, reginald
  Edited by: reggieh on Mar 19, 2009 7:09 AM

  Yes, you might need to do something like that. The zero SID cookie is set only once: the first time the application is visited with a zero for session ID. So for email links where you use zero in the link, you could make the link target page a dummy public page (999) with BRANCH_TO_PAGE_ACCEPT in the request and the actual page you want the user to go to in the portion of the request after the pipe symbol, e.g., for page 10, the url would look like:
  http://host:port:/pls/DAD/f?p=60310:999:0:BRANCH_TO_PAGE_ACCEPT|10
  An after-submit process on page 999 would use :REQUEST as the page to redirect to:
  owa_util.redirect_url('f?p=' || :APP_ID || ':' || :REQUEST || ':' || '0');
  apex_application.g_unrecoverable_error := true;
  If this works the way we're thinking, the zero sid cookie will be sent when page 999 is requested, then page 999's after-submit process would take the user to the desiired page on which your process could set the tracking cookie.
  Scott