Session or Cookies

I'm creating a Forum for a society, What's better sessions? or cookies? Cookies seem to be secure enough, but might I get in trouble if someone sets a browser to disable cookies?
Octavian

Some information on the subject of session tracking can be found here
http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Session-Tracking.html

Similar Messages

Setting secure on session management cookie only in production

I am faced with the following:
In our developmentcycle we deliver full application exports to an acceptation environment and after testing to a production environment.
However, only our production site does HTTPS. Development and acceptation only do HTTP.
In production we have to set the "secure"flag on the session management cookie.
We would like to set this flag in our deployment scripts.
So,
Is there an API we could use to set the "Secure" flag in the APEX metadata using SQL*Plus?

hi
->Use request.getParameter(String s) to recieve the infomation from the html page into your servlet.for storing session specific info go for
session.setAttribute(vble,value;
hope it'll solve your problem.

Maintaining Session, NO Cookies

Hello:
Environment: Apache/9iAS, Oracle DB, Unix OS.
Issue: Maintain user session when Cookies are NOT allowed.
What are the options to maintain a session on a load balancing (Apache, multiple web servers) environment and client side cookies are not allowed?
Please address security, not losing sessions in your suggestions.

repost

XSQL Session and Cookies

Hi, Steven,
I have a question about cookies parameters in include-parameters.
When set the following in my xsql file:
<xsql:set-session-param name="current_user" value="{@sessionid}"/>
<xsql:include-param name="mode"/>
<xsql:include-request-params/>
In the xml output, it looks like this.
<request>
<parameters>
</parameters>
<session/>
<cookies/>
</request>
How come the session and cookies values are not appeared in XML file? However, if I reload the xsql file, the session and cookies values are there. Any idea what might be wrong or it is what should be?
Thanks in advance.
Julie Zhu

I'd expect the cookies not to show up until the page request after the one in which they are set. This is correct since setting the cookies is something that's done on the response. Reading the cookies is reading them from the request.
Regarding the session variables, it's
always important to say what Web Servlet / Servlet Engine you're using XSQL with. Perhaps the setting of Servlet session variables behaves differently on different servers.

PPR and session timeout cookie

Scott,
Is there anyway of getting the PPR functionality to update the session timeout cookie whenever a PPR request is made???
Thanks..

I am using your session timeout function from otn.
I am using it to timeout after a set period of inactivity, every time the page is redrawn the cookie time is updated.
I am calling this function from the 'Session Verify Function' field in the authentication scheme, and initially setting the cookie on login.
I believe that the cookie only gets updated when the page is re-drawn and the Session Verify Function is run??
On a PPR request only part of the page is refreshed, the page header remains unaffected, which means the user can be active on a page without refreshing the timeout value on the cookie?
(Not a major problem, but would be nice to be able to update the cookie on a PPR request as well)
Thanks..

Session and cookies

Why, if I delete the Jsession cookies and I reload the index.faces page, and post the login form, this error happend ?
ViewExpiredException: viewId:/login.faces - View /login.faces could not be restoredNew JSession cookie isn't created... Strange ?

I can't find a real solution for that problem !
In IE, the website seem to work, but without cookies... why ?
In Firefox, after deleting the JSESSION cookie, if I reload (ctrl+F5), the cookies isn't created anymore... if I try many time, maybe 2-3 min later, the cookie is created ...
Without cookie, I have the error about the view.
Sometime, without any change, in Firefox, it work but using URL variable for session... and after few login-logout-login, it use JSESSIONID cookie !
Any idea ? This kind of random problem is hard to solve.
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<context-param>
<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
<param-value>.xhtml</param-value>
</context-param>
<context-param>
<param-name>URL</param-name>
<param-value>ldap://localhost:10389</param-value>
</context-param>
<context-param>
<param-name>managerDN</param-name>
<param-value>uid=admin,ou=system</param-value>
</context-param>
<context-param>
<param-name>managerPassword</param-name>
<param-value>****</param-value>
</context-param>
<context-param>
<param-name>facelets.DEVELOPMENT</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<description>valide le fichier faces-config</description>
<param-name>com.sun.faces.validateXml</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<description>vérifie si tous les objets configurés sont créé correctement</description>
<param-name>com.sun.faces.verifyObjects</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>javax.faces.CONFIG_FILES</param-name>
<param-value>/WEB-INF/faces-config.xml</param-value>
</context-param>
<filter>
<filter-name>MyFacesExtensionsFilter</filter-name>
<filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
<init-param>
   <param-name>uploadMaxFileSize</param-name>
   <param-value>20m</param-value>
</init-param>
</filter>

<filter-mapping>
<filter-name>MyFacesExtensionsFilter</filter-name>

<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>

<filter-mapping>
<filter-name>MyFacesExtensionsFilter</filter-name>
<url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>com.sun.faces.config.ConfigureListener</listener-class>
</listener>
<listener>
<listener-class>com.sun.faces.application.WebappLifecycleListener</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>2</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</web-app>
index.html
<html>
     <head>
          <meta http-equiv="Pragma" content="no-cache" />
          <meta http-equiv="expires" content="0" />
          <meta http-equiv="Cache-Control" content="no-cache" />
          <meta http-equiv="Cache-Control" content="must-revalidate" />
          <meta http-equiv="Refresh" content="0; URL=login.faces" />
          <title>Start Web Application</title>
     </head>
     <body>
          <p>
               Please wait for the web application to start.
          </p>
     </body>
</html>Edited by: laurentw on Feb 10, 2009 4:12 PM
Edited by: laurentw on Feb 10, 2009 4:13 PM

Sessions without cookies on OAS 4.0.8.2

I try to build a Servlet on OAS 4.0.8.2 where sessions are not realized via cookies but via URL encoding. This does not work, however, as the session information is added to the URL by the OAS in a form that destroys my query parameters which is an OAS bug, I think. Cookies work fine, but I am not allowed to use them in my context. Does anyone have experience with this ?

OK! Fixed that one myself - for now. I had used some wrong jar:s in my libraries.
There are still some problems.
If I use JDK 1.1.8, I get the following trace when trying to run my client:
java.lang.NoSuchMethodError: java.lang.System: method setProperty(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; not found
at
at javax.naming.spi.NamingManager.getDefaultInitialContextFactory(NamingManager.java:696)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:744)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:181)
at javax.naming.InitialContext.<init>(InitialContext.java:158)
at test.BCEJBClient.main(BCEJBClient.java:32)
The problem goes away if I instead use JDK 1.2.2. But in the project I'm working on we are usng JDK 1.1.8. How can this problem be solved?

APEX 4.1 - Problem with session and cookie

Hi,
I have 2 applications with both public pages and pages needs authentication. The 2 apllication have same authentication model and are using subscription to have like an SSO. So they share the same cookie.
My problem is when i'm loged on the first application and open a new navigator tab to go into a public page of the second without passing the session id, My session on the first application is not valid any more and i must login again.
I'm migrating all my applications from apex 3.1 to apex 4.1. Before this upgrade all my applications worked fine.
Thanks.

Hi,
have you implemented your own custom authentication scheme or are you using a built-in one? If you have a custom authentication scheme, can you setup an example on apex.oracle.com and provide the workspace name and application id so that we can have a look.
Regards
Patrick
My Blog: http://www.inside-oracle-apex.com
APEX Plug-Ins: http://apex.oracle.com/plugins
Twitter: http://www.twitter.com/patrickwolf

Read asp-session or cookie

hi!
there's an asp-login page that holds a session with login information.
this asp page then calls my jsp page.
the problem is that i wanna access this login information stored in the asp-session from my jsp.
how can i archieve this?
is there a way to access to the asp-session or the cookie?
thx in advance

easiest way is to forward response from ASP (these ASP has to be invoked after the login form is submitted - post method) to JSP and get the required parameter
there are two possibilities
1) directly u get values of by request.getParameter("username")
0r
2) pass parameter and values from ASP page as myjsppage?username=test
hope these solve your probs...my prob is dukes...
bye for now
Pranav

Invalid Session ID - cookie encode/decode

Hello,
I'm looking for the correct combination of cookie encode/decode parameters for my own setup.
Machine am : AM Server 7.0 on WS6.1
Machine amc : my own webapps using AM client SDK & protected by a Policy agent. 2.2 Everything within a WS6.1 container.
After being redirected to AM, I obtain my iPlanetDirectoryPro cookie and my webapp can obtain a SSOToken using the SSOToken token = manager.createSSOToken(String) if obtain the String via Cookie accessor's method.
No luck with SSOToken token = manager.createSSOToken(HttpServletRequest) which always gives a Invalid Session Id message. I know that this is an encoding problem but I tried many combinations & heard that these settings are not always well documented. I have at the moment :
am server AMConfig.properties :
com.iplanet.am.cookie.encode=false
am client sdk AMConfig.properties :
com.iplanet.am.cookie.encode=false
policy agent AMAgent.properties :
com.sun.identity.agents.config.sso.decode = false
com.iplanet.am.cookie.encode = false
Has somebody worked that out ?
Thanks !
nieuwenj

Hi, am using this code:
AMUtil.java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.ChoiceCallback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.iplanet.am.util.Debug;
* @author hjimenez
public class AMUtil {
    private String loginIndexName;
    private String orgName;
    private String user;
    private String password;
     * Creates a new instance of AMUtil
    public AMUtil(String loginIndexName, String orgName) {
        this.loginIndexName = loginIndexName;
        this.orgName = orgName;
    protected AuthContext getAuthContext()
    throws AuthLoginException, com.iplanet.sso.SSOException, Exception {
        AuthContext lc = new AuthContext(orgName);
        AuthContext.IndexType indexType = AuthContext.IndexType.MODULE_INSTANCE;
        lc.login(indexType, loginIndexName);
        debugMessage(loginIndexName + ": Se obtuvo login context");
        return lc;
    private void addLoginCallbackMessage(Callback[] callbacks)
    throws UnsupportedCallbackException {
        int i = 0;
        try {
            for (i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof TextOutputCallback) {
                    handleTextOutputCallback((TextOutputCallback)callbacks);
} else if (callbacks[i] instanceof NameCallback) {
handleNameCallback((NameCallback)callbacks[i]);
} else if (callbacks[i] instanceof PasswordCallback) {
handlePasswordCallback((PasswordCallback)callbacks[i]);
} else if (callbacks[i] instanceof TextInputCallback) {
handleTextInputCallback((TextInputCallback)callbacks[i]);
} else if (callbacks[i] instanceof ChoiceCallback) {
handleChoiceCallback((ChoiceCallback)callbacks[i]);
} catch (IOException e) {
e.printStackTrace();
throw new UnsupportedCallbackException(callbacks[i],e.getMessage());
private void handleTextOutputCallback(TextOutputCallback toc) {
debugMessage("Se ejecut� TextOutputCallback");
// Mostrar mensaje de acuerdo al tipo especificado
switch (toc.getMessageType()) {
case TextOutputCallback.INFORMATION:
debugMessage(toc.getMessage());
break;
case TextOutputCallback.ERROR:
debugMessage("ERROR: " + toc.getMessage());
break;
case TextOutputCallback.WARNING:
debugMessage("WARNING: " + toc.getMessage());
break;
default:
debugMessage("Tipo de mensaje no soportaado: " +
toc.getMessageType());
private void handleNameCallback(NameCallback nc)
throws IOException {
// asignar usuario
nc.setName(this.user);
private void handleTextInputCallback(TextInputCallback tic)
throws IOException {
// poner un prompt para obtener datos
System.out.print(tic.getPrompt());
System.out.flush();
tic.setText((new BufferedReader
(new InputStreamReader(System.in))).readLine());
private void handlePasswordCallback(PasswordCallback pc)
throws IOException {
// asignar password
String passwd = this.password;
pc.setPassword(passwd.toCharArray());
private void handleChoiceCallback(ChoiceCallback cc)
throws IOException {
// ignorar el valor default dado
System.out.print(cc.getPrompt());
String[] strChoices = cc.getChoices();
for (int j = 0; j < strChoices.length; j++) {
System.out.print("choice[" + j + "] : " + strChoices[j]);
System.out.flush();
cc.setSelectedIndex(Integer.parseInt((new BufferedReader
(new InputStreamReader(System.in))).readLine()));
public boolean login(AuthContext lc)
throws UnsupportedCallbackException {
boolean succeed = false;
Callback[] callbacks = null;
// obtener informaci�n del m�dulo solicitada
while (lc.hasMoreRequirements()) {
callbacks = lc.getRequirements();
if (callbacks != null) {
addLoginCallbackMessage(callbacks);
lc.submitRequirements(callbacks);
if (lc.getStatus() == AuthContext.Status.SUCCESS) {
System.out.println("Login exitoso.");
succeed = true;
} else if (lc.getStatus() == AuthContext.Status.FAILED) {
System.out.println("Login fallo.");
} else {
System.out.println("Estatus desconocido: " + lc.getStatus());
return succeed;
public void logout(AuthContext lc)
throws AuthLoginException {
lc.logout();
System.out.println("Log Out!!");
static void debugMessage(String msg) {
System.out.println(msg);
public String getUser() {
return user;
public void setUser(String user) {
this.user = user;
public String getPassword() {
return password;
public void setPassword(String password) {
this.password = password;
and call it from:
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.spi.AuthLoginException;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.iplanet.sso.SSOException;
import java.net.InetAddress;
* @author hjimenez
public class TestLogin {
    /** Creates a new instance of TestLogin */
    public TestLogin() throws SSOException {
     * @param args the command line arguments
    public static void main(String[] args) {
        try {
            // arg0 = LDAP arg1 = tecnet
            AMUtil login = new AMUtil(args[0], args[1]);
            // arg2=usuario arg3=pass
            login.setUser(args[2]);
            login.setPassword(args[3]);
            AuthContext lc = login.getAuthContext();
            if (login.login(lc)) {
                SSOToken token = lc.getSSOToken();
                System.out.println("Token asignado: "+token.getTokenID().toString());
                String host = token.getHostName();
                java.security.Principal principal = token.getPrincipal();
                String authType = token.getAuthType();
                int level = token.getAuthLevel();
                InetAddress ipAddress = token.getIPAddress();
                long maxTime = token.getMaxSessionTime();
                long idleTime = token.getIdleTime();
                long maxIdleTime = token.getMaxIdleTime();
                System.out.println("SSOToken host name: " + host);
                System.out.println("SSOToken Principal name: " +
                        principal.getName());
                System.out.println("Authentication type used: " + authType);
                System.out.println("IPAddress of the host: " +
                        ipAddress.getHostAddress());
                login.logout(lc);
        } catch (AuthLoginException e) {
            e.printStackTrace();
        } catch (UnsupportedCallbackException e) {
            e.printStackTrace();
        } catch (SSOException e) {
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();

Change session tracking cookie name

Hello,
Is there a way to change the default JSESSIONID cookie name to some thing different for session tracking? I've searched around but have not found anything on this subject.
Thanks.

Are the web applications deployed at '/' on each server or are they deployed using unique context paths such as /app1, /app2 etc?
Which of the following represents how you access each app through the reverse proxy server?
a) http://app1.foo.com/
http://app2.foo.com/
where app1.foo.com, app2.foo.com all map to the proxy server which then reverse proxies each URL to the corresponding backend server/app
or
b) http://foo.com/app1
http://foo.com/app2
where foo.com maps to the proxy server and the proxy server reverse proxies /app1 to one server, /app2 to another and so on

Change session ID cookie name

Is there a way in Tomcat to change the cookie name for the session ID at the application or the server level? Instead of having JSESSIONID, to change it to something else. If 2 Tomcat servers are running on the same machine and the user goes between the 2 servers in the same browser window (process), then the ID from Tomcat A's session gets overwritten with Tomcat B's session ID, so the original A session is lost when going back to A after having been at B.

URL rewriting and session cookies are two mutually exclusive ways of identifying the user.
What you want to do is find the current session of the user and use that one instead of creating a new session each time the user changes machines. This is a bit of a problem because each Tomcat server keeps a separate list of SessionIDs to compare to the user's SessionID.
You can kind of get around this problem by having the first server create a cookie that is visible to the entire domain, and then each server can fetch that particular cookie rather than looking for an explicit SessionID. For example...
Cookie cookie = new Cookie( "bsampieri.com", getUniqueString() );
cookie.setDomain( ".bsampieri.com" );
cookie.setMaxAge( -1 );
response.addCookie( cookie );And then each server checks for a cookie called "bsampieri.com", gets the identification string from that, and compares it with your list of "valid users" or shopping cart or whatever.

Sticky session without cookie is broken

Hi,
I need help from you guys to confirm this is something not supported by newer version of Coldfusion any more.
Background:
This is for a mobile on-deck site of a carrier in Australia. The carrier append an unique ID (a 10 digit number) by HTTP header to each handset’s http request to the Coldfusion server. Our Coldfusion code saved this ID in a variable called request.uid. Considering that not all handsets support cookie, we turned off client cookies and instead use the following code to tell the Coldfusion server that a CFID and CFTOKEN has been passed to it in query string. No CFID and CFTOKEN were actually passed in the query string. We just used our code to pretend a CFID and CFTOKEN were passed (the actual value was not set by Coldfusion server but externally by our code) . This code had been working for years which enabled us not to depend on client cookies and CFID/CFTOKEN in query string to maintain sessions for on-deck mobile sites. However, this code started not to work after we applied a coldfusion hotfix 2 (http://kb2.adobe.com/cps/403/kb403781.html) in September on coldfusion 8.0.1. Every request will start a new session rather than stick to the same session after that.
<cfset url.cfid = "#request.uid#">
<cfset url.cftoken = 0>
<cfapplication name="hww_#request.site_id#" sessionmanagement="Yes"
                setclientcookies="No" sessiontimeout="0.1" applicationtimeout="0.1">
Can someone please verify that the above logic is not supported by new versions of Coldfusion anymore?
Thanks.

OK that's interesting. I had found your technique would not work if the value for request.uid was not numeric, but otherwise works fine (on CF 8.0.1).
My test rig is thus:

<cfset request.uid = "9999999999">
<cfset request.site_id = "fakeIdToken">
<cfset url.cfid = "#request.uid#">
<cfset url.cftoken = 0>
<cfapplication name="hww_#request.site_id#"
    sessionmanagement="Yes"
    setclientcookies="yes"
    sessiontimeout="#createTimeSpan(0,0,20,0)#"
    applicationtimeout="#createTimeSpan(0,2,24,0)#">
<cfparam name="session.ts" default="#now()#">
<cfdump var="#url#" label="url">
<cfdump var="#request#" label="request">
<cfdump var="#session#" label="session">
<cfdump var="#CGI#" label="CGI">
And then I hit another page in the same dir.
With any numeric value of request.uid, sessio.ts sticks. For non-numerics, it's ignored and CF creates its own CFID/CFTOKEN.
Are you sure about your UID values?
Adam

Finding real server from session ID cookie

Greetings,
          running Weblogic express, 8.1.4, with 3 servers in a cluster.
          How can I determine which server handled a request when looking at a tcpdump from in front of a load balancer?
          I know the jsessionid cookie has the primary server ID at the end, but I can't find the ID value in any of the config files.
          Example cookie ID's are:
          -193723663
          242986410
          253184977
          They don't seem to be an obvious IP address/port conversion. Is there another way to find which server handled a request based on these cookie ID's?
          --Kurt

Thank you for the quick reply.
          Do you know if the JVM id's are persistent? Meaning once I do figure out which id for which server, will they stay the same through reboots/restarts, etc.?
          Also, if there is an easy way to have the server set a separate cookie value, like "server=IP", then I would not need to worry about the session ID. I'm not that familiar with weblogic to know how to do this.
          Regards,
          --Kurt

Difference between session and cookie?

what for they use?

If we're talking web application context:
Each web browser transaction is a separate connection, so the web server often needs to be able to keep track of which comes from which browser, to tie the individual transactions into a conversation. The most popular underlying mechanism is cookies. The server sends the browser a cookie as part of the first transaction response and, thereafter, every time the browser sends a transaction it includes the cookie. Cookies typically contain random strings of characters which uniquely label the browser.
A Session object is used in Serlvets and JSPs as a higher level abstraction of the same thing. The session object retains data about the conversation between transactions. The web server normally implements this by automatically creating a random cookie associated with the Session object and, whenever a transaction is received, it looks for the cookie and finds the relavant session object.

Session or Cookies

Similar Messages

Maybe you are looking for