Session.removeAttribute and session.invalidate
I pass a scoped object from one JSP #1 to JSP #2 in a session.
In JSP #1, I did:
<c:set var="cr" value="${articleForm.creator}" scope="session"/>In JSP #2, I did:
<bean:define id="author" name="cr" scope="session" type="java.lang.String"/>
<html:text property="receiver" value="<%=author%>" size="82" maxlength="25" tabindex="1"/>Immediately after I output the value, I want to remove the object from the session. I have two questions:
1. which one of the following should I do:
session.removeAttribute( "cr" );or
session.removerAttribute( "author" );or
session.removeAttribute( "receiver" );2. Do I have to invalidate the session; i.e. session.invalidate(); after all the objects in the session are removed?
I pass a scoped object from one JSP #1 to JSP #2 in a session.
In JSP #1, I did:
<c:set var="cr" value="${articleForm.creator}" scope="session"/>In JSP #2, I did:
<bean:define id="author" name="cr" scope="session" type="java.lang.String"/> <html:text property="receiver" value="<%=author%>" size="82" maxlength="25" tabindex="1"/>Immediately after I output the value, I want to remove the object from the session. Which one of the following should I do:
session.removeAttribute( "cr" );or
session.removerAttribute( "author" );or
session.removeAttribute( "receiver" );
Similar Messages
-
Session.putValue() and session.setAttribute
do I have to use session.putValue() before using session.setAttribute() and session.getAttribute() ?
becuase I have one JSP page include one form (action=TheSameJspFile.JSP) several Submit bottuns each Bottun has its Value.
in the JSP I request the submit value and depends on it doing stuff ...
each Value I have to get and to set a session Attribute, if I want to putValue it will delete the old value.
how can I solve this?You need to store something in the session before you can retrieve it.
So, you need to do a setAttribute() to place something in the session. Then you use getAttribute() to retrieve it. DO NOT use putValue as it is deprecated and has been replaced by setAttribute(). DO NOT use getValue() as it is deprecated and has been replaced by getAttribute(). -
Session Id, Unified Session ID and session shadowing
Hi,
It looks like we've got a problem with session shadowing in our 2012R2 deployment. Trying to shadow a session from server manager returns an error "the session identification does not specify a valid session", but running a command "Mstsc.exe
/v:RDS2012 /shadow:2 /noConsentPrompt" and using SessionID opens correct session without a problem. I noticed that there are two different ID's for each session, SessionID and UnifiedSessionID which are different. When I'm trying to shadow a Uinified
one I'm receiving an error, but with SessionID it opens it. I can see that server manager is using UnifiedSessionID and that's why I can't open a shadowing session with GUI.
Is there a way to sort it out so we will be able to shadow a session from Server Manager?
Best,
MarcinHi,
It looks like we've got a problem with session shadowing in our 2012R2 deployment. Trying to shadow a session from server manager returns an error "the session identification does not specify a valid session", but running a command "Mstsc.exe
/v:RDS2012 /shadow:2 /noConsentPrompt" and using SessionID opens correct session without a problem. I noticed that there are two different ID's for each session, SessionID and UnifiedSessionID which are different. When I'm trying to shadow a Uinified
one I'm receiving an error, but with SessionID it opens it. I can see that server manager is using UnifiedSessionID and that's why I can't open a shadowing session with GUI.
Is there a way to sort it out so we will be able to shadow a session from Server Manager?
Best,
Marcin -
Upload file with iframe loos session user and session id in wwv_flow_files
Hello every one, hope someone could help us with this problem.
What we are trying to do is to upload a file from a jquery dialog in a appex page by redirecting the POST action of the wwvFlowForm to the iframe.
*1. In the javascript there is the function call to open my modal window with the input*
function add_fichier_form(numeroProjet,idCat){
$("#div_upload_fichier").dialog(
modal : true ,
autoOpen : false ,
resizable: false ,
width: 700
$('#div_upload_fichier').parent().appendTo('#div_base');
$('#upload_button').unbind('click').click(function(){
if ($('#P4010_FILE_FICHIER').val() != '') {
$('#upload_iframe_v2').unbind('load').load(function () {
$('#upload_status').html(' déplacement du fichier...');
// move the file
$('#upload_status').html('Fichier transféré avec succès');
//file transfer ok
//calling the javascript function to add everything in my own table;
//we see the file in the wwv_flow_file_objects$ without
add_fichier_form_db();
// set the form target to the iframe, submit, then remove the target
$('#wwvFlowForm').attr('target','upload_iframe_v2').submit().removeAttr('target');
$('#upload_status').html(' Téléchargement du fichier...');
}else {
alert('Veuillez sélectionner un fichier');
$("#div_upload_fichier").dialog("option", "title", "Ajout d'un fichier");
$("#div_upload_fichier").dialog("open");
}*2. At this point we see the file in the table but without the user and session credential*
select *
from wwv_flow_file_objects$
The result is that the field security_group_id is assign to 0 AND created_by = APEX_PUBLIC_USER
*3. add_fichier_form_db(); the javascript function making the ajax call to a procedure plsql*
function add_fichier_form_db(){
//alert ('Dasn fichier form db');
vNumeroProjet = document.getElementById('P4010_CAT_NUMERO_PROJET').value;
vIdCat = document.getElementById('P4010_CAT_ID').value;
vFichierNom = document.getElementById('P4010_NOM_FICHIER').value;
vFichierDesc = document.getElementById('P4010_DESC_FICHIER').value;
vFichierFile = document.getElementById('P4010_FILE_FICHIER_NAME').value;
var ajaxRequest = new htmldb_Get(null , 300, 'APPLICATION_PROCESS=ADD_FICHIER_FORM_DB', 4010);
ajaxRequest.add( "P4010_CAT_NUMERO_PROJET", vNumeroProjet);
ajaxRequest.add( "P4010_F_CAT_ID", vIdCat);
ajaxRequest.add( "P4010_FICHIER_NOM", vFichierNom);
ajaxRequest.add( "P4010_FICHIER_DESC", vFichierDesc);
ajaxRequest.add( "P4010_FILE_FICHIER_NAME", vFichierFile);
var gReturn = ajaxRequest.get();
if (gReturn){
$x("getlistfichier").innerHTML = gReturn;
closeForm();
}else{
alert ('Problèmes dans le call Ajax ADD_REPERTOIRE_FORM_DB \n La valeur retournée est: \n' + gReturn);
}*4. PLSQL PROCEDURE *
h1. WHEN the query is executing it's return ORA-01403: no data found. WHY ????
PROCEDURE P_ADD_FICHIER_FORM_DB(
P_NUMERO_PROJET number,
P_CAT_ID number,
P_FICHIER_NOM varchar2,
P_FICHIER_DESC varchar2,
P_FILE_FICHIER_NAME in varchar2)
AS
vNumeroProjet number;
vFichierNom varchar(255);
vFichierDesc varchar(2000);
vCatId number;
vActif number;
vDocSize number;
vNomUsager varchar(10);
vDateCreation date;
vFichierTypeId number;
vNomReel varchar2(1000);
vNomReel2 varchar2(1000);
vCurVal number;
BEGIN
SELECT FILENAME,DOC_SIZE,CREATED_ON
INTO
vNomReel,vDocSize,vDateCreation
FROM WWV_FLOW_FILES
WHERE FILENAME = P_FILE_FICHIER_NAME;
/*GET ERROR sqlerrm:ORA-01403: no data found */
END P_ADD_FICHIER_FORM_DB;h4. hope someone help us soon
Thanks in advance
jocelynFinally we find what was wrong so i give you the solution.
In the javascript on the function add_fichier_form
We need to append the div of the form to the default form of apex wwvFlowForm
so the line*
$('#div_upload_fichier').parent().appendTo('#div_base');
should be change to*
$('#div_upload_fichier').parent().appendTo('#wwvFlowForm');Edited by: jocbed on 2012-01-26 11:08 -
Session timeout and session.invalidate() -- are they the same?
I was just wondering when a session timeout occurs (either by setting the session-timeout in web.xml or the server's default timeout), is the session automatically invalidated? Or should we call setMaxInactiveInterval() instead? Or is calling session.invalidate() the only way to invalidate a session?
Hello all,
Both are same in terms of functionality, but if you use both of them like
1: You specified the tag sessionTimeout and
2: in your program the session.maxInactiveIntervalTime( value ) here if the value is(we gave it in terms of seconds like for 40 minutes we give 2400) then the program code will override the value previously set in web.xml
Thanks
Prabhakar -
Session Replication and Session Timeout -- Urgent
WLS -4.5.1 SP 11
OS - both NT and Sol
HI All
The session does not seems to timeout when running the Weblogic servers in
clustered mode with in-memory session replication on.
This problem seems to be there in version5.1 too , as per another post , it
seems to be solved in WLS5.1 sp 8
Could anyone pls confirm in which patch in WLS 4.5.1 is the problem
addressed . I'm using patch 11 and am getting the problem.
Thanks in advance..
-Surya
Try SP13 and if the problem persists, contact [email protected]
-K
Surya B Maithani wrote:
> WLS -4.5.1 SP 11
> OS - both NT and Sol
>
> HI All
>
> The session does not seems to timeout when running the Weblogic servers in
> clustered mode with in-memory session replication on.
> This problem seems to be there in version5.1 too , as per another post , it
> seems to be solved in WLS5.1 sp 8
>
> Could anyone pls confirm in which patch in WLS 4.5.1 is the problem
> addressed . I'm using patch 11 and am getting the problem.
>
> Thanks in advance..
>
> -Surya
-
Under Excel Service Application --> session management; what is the difference between Session timeout and Short Session timeout?
Any call made from the API will automatically be set to the “Session Timeout” period, no matter
what. Calls made from EWA (Excel Web Access) will get the “Short Session Timeout” period assigned to it initially.
Short Session Timeout and Session Timeout in Excel Services
Short Session Timeout and Session Timeout in Excel Services - Part 2
Sessions and session time-outs in Excel Services
above links are from old version but still applies to all.
Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog -
Session.invalidate & session.removeAttribute()
hi,
i need a clarification....does session.invalidate() also remeove all the attributes and their values or do i need an explicit session.removeAttribute("var_name") ??????????
if i use session.removeAttribute i get cannot resolve symbol at compile time!
thank u,
ashnacheck out,
1. maybe you are trying to run removeAttribute, AFTER invalidate().
2. you have given wrong name as argument to removeAttribute().
just call invalidate(), you dont need to call removeAttribute(). -
Session Login and Logout in jsp page
hi
i am developing jsp page
i completed except logout.jsp page
my login page is in Jsp format and then business Logic in servlet and then get method & set method in bean.java
i have login and then it sucess page there i have singout button
if i sign out it should go to login page
how to do
how to make session invalidate
how to get session id
i have one more doubt i should check session invalidate each jsp page
regarding session login and logout in jsp
if anybody knows please give me a piece of code regarding login and logout
Regards
AkshathaThis is part of your filter class now you need login.jsp page
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="Stylesheet" type="text/css" href="/PAS/css/site.css"/>
<title>Automation System | Login Page</title>
</head>
<body>
<div align="center">
<h1>Photint Automation System</h1>
</div>
<br/><br/><br/>
<center>
<table border="1" cellpadding="0" cellspacing="0" width="40%" bgcolor="FFFFFFFF">
<thead>
<tr>
<th align="left" height="30"> <h3> Login</h3></th>
</tr>
</thead>
<tbody>
<tr>
<td>
<div align="center">
<form name="LOGIN" action="/PAS/LoginServlet" method="POST">
<table border="0">
<tbody>
<tr>
<td height="15"></td>
<td height="15"></td>
<td height="15"></td>
<td height="15"></td>
</tr>
<tr>
<td height="30"></td>
<td align="right" height="30">User Name : </td>
<td align="left" height="30"><input type="text" name="USERNAME" value="" size="35" /></td>
<td height="30"></td>
</tr>
<tr>
<td height="30"></td>
<td align="right" height="30">Password : </td>
<td align="left" height="30"><input type="password" name="PASSWORD" value="" size="35" /></td>
<td height="30"></td>
</tr>
<tr>
<td height="50"></td>
<td height="50"></td>
<td align="center" height="50"><input type="submit" value="Login" name="Login" /> <input type="reset" value="Reset" name="Reset" /></td>
<td height="50"></td>
</tr>
</tbody>
</table>
</form>
</div>
</td>
</tr>
</tbody>
</table>
</center>
<br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/><br/>
<br/><br/><br/>
<center>Copyright © 2009 Photint FZ LLC</center>
<center>Powered by Ali Jamali</center>
<center>Version : 1.0</center>
</body>
</html>And you need loginServlet.java
package com.ali.util.filter;
import com.ali.entity.user.UserEntity;
import com.ali.util.HibernateUtil;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class LoginServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("USERNAME");
String password = request.getParameter("PASSWORD");
if (username == null || username.length() == 0) {
System.err.println(" Username textfeild is empty ..... !");
RequestDispatcher dispatcher = request.getRequestDispatcher("Pages/user/LogIn.jsp");
dispatcher.forward(request, response);
return;
if (UserRegistry.isUserLoggedIn(username)) {
System.out.printf("User [%s] is already logged in. \n", username);
RequestDispatcher dispatcher = request.getRequestDispatcher("Pages/user/LogIn.jsp");
dispatcher.forward(request, response);
return;
UserEntity user = null;
try {
user = (UserEntity) HibernateUtil.load(UserEntity.class, username);
if (user == null || !user.getPassword().equals(password)) {
RequestDispatcher dispatcher = request.getRequestDispatcher("Pages/user/LogIn.jsp");
dispatcher.forward(request, response);
System.err.println(" Password or username is not valid ..... !");
return;
} catch (Exception e) {
e.printStackTrace();
RequestDispatcher dispatcher = request.getRequestDispatcher("Pages/user/LogIn.jsp");
dispatcher.forward(request, response);
return;
HttpSession session = request.getSession();
System.err.println(request.getRemoteAddr());
session.setAttribute("username", user.getFirstName());
session.setAttribute("userType", user.isAdmin());
UserRegistry.logInUser(username);
response.sendRedirect("/PAS/index.jsp");
}finally is you need to just one user can be online at time or need to know how many user & who is online you should at this class also
package com.ali.util.filter;
import java.util.ArrayList;
import java.util.List;
public class UserRegistry {
private static final List loggedInUsers = new ArrayList();
public static void logInUser(String username) {
loggedInUsers.add(username);
public static void logoutUser(String username) {
if (isUserLoggedIn(username)) {
loggedInUsers.remove(username);
public static boolean isUserLoggedIn(String username) {
return loggedInUsers.contains(username);
}If you have any more Q. or any comment , Most welcome
Thanks
Ali Jamali -
Hi,
I have questions about "Accounting-Start" and "Accounting-Stop".
1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it an issue for RADIUS application ?
Cheers,
1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it an issue for RADIUS application ?
Cheers,vignesh and BalusC,
following is the code in front controller's doFilter method. is this not thread safe?
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
HttpSession session = req.getSession();
somepackage.User user;
if(session.getAttribute("user") == null){
user = new somepackage.User();
session.setAttribute("user", user);
}else{
user = (somepackage.User) session.getAttribute("user");
}user object maintains all information about a user. if it is in session scope, everything should work fine.
another observation is after some time of usage, both people in different systems are getting same session.getId()
in my logout page i am using
session.invalidate();
thanks,
moses -
Problem with session.removeAttribute()
Hi,
After doing
<% session.removeAttribute("USER");%>from one jsp, if i say
<% =session.getAttribute("USER") %>in another jsp, I still get the value of the session variable USER.
Can anybody tell what might be the problem ???
Thanks !No it shouldn't and it doesn't just apply to those objects.
Quoting the api:
The remove attribute method:
public void removeAttribute(java.lang.String name)
Removes the object bound with the specified name from this session. If the session does not have an object bound with the specified name, this method does nothing.
After this method executes, and if the object implements HttpSessionBindingListener, the container calls HttpSessionBindingListener.valueUnbound. The container then notifies any HttpSessionAttributeListeners in the web application.removeAttribute removes the attribute from session.
If you can still see it in another jsp, you must be putting it back INTO the session somewhere.
Cheers,
evnafets -
BC4J/UIX: How to implement session timeout and logout?
Hi,
I need to implement logout function in my UIX application. We use JAZN basic authentication. So several things need to be done when user clicks 'logout'
1. Any pending transaction is rolled-back.
2. App Module - what to do with it?
3. Browser closes or redirects to other page. Any attempts to go BACK will show either 'session expired' or will redirect to login page.
Also I need a mechanism where if user is idle for say, 10 minutes, that he/she will be automatically logout (maybe after some warning message). How to do this?
Thanks
RadeWell if you search long enough, you will find your own answers. After months of not having this solved, I found the solution, in a piece of sample code from oracle that is distro with the OC4J stuff.
if (request.getRemoteUser() != null) {
// notes that the application is responsible for cleanup
//invalidate the HttpSession
HttpSession session = request.getSession();
session.invalidate();
String url=null;
oracle.security.jazn.oc4j.WebSSOUtil.globalLogout(response,url);
} else out.println("You are not logged in!");
out.println("</BODY>");
out.println("</HTML>");
This is the piece I was looking for, a way to kill off the SSO session. Now when I click logoff, the user is actually logged off the application and their HTTP session is killed off as well.
Kelly -
JSF - spring - hibernate and session
Hi,
I'm currently using hibernate spring and JSF
1/ the first problem
In the JSF common header page I try to test if a bean is in the session scope in order to show login or logout link, and the test always fails : the logout link is always displayed.
the JSF page :
<f:subview id="header" >
<h:form id="headerForm">
<table cellspacing="0" width="100%">
<tr>
<td align="left" valign="middle">
<a href="front.jsf"><img border="0" src="images/logo1.jpg"/></a>
</td>
<td align="right" valign="middle"> <br>
<!--<a href="front.jsf" rendered="#"> Accueil<</a> -->
<c:choose>
<c:when test="${empty sessionScope.accountBean}">
<h:commandLink action="Sign on">
<h:outputText value="Sign on"/>
</h:commandLink>
</c:when>
<c:otherwise>
<h:commandLink id ="logout" action="#{accountBean.logoutAction}" >
<h:outputText value="log out"/>
</h:commandLink>
</c:otherwise>
</c:choose>
</td>
</tr>
</table>
<table cellspacing="0" width="100%">
<tr>
<td>
<hr color="#99ca3c" size="5" noShade SIZE=1>
</td>
</tr>
</table>
</h:form>
</f:subview>The accountBean code :
public class AccountBean extends BaseBean{
//private Logger log = Log.getLog(this);
private String uid;
private String password;
private boolean loggedIn;
private AdminService adminService;
private Admin admin;
public AccountBean() {
this.logger.debug("Authentication");
this.loggedIn = false;
uid=null;
password=null;
// admin=new Admin();
public String loginAction() {
try {
this.logger.debug("loginAction");
admin = adminService.login(this.uid, this.password);
//this.serviceLocator.getUserService().login(this.username, this.password);
if (admin != null) {
if("".equals(admin.getUid())|| "".equals(admin.getPassword())){
this.loggedIn=false;
String msg = "Le mot de passe et l'identifiant doivent etre saisis ";
addErrorMessage(msg + ", saississez un mot de passe et un identifiant corrects");
return NavigationResults.RETRY;
else{
this.loggedIn = true;
HttpSession session = SessionUtil.getSession();
session.setAttribute("Admin", this.uid);
return NavigationResults.SUCCESS;
else {
this.loggedIn = false;
String msg = "Le mot de passe est incorrect ";
addErrorMessage(msg + ", saississez un mot de passe correct");
this.logger.debug(msg);
return NavigationResults.RETRY;
catch (UsernameNotExistException ue) {
String msg = "L'identifiant (login) est incorrect";
this.logger.info(msg);
addErrorMessage(msg + ", ressaysissez votre identifiant.");
return NavigationResults.RETRY;
catch (Exception e) {
this.logger.error("Could not log in user.", e);
addInfoMessage("Could not log in user: Internal Error");
return NavigationResults.FAILURE;
* The backing bean action to logout a user.
* @return the navigation result
public String logoutAction() {
//this.clear();
FacesContext fc = FacesContext.getCurrentInstance();
HttpSession session = (HttpSession) fc.getExternalContext().getSession(false);
session.invalidate();
this.logger.debug("Logout successfully.");
return NavigationResults.MAIN;
public String getPassword() {
return password;
public void setPassword(String password) {
this.password = password;
public String getUid() {
return uid;
public void setUid(String uid) {
this.uid = uid;
public Admin getAdmin() {
return admin;
public boolean getLoggedIn() {
return loggedIn;
public void setLoggedIn(boolean loggedIn) {
this.loggedIn = loggedIn;
public void setAdminService(AdminService adminService) {
this.adminService = adminService;
}the faces managed bean configuration
<managed-bean-name>accountBean</managed-bean-name>
<managed-bean-class>fr.cbmjadmin.views.bean.AccountBean</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
<managed-property>
<property-name>adminService</property-name>
<value>#{adminService}</value>
</managed-property>2/ the second problem :
my application shows a list of datas.
I log on the application , i update this list outside the application ( by using sql command) , i try to list my data using the application : the application does not reflect the modifications. I logout using the log out link, then i log on and the application does not reflect the modifications.
what happens?
How could I resove these problems.
How can i logout properly?
how can i show logout link when the user is logged in? and hide the log out link when the user is logout
Thanks.It depends on how you want to reprecate the session btwn instances or cluters
there are three kinds File System, Memory to Memory, HA
You can configure it from this property in the admin console
Configuration on a cluster -> Availability Service -> Web Container Availability -> Persistence Type: -
Session timeout and custom sso
Hi,
can anyone tell me how the session and idle timeout feature in Apex exactly works?
I built several applications in a workspace and do a sso authorization by setting a common cookie name. In addition to that i set the values for session length and idle timeout and assumed that the session length would be synchronized over all applications. But this doesn't seem to work. For instance, i set the idle timeout to 10 minutes in all applications and now i work for 15 minutes continously in application A and after that i switch over to application B (using the same session id!), the session is already expired in B.
Is this behavior correct? And, if yes, how can i set up a synchronization over all applications?
JensAnyone?
-
Javacard and session variables
Hello,
I'm trying to find a reasonable Javacard technique to handle "session variables" that must be kept between successive APDUs, but must be re-initialized on each card reset (and/or each time the application is selected); e.g. currently selected file, currently selected record, current session key, has the user PIN been verified...
Such variables are best held in RAM, since changing permanent (EEPROM or Flash) variables is so slow (and in the long run limiting the operational life of the card).
Examples in the Java Card Kit 2.2.2 (e.g. JavaPurseCrypto.java) manipulate session variables in the following way:
1) The programmers group session variables of basic type (Short, Byte, Boolean) according to type, and map each such variable at an explicit index of a vector (one per basic type used as session variable).
2) At install() time, each such vector, and each vector session variable, is explicitly allocated as a transient object, and this object is stored in a field of the application (in permanent memory), where it remains across resets.
3) Each use of a session variable of basic type is explicitly translated by the programmer into using the appropriately numbered element of the appropriate vector.
4) Vector session variables require no further syntactic juggling, but eat up an object descriptor worth of permanent data memory (EEPROM or Flash), and a function call + object affectation worth of applet-storage memory (EEPROM, Flash or ROM).
The preparatory phase goes:
public class MyApp extends Applet {
// transientShorts array indices
final static byte TN_IX = 0;
final static byte NEW_BALANCE_IX=(byte)TN_IX+1;
final static byte CURRENT_BALANCE_IX=(byte)NEW_BALANCE_IX+1;
final static byte AMOUNT_IX=(byte)CURRENT_BALANCE_IX+1;
final static byte TRANSACTION_TYPE_IX=(byte)AMOUNT_IX+1;
final static byte SELECTED_FILE_IX=(byte)TRANSACTION_TYPE_IX+1;
final static byte NUM_TRANSIENT_SHORTS=(byte)SELECTED_FILE_IX+1;
// transientBools array indices
final static byte TRANSACTION_INITIALIZED=0;
final static byte UPDATE_INITIALIZED=(byte)TRANSACTION_INITIALIZED+1;
final static byte NUM_TRANSIENT_BOOLS=(byte)UPDATE_INITIALIZED+1;
// remanent variables holding reference for transient variables
private short[] transientShorts;
private boolean[] transientBools;
private byte[] CAD_ID_array;
private byte[] byteArray8; // Signature work array
// install method
public static void install( byte[] bArray, short bOffset, byte bLength ) {
//Create transient objects.
transientShorts = JCSystem.makeTransientShortArray( NUM_TRANSIENT_SHORTS,
JCSystem.CLEAR_ON_DESELECT);
transientBools = JCSystem.makeTransientBooleanArray( NUM_TRANSIENT_BOOLS,
JCSystem.CLEAR_ON_DESELECT);
CAD_ID_array = JCSystem.makeTransientByteArray( (short)4,
JCSystem.CLEAR_ON_DESELECT);
byteArray8 = JCSystem.makeTransientByteArray( (short)8,
JCSystem.CLEAR_ON_DESELECT);
(..)and when it's time for usage, things go:
if (transientShorts[SELECTED_FILE_IX] == (short)0)
transientShorts[SELECTED_FILE_IX] == fid;
transientBools[UPDATE_INITIALIZED] =
sig.verify(MAC_buffer, (short)0, (short)10,
byteArray8, START, SIGNATURE_LENGTH);I find this
a) Verbose and complex.
b) Error-prone: there is nothing to prevent the accidental use of transientShorts[UPDATE_INITIALIZED].
c) Wastefull of memory: each use of a basic-type state variable wastes some code; each vector state variable wastes an object-descriptor worth of permanent data memory, and code for its allocation.
d) Slow at runtime: each use of a "session variable", especially of a basic type, goes thru method invocation(s) which end up painfully slow (at least on some cards), to the point that for repeated uses, one often attain a nice speedup by caching a session variable, and/or transientShorts and the like, into local variables.
As an aside, I don't get if the true allocation of RAM occurs at install time (implying non-selected applications eat up RAM), or at application selection (implying hidden extra overhead).
I dream of an equivalent for the C idiom "struct of state variables". Are these issues discussed, in a Sun manual, or elsewhere? Is there a better way?
Other desperate questions: does a C compiler that output Javacard bytecode make sense/exists? Or a usable Javacard bytecode assembler?
Francois GrieuInteresting post.
I don't have a solution to your problem, but caching the session variables arrays in local variable arrays is a good start. This should be only done when the applet is in context, e.g. selected or accessed through the shareable interface. This values should be written back to EEPROM at e.g. deselect or some other important point of time. Do you run into problems if a tear happens? I don't think so since the session variables should be transactional, and a defined point will commit a transaction.
Analyzing the bytecode is a good idea. I know of a view in JCOP Tools (Eclipse plugin) where you can analyze the bytecode and optimize it to your needs.
Maybe you are looking for
-
Recently I started getting a MS Visual C++Runtime Library Error message at start-up. Consequently Adobe Acrobat Pro 9 started giving me an Organizer database is damaged message that will reset the next time Acrobat is launched. Is this harmful to m
-
Jsp bean property method dilemma
Hi all, I'm just starting using bean and trying to convert old jsp in MVC model using beans. I expose the problem: a simple internal search engine ask with a form to enter the some parameter. I want to use this parameter to compose my query to the db
-
I have Windows XP with SP. I have a problem with my computer spontaneously re-booting every time I disconnect my Zen V from the USB port. It will immediately re-boot as if I pressed the reset button. I suspect it may have something to do with the "?"
-
Can we update the Category attribute values of a file
Can we update the Category attibute values of a file with out checkout the file? I have set the version configuration to folder and try to update the category attribute values of a file under that folder, It is asking to checkout the file before modi
-
Activation of sub-totals button in ALV grid
hi experts Execute the module pool program BCALV_GRID_DEMO .in the o/p screen - how to activate the subtotals button explicitly.