Session stealing using cookies

Hi,
I was going through the article "Using Secure Cookies to Prevent Session Stealing" at http://e-docs.bea.com/wls/docs103/security/thin_client.html#wp1039551 and I was trying to set up the WLAUTHCOOKIE_JSESSIONID cookie. But whatever is mentioned in this article is not available with my WebLogic instance. I don't see any <WebServer> tag in the config.xml where I can set AuthCookieEnabled="true".
Can anyone help?

Yes, I have tried as you suggested. It works.
But the reason I want to use 'user_id + session_id' as the JSessionId is this: I assume that two users use one client to log in to the server (of course one by one). Although this happens abnormally, you should think about it when it happens. So when two use one client machine, only a single session is given.

Normally whenever a user is signing up as a different user from the same client the session must be invalidated before the user logs in, i.e. the login page must contain a session.invalidate as such. This will make sure that you get a new sessionID even when a user logs in from the same client.
Hope this helps!!!

So the two users use the same sessionID. So I add userid in front of session id, but it does not work well, as you pointed out the problem.
Any suggestion?

Similar Messages

  • Is there a way of not using cookies or "customized" url's? (servlets+jsp)

    Hi there.
    I'm wondering if there's an already implemented way of establishing a session without using cookies or URLs with session id variables. Maybe it's possible using the IP to know which computer is connected, along with something else.

    Actually, I don't have any requirements to use only IP, but I'm learning to develop web apps in general and this is a doubt I've been having for a while.
    I guess IP+browser+screen res.+something else could work.
    Someone would possibly want to use this so the browser user, even with some skills wouldn't know he's being tracked.
    Maybe I have this doubt because I always hear about all the tracking done by companies for several purposes. But I'm not sure.
    Anyway, all this started when I started reading about sessions and users logging in.
    Now. My real doubt is: What kind of tracking should be used and how should it be done?

  • Please help me-it's urgent,maintaining session and security using cookies.

    hi folks,
    I'm presently developing a web site for an engineering college. I am facing a problem in maintaining the session using cookies, destroying a cookie and keeping security for the user. There are four links on my webpage, including a logout link. When I click the other links other than the logout, it works perfectly, but when I click the logout link, I am not able to disable the cookie and am still able to visit previous pages by clicking the back button. Please give a suggestion as to how to disable the cookie and maintain the security for my web site.
    Thank u....

    Try out this login if it helps you.
    Create a bean that stores some String value. Then make an object of this bean using the useBean tag with session scope when a user logs in. Store the name of the user in the bean and also set the same name value in the Session object. Then on every JSP page compare the value set in the session object with the bean variable (which will have session scope). If the values match, then the JSP page output must be displayed to the user. Then on the logout link, invalidate the session object using the invalidate() method of the session class. As a result, now when you try to navigate back to the old JSP page, null will be returned to you when you try to retrieve the name value from the session object. And since this null will not match the value in the bean, you should not proceed further with generating the output. Hope this helps
    Nirav
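    Putting together the two pieces of advice in this thread (invalidate the session on the login page so the container issues a new JSESSIONID even when a second user logs in from the same client, and invalidate on logout so the back button cannot reach a protected page), here is an added servlet-API example. It is not code from any of the posts; the page names /login.jsp and /home.jsp, the class names and the session attribute name "user" are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added illustration of session handling at login, on protected pages and at logout. */
public class SessionLifecycle {

    /** Login: never keep the session ID that existed before authentication.
     *  Invalidating first means two users logging in one after another on the
     *  same client never share a JSESSIONID, so there is no need to embed the
     *  user id in the session id. */
    public static void login(HttpServletRequest req, HttpServletResponse resp, String user)
            throws IOException {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                       // drop the pre-login ID
        }
        HttpSession fresh = req.getSession(true);   // container issues a new JSESSIONID
        fresh.setAttribute("user", user);           // assumed attribute name
        resp.sendRedirect(req.getContextPath() + "/home.jsp"); // assumed page
    }

    /** Logout: invalidate and forbid caching, so "Back" cannot show a protected page. */
    public static void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();
        }
        noStore(resp);
        resp.sendRedirect(req.getContextPath() + "/login.jsp");  // assumed page
    }

    /** Cache headers that stop the browser keeping a copy of the response. */
    static void noStore(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
    }

    /** One filter instead of a check copied into every JSP: map it to the
     *  protected pages (not to /login.jsp) in web.xml. */
    public static class AuthFilter implements Filter {
        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpServletResponse resp = (HttpServletResponse) rs;
            HttpSession s = req.getSession(false);  // do not create one as a side effect
            if (s == null || s.getAttribute("user") == null) {
                // after logout getSession(false) is null, so the old page is refused
                resp.sendRedirect(req.getContextPath() + "/login.jsp");
                return;
            }
            noStore(resp);      // protected pages must not be cached either
            chain.doFilter(rq, rs);
        }
    }
}
```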

  • Use cookies or sessions or what?

    I am using frames on Web Site One, with a frame on Web Site
    One pointing to Web Site Two (I own both web sites).
    Problem: Web Site Two needs remember variables in the Web
    Site Two frame displayed on Web Site One.
    When I use cookies on Web Site Two, they work fine when
    actually on Web Site Two. But cookies will not work in the Web Site
    Two frame on Web Site One.
    I have tried using cfcookie with the domain setting, but it
    doesn't work... probably because they are completely different
    URLs.
    I have tried using session variables, which also work on Web
    Site Two when on that web site, but not when accessing Web Site
    Two's pages in a frame on Web Site One.
    Is there a way to retain variables within a frame on Web Site
    One that is pointing to a completely different URL? Again, I have
    complete access to the coding on both web sites.

    Only if you pass the variable in a URL in that frame.
    Sessions and Cookies (in many cases the same thing) are domain specific, and not
    only would this not be allowed security-wise by the browser, but CF
    will attempt to stop it as well.
    What you are attempting is basically cross-site scripting.
    Passing a variable to the URL of each frame would be the only
    way to send the same variable to a completely different website.

  • Urgent: how to use cookies or session in javafx

    Hi....
    I am new to JavaFX and need help to learn how to use cookies and sessions in JavaFX. I want to create a simple website using JavaFX.
    Urgent reply is requested
    mufaddal

    Please correct me if I'm wrong: I think LiveConnect is not supported on IE, and Mozilla has plans to discontinue it.
    Didn't an earlier version of JavaFX allow access to the Applet instance, including the AppletContext? Seems to me, just generally, that JavaFX applets are hobbled unless they have that functionality available. Cookies are one example. Also applet parameters, hyperlinks, and the browser status display.
    Especially hyperlinks.

  • Whether to use cookie for session mgmt

    I'm using session mgmt by the getSession, setValue & getValue methods.
    Is it necessary to use cookies for it?

    you don't use get/setValue, you should be using get/setAttribute
    you don't need to do anything with cookies. session tracking cookies are inserted automatically.

  • How do I use cookies to control which part of the timeline to play from?

    Hi there,
    I have created an animation with Adobe Edge. My site uses Concrete5 and I am pulling the Edge content into an IFRAME on my home page (there may be a better way to do this and I'm open to suggestions). I want the animation to play from the start when someone first visits the site, but if during their browser session they navigate back to the home page, I want the animation to only play a shorter segment of frames near the end.
    My question is, how do I use cookies to achieve this? I'm new to javascript/jquery.
    I've included the following code on compositionReady, (found in another post on this forum) but don't have a clue how to continue...
    // insert code to be run when the composition is fully loaded here
    yepnope({
        nope: ['/js/jquery.cookie.js'],
        complete: init
    });
    function init() {
        // create your cookie's initial values here
    }
    My temp site is here - http://79.170.40.43/nutcrackerdesign.co.uk/
    On revisiting the homepage, I only want to play from when the green 'How can we help?' button drops in.
    Many thanks!
    Russ

    Hi, Russ-
    I found this article, which seemed really helpful in describing how cookies work in JavaScript:
    http://www.quirksmode.org/js/cookies.html
    Remember that JS works just fine within Animate, so on your compositionReady, you can read your cookie and then set the play based on that.  You should probably uncheck the autoplay for your Stage and control the play of your Stage from the compositionReady.
    Good luck!
    -Elaine

  • Can a site use cookie info from separate Firefox windows, or just between tabs in the same window?

    Hi!
    I apologize for how crazy my question sounds (& for everything that follows), but I'm at a loss as to the correct wording...I hope my explanation will clarify things, at least enough so that someone understands what I'm trying to say! Wish me luck!
    I'm using Firefox 37.0.1 on Windows 8.1 & everything is up to date. The most important details for this problem will be my settings & addons for Firefox, so here goes:
    I allow all cookies, but it's set to clear them when Firefox closes.
    I do NOT save any history or passwords & I also have "Click & Clean" enabled, & I use it frequently, even though I don't save any history or anything else, just to add to my security/privacy, (guess I didn't use it often enough, huh?)
    I have the box checked for "Do Not Track", (but I just learned the hard way that even so-called "nice" companies don't honor this request)
    I have "Ghostery" as well as "Google Analytics Opt-out" enabled (even though I don't use Google for my search engine, nor do I go to a Google site unless it's absolutely necessary; I read about Google's penchant for following users everywhere in order to get their preferences, so I avoid them if at all possible).
    In other words, I thought I was protected from tracking-related problems, but I need to know if these precautions are effective when using Firefox & having several tabs open...then opening another tab/window...are cookies & any other info "readable", (I don't know what word should be used here), from tab to tab in the same window, (which just happened to me), & is the cookie info readable from window to window? In other words, do I have to completely close out Firefox, delete cookies, then open a brand new window so that any session cookie info has been deleted to protect my browsing info from being accessed?
    I know, I'm STILL not making much sense...here's what happened (I won't divulge the site that did the 'cookie abuse', though).
    I had several tabs open, as I usually do, because I was gathering info for research on a report I was working on. Suddenly, I remembered I had to order my hubby's birthday gift, so I opened another tab, (in the same window), to my favorite site & started searching for the items I wanted. I found what I was looking for & was getting ready to check out when I noticed something very odd...there were several "suggestions" listed for items I "might be interested in, based on my browsing", but the funny thing was, I didn't search for anything related to these suggested items! Instead, they were related to items in the other tabs I had open. Scary, underhanded stuff, if you ask me! I always knew not to have banking/financial sites open while surfing, but the tabs I had open were from sites where I was getting research info for my report, so no red flags went up when I went to the site to place my order.
    So I guess the question I need answered is...is cookie info accessible only between tabs in the same browser window OR is it even accessible from window to window? Did I make sense yet? I sure hope so, because this incident has me absolutely flapping around like a fish that's just been pulled out of the water & is just left on the deck! This obvious assault on my privacy has hit me like a punch in the stomach, because I thought this site was one I could trust...especially since I had "Do Not Track", "Google Analytics Opt-out" & "Ghostery" enabled!
    I just don't know how to deal with this, but obviously, I need to know the rules so this NEVER happens again. Luckily, there wasn't any finance-related breach, but my sense of trust has taken a BIG blow.
    If this made sense to anyone, please advise me on the rules of 'cookie abuse' so I don't EVER let this happen again!
    Also, is cookie info able to be shared between browsers, e.g. use Firefox for more personal/sensitive browsing & Opera for research activity?
    Any & all advice is desperately needed & gratefully accepted! I sincerely hope this doesn't happen to anyone else because it really takes the wind out of your trust bubble. I've never been as surprised & disappointed at a company as I am about this. So sad.
    Oh well, learn something new every day...too bad I learned not to trust. :(
    Thanks in advance for your help.
    Nuts4Mutts :(
    P.S. If you need anything clarified, just ask

    Cookies are stored in a cookie jar and thus are shared among all open tabs and windows.
    Only all Private Browsing mode tabs/windows use a separate cookie jar that is used for all PB mode tabs.
    Note that session restore stores cookies of open tabs in the sessionstore.js file as part of stored session data.
    * http://kb.mozillazine.org/browser.sessionstore.privacy_level

  • How to use cookies in jsp

    Hi all,
    I'm new to jsp, please let me know how to use cookies with jsp.
    I have three web applications; at run time I have to switch from one application to another based on a single login page. I thought cookies were one of the solutions, but while googling I was unable to get any good material.
    please give some examples,
    Thanks in advance.
    achchayya

    Read a cookie in JSP (HttpSession and Cookie come from javax.servlet.http, which a JSP imports implicitly):
    HttpSession session = request.getSession();
    String sesID;
    Cookie cookie_session = getCookie(request, "COOKIENAME");
    if (cookie_session == null) {
        sesID = session.getId();          // no cookie sent: fall back to the container's session id
    } else {
        sesID = cookie_session.getValue();
    }
    or
    Get all cookies in the browser. This gets all the cookies and, according to the cookie name given, you can get the cookie value (declare the helper in a <%! ... %> block of the JSP):
    private static Cookie getCookie(HttpServletRequest request, String cookieName) {
        Cookie[] cookies = request.getCookies();  // null when the request carries no cookies
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                if (cookies[i].getName().equals(cookieName)) {
                    return cookies[i];
                }
            }
        }
        return null;                              // no cookie with that name
    }
    but I am not sure if this works for your requirement; try and see

  • Duplicate session error using Flash Remoting from Air 3.4 Mobile Apps ( IOS and Android ) with CF10

    We're getting the "duplicate session" error using Flash Remoting from Air 3.4 Mobile Apps ( IOS and Android ) with Coldfusion 10 Standard.
    faultCode:Server.Processing.DuplicateSessionDetected faultString:'Detected duplicate HTTP-based FlexSessions,
    generally due to the remote host disabling session cookies.
    Session cookies must be enabled to manage the client connection correctly.' faultDetail:'null'
    Have read most of the docs about this error -all to do with LCDS
    Notes:
    Not using LCDS,
    No Remote Calls from loaded Sub-Apps,
    No Errors from the Flex Web App which is pretty much identical and calls the same cfcs.
    The error does not happen all the time and is hard to reproduce - say 5% of app sessions at a guess.
    Could it be two first-time remote calls hitting the server together before a session is set up?
    Our remoteObjects are in two places 1) Main Application.mxml and within a class compiled into the main app - can't see how this would be an issue.
    I enabled session management for the CFCs in Application.cfc but it still occurs. Is this necessary - it's not in any docs?
    Could this be something to do with the app not being shut down - as is typical with mobile users? When they resume use after a day or two surely a new session will be created?
    Please advise thank you.

    For our project I think this issue was caused as follows:
    Believing that remoting was fully asynchronous we fired 2 or 3 remote calls to the server at the same time (within the same function) - usually when the user goes to a new section of the app.
    This seemed to trigger the duplicate http session error since, according to http://blogs.adobe.com/lin/2011/05/duplication-session-error.html, two remote calls arriving before a session is created will cause 2 sessions to be created.
    Our current solution (too early to say it works) is to daisy chain the multiple calls together.
    Also there seemed to be an issue where mobile apps that never quit (thanks Apple!) caused the error when activated after a few hours.
    I guess the session expires on the server and the error above occurs on activation.
    So the mobile apps now ping the server with a remote call when activated after sleeping for more than one hour.
    All duplicate http errors are silently caught and reported.
    Fingers crossed we won't get any more!

  • How to use cookie in OAF?

    Hi,
    I want to set cookies from OAF controller.
    Any thought or code snippet?
    Abdul Wahid

    Thanks keerthi,
    Late reply. I guess the article is about how OAF foundations maintains state.
    I did try searching, but didn't get any direct solution to use cookies just like they are used in servlets.
    The requirement was to maintain session information above the user level sessions. Custom servlet cookies looked fine, but I couldn't find a way to set those in OAF.
    However, if somebody gets a similar requirement, the solution found was the "pageContext.putSessionValueDirect" method.
    Thanks again brother.
    Abdul Wahid

  • Use Cookies =  no issue

    I am running a web agent application (web agent 9.2.1) on application server 10g. In the web module on AS I have changed the property Use Cookies = NO (which is a setting needed for our application). When running my application I get the following error:
    *An error occurred in the Oracle OLAP Web Agent
    *The session is no longer available. It may have been terminated because it was idle too long
    Has anyone encountered this error, or has an idea on how I could fix it?
    Thanks
    Ahmed Hafez

    Is this on a device? If so, sign out then sign back in again.

  • Dreamweaver need to create a session variable or Cookie or something Help

    I have been working for weeks; I am very close but can't get over one last hurdle. I am trying to call a session variable much like Dreamweaver calls mm_username. It is in the same user table as username - password - access level - Customer_id. I need to pull the session variable or cookie, or however I can do it, to access the customer id number so I can have customer-specific information and pricing. There will be multiple users for each customer so I need another variable besides mm_username. Help! I use Dreamweaver CS4, ASP VBScript and SQL Server...help

    As soon as I put the red line of code in, it is customer_id instead of user id in my table. Dreamweaver removes the user id function. Is it in the wrong place...what am I doing wrong....it is fine with the first part you did, but the second part, in red, it doesn't like.
    <%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
    <!--#include virtual="/Connections/p21.asp" -->
    <%
    ' *** Validate request to log in to this site.
    MM_LoginAction = Request.ServerVariables("URL")
    If Request.QueryString <> "" Then MM_LoginAction = MM_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
    MM_valUsername = CStr(Request.Form("username"))
    If MM_valUsername <> "" Then
      Dim MM_fldUserAuthorization
      Dim MM_redirectLoginSuccess
      Dim MM_redirectLoginFailed
      Dim MM_loginSQL
      Dim MM_rsUser
      Dim MM_rsUser_cmd
      MM_fldUserAuthorization = "Access_Level" 
      MM_redirectLoginSuccess = "/mainmenu.asp" 
      MM_redirectLoginFailed = "/loginfailed.asp" 
      MM_loginSQL = "SELECT customer_id, Login_Name, password"
      If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
      MM_loginSQL = MM_loginSQL & " FROM dbo.btb_web_login WHERE Login_Name = ? AND password = ?"
      Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
      MM_rsUser_cmd.ActiveConnection = MM_p21_STRING
      MM_rsUser_cmd.CommandText = MM_loginSQL
      MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 20, MM_valUsername) ' adVarChar
      MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 10, Request.Form("password")) ' adVarChar
      MM_rsUser_cmd.Prepared = true
      Set MM_rsUser = MM_rsUser_cmd.Execute 
      If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
        ' username and password match - this is a valid user
        Session("MM_Username") = MM_valUsername
        Session ("MM_USERID") = MM_rsUser.Fields.Item("customer_id").value
        If (MM_fldUserAuthorization <> "") Then
          Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
        Else
          Session("MM_UserAuthorization") = ""
        End If
        if CStr(Request.QueryString("accessdenied")) <> "" And false Then
          MM_redirectLoginSuccess = Request.QueryString("accessdenied")
        End If
        MM_rsUser.Close
        Response.Redirect(MM_redirectLoginSuccess)
      End If
      MM_rsUser.Close
      Response.Redirect(MM_redirectLoginFailed)
    End If
    %><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Brown Live Online Login</title>
    <style type="text/css">
    <!--
    body {
        background-image: url(/images/gradientblacktowhite.jpg);
        background-repeat: repeat-x;
    }
    .style1 {
        color: #FFFFFF;
        font-weight: bold;
    }
    .style3 {color: #000000; font-weight: bold; }
    .style5 {
        font-size: xx-large;
        color: #0000FF;
    }
    .style6 {color: #000000}
    -->
    </style></head> 
    <body>
    <p class="style5"><img src="/images/BTBlogosmall.jpg" width="322" height="53" /></p>
    <p class="style5">Brown Live Online 2.0 </p>
    <form ACTION="<%=MM_LoginAction%>" id="form1" name="form1" method="POST">
      <p>
        <label><span class="style3">    User Name</span>
        <input name="username" type="text" id="username" size="20" />
        </label>
      </p>
      <p>
        <label><span class="style1"><span class="style6">Password</span></span>
        <input name="password" type="password" id="password" size="20" />
        </label>
      </p>
      <p>
        <label>
        <input type="submit" name="button" id="button" value="Login" />
        </label>
      </p>
    </form>
    <p><a href="/index.html"><img src="/images/brown2.0.jpg" width="100" height="100" /></a> Click Image to return to <a href="http://www.browntransmission.com">www.browntransmission.com</a></p>
    </body>
    </html>

  • Using cookie with DII

    Here is an example to use cookie with static web service call:
    http://download.oracle.com/docs/cd/B32110_01/web.1013/b28974/j2sewsclient.htm#DAFDHCFA
    Could someone give an example of using a cookie with the dynamic invocation interface to invoke a web service?
    Thanks

    Dear net pas,
    Hope you are doing good.
    You have raised a very valid issue.
    Please do have a look at the SAP NOTE: 1144722-Global configuration of session cookies and attributes
    Also:
    Protecting Sessions Security
    http://help.sap.com/saphelp_nw70/helpdata/en/44/691ccdce2a3675e10000000a114a6b/frameset.htm
    Here pay special attention at:
    cookies named JSESSIONID (in accordance with the Java™ Servlet 2.3 specification) for tracking Web browser sessions.
    For this purpose, make sure that the value of SystemCookiesDataProtection and SystemCookieHTTPProtection properties of the HTTP Provider Service on the server nodes is set to true:
    More info at:
    http://help.sap.com/saphelp_nw70ehp2/Helpdata/EN/44/691ccdce2a3675e10000000a114a6b/content.htm
    Thank you and have a nice day :).
    Kind Regards,
    Hemanth
    SAP AGS

  • Sites identified to allow, allow for session or block cookies in exceptions disappear

    I identify sites to allow, allow for session or block cookies in the exceptions tab in the privacy tab. These sites all disappear when Firefox is closed without any action on my part. I have to repeatedly reenter the sites again. How do I arrange to make them remain until I make a change?

    Do not use [[Clear Recent History]] to clear the "Cookies" and the "Site Preferences"
    Clearing "Site Preferences" clears all cookies, images, pop-up windows, software installation, and password exceptions.
    * http://kb.mozillazine.org/Cookies
