Sessions without cookies on OAS 4.0.8.2

Similar Messages

• Sticky session without cookie is broken

  Hi,
  I need help from you guys to confirm this is something not supported by newer version of Coldfusion any more.
  Background:
  This is for a mobile on-deck site of a carrier in Australia. The carrier append an unique ID (a 10 digit number) by HTTP header to each handset’s http request to the Coldfusion server. Our Coldfusion code saved this ID in a variable called request.uid. Considering that not all handsets support cookie, we turned off client cookies and instead use the following code to tell the Coldfusion server that a CFID and CFTOKEN has been passed to it in query string. No CFID and CFTOKEN were actually passed in the query string. We just used our code to pretend a CFID and CFTOKEN were passed (the actual value was not set by Coldfusion server but externally by our code) . This code had been working for years which enabled us not to depend on client cookies and CFID/CFTOKEN in query string to maintain sessions for on-deck mobile sites. However, this code started not to work after we applied a coldfusion hotfix 2 (http://kb2.adobe.com/cps/403/kb403781.html) in September on coldfusion 8.0.1. Every request will start a new session rather than stick to the same session after that.
  <cfset url.cfid = "#request.uid#">
  <cfset url.cftoken = 0>
  <cfapplication name="hww_#request.site_id#" sessionmanagement="Yes"
                  setclientcookies="No" sessiontimeout="0.1" applicationtimeout="0.1">
  Can someone please verify that the above logic is not supported by new versions of Coldfusion anymore?
  Thanks.

  OK that's interesting.  I had found your technique would not work if the value for request.uid was not numeric, but otherwise works fine (on CF 8.0.1).
  My test rig is thus:
  <!--- Application.cfm --->
  <cfset request.uid = "9999999999">
  <cfset request.site_id = "fakeIdToken">
  <cfset url.cfid = "#request.uid#">
  <cfset url.cftoken = 0>
  <cfapplication name="hww_#request.site_id#"
      sessionmanagement="Yes"
      setclientcookies="yes"
      sessiontimeout="#createTimeSpan(0,0,20,0)#"
      applicationtimeout="#createTimeSpan(0,2,24,0)#">
  <cfparam name="session.ts" default="#now()#">
  <cfdump var="#url#" label="url">
  <cfdump var="#request#" label="request">
  <cfdump var="#session#" label="session">
  <cfdump var="#CGI#" label="CGI">  
  And then I hit another page in the same dir.
  With any numeric value of request.uid, sessio.ts sticks.  For non-numerics, it's ignored and CF creates its own CFID/CFTOKEN.
  Are you sure about your UID values?
  Adam

• Session and cookies

  Why, if I delete the Jsession cookies and I reload the index.faces page, and post the login form, this error happend ?
  ViewExpiredException: viewId:/login.faces - View /login.faces could not be restoredNew JSession cookie isn't created... Strange ?

  I can't find a real solution for that problem !
  In IE, the website seem to work, but without cookies... why ?
  In Firefox, after deleting the JSESSION cookie, if I reload (ctrl+F5), the cookies isn't created anymore... if I try many time, maybe 2-3 min later, the cookie is created ...
  Without cookie, I have the error about the view.
  Sometime, without any change, in Firefox, it work but using URL variable for session... and after few login-logout-login, it use JSESSIONID cookie !
  Any idea ? This kind of random problem is hard to solve.
  web.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
  </context-param>
  <context-param>
    <param-name>URL</param-name>
    <param-value>ldap://localhost:10389</param-value>
  </context-param>
  <context-param>
    <param-name>managerDN</param-name>
    <param-value>uid=admin,ou=system</param-value>
  </context-param>
  <context-param>
    <param-name>managerPassword</param-name>
    <param-value>****</param-value>
  </context-param>
  <context-param>
    <param-name>facelets.DEVELOPMENT</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <description>valide le fichier faces-config</description>
    <param-name>com.sun.faces.validateXml</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <description>vérifie si tous les objets configurés sont créé correctement</description>
    <param-name>com.sun.faces.verifyObjects</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.CONFIG_FILES</param-name>
    <param-value>/WEB-INF/faces-config.xml</param-value>
  </context-param>
  <filter>
    <filter-name>MyFacesExtensionsFilter</filter-name>
    <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
    <init-param>
     <param-name>uploadMaxFileSize</param-name>
     <param-value>20m</param-value>
    </init-param>
  </filter>
  <!-- extension mapping for adding <script/>, <link/>, and other resource tags to JSF-pages  -->
  <filter-mapping>
    <filter-name>MyFacesExtensionsFilter</filter-name>
    <!-- servlet-name must match the name of your javax.faces.webapp.FacesServlet entry -->
    <servlet-name>Faces Servlet</servlet-name>
  </filter-mapping>
  <!-- extension mapping for serving page-independent resources (javascript, stylesheets, images, etc.)  -->
  <filter-mapping>
    <filter-name>MyFacesExtensionsFilter</filter-name>
    <url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.sun.faces.application.WebappLifecycleListener</listener-class>
  </listener>
    <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  </web-app>
  index.html
  <html>
       <head>
            <meta http-equiv="Pragma" content="no-cache" />
            <meta http-equiv="expires" content="0" />
            <meta http-equiv="Cache-Control" content="no-cache" />
            <meta http-equiv="Cache-Control" content="must-revalidate" />
            <meta http-equiv="Refresh" content="0; URL=login.faces" />
            <title>Start Web Application</title>
       </head>
       <body>
            <p>
                 Please wait for the web application to start.
            </p>
       </body>
  </html>Edited by: laurentw on Feb 10, 2009 4:12 PM
  Edited by: laurentw on Feb 10, 2009 4:13 PM

• Client Object Model don't work without "cookies"

  Problem could be reproduced for all types of Client Model Object (Managed, JS, etc..)
  for example (Managed Client Model Object):
  using (var context = new ClientContext("http://pc:1111"))
      var site = context.Web;
      context.Load(site, s => s.Title);
      context.ExecuteQuery();
      Console.WriteLine(site.Title);
      Console.ReadLine();
  1) All works fine if
  cookies is turned on in web.config for Web Application
  pc:1111 (<sessionState mode="InProc"cookieless="false" timeout="20" />) 
  in "fiddler":
  Request: POST /_vti_bin/client.svc/ProcessQuery HTTP/1.1
  Response: HTTP/1.1 200 OK
  2) If using cookieless session (<sessionState mode="InProc"cookieless="true" timeout="20"
  />)
  "context.ExecuteQuery()" generate WebException "The remote server returned an error: (404) Not Found."
  in "fiddler":
  Request: GET /(S(1j0bsz55e3dk1455dhagx4ry))/_vti_bin/client.svc/ntlm/ProcessQuery HTTP/1.1
  Response: HTTP/1.1 404 Not Found
  What settings should be applied for correct working "Client Model Object" in cookieless  session or "Client Model Object" couldn't be used without cookies at all?

  Hi. I think that the CSOM uses cookie to manage authentication...
  Regards,
  Bubu
  http://zsvipullo.blogspot.it
  Please mark my answer if it helped you, I would greatly appreciate it.

• PPR and session timeout cookie

  Scott,
  Is there anyway of getting the PPR functionality to update the session timeout cookie whenever a PPR request is made???
  Thanks..

  I am using your session timeout function from otn.
  I am using it to timeout after a set period of inactivity, every time the page is redrawn the cookie time is updated.
  I am calling this function from the 'Session Verify Function' field in the authentication scheme, and initially setting the cookie on login.
  I believe that the cookie only gets updated when the page is re-drawn and the Session Verify Function is run??
  On a PPR request only part of the page is refreshed, the page header remains unaffected, which means the user can be active on a page without refreshing the timeout value on the cookie?
  (Not a major problem, but would be nice to be able to update the cookie on a PPR request as well)
  Thanks..

• Restore session without inputing session id

  After I left(closed) IE and access the same page, for example access "http://abc/pls/apex/f?p=1000:1", the site redirect me to the login page. This must annoyed users much.
  1) In a short period, if I input the url with session id, then I can reuse the same session. So how should I restore the session without directing me to the login page: I just input "http://abc/pls/apex/f?p=1000:1" instead of ""http://abc/pls/apex/f?p=1000:1:SESSION_ID" and I can access to the same page under the same session.
  2) If the session is expired, I also want I can login the server without input user name and password by using cookie. How should I implement one method to create a new session without prompting user to login page?

  Vic,
  For authenticated applications, if there is no session ID in the URL, the user must login again.
  If the session is expired ...
  They go away after 24 hours, but that's not really the same as expiring. You can invalidate your application's session cookie after a period of user inactivity if you want to and sometimes this is called session expiration but I don't think it helps with your main problem.
  I also want I can login the server ...
  There is no logging into any server that happens. A user submits a login page in your application and then logs in to your application. The steps in your application's authentication scheme determine most of the details of how that happens.
  Scott

• ALLOW A USER TO KILL A SESSION WITHOUT ALTER SYSTEM PRIVILEGE.

  Hi
  I need a user to have permission to kill a session without having the ALTER SYSTEM privilege. I created a procedure on sys schema and granted the EXECUTE privilege to the user but it doesn't work, how can I do, help please.
  CREATE OR REPLACE PROCEDURE SYS.PRC_SESSION_KILLER (P_SID IN NUMBER, P_SERIAL IN NUMBER)
  AS
  BEGIN
       EXECUTE IMMEDIATE 'GRANT ALTER SYSTEM TO SYSADMIN';
       EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION ''' || P_SID || ',' || P_SERIAL || ''' IMMEDIATE';
       EXECUTE IMMEDIATE 'REVOKE ALTER SYSTEM FROM SYSADMIN';
  END;
  Thank you very much.

  Hi,
  I second everything John said.
  Are you sure the arguments are correct?
  Below is the procedure I use. You may want to run it, just to see what the error is.
  PROCEDURE     kill_internal
       s_id          IN     NUMBER,
       serial_num     IN     NUMBER,
       stat_out     OUT     VARCHAR2
  IS
       alter_handle     INTEGER;
       ex_val          INTEGER;     -- Returned by dbms_sql.execute
  BEGIN
       alter_handle := dbms_sql.open_cursor;
       dbms_sql.parse
            alter_handle,
            'ALTER SYSTEM     KILL SESSION '''     ||
                 TO_CHAR (s_id, '999990')     ||
                 ', '                    ||
                 TO_CHAR (serial_num, '999990')     ||
            dbms_sql.native
       ex_val := dbms_sql.execute (alter_handle);
       dbms_sql.close_cursor (alter_handle);
       stat_out := 'Success: '                    ||
                 TO_CHAR (s_id, '999990')     ||
                 ', '                    ||
                 TO_CHAR (serial_num, '999990');
  EXCEPTION
       WHEN OTHERS
       THEN
            stat_out := 'Failure:'          ||
                 SQLERRM;
  --          dbms_output.put_line (stat_out);
            dbms_sql.close_cursor (alter_handle);
  END     kill_internal
  ;

• Setting secure on session management cookie only in production

  I am faced with the following:
  In our developmentcycle we deliver full application exports to an acceptation environment and after testing to a production environment.
  However, only our production site does HTTPS. Development and acceptation only do HTTP.
  In production we have to set the "secure"flag on the session management cookie.
  We would like to set this flag in our deployment scripts.
  So,
  Is there an API we could use to set the "Secure" flag in the APEX metadata using SQL*Plus?

  hi
  ->Use request.getParameter(String s) to recieve the infomation from the html page into your servlet.for storing session specific info go for
  session.setAttribute(vble,value;
  hope it'll solve your problem.

• Maintaining Session, NO Cookies

  Hello:
  Environment: Apache/9iAS, Oracle DB, Unix OS.
  Issue: Maintain user session when Cookies are NOT allowed.
  What are the options to maintain a session on a load balancing (Apache, multiple web servers) environment and client side cookies are not allowed?
  Please address security, not losing sessions in your suggestions.

  repost

• Getting timestamps for SQL session without the trace file enabled

  hi, i have a clarification. Is there a method or way by which i can get the timestamps of an SQL session without the the trace file enabled , and if so please get me the details of this.
  thanks in advance.

  Hi,
  Don't very understand what do you want.
  SQL> set timing on
  SQL> select * from dual;
  D
  X
  Elapsed: 00:00:01.07
  SQL> Is this ?
  Nicolas.

• XSQL Session and Cookies

  Hi, Steven,
  I have a question about cookies parameters in include-parameters.
  When set the following in my xsql file:
  <xsql:set-session-param name="current_user" value="{@sessionid}"/>
  <xsql:include-param name="mode"/>
  <xsql:include-request-params/>
  In the xml output, it looks like this.
  <request>
  <parameters>
  </parameters>
  <session/>
  <cookies/>
  </request>
  How come the session and cookies values are not appeared in XML file? However, if I reload the xsql file, the session and cookies values are there. Any idea what might be wrong or it is what should be?
  Thanks in advance.
  Julie Zhu

  I'd expect the cookies not to show up until the page request after the one in which they are set. This is correct since setting the cookies is something that's done on the response. Reading the cookies is reading them from the request.
  Regarding the session variables, it's
  always important to say what Web Servlet / Servlet Engine you're using XSQL with. Perhaps the setting of Servlet session variables behaves differently on different servers.

• How to rectify the hanging session without killing it?

  Hi all,
  Please help me out in the follwoing scenario.
  In a production server, I have few sessions got hanged at client side. I need to rectify it
  I cannot kill the session without commiting the data inserted.
  Is there anyway to rectify the problem.
  Please help me out.
  Thanks
  Regards
  Gatha

  Hi Gatha,
  Plz read this article here you will find all the info in very smart way...
  [http://www.oracledba.in/display_article.aspx?article_id=284]
  A R P I T S I N H A
  [http://www.oracledba.in/Main.aspx]

• RTPManager create Session without initial Target?

  hi!
  is there a way to initialize an RTP-session without having to add at least one target?
  i would like my video-streamserver to listen for new participants and only start streaming
  if there are any. vice versa, i want it to stop streaming if there are no more participants.
  the participants would be player -applets downloaded from my site.
  is that possible?

  it is possible:
  just use
  initialize(javax.media.rtp.SessionAddress localAddress)
  instead of:
  initialize(javax.media.rtp.SessionAddress[] localAddresses,
  javax.media.rtp.rtcp.SourceDescription[] sourceDescription,
  double rtcpBandwidthFraction,
  double rtcpSenderBandwidthFraction,
  javax.media.rtp.EncryptionInfo encryptionInfo)

• Debug session without compile

  Is there any way to get Flex Builder to launch a debug
  session without 1st trying to compile? I'm using Beta 3, but due to
  some backwards compatibility issues I'm having to do command line
  compiles using the Beta 2 SDK. I still need to use the debugger,
  and I can, but every time I try and launch it, FB 1st tries to
  compile my stuff, and warns me of errors it found before it will
  actually start up the debug session.
  Thanks,
  -Hob

  One workaround you could use is to point the debug
  configuration at a different file than the one that is being
  compiled by the tool. You do that by editing the debug
  configuration. By default, FB creates a debug configuration that
  will launch the HTML wrapper it creates for your compiled
  application. But you can go in and edit it to point at anything. If
  you make your build script generate a SWF that has a different name
  than the one being created by FB, you should be able to point the
  debug config at your renamed SWF and launch it instead of the one
  that's being auto-compiled when you hit debug.

• APEX 4.1 - Problem with session and cookie

  Hi,
  I have 2 applications with both public pages and pages needs authentication. The 2 apllication have same authentication model and are using subscription to have like an SSO. So they share the same cookie.
  My problem is when i'm loged on the first application and open a new navigator tab to go into a public page of the second without passing the session id, My session on the first application is not valid any more and i must login again.
  I'm migrating all my applications from apex 3.1 to apex 4.1. Before this upgrade all my applications worked fine.
  Thanks.

  Hi,
  have you implemented your own custom authentication scheme or are you using a built-in one? If you have a custom authentication scheme, can you setup an example on apex.oracle.com and provide the workspace name and application id so that we can have a look.
  Regards
  Patrick
  My Blog: http://www.inside-oracle-apex.com
  APEX Plug-Ins: http://apex.oracle.com/plugins
  Twitter: http://www.twitter.com/patrickwolf