Setting secure on session management cookie only in production

Similar Messages

• Setting secure flag on weblogic (5.1) session cookie.

  Hello All,
            I need to set secure flag on weblogic session cookie. I am not able to
            find any property in weblogic.properties file to set the secure flag for
            session cookie.
            Does anybody has any idea how to achieve this.?
            Thanks
            Nitin
            

  The best way to reduce GC is to change you application to use less memory. Serious.
  There are a number of JVM options for GC. I can't tell you what will work best
  for your application.
  25 seconds is way too long for a GC. Is the OS paging? You may wish to invest
  in additional memory.
  Mike Reiche
  vijendran <[email protected]> wrote:
  Hi,
  I am running a load test which will simulate 100 users. when i tried
  to simulate i found that GC is happening often even though i set the
  heap to 512 MB., and that too some time it takes upto 25 secs. for a
  GC to complete. Please advise on how to increase the performance for
  more number of users (without clustering weblogic) and to avoid GC happening
  often.
  Regards
  Vijendran

• How can I set Firefox 8.0 to accept 3rd party cookies ONLY from selected sites but NOT from any other sites?

  I do not like to accumulate 3rd party cookies and would simply not check the Accept 3rd Party Cookies box in Preferences. BUT in order to use my bank's web page I have to accept 3rd party cookies from a separate site that manages some of their transactions (like paying bills). This means I have to accept 3rd party cookies and then delete them by hand OR I have to check the accept box each time I use the bank's website and then uncheck it when I am done.

  Thanks, but that is not what I was trying to do. I do not want to block cookies from a single site. I do not want to block all 3rd party cookies.
  What I want to do is ACCEPT 3rd party cookies only from ONE site but NOT from any other site.

• The OMS is not set up for Enterprise Manager Security

  Hi, I'm trying to add an agent to grid control and its not connecting with the management server because i cant secure it...
  bash-2.05$ ../../bin/emctl secure agent <password>
  Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
  Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
  Agent is already stopped... Done.
  Securing agent... Started.
  Requesting an HTTPS Upload URL from the OMS... Failed.
  The OMS is not set up for Enterprise Manager Security.
  i have tried this on two seperate servers, both do the exact same thing. However, on my repository server where the OMS is housed, i can secure the agent no problem. Does anyone know what the problem could be? My OMS is on a Linux (SuSE 10.2) 32-bit machine.
  heres the emdctl.trc on the agent machine:
  2007-07-11 11:00:20 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:00:21 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:00:21 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:00:21 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:00:21 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:00:22 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:00:22 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:05:10 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:05:10 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  2007-07-11 11:10:08 Thread-1 WARN http: snmehl_connect: connect failed to (cbldb3:3872): Connection refused (error = 239)
  2007-07-11 11:10:08 Thread-1 ERROR main: nmectla_agentctl: Error connecting to http://cbldb3:3872/emd/main/. Returning status code 1
  bash-2.05$ lsof | grep 3872
  bash-2.05$
  seems to be failing the connect but nothing is running on the port so i'm not sure why
  Thanks in advance
  Message was edited by:
  user581869

  some further information and hopefully someone can help me...
  I went to the OMS binary folder (fmc45712:$OMS_HOME/bin) and executed the following commands...
  $OMS_HOME/opmn/bin/opmnctl stopall
  $OMS_HOME/bin/emctl stop oms
  $OMS_HOME/bin/emctl secure oms
  $OMS_HOME/bin/emctl start oms
  $OMS_HOME/opmn/bin/opmnctl startall
  then i go to $AGENT_HOME on the OMS machine (fmc45712:$AGENT_HOME/bin) and execute..
  $AGENT_HOME/bin/emctl status agent -secure
  Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
  Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
  Checking the security status of the Agent at location set in /opt/oracle/OracleHomes/agent10g/sysman/config/emd.properties... Done.
  Agent is secure at HTTPS Port 3872.
  Checking the security status of the OMS at http://fmc45712:4889/em/upload/... Done.
  OMS is secure on HTTPS Port 1159
  I then to go the server i deployed the agent on that i want to get communicating wtih my OMS...
  $AGENT_HOME/bin/emctl status agent -secure
  Oracle Enterprise Manager 10g Release 3 Grid Control 10.2.0.3.0.
  Copyright (c) 1996, 2007 Oracle Corporation. All rights reserved.
  Checking the security status of the Agent at location set in /u101/em/agent10g/sysman/config/emd.properties... Done.
  Agent is unsecure at HTTP Port 3872.
  Checking the security status of the OMS at http://fmc45712:4889/em/upload/... Done.
  OMS is running but has not been secured. No HTTPS Port available.
  same command, different computer, but on the same network, and it just doesn't work. The OMS is on Linux x86 and the agent on the alternate computer is on HP-UX. If anyone has any help it'd be much appreciated.

• Session state can only be used when enablesessionstate is set to true.

  When I try to open up a certain webpage it says; Session state can only be used when enablesessionstate is set to true. What does it mean and what should I do?

  Contact the webmaster for that site and report the problem.

• ASP Web Forms Error: Session state can only be used when enableSessionState is set to true

  Hello,
  I am developing a custom application page for a custom Web Forms I am creating, which I plan on using for custom task form into SharePoint 2010 Foundation.
  Currently, I am trying to test it in Debug Mode using Visual Studio 2010 but when I am trying to use Sessions I get the error:
  Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the <configuration>\<system.web>\<httpModules> section in the application configuration
  I've already done this on trying to fix:
  On my page
  <%@ Page Language="C#" AutoEventWireup="true" CodeFile="TestForm.aspx.cs" Inherits="TestForm" EnableSessionState="True" %>
  And on my web.config
  <pages enableSessionState="true">..<httpModules>
  <remove name="Session" />
    <add name="Session" type="System.Web.SessionState.SessionStateModule, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  </httpModules>
  Note: I am getting an error when I try to add <module> into web.config
  ASP .NET State Service is currently running.
  And the part where it keeps error is when in PageLoad, I try to set a List object something like this:
  List<object> myobject
  get
  if (Session["object"] == null)
  Session["object"] = new List<object>();
  return Session["object"] as List<object>;
  set
  Session["object"] = value;
  protected void Page_Load(object sender, EventArgs e)
  myobject= new List<object>();
  BUT the error still persists! I also try to restart IIS but still the error still happens.
  I am running out of ideas so can you help me out?
  Thank you!

  Could be your skype intercepting your requests at 80 port, in Skype options uncheck
  Or Your IE has connection checked for Proxy when there is no proxy
  Or your fiddler could intercept and act as proxy, uncheck it!
  Solves the above problem, It solved mine!
  HydTechie
  HydPhani

• How to set default value of session management alert

  Dear Sir,
  Our server is EP7 , I would like to set the default value of session management alert to be "OFF". Because now the default value of session management alert to be "ON".  And I must manual set when the server start every time.
  Please kindly advise.
  Thank you and best regards,
  Vimol

  Hi,
  There is also a SAP note which explains this:
  SAP Note Number: [868477 |https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes/sdn_oss_ep_pin/~form/handler%7b5f4150503d3030323030363832353030303030303031393732265f4556454e543d444953504c4159265f4e4e554d3d383638343737%7d]
  Regards,
  Praveen Gudapati

• Am using Safari 4.1.3 with system 10.4.11 and can only come up with advances preference page when calling up security - thus cannot see cookies. I have Safari 5.0.6 on my MacBook. Will it run on my older machine? Can I transfer older bookmarks?

  Am using Safari 4.1.3 with system 10.4.11 and can only come up with advances preference page when calling up security - thus cannot see cookies. I have Safari 5.0.6 on my MacBook. Will it run on my older machine? Can I transfer older bookmarks to the new software?
  Machine Serial Number:          W8*********AR
  <Personal Information Edited by Host>

  Safari preferences has no...

• Session Manager only reloading 1 of the 13 windows shown as backed-up

  Since applying latest update to Firefox (including a suggested upgrade to Adobe Flashplayer) Firefox Session Manager only opens the first window and its Tabs of a saved session, even though it shows that that session contains 13 Windows with a total of 53 tabs.
  If I then close that Window and try to re-open it Firefox fails to open any Window.

  Thanks fr revert !
  After clicking on the provided link , Above error pops up. I clicked "ok" n allowed download to complete after which same previous error shows up!

• If user disable cookie how to set and use session with URL Rewritting

  if user disable cookie how to set and use session with URL Rewritting by append session ID in url

  If cookies are disabled, then app server will automatically try to use URL rewriting for session control. Programmer's responsibility is to encode any links or redirects using
  response.encodeURL("/yourPage.jsp")
  and
  response.encodeRedirectURL("/yourPage.jsp")
  See API for details
  http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletResponse.html#encodeURL(java.lang.String))

• Plugin based Web Service with session management

  I am trying to make a web service in java with jax-ws that should support extensions to the service without rebuilding the project. I thought it might be possible to make a standard web service and the let each plugin create their own service, making the client side plugin point to both the standard service and the plugin specific one. This way I could have user management and such in the standard service and the more plugin specific one in an other service. The problem is though, how do I make a common session for all the services? All services are running at the same server and on the same domain name.
  I checked the HTTP headers and found out that the JSESSIONID was changing when I created a new port on the client side. I was trying to implement a SOAPHandler to edit the cookie in the HTTP header, hoping that this will lead to the same session across the services. But found it hard. It was no problem reading the "Set-cookie" header, setting the cookie on the new requests was harder, as the CookieJar object seems to be internal [1]. And the MessageContext.HTTP_REQUEST_HEADERS wasn't created at the time my handlers run. Is there an easy solution to this?
  I am not sure if my idea is a good solution to the main problem, and all other ideas are more than welcome. I hope it is possible to extend the features of my server without rebuilding the project. If anything is unclear, feel free to ask :)
  [1] com.sun.xml.internal.ws.client.http.CookieJar

  Adhir_Mehta wrote:
  Could you explain plug in scenario with one example?Ok. We have not chosen exactly how to do this, but the idea is that someone may be able to extend the functionality of our server without rebuilding the project. We thought of something like a jar file with a implementation of some abstract classes. It should at least only be necessary to redeploy the project into the web container. The problem is; how do we let the plugins extend our web interface? One solution we thought of was to let each plugin have it's own service and dynamicly link to the plugin services from the main service that we provide as standard in our server. This way we may have some kind of plugin support on the clients as well, making the client side plugins know what kind of service it needs on the server side and thus extending the functionality all together.
  Hope that explains our scenario. Feel free to comment and add new ideas :)
  Regarding session management, its not advisable to manage the session in web services since that way it will become non interoperable.The documentation we found regarding sessions and jax-ws was all doing sessions with HTTPSessions, and to let the web container handle that.
  On the server side
      @Resource
      private WebServiceContext wsContext;
      private HttpSession getSession() {
          MessageContext mc = wsContext.getMessageContext();
          return ((javax.servlet.http.HttpServletRequest)mc.get(MessageContext.SERVLET_REQUEST)).getSession();
      HttpSession session = getSession();
      session.setAttribute("User", user);On the client side
  ((BindingProvider)port).getRequestContext().put(BindingProvider.SESSION_MAINTAIN_PROPERTY,true);Do you have other standard options for us on how to do session management? All ideas are more than welcome

• State management and session management

  Hi
  Can anyone tell me a good way to maintain state without using EJB?
  and is there a way to manage sessions without cookies and URL rewriting.
  Thanks

  Can anyone tell me a good way to maintain state
  without using EJB?Of course. Depends on what sort of state you are looking to maintain... if you are looking for alternatives to stateless session beans, you can simply use the servlet session i.e., via HttpSession.set/getAttribute().
  and is there a way to manage sessions without cookies
  and URL rewriting.Not really, cookies and URL rewriting are the only reasonable solutions. I suppose one could design an alternative approach. The bottom line is http is a stateless protocol -- to maintain state across requests a session id must be associated with the client.

• 'Security' shows nothing re: cookies

  I'm trying to check/remove cookies as I just had a popup that took 20 minutes before it disappeared. It was http://a.tribalfusion, which I've never seen before, so I thought I'd go in & manage cookies & to see nothing had been hacked (as though I'd be able to tell!) The popup went away after I began searching it's URL to see what/who it was.
  I've got my settings pretty secure, I think, but am unable to access cookies via Security at all; nothing in there from any available options. Am I missing something?!

  Hi Noelene,
  Glad that worked out.
  scottishlass wrote:
  Last question: are you familiar w/this a.tribalfusion? It seems to be a 'High' danger spyware, which I've not had problems w/at all since I switched to Mac 3 1/2 yrs ago.
  I'm not familiar with it but a search on "a.tribalfusion" in Google gives a lot of hits. Seems some kind of advertising service used on some sites.
  What you can do (all in Safari, so not in System Preferences ):
  Make sure in the Safari menu the setting "Block Pop-Up Windows" is checked.
  In the Security Screen, where we've been before, make sure to accept only cookies from sites you visit.
  Remove all your cookies and restart Safari.
  If the problem persists it might be good idea to create a separate topic on "a.tribalfusion". There for sure are people around here who have encountered it and can help you better than I can.
  Eric

• Tomcat Session Management

  Hello.
  I have a question about how Tomcat performs session managment that I can't quite seem to find an answer for.
  When you put data into a session, such as a logonid, is the session data sent back to the client and stored in the cookie, or is it kept on the server side (in memory?) and accessed via the sessionid when the user returns? If you use WebScarab or achilles to watch the traffic, it doesn't appear that the data goes back to the client. (Which is a good thing for security). Just wanted to confirm that.
  Thanks very much.

  I'm not sure but I think the listener is only called when a user session is Created or Destroyed.
  What we did:
  1. on Create, stored the newly created user session in a vector in the Application Session.
  2. on Destroy (User session timeout or user logs off), remove the session from the vector.
  We maintained the list to see who was online and too see when they last made a server request:
  long last_access_x_seconds_ago = System.currentTimeMillis() - userSession.getLastAccessedTime();The userSession comes from the vector list in the application session. The method getLastAccessedTime(); is a default session method, there are some others that you might find useful...
  HTH.
  ps. My nick/name is Munyul ... HTH = Hope This Helps :p

• Session management problems with SSO

  Hi all-
  I've been getting an Apex app tied to SSO as a partner app (per http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html). So far, it sort of works. If I go to my apex app, it redirects me to SSO, where I authenticate and end up back in the apex app. Great. Here are two problems I've run into:
  1. If I am already authenticated to SSO, and I go to my apex app (url like: http://host/pls/apex/f?p=101:1), my browser goes into an infinite redirect (url like: http://host/pls/apex/f?p=101:1:::::FSP_AFTER_LOGIN_URL:\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|||||FSP_AFTER_LOGIN_URL|\f?p=101|1|||||FSP_AFTER_LOGIN_URL|\f? p=101|1|\\\\\\\\\\\\\\\\\\\). To resolve, I have to clear cookies.
  2. If I am using my apex app, then log out of SSO (in another browser window), I can still click around in my apex app (i.e., apex thinks I'm still authenticated).
  Anyone have any thoughts? I'm wondering if I need to do something in page session management (under authentication schemes) to fix #2, but I have no clue about #1.
  Thanks
  Rob

  Hi Scott-
  Thanks for the info on #2 - I'll work on that after I get #1 sorted out, since it's the more dire problem. Here's some more info:
  Apex version = 3.0.1.00.08
  SSO SDK = ssosdk902.zip
  I set it up as "My Application as Partner App." I used "MY_PARTNER_NAME" as SSO Partner Application Name. In the list of SSO Partner Apps on the SSO Admin page, my partner app name is also MY_PARTNER_NAME. It gives the following info:
  Login URL:      https://sso_host/pls/orasso/orasso.wwsso_app_admin.ls_login
  Single Sign-Off URL:      https://sso_host/pls/orasso/orasso.wwsso_app_admin.ls_logout
  Home URL: http://apex_host/pls/apex
  Success URL: http://apex_host/pls/apex/RBLICK.YOUR_PACKAGE.PROCESS_SUCCESS
  Logout URL: http://apex_host/pls/apex
  RBLICK is the schema owning the apex app. In there, I created a package called YOUR_PACKAGE:
  create package YOUR_PACKAGE as
  procedure process_success(urlc in varchar2);
  end YOUR_PACKAGE;
  CREATE PACKAGE BODY YOUR_PACKAGE AS
  procedure process_success(urlc in varchar2) as
  begin
  wwv_flow_custom_auth_sso.process_success(
  urlc=>urlc,
  p_partner_app_name=>'MY_PARTNER_NAME');
  end process_success;
  END YOUR_PACKAGE;
  Anything look obviously wrong to you?
  Thanks!
  Rob