Sticky session without cookie is broken

Similar Messages

• Sessions without cookies on OAS 4.0.8.2

  I try to build a Servlet on OAS 4.0.8.2 where sessions are not realized via cookies but via URL encoding. This does not work, however, as the session information is added to the URL by the OAS in a form that destroys my query parameters which is an OAS bug, I think. Cookies work fine, but I am not allowed to use them in my context. Does anyone have experience with this ?

  OK! Fixed that one myself - for now. I had used some wrong jar:s in my libraries.
  There are still some problems.
  If I use JDK 1.1.8, I get the following trace when trying to run my client:
  java.lang.NoSuchMethodError: java.lang.System: method setProperty(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; not found
  at
  at javax.naming.spi.NamingManager.getDefaultInitialContextFactory(NamingManager.java:696)
  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:744)
  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:181)
  at javax.naming.InitialContext.<init>(InitialContext.java:158)
  at test.BCEJBClient.main(BCEJBClient.java:32)
  The problem goes away if I instead use JDK 1.2.2. But in the project I'm working on we are usng JDK 1.1.8. How can this problem be solved?

• Authentication in clustered web application without sticky session

  I have built JSP/Servlet/Struts application in the past on a cluster of app servers. Each app server has its own JVM running the Servlel Container. All of the HTTP requests come into a hardware load balancer, which directs the requests to one of the app servers in the cluster.
  I have wanted to use the Java HttpSession management without any kind of distributed session provided by the app server. We have used "sticky" sessions. The application writes a cookie to the client on the first request. The load balancer looks for that cookie on subsequent requests and directs the request to the server that originally wrote the cookie. This ensures that all requests within the same session are handled by the same application server. This also means that if I do request.getSession().setAttribute("authenticated",true) on one request, when I do request.getSession().getAttribute(authenticated) on subsequent requests in the same session, I can be sure the value will not be null. This allows me to create a filter that checks for that session attribute on each request, and if it is false or null, redirect the request to some sort of login page. Otherwise I can be sure the user has logged in.
  I want to build a stateless/non-session based application that can still handle authentication. What I mean by that is that I don't want the load balancer to have to send requests for the same session all to the same server. I would like the load balancer to send each request where ever it wants. That means the simple authentication example I explained in the last paragraph would not work. The user could login on server A, but then on a subsequent request during the same "session", the user's request could be handled by server B. In that case, the session attribute would be null, and the app would think that the user has not logged in.
  My application can require that users have cookies enabled, so therefore I can assume the user is accepting cookies (I would have something to check that and redirect the user to an error page saying "turn cookies on" if cookies weren't on). I think one thing that I could do is use encrpytion with a key that is shared between all the servers in the cluster. For example, user logins in on server A, server A writes a cookie with the contents "username,1109272102009". The first part being the username that the user successfully authenticated as and the second part being a timestamp for when the cookie was created. The contents of the actual cookie would be encrypted and I would send the ciphertext as the value of the cookie. When server B gets the cookie, it can decrypt the ciphertext (using the same key as was used to encrypt the data on server A), and check that the username is valid and that the timestamp does not exceed some timeout. The timestamp in the cookie would then have to be updated for the next request.
  So my question is (thanks for sticking with me and reading this really long post), has anyone done anything like this before? Is what I have described totally ridiculous or insecure? Are there any books or articles that describe a pattern similar to this that has been know to work well?

  I have worked on a web site that did exactly that.
  The cookie contained a little bit more information - there was a small amount of user data that were needed on heavily accessed pages.
  You'll have a problem if your web application uses attributes. We solved this by keeping most stuff in hidden inputs (backed up by hidden input cryptographic checksums in places where forgery was a concern.) HttpSession attributes have some problems and gotchas.
  A few possible fine tunings:
  Add a random number to the cookie. Should make known plaintext attacks harder.
  Add some extra stuff to the cookie, so that any random hex string that happens to decode to "xZoiyqw,15" isn't accepted. It's easy to try a million cookies until you get "<something>,<integer>" but getting "<something>,<integer>,HelloHowAreYou" is a lot harder.
  Be paranoid in checking the format of the cookie. If you add a random number, check that it is all digits etc. Belt and suspenders: also check that the time stamp isn't in the future (allow e.g. 15 seconds future time, in case different servers' clocks are a bit off.)
  Don't update the cookie at every hit, only if the time stamp is older than a couple of minutes. Saves encryption CPU power.
  After encrypting, prepend a short version number to the cookie. E.g. if the hex cookie is ABCDEF, make it 1ABCDEF. If you later e.g. change the encryption algorithm, change version to 2 and you can easily skip any obviously non-decipherable cookies. A second version number within the cookie might or might not be useful.
  Even though you can make random load balancing, consider not doing that. E.g. a server might pull the user's name from the database into memory cache. You get less database traffic and smaller caches if the user still goes to the same server. If a server goes down, only then switch him elsewhere. Downside though: if one server is "half alive" (doesn't respond to requests but alive enough so the load balancer doesn't notice the malfunction), all users bound to that server see a 100% failure.
  Benchmark cookie decryption time when selecting the crypto algorithm. How many hits per second you can get and how many you need.
  Guard your crypto keys like the crown jewels. Change them periodically and whenever someone in your company (especially IT department) gets the pink slip.

• Sticky sessions and Load Balancing in WL Clusters

  We are using iPlanet Web Server 4.1 with WebLogic App Server; and would like
  to implement load balancing with sticky sessions and in-memory state
  replication.
  The documentation in Weblogic says that -
  When using in-memory state replication, your WebLogic Server Cluster must
  live behind one or more proxy servers. The proxy servers are smart enough to
  send servlet requests, belonging to the same HTTP session, back to the same
  server in the cluster that holds the session data.
  (Ref: http://www.weblogic.com/docs51/cluster/setup.html)
  Does this mean that the sticky session configuration has to be done on the
  iPlanet Web Server itself ?
  Also, if WebLogic is used as the Web server, does WebLogic provide any
  support for sticky sessions?
  Any help, suggestions or links to useful info are welcome.
  Regards,
  Milind.

  Mike,
  im curious as to why you would recomend using weblogic as a web server in 6.1?
  I would not for the following reasons:
  - it costs 10x more per cpu list
  - it doesnt support hardware accell cards (afaik, please let me know if this has
  changed)
  iplanet is really good a serving up static html and gif's, especially in ssl if you
  have a hardware accell card. So if you have a site with lots of graphics and you use
  ssl a lot, I think its still a better solution.
  -Joel
  Mike Reiche wrote:
  You get sticky round-robin by default.
  You need to have session tracking turned on (i think it is on by default). You
  need to have the WL plugin configured in iPlanet.
  When WL creates an httpSession, it writes a cookie (or rewrites the URL) back
  to the browser. On subsequent requests, the browser sends the cookie and iPlanet
  plug-in directs the request to the correct WL instance based on the ip address
  of the WL server embedded in the cookie.
  If you are using WLS 6.1, I would recommend using it as a web server (and not
  using iPlanet). I imagine that it supports stickly load balancing as well.
  Mike
  Joel Nylund <[email protected]> wrote:
  you get round robin by default, if you want a different scheme you can
  use one
  of the other 3 options (weight, random or parameter).
  -Joel
  I think weight can be set in weblogic properties. I havent used any other
  than
  round robin.
  Milind Prabhu wrote:
  We are using iPlanet Web Server 4.1 with WebLogic App Server; and wouldlike
  to implement load balancing with sticky sessions and in-memory state
  replication.
  The documentation in Weblogic says that -
  When using in-memory state replication, your WebLogic Server Clustermust
  live behind one or more proxy servers. The proxy servers are smartenough to
  send servlet requests, belonging to the same HTTP session, back tothe same
  server in the cluster that holds the session data.
  (Ref: http://www.weblogic.com/docs51/cluster/setup.html)
  Does this mean that the sticky session configuration has to be doneon the
  iPlanet Web Server itself ?
  Also, if WebLogic is used as the Web server, does WebLogic provideany
  support for sticky sessions?
  Any help, suggestions or links to useful info are welcome.
  Regards,
  Milind.

• Finding the handler host in cluster when using sticky sessions

            Our design is like this: we have Apache front-ending the WL cluster. The session
            is not replicated across WL hosts in cluster. However, the Apache-weblogic bridge
            takes care of handling sticky - sessions ( i.e. forwarding requests in same session
            to one host in cluster )
            Now, we have some code running on Apache itself , in Perl.
            The requirement is as follows : In the Perl code, we trap certain requests which
            are NOT forwarded to Weblogic. However, in the Perl code, we do trap the JSESSIONID
            cookie. Now, using this cookie value, is it possible to know which WL host in
            cluster is handling its corresponding session ??
            This is required, since the Perl module is supposed to make an explicit HTTP request
            to that WL host - passing the JSESSIONID as a parameter - for authentication.
            Thanks,
            Subodh
            

  can the perl module send this request to the apache webserver itself and set
            the cookie the same? That would allow apache plugin to send it to the right
            node.
            "Subodh" <[email protected]> wrote in message
            news:[email protected]..
            >
            > Our design is like this: we have Apache front-ending the WL cluster. The
            session
            > is not replicated across WL hosts in cluster. However, the Apache-weblogic
            bridge
            > takes care of handling sticky - sessions ( i.e. forwarding requests in
            same session
            > to one host in cluster )
            >
            > Now, we have some code running on Apache itself , in Perl.
            >
            > The requirement is as follows : In the Perl code, we trap certain requests
            which
            > are NOT forwarded to Weblogic. However, in the Perl code, we do trap the
            JSESSIONID
            > cookie. Now, using this cookie value, is it possible to know which WL host
            in
            > cluster is handling its corresponding session ??
            >
            > This is required, since the Perl module is supposed to make an explicit
            HTTP request
            > to that WL host - passing the JSESSIONID as a parameter - for
            authentication.
            >
            >
            > Thanks,
            > Subodh
            >
            

• Session and cookies

  Why, if I delete the Jsession cookies and I reload the index.faces page, and post the login form, this error happend ?
  ViewExpiredException: viewId:/login.faces - View /login.faces could not be restoredNew JSession cookie isn't created... Strange ?

  I can't find a real solution for that problem !
  In IE, the website seem to work, but without cookies... why ?
  In Firefox, after deleting the JSESSION cookie, if I reload (ctrl+F5), the cookies isn't created anymore... if I try many time, maybe 2-3 min later, the cookie is created ...
  Without cookie, I have the error about the view.
  Sometime, without any change, in Firefox, it work but using URL variable for session... and after few login-logout-login, it use JSESSIONID cookie !
  Any idea ? This kind of random problem is hard to solve.
  web.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
  </context-param>
  <context-param>
    <param-name>URL</param-name>
    <param-value>ldap://localhost:10389</param-value>
  </context-param>
  <context-param>
    <param-name>managerDN</param-name>
    <param-value>uid=admin,ou=system</param-value>
  </context-param>
  <context-param>
    <param-name>managerPassword</param-name>
    <param-value>****</param-value>
  </context-param>
  <context-param>
    <param-name>facelets.DEVELOPMENT</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <description>valide le fichier faces-config</description>
    <param-name>com.sun.faces.validateXml</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <description>vérifie si tous les objets configurés sont créé correctement</description>
    <param-name>com.sun.faces.verifyObjects</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.CONFIG_FILES</param-name>
    <param-value>/WEB-INF/faces-config.xml</param-value>
  </context-param>
  <filter>
    <filter-name>MyFacesExtensionsFilter</filter-name>
    <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
    <init-param>
     <param-name>uploadMaxFileSize</param-name>
     <param-value>20m</param-value>
    </init-param>
  </filter>
  <!-- extension mapping for adding <script/>, <link/>, and other resource tags to JSF-pages  -->
  <filter-mapping>
    <filter-name>MyFacesExtensionsFilter</filter-name>
    <!-- servlet-name must match the name of your javax.faces.webapp.FacesServlet entry -->
    <servlet-name>Faces Servlet</servlet-name>
  </filter-mapping>
  <!-- extension mapping for serving page-independent resources (javascript, stylesheets, images, etc.)  -->
  <filter-mapping>
    <filter-name>MyFacesExtensionsFilter</filter-name>
    <url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.sun.faces.application.WebappLifecycleListener</listener-class>
  </listener>
    <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  </web-app>
  index.html
  <html>
       <head>
            <meta http-equiv="Pragma" content="no-cache" />
            <meta http-equiv="expires" content="0" />
            <meta http-equiv="Cache-Control" content="no-cache" />
            <meta http-equiv="Cache-Control" content="must-revalidate" />
            <meta http-equiv="Refresh" content="0; URL=login.faces" />
            <title>Start Web Application</title>
       </head>
       <body>
            <p>
                 Please wait for the web application to start.
            </p>
       </body>
  </html>Edited by: laurentw on Feb 10, 2009 4:12 PM
  Edited by: laurentw on Feb 10, 2009 4:13 PM

• Apache plugin won't do sticky sessions

  Hi,
  I'm trying to use the apache plugin, with apache 1.3.26, front-ending 2 WL6.0SP2;
  and I can't get session affinity to work.
  the plugin get loaded properly, and "works" since it is load balancing requests.
  unfortunately, sticky sessions don't
  here the relevant config
  <IfModule mod_weblogic.c>
  WebLogicCluster 10.2.255.35:7070,10.2.255.50:7070
  DebugConfigInfo ON
  CookieName SID
  Debug ALL
  </IfModule>
  and a dump of the URLs for a single session. you can see it's going to the 2 servers.
  ================New Request:
  Wed Sep 25 08:23:29 2002 Connected to 10.2.255.35:7070
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
  Wed Sep 25 08:23:29 2002 Hdrs from WLS:[Set-Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to client:[Set-Cookie]=[SID=PZHUuWPR; path=/]
  ================New Request:
  Wed Sep 25 08:23:29 2002 Init: availcookie=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Connected to 10.2.255.35:7070
  Wed Sep 25 08:23:29 2002 Hdrs from clnt:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
  ================New Request:
  Wed Sep 25 08:23:29 2002 Init: availcookie=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Connected to 10.2.255.50:7070
  Wed Sep 25 08:23:29 2002 Hdrs from clnt:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
  ================New Request:
  Wed Sep 25 08:23:29 2002 Init: availcookie=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Connected to 10.2.255.50:7070
  Wed Sep 25 08:23:29 2002 Hdrs from clnt:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
  The weird part is that I'm seeeing this behavior with the iplanet plugin as well.
  anyone got any luck in setting that up ?
  thanks,
  jm.

  You can use the console to edit the deployment descriptor for the webapp.
  Or you can modify the weblogic.xml and add the following:
  <session-descriptor>
  <session-param>
  <param-name>
  PersistentStoreType
  </param-name>
  <param-value>
  Replicated
  </param-value>
  </session-param>
  </session-descriptor>
  Some useful links:
  http://e-docs.bea.com/wls/docs61/webapp/weblogic_xml.html#1014231
  http://e-docs.bea.com/wls/docs61/webapp/sessions.html#100659
  http://e-docs.bea.com/wls/docs61/cluster/servlet.html
  Regards,
  Eric
  "Pancday Pac" <[email protected]> wrote in message
  news:[email protected]...
  Eric,
  I also met this problem.
  How to "have replicated sessions set for the webapp". What I found is just
  the CookieName which I didn't change and just use the default value.
  "Eric Gross" <[email protected]> wrote in message
  news:[email protected]...
  It looks like you have properly setup clustering on WebLogic itself.
  You need to make sure you have replicated sessions set for the webapp in
  question.
  Regards,
  Eric
  "Jean-Michel Leon" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  I'm trying to use the apache plugin, with apache 1.3.26, front-ending
  2
  WL6.0SP2;
  and I can't get session affinity to work.
  the plugin get loaded properly, and "works" since it is load balancingrequests.
  unfortunately, sticky sessions don't
  here the relevant config
  <IfModule mod_weblogic.c>
  WebLogicCluster 10.2.255.35:7070,10.2.255.50:7070
  DebugConfigInfo ON
  CookieName SID
  Debug ALL
  </IfModule>
  and a dump of the URLs for a single session. you can see it's going to
  the
  2 servers.
  ================New Request:
  Wed Sep 25 08:23:29 2002 Connected to 10.2.255.35:7070
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
  Wed Sep 25 08:23:29 2002 Hdrs from WLS:[Set-Cookie]=[SID=PZHUuWPR;
  path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to client:[Set-Cookie]=[SID=PZHUuWPR;path=/]
  ================New Request:
  Wed Sep 25 08:23:29 2002 Init: availcookie=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Connected to 10.2.255.35:7070
  Wed Sep 25 08:23:29 2002 Hdrs from clnt:[Cookie]=[SID=PZHUuWPR;
  path=/]
  >>>
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
  ================New Request:
  Wed Sep 25 08:23:29 2002 Init: availcookie=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Connected to 10.2.255.50:7070
  Wed Sep 25 08:23:29 2002 Hdrs from clnt:[Cookie]=[SID=PZHUuWPR;path=/]
  >>>
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
  ================New Request:
  Wed Sep 25 08:23:29 2002 Init: availcookie=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Connected to 10.2.255.50:7070
  Wed Sep 25 08:23:29 2002 Hdrs from clnt:[Cookie]=[SID=PZHUuWPR;path=/]
  >>>
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[Cookie]=[SID=PZHUuWPR; path=/]
  Wed Sep 25 08:23:29 2002 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
  The weird part is that I'm seeeing this behavior with the iplanetplugin
  as well.
  anyone got any luck in setting that up ?
  thanks,
  jm.

• Client Object Model don't work without "cookies"

  Problem could be reproduced for all types of Client Model Object (Managed, JS, etc..)
  for example (Managed Client Model Object):
  using (var context = new ClientContext("http://pc:1111"))
      var site = context.Web;
      context.Load(site, s => s.Title);
      context.ExecuteQuery();
      Console.WriteLine(site.Title);
      Console.ReadLine();
  1) All works fine if
  cookies is turned on in web.config for Web Application
  pc:1111 (<sessionState mode="InProc"cookieless="false" timeout="20" />) 
  in "fiddler":
  Request: POST /_vti_bin/client.svc/ProcessQuery HTTP/1.1
  Response: HTTP/1.1 200 OK
  2) If using cookieless session (<sessionState mode="InProc"cookieless="true" timeout="20"
  />)
  "context.ExecuteQuery()" generate WebException "The remote server returned an error: (404) Not Found."
  in "fiddler":
  Request: GET /(S(1j0bsz55e3dk1455dhagx4ry))/_vti_bin/client.svc/ntlm/ProcessQuery HTTP/1.1
  Response: HTTP/1.1 404 Not Found
  What settings should be applied for correct working "Client Model Object" in cookieless  session or "Client Model Object" couldn't be used without cookies at all?

  Hi. I think that the CSOM uses cookie to manage authentication...
  Regards,
  Bubu
  http://zsvipullo.blogspot.it
  Please mark my answer if it helped you, I would greatly appreciate it.

• PPR and session timeout cookie

  Scott,
  Is there anyway of getting the PPR functionality to update the session timeout cookie whenever a PPR request is made???
  Thanks..

  I am using your session timeout function from otn.
  I am using it to timeout after a set period of inactivity, every time the page is redrawn the cookie time is updated.
  I am calling this function from the 'Session Verify Function' field in the authentication scheme, and initially setting the cookie on login.
  I believe that the cookie only gets updated when the page is re-drawn and the Session Verify Function is run??
  On a PPR request only part of the page is refreshed, the page header remains unaffected, which means the user can be active on a page without refreshing the timeout value on the cookie?
  (Not a major problem, but would be nice to be able to update the cookie on a PPR request as well)
  Thanks..

• Restore session without inputing session id

  After I left(closed) IE and access the same page, for example access "http://abc/pls/apex/f?p=1000:1", the site redirect me to the login page. This must annoyed users much.
  1) In a short period, if I input the url with session id, then I can reuse the same session. So how should I restore the session without directing me to the login page: I just input "http://abc/pls/apex/f?p=1000:1" instead of ""http://abc/pls/apex/f?p=1000:1:SESSION_ID" and I can access to the same page under the same session.
  2) If the session is expired, I also want I can login the server without input user name and password by using cookie. How should I implement one method to create a new session without prompting user to login page?

  Vic,
  For authenticated applications, if there is no session ID in the URL, the user must login again.
  If the session is expired ...
  They go away after 24 hours, but that's not really the same as expiring. You can invalidate your application's session cookie after a period of user inactivity if you want to and sometimes this is called session expiration but I don't think it helps with your main problem.
  I also want I can login the server ...
  There is no logging into any server that happens. A user submits a login page in your application and then logs in to your application. The steps in your application's authentication scheme determine most of the details of how that happens.
  Scott

• Sticky session for SSL termination

  We have a server farm with 2 servers.  The ACE is perfoming SSL termination to this farm, and talking tcp/80 on the back end.  How can I ensure these sessions are sent to the same servers?
  Thanks

  since you are doing ssl termination you can do cookie sticky and have the ace either learn a cookie from the server or insert a cookie to provide sticky.
  for instance to do cookie insert
  sticky http-cookie COOKIE1 GROUP3
  cookie insert browser-expire <-- this makes it a session based cookie. If you want the cookie to expire at a set time you can leave off browser-expire
  and then set a timeout . the timeout is not on ace rather we will send a utc expire time to the browser
  serverfarm test
  then call the sticky serverfarm in your load balance policy
  policy-map type loadbalance first-match L7PLBSF_STICKY-COOKIE_POLICY
    class class-default
     sticky-serverfarm GROUP3
  you can also use other sticky methods see
  http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1070365

• ALLOW A USER TO KILL A SESSION WITHOUT ALTER SYSTEM PRIVILEGE.

  Hi
  I need a user to have permission to kill a session without having the ALTER SYSTEM privilege. I created a procedure on sys schema and granted the EXECUTE privilege to the user but it doesn't work, how can I do, help please.
  CREATE OR REPLACE PROCEDURE SYS.PRC_SESSION_KILLER (P_SID IN NUMBER, P_SERIAL IN NUMBER)
  AS
  BEGIN
       EXECUTE IMMEDIATE 'GRANT ALTER SYSTEM TO SYSADMIN';
       EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION ''' || P_SID || ',' || P_SERIAL || ''' IMMEDIATE';
       EXECUTE IMMEDIATE 'REVOKE ALTER SYSTEM FROM SYSADMIN';
  END;
  Thank you very much.

  Hi,
  I second everything John said.
  Are you sure the arguments are correct?
  Below is the procedure I use. You may want to run it, just to see what the error is.
  PROCEDURE     kill_internal
       s_id          IN     NUMBER,
       serial_num     IN     NUMBER,
       stat_out     OUT     VARCHAR2
  IS
       alter_handle     INTEGER;
       ex_val          INTEGER;     -- Returned by dbms_sql.execute
  BEGIN
       alter_handle := dbms_sql.open_cursor;
       dbms_sql.parse
            alter_handle,
            'ALTER SYSTEM     KILL SESSION '''     ||
                 TO_CHAR (s_id, '999990')     ||
                 ', '                    ||
                 TO_CHAR (serial_num, '999990')     ||
            dbms_sql.native
       ex_val := dbms_sql.execute (alter_handle);
       dbms_sql.close_cursor (alter_handle);
       stat_out := 'Success: '                    ||
                 TO_CHAR (s_id, '999990')     ||
                 ', '                    ||
                 TO_CHAR (serial_num, '999990');
  EXCEPTION
       WHEN OTHERS
       THEN
            stat_out := 'Failure:'          ||
                 SQLERRM;
  --          dbms_output.put_line (stat_out);
            dbms_sql.close_cursor (alter_handle);
  END     kill_internal
  ;

• Issue with sticky sessions

  My application has the following architecture:
  1.) a load balanced Flex frontend with sticky sessions which queries
  2.) a load balanced REST service also with sticky sessions
  The flex frontend queries the service using a Flex HTTPService object.  However, although sticky sessions are enabled on both the flex frontend and
  rest service, we are seeing queries go to different instances. For example
  user will request Flex App1 which will then call RestService1
  then user will request Flex App1 again which will call RestService2(instead of RestService1).
  Has anyone seen this issue before in a load balanced environment?  I need this to work because the REST service does not have a distributed cache, so subsequent requests must hit the same box to use the cache.
  thanks

  NW6 SP5 needs nw6nss5c in order for NSS to work properly; once applied
  then do
  nss /poolrebuild /purge
  on all pools. Make sure you have tested backups first, just in case.
  Also Load Monitor - Server Parameters - NCP. Set Level 2 OpLocks Enabled
  = Off, and Client File Caching Enabled = Off.
  What lan driver, date and version, on the server?
  Andrew C Taubman
  Novell Support Forums Volunteer SysOp
  http://support.novell.com/forums
  (Sorry, support is not provided via e-mail)
  Opinions expressed above are not
  necessarily those of Novell Inc.

• Setting secure on session management cookie only in production

  I am faced with the following:
  In our developmentcycle we deliver full application exports to an acceptation environment and after testing to a production environment.
  However, only our production site does HTTPS. Development and acceptation only do HTTP.
  In production we have to set the "secure"flag on the session management cookie.
  We would like to set this flag in our deployment scripts.
  So,
  Is there an API we could use to set the "Secure" flag in the APEX metadata using SQL*Plus?

  hi
  ->Use request.getParameter(String s) to recieve the infomation from the html page into your servlet.for storing session specific info go for
  session.setAttribute(vble,value;
  hope it'll solve your problem.

• Sticky sessions in SharePoint

  Hi,
  What is Sticky Sessions? 
  How it works in a SharePoint 2010 Farm, while load balancing?
  Any change in SP13 over SP10?
  I read, 'Distrubuted Chache Services' make sure that sticky sessions are no longer required.
  But, I did not understand the funda? Please explain!
  - GEM

  If you have multipe front-end servers a sticky session esnures that every request of a client gets redirected to the same server instead of all requests of a single client divided over multiple servers. This makes handling session state easier, as you'll
  only have to store it in memory if you have sticky sessions. Otherwise, you'll have to have a central store that is accessed by all front-ends. This is a load balancer feature, not a SharePoint feature.
  If you're using distributed cache services you have an enterprise-level mechanism for storing state acros multiple servers, so it doesn't matter much if you don't have sticky sessions, the cache will be available (in a fast way) anyway.
  Kind regards,
  Margriet Bruggeman
  Lois & Clark IT Services
  web site: http://www.loisandclark.eu
  blog: http://www.sharepointdragons.com