What are default Zend Session handling best practices to prevent Cross Site Request Forgery?

Similar Messages

• What are Microsoft- or other's-best practice or recommendation of Disk usage, CPU usage, memory usage monitoring to prevent system trouble ?

  We use win2003,win2008,win2012 servers.
  I heard somewhere that Microsoft recommendation threshold of disk usage monitoring is ( free disk space >= 15- 20 %) , if I remember correctly, but how about CPU usage and memory usage monitoring ? 
  What are  Microsoft- or other's-best practice or recommendation of Disk usage, CPU usage, memory usage monitoring to prevent system trouble and improve availability ?

  Hi,
  You can refer the following Performance Tuning Guidelines,
  Performance Tuning Guidelines for Windows Server 2003
  http://download.microsoft.com/download/2/8/0/2800a518-7ac6-4aac-bd85-74d2c52e1ec6/tuning.doc
  Performance Tuning Guidelines for Windows Server 2008 R2
  http://blogs.technet.com/b/josebda/archive/2010/08/27/performance-tuning-guidelines-for-windows-server-2008-r2.aspx
  WINDOWS SERVER 2012 - PERFORMANCE TUNING GUIDELINES
  http://blogs.technet.com/b/itprocol/archive/2012/11/27/windows-server-2012-performance-tuning-guidelines.aspx
  Hope this helps.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Exception Handling best practices?

  Hi, Where can I find the tutorial on exception handling best practices on oracle website?
  I am looking for the sun standards for the exception handling.

  By the way, the google keywords to find that tutorial are "java exception tutorial". In general to find a Java tutorial on topic X the google keywords are "java X tutorial". Prefer tutorials from Oracle when scanning the list of links you get back.

• What are the ways to handle Idocs which are failed to post to R/3

  Hi Experts
  What are the ways to handle Idocs which are failed to post to R/3  after sucessfully configuration of the Scenario.
  Thanks & Regards
  Aravind

  Hi
  Check the Idoc Status in R/3 with WE05.
  Idocs will fail in following conditions
  1) Idoc will be in error if all the mandatory field are not mapped.
  2) If partner profile is not maintained.
  3) Most of the times, idocs will be in error due to functional issues.....check the status and take help from functional guys.
       Once the error resolved, reprocess the same idoc using BD87
  Regards
  Abhijit
  Edited by: Abhijit Bolakhe on Mar 18, 2010 3:11 PM

• What are the browser recommendations for best viewing iWeb 08 site on a PC?

  What are the browser recommendations for best viewing iWeb sites on a PC? Can't find any info on Apple iWeb site.

  Hi,
  I don't think there are recommendations from Apple.
  What I can say is that the newest version of InternetExplorer at the UniversityCampus is working great with my website I didn't find any problem (Menus, Slideshows, text displaying, pictures everything worked great). There are IE problems reported in other threads but I think they refer to older IE versions (seems like most IE users still have older versions on their PCs).
  Newest Firefox will work too.
  Reagrds,
  Cédric

• EBS Supplier best practice to update vendor site code, update or create a new one

  I have a question related to EBS Supplier vendor site code. Application lets you update the vendor site code, but what is the best practice to update the site code?....would you inactivate the exiting one and create a new one? or would you just update the existing value?

  Ok,
  My workaround was to put in my TaskFlow an action to commit. After that I put two more actions (execute) and then back to my page. This way works but I would like to know if there is any more efficient way to do this just when I am inserting.
  Regards

• Best practice for running multiple sites on 1 CF install?

  Hi-
  I'm setting up a new hosting environment (Windows Server 2008 Standard 64 bit VPS  configuration, MySQL, IIS 7, CF 9)
  Has anyone seen any docs or can anyone suggest best practices for configuring multiple sites in this environment? At this point I'm thinking simple is best, one new site in IIS for each client (domain) and point it to CF.
  Given this environment, is anyone aware of any gotchas within the setup of CF 9 on IIS 7?
  Thank you in advance,
  Rich

  There's nothing wrong with that approach. You can run as many IIS sites as you like against a single CF install.
  As for installing CF on IIS 7, I recommend that you do the following: install CF 9 without connecting it to IIS, then installing the 9.0.1 upgrade and any hotfixes, then connecting CF to IIS using the web server configuration utility. This will keep you from having to install the IIS 6 compatibility layer that's needed with CF 9 but not with CF 9.0.1.
  Dave Watts, CTO, Fig Leaf Software
  http://www.figleaf.com/
  http://training.figleaf.com/

• What are the modules in which we can create a party site?

  Hi Gurus,
  I would like to know, what are the modules from which we can create a party site.
  Please repond.
  Thanks,
  Venkatesh

  Hi,
  There can be numerous modules which create party sites , Leads/Quotes/Order/Recievable/HR/IB/ISupport etc.
  Actual number of modules depend on the kind of implementation.
  Run this query in your Oracle instance , to get an idea of various modules which has created Party sites in your system.
  SELECT meaning,
  description
  FROM fnd_lookup_values
  WHERE lookup_type = 'HZ_CREATED_BY_MODULES'
  AND lookup_code IN (SELECT DISTINCT created_by_module
  FROM hz_party_sites)
  -Idris

• What are developers​' opinions on how best to handle upgrading large code libraries with multiple apps to new a labview version?

  I have a large set of code that I've painstakingly migrated from one labview version to another over the years.  I have lots of deployed applications that I need to continue to support.  From experience and interaction with other developers, I don't think I can continue to migrate every application to a new labview version when I upgrade going forward.  Every application seems to break in one way or another, the builds don't work right and need to be re-done, and its too much time to get all my applications working and tested again.  That opinion is solidified by NI's policies that make it impossible to install old toolkit versions on new labview versions, for example.  Compatibility is often being sacrificed so NI can develop labview in the direction they choose.  So I have to take the position that whatever version I write an application in will probably need to be maintained in that labview version throughout it's life.
  In light of this, how are other developers managing older applicatiosn written in older versions of labview.  Right now I have a virtual PC on my system with 7.1, 8.0, 8.2, and 8.5 all running on different virtual PC's so I can keep each installation separate.  I strongly recommend this approach.  But keeping my large libraries of code separate is tough.  They are many GB, they all link to each other, and I always get worried even when I separate them in different directories that somehow labview will search in the wrong place and find the wrong version of a sub-vi.  Are other people also trying to maintain separate copies of all their code in different labview versions?  How are other people managing this problem?
  -Devin
  I got 99 problems but 8.6 ain't one.
  Solved!
  Go to Solution.

  Hi,
  The following directory hierarchy, coupled with a "hierarchical" VI naming strategy, have been effective (for me) at preventing "cross-linking" across projects and LV versions. The storage hierarchy was designed for use within an SCC environment, but works fine independently. Hierarchical-naming insures unique names for application-specific files. Use of Project Libraries (in LabVIEW 8.x) addresses the problem of having different VIs with the same name, still, it gives me warm-fuzzies to have app-specific files named uniquely, and I can't imagine not using Hierarchical-naming anymore - it's described at-length in section 2.1 of attached .doc..
  Note: It's been my experience that companies identify resources as supporting specific "Programs", where a Program is related to a product or "family" of products, so, under <Programs> (below) each "Program" subdirectory encapsulates product-specific (or product-family-specific) applications. Also, assuming no SCC tool is being employed the <Production> directory (below) exists as a repository for distributables.  All distributables required to reproduce a test-station should be located under <Production>.
  <Software_Root>
  <Development>
  | <Common>
  | | <LabVIEW_61>
  | | | <Drivers>
  | | | | <DMM>
  | | | | <OS>
  | | | | <PS>
  | | | <Utilities>
  | | |   <File>
  | | |   <Error>
  | | |   <String>
  | | <LabVIEW_711>
  | | <LabVIEW_82>
  | | <LabVIEW_851>
  <Programs>
  * Program-specific applications that (probably) have distributables
  | <Program_#1>
  | | <Application_#1>
  | |   <Docs>
  | |   <Source>
  *       Individual, application-specific, VIs go here
  | | <Application_#2>
  | | <Application_#3>
  | <Program_2>
  | | <Program_3>
  | <Tools>
  *   Tools are NOT "program"-specific, and, may have distributables
  |   <SomeTool>
  |   <SomeOtherTool>
  <Production>
  | <COTS&Freeware>
  | <Programs>
  | | <Program_1>
  | | | <Application_#1>
  | | | | <Application_#1_Rev#1>
  | | | |   Application_#1.bld>
  | | | |   <EXE>
  | | | |   <Installer>
  | | | |   <Source>
  | | | |     Application_#1.llb>
  *           Distributable is created from LLB "snapshot", not directly from development tree
  | | | <Application_#2>
  | | | | <Application_#2_Rev#1>
  | | | |    Application_#2.lvproj>
  | | | |   <EXE>
  | | | |   <Installer>
  | | | |   <Source>
  | | | |     Application_#2.llb>
  | <Tools>
  "Inside every large program is a small program struggling to get out." (attributed to Tony Hoare)
  Attachments:
  StyleGuide.doc ‏941 KB

• ADF Faces : session timeout best practice

  hi
  I made these small modifications to the web.xml file in the SRDemoSample application:
  (a) I changed the login-config from this ...
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>infrastructure/SRLogin.jspx</form-login-page>
        <form-error-page>infrastructure/SRLogin.jspx</form-error-page>
      </form-login-config>
    </login-config>... to this
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>(b) I changed the session-timeout to 1 minute.
    <session-config>
      <session-timeout>1</session-timeout>
    </session-config>Please consider this scenario:
  (1) Run the UserInterface project of the SRDemoSample application in JDeveloper.
  (2) Authenticate using "sking" and password "welcome".
  (3) Click on the "My Service Requests" tab.
  (4) Click on a "Request Id" like "111". You should see a detail page titled "Service Request Information for SR # 111" that shows detail data on the service request.
  (5) Wait for at least one minute for the session to timeout.
  (6) Click on the "My Service Requests" tab again. I see the same detail page as in (4), now titled "Service Request Information for SR #" and not showing any detail data.
  question
  What is the best practice to detect such session timeouts and handle them in a user friendly way in an ADF Faces application?
  thanks
  Jan Vervecken

  Hi,
  no. Here's the content copied from a word doc:
  A frequent question on the JDeveloper OTN forum, and also one that has been asked by customers directly, is how to detect and graceful handle user session expiry due to user inactivity.
  The problem of user inactivity is that there is no way in JavaEE for the server to call the client when the session has expired. Though you could use JavaScript on the client display to count
  down the session timeout, eventually showing an alert or redirecting the browser, this goes with a lot of overhead. The main concern raised against unhandled session invalidation due to user
  inactivity is that the next user request leads to unpredictable results and errors messages. Because all information stored in the user session get lost upon session expiry, you can't recover the
  session and need to start over again. The solution to this problem is a servlet filter that works on top of the Faces servlet. The web.xml file would have the servlet configured as follows
  1.     <filter>
  2.         <filter-name>ApplicationSessionExpiryFilter</filter-name>
  3.         <filter-class>
  4.             adf.sample.ApplicationSessionExpiryFilter
  5.         </filter-class>
  6.         <init-param>
  7.             <param-name>SessionTimeoutRedirect</param-name>
  8.             <param-value>SessionHasExpired.jspx</param-value>
  9.         </init-param>
  10.     </filter>
  This configures the "ApplicationSessionExpiryFilter" servlet with an initialization parameter for the administrator to configure the page that the filter redirects the request to. In this
  example, the page is a simple JSP page that only prints a message so the user knows what has happened. Further in the web.xml file, the filter is assigned to the JavaServer Faces
  servlet as follows
  1.     <filter-mapping>
  2.             <filter-name>ApplicationSessionExpiryFilter</filter-name>
  3.             <servlet-name>Faces Servlet</servlet-name>
  4.         </filter-mapping>
  The Servlet filter code compares the session Id of the request with the current session Id. This nicely handles the issue of the JavaEE container implicitly creating a new user session for the incoming request.
  The only special case to be handled is where the incoming request doesn't have an associated session ID. This is the case for the initial application request.
  1.     package adf.sample;
  2.     
  3.     import java.io.IOException;
  4.     
  5.     import javax.servlet.Filter;
  6.     import javax.servlet.FilterChain;
  7.     import javax.servlet.FilterConfig;
  8.     import javax.servlet.ServletException;
  9.     import javax.servlet.ServletRequest;
  10.     import javax.servlet.ServletResponse;
  11.     import javax.servlet.http.HttpServletRequest;
  12.     import javax.servlet.http.HttpServletResponse;
  13.     
  14.     
  15.     public class ApplicationSessionExpiryFilter implements Filter {
  16.         private FilterConfig _filterConfig = null;
  17.        
  18.         public void init(FilterConfig filterConfig) throws ServletException {
  19.             _filterConfig = filterConfig;
  20.         }
  21.     
  22.         public void destroy() {
  23.             _filterConfig = null;
  24.         }
  25.     
  26.         public void doFilter(ServletRequest request, ServletResponse response,
  27.                              FilterChain chain) throws IOException, ServletException {
  28.     
  29.     
  30.             String requestedSession =   ((HttpServletRequest)request).getRequestedSessionId();
  31.             String currentWebSession =  ((HttpServletRequest)request).getSession().getId();
  32.            
  33.             boolean sessionOk = currentWebSession.equalsIgnoreCase(requestedSession);
  34.           
  35.             // if the requested session is null then this is the first application
  36.             // request and "false" is acceptable
  37.            
  38.             if (!sessionOk && requestedSession != null){
  39.                 // the session has expired or renewed. Redirect request
  40.                 ((HttpServletResponse) response).sendRedirect(_filterConfig.getInitParameter("SessionTimeoutRedirect"));
  41.             }
  42.             else{
  43.                 chain.doFilter(request, response);
  44.             }
  45.         }
  46.        
  47.     }
  This servlet filter works pretty well, except for sessions that are expired because of active session invalidation e.g. when nuking the session to log out of container managed authentication. In this case my
  recommendation is to extend line 39 to also include a check if security is required. This can be through another initialization parameter that holds the name of a page that the request is redirected to upon logout.
  In this case you don't redirect the request to the error page but continue with a newly created session.
  Ps.: For testing and development, set the following parameter in web.xml to 1 so you don't have to wait 35 minutes
  1.     <session-config>
  2.         <session-timeout>1</session-timeout>
  3.     </session-config> Frank
  Edited by: Frank Nimphius on Jun 9, 2011 8:19 AM

• Kiosk Session Timeout Best Practice

  Dear All,
  I've noticed that user sessions are being timed out after about 3 hrs 20 minutes (presumably this is the default) so people coming in to work in the morning are having to start new sessions which really isn't practical with Citrix.
  The users need to be able to leave a session in the evening and then pick it up again the following morning.
  What are people using as a timeout value for Sun Ray sessions - 12 hours? 24 hours? What's the best thing to do? Will it cause problems if I have lots of sessions hanging around for that length of time?
  Many thanks.
  Chris

  Dear All,
  I've noticed that user sessions are being timed out after about 3 hrs 20 minutes (presumably this is the default) so people coming in to work in the morning are having to start new sessions which really isn't practical with Citrix.
  The users need to be able to leave a session in the evening and then pick it up again the following morning.
  What are people using as a timeout value for Sun Ray sessions - 12 hours? 24 hours? What's the best thing to do? Will it cause problems if I have lots of sessions hanging around for that length of time?
  Many thanks.
  Chris

• ESB Exception Handling Best Practices

  I've update the "ESB Transactions, Error Handling and Resubmit" Lesson PDF to include a best practices section. Go to http://otn.oracle.com/goto/esb and click on the link in the Learning more section. Feedback welcome.

  Hi Dave,
  I checked this document yesterday, it contained 18 pages.
  Some great info in the additional 7 pages, just in time as well: at a customer site we are hitting bug 5547165, the rejected messages being empty. I checked the rejection handlers for BPEL and was investigating how these could be used in case of ESB. Seems you have provided the answer.
  Any chance a fix for the bug mentioned here is in the 10.1.3.3 patch set?
  One more thing: by default the rejected messages for ESB are written to file system, in a directory below the 'home' OC4J instance. Could this be turned into a configurable space in a next release?
  Thanks and best regards, Sjoerd

• Exception handling best practice

  whats the best practice for exception handling on ?
  - BC
  -controller
  -view layer (Managed beans)
  do we have to handle commit operations on BC so we can rollback like this code
  public void save()
  // create/update/delete ROW
  try
  this.getTransaction().commit();
  catch(JboException e ){this.getTransaction().rollBack();}
  thanks
  Edited by: user3674912 on 23/05/2011 05:18 ص

  Hi,
  IMO, best practices is to handle exceptions as close to their origin. If you can't handle it, you re-throw it as you would in Java so another handler gives it a try
  Frank

• What is the guideline and/or best practice for EMC setup on ASM?

  We are going to use EMC CX4-480 for ASM storage on RAC. What is the guideline and best practice for EMC setup on ASM?
  Thanks for the advice!

  Probably a poor choice of words. Sorry.
  So basically, I have gotten further, but I just noticed related problem.
  I'm using the WebServices(WS) 1.0. I insert an account, then, on a separate WS call, I insert my contacts for the account. I include the AccountID, and a user defined key from the Account when creating the Contact.
  When I look at my Contact on the CRMOD web page, it shows the appropriate links back to the Account. But when I look at my Account on the CRMOD web page, it shows no Contacts.
  So when I say workflow or Best Practice, I was hoping for guidance on how to properly write my code to accomplish all of the necessary steps. As in this is how you insert an account with a contact(s) and it updates the appropriate IDs so that it shows up properly on the CRMOD web pages.
  Based on the above, it looks like I need to, as the next step, take the ContactID and update the Account with it so that their is a bi-directional link.
  I'm thinking there is a better way in doing this.
  Here is my psuedocode:
  AccountInsert()
  AccountID = NewAcctRec
  ContactInsert(NewAcctRec)
  ContactID = NewContRec
  AccountUpdate(NewContRec)
  Thanks,

• Simple HTTP Post Handler - Best Practice?

  I would like to create a fairly simple ASP.Net application that takes an XML record from an HTTP post request, submits it to a process that invokes a command line app that parses the XML file, takes the parsed XML file (as XML), and returns the result. 
  For now the process can be synchronous as the transform has to complete and there are no parallel activities that need to be performed.
  I'm not sure that writing an HTTP Handler is the way to go, but maybe I'm mistaken.  Plus there are no examples of doing that in Visual Studio 2013 using IIS 8.0 or 8.5 and I don't really understand the value of applying a file extension or processing
  an HTTP post to initiate the request, perhaps using a dedicated port.  I already have a class library for handling the process request.
  I'm also a little confused about reading the post request - it seems I can just do it during the page load and that I should be able to extract the first request form field - that of course means using a webform to process the request which seems to be the
  most straight-forward way to do this. So I'm looking for the best practice for fielding this kind of request.  My target server is Windows 2012, but I'm developing with VS 2013 and C# on Windows 7 using IIS Express and configuring IIS is confusing. 
  Overall it is a fairly simple app, but there are so many rich new features in VS 2013 (most of my work has been in VS 2005).  I also want to build a test app and am looking for the best way to do so, although I think I can build a simple client app
  to do that.  The business requirements will be to issue the post request from a MarkLogic xquery request which will take care of any JSON wrappers and balance between multiple Windows servers to handle the load.
  Thanks for any help with this!
  ~Tim

  Hi Tim,
  Thank you for posting in the MSDN forum.
  Actually this forum is to discuss the VS IDE, if this issue is related to web development, you could ask this question in the ASP.NET forum:
  http://forums.asp.net. If then, you could get an answer more quickly and professional. Thanks for your cooperation.
  Best Regards,
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.