What is required to create the same session on different hosts?
There are two standalone servers. I do not want to set up a cluster environment. I just want the session created on one server to be recognized by the other.
When I request server A with client C, server A will send a request to server B (with a flag set in the header so that it won't go into a loop). When I request server B with client C, the session is not recognized on server B. What else do I have to do?
I tried setting the JSESSIONID.
I am using Apache HttpClient to send the request to the other server. I
have added the header and I can see the cookie header is the same on both servers,
still it's not recognized:
request.setHeader("cookie", req.getHeader("cookie"));
Please suggest.
@Aadam did you try HttpSession?
I know how to get cookie values from an HTTP request this way:
> httpReq.getheader()
but now I want to access and get cookie values that are set in the browser and use them in Java classes without sending an HTTP request.
Is it possible?
It is not possible ... unless your Java code is actually running in the web browser. The Java Tutorials include a page on Accessing Cookies in an Applet or JNLP application.
However, if your Java code is running in the web browser, then you have a problem because:
most browsers have already dropped support for Java plugins,
Oracle has deprecated browser-side Java as of Java 9.
If your Java code is server-side, then the HTTP request is the only way that information (such as cookies) is passed from the client (browser) to server. The server cannot send requests to the browser. The best it can do is send an HTTP reply that causes the browser to send another request. (Or open a WebSocket ...)
I have a web application which is accessible to users through a proxy servlet that is part of a bigger web application. Communication between the browser and the bigger application is encrypted by SSL. From my embedded application I would like to set a secure cookie which indicates the user's session. Communication between the proxy servlet and my web application is not encrypted, so when I set the session id cookie it doesn't have the secure flag. My application is running on Tomcat and the response from this Tomcat is proxied to the client's browser by the proxy servlet.
Will this cookie be secure and unable to be hijacked by others, despite the fact that it is not marked as secure? Can the browser send the cookie back over a non-secured connection in that situation?
Edit:
I will specify the architecture of that solution in a little more detail to make it clear:
There are 2 web applications, each with its own session:
1) one is accessible directly to users and communication between it and the browser is encrypted by SSL (application X)
2) the second is not accessible to users, but is proxied by a servlet from application X (application Y). The servlet is also proxying HTTP headers.
Architecture looks like on this diagram:
client browser| <-SSL-> |Application X (proxy servlet) | <-internal network, no SSL -> |application Y
I would like to set a cookie in the client browser from application Y that indicates the session. The cookie header is taken from application Y to X and set in the client's browser, but unfortunately this header doesn't have the secure flag. I'm not sure whether it will be sent back by the browser only over the secure connection or not.
This really isn't a good way to secure your web app because the most important area of communication (between the browser and however they get to your app) is not encrypted. That is the area most likely to be snooped on by others. Cookies are inherently insecure without SSL because without SSL there is no way to encrypt them. They're just part of the HTTP transaction (and thus are only as secure as the rest of it).
Sessions are pretty much inherently safe from tampering if the HTTP transactions happen over SSL because the cookie only contains a fairly unique ID code pointing to a storage compartment on the server for the user's information in the servlet container. The only way someone can hijack that is if they can intercept the cookie and make their browser use that cookie. Again, SSL is your best bet there.
Now, you could use something like a nonce to add additional security on top of SSL. There are plenty of apps out there that use them if you want to look at live examples.
It seems like the user's web browser connects to your web proxy server remotely via HTTPS, and your web proxy server connects to your application locally via HTTP.
You may still be able to set the cookie as secure by manually setting the secure option for the cookie, or manually creating the cookie header. Generally, a web/application server ignores settings on outgoing cookies. Instead, it's generally up to the browser to enforce the rules.
It's important to send the cookie with the secure option to the browser, so the browser knows not to send the cookie back unless it's over HTTPS, thus preventing eavesdropping. You should also include the httponly option for the cookie.
Adding a nonce would not provide any additional protection here because if the victim can be convinced to send the request out unencrypted, the attacker will be able to capture both the cookie and the nonce.
This is not to say that nonces aren't good on their own to prevent replay attacks, even over HTTPS, but it won't prevent session hijacking.
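To make the two preceding answers concrete, here is an added example (not code from the original posts) of the two places the Secure and HttpOnly flags can be applied in the asker's setup: application Y sets them on its own cookie even though Y is reached over plain HTTP, and the proxy servlet in application X appends them to any upstream Set-Cookie header that lacks them. The cookie name YSESSIONID and the helper names are assumptions for illustration; the code assumes the Servlet 3.0+ API (Cookie.setHttpOnly).

```java
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SecureCookieExample {

    // Application Y side: set the session-indicating cookie with the Secure and
    // HttpOnly flags explicitly. The servlet container does not look at whether
    // its own connection is HTTPS; the flags are just attributes in the
    // Set-Cookie header text, and it is the browser that enforces them.
    public static void setSessionCookie(HttpServletResponse resp, String sessionId) {
        Cookie c = new Cookie("YSESSIONID", sessionId); // hypothetical cookie name
        c.setSecure(true);     // browser returns it only over HTTPS
        c.setHttpOnly(true);   // not readable from document.cookie
        c.setPath("/");
        c.setMaxAge(-1);       // session cookie, dropped when the browser closes
        resp.addCookie(c);
    }

    // True if the Set-Cookie header already carries the given attribute
    // (case-insensitive). parts[0] is the name=value pair and is skipped.
    static boolean hasAttribute(String setCookie, String attr) {
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim().toLowerCase();
            if (p.equals(attr) || p.startsWith(attr + "=")) {
                return true;
            }
        }
        return false;
    }

    // Proxy-servlet side (application X): when forwarding an upstream Set-Cookie
    // header from application Y, append the flags the upstream omitted. SameSite
    // is added as well; the Servlet Cookie API has no setter for it, so it has
    // to be written into the header text.
    public static String hardenSetCookie(String setCookie) {
        StringBuilder sb = new StringBuilder(setCookie.trim());
        if (!hasAttribute(setCookie, "secure"))   sb.append("; Secure");
        if (!hasAttribute(setCookie, "httponly")) sb.append("; HttpOnly");
        if (!hasAttribute(setCookie, "samesite")) sb.append("; SameSite=Strict");
        return sb.toString();
    }

    // Forward every Set-Cookie header from the upstream response (modelled here
    // as a list of header values) to the real client, hardened on the way.
    public static void forwardSetCookies(List<String> upstreamSetCookies,
                                         HttpServletResponse clientResp) {
        for (String h : upstreamSetCookies) {
            clientResp.addHeader("Set-Cookie", hardenSetCookie(h));
        }
    }
}
```

For example, hardenSetCookie("YSESSIONID=abc123; Path=/") yields "YSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict", and a header that already has Secure is left with a single copy of it. The flags protect the cookie only on the browser-to-X leg; the X-to-Y leg still carries the session id in clear text on the internal network, which the answers above point out is a separate exposure.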
My objective is to set a cookie from within a servlet called from a java client, and get the cookie when a different servlet is called from the browser.
The java client has an authenticated session with the server.
The server runs locally.
I tried suggestions from a different question and put an alias domain name in my hosts file.
I manually set the domain of the cookie to the alias domain, but it still won't return on the server.
request.getRemoteHost() returns 127.0.0.1 in both servlets.
Any help would be appreciated.
A cookie is held in memory (or on disk, but at a specific place) by each client. A Java client and a browser don't share cookies. Two different browsers (IE and Firefox, for example) don't share cookies either. There is no way to do what you want.
We have a WebLogic server configured to require a client certificate when establishing an SSL connection with the client for a web service solution. The SSL handshake works perfectly as we have already configured all that is required.
Now, after the connection we receive a SOAP request where the client id is one of the fields of this SOAP request.
What we need to do is to check this id against the common name of the client certificate used to connect to our server in order to guarantee the transaction.
This is very important to us because this is a bank transaction and there is a lot of money involved in it and we need to avoid fraud.
So: is there a way to recover the common name of a client certificate used to establish a 2-way SSL connection from Java code running on the server using a WebLogic 10.3.3 server?
[]s
The client's certificate can be read from the incoming Servlet request using the HttpServletRequest.getAttribute(String) method invocation. The attribute with name javax.servlet.request.X509Certificate is populated by the servlet container when it creates an instance of the Request object for processing by the servlet/webservice.
The DN of the certificate can then be obtained from the X500Principal object, obtained from the certificate object via the getX500Principal method invocation. This does not give the CN, but will provide you with the complete distinguished name in a specified format; this could be parsed to provide the CN.
As far as accessing the ServletRequest object is concerned, JAX-WS web services can be programmed to read the MessageContext which allows access to the underlying HttpServletRequest object.
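The steps in this answer, written out as an added example (not the poster's or WebLogic's code): read the chain from the javax.servlet.request.X509Certificate attribute, take the subject DN from the X500Principal in RFC 2253 form, parse the CN out of it with javax.naming.ldap.LdapName, and compare it to the client id carried in the SOAP body. The class and method names are assumptions; the JAX-WS part assumes a WebServiceContext has been injected into the endpoint with @Resource.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

public class ClientCertCheck {

    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // JAX-WS: reach the HttpServletRequest through the injected WebServiceContext.
    public static HttpServletRequest servletRequest(WebServiceContext wsCtx) {
        MessageContext mc = wsCtx.getMessageContext();
        return (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);
    }

    // Pull the client certificate chain out of the request. The leaf (client)
    // certificate is at index 0, issuers follow. Returns null when the client
    // presented no certificate, so the caller can reject the request.
    public static X509Certificate clientCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0];
    }

    // Extract the CN from an RFC 2253 distinguished name such as
    // "CN=acme-client-01,OU=Payments,O=ACME,C=BR". Returns null if absent or
    // if the DN does not parse. LdapName handles escaping (commas, quotes)
    // that naive string splitting on ',' would get wrong.
    public static String commonName(String rfc2253Dn) {
        try {
            for (Rdn rdn : new LdapName(rfc2253Dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
            return null;
        } catch (InvalidNameException e) {
            return null;
        }
    }

    // Bind the SOAP-level client id to the identity that the TLS handshake
    // authenticated. Both must be present and equal; anything else is a
    // mismatch and the transaction should be refused.
    public static boolean clientIdMatchesCertificate(String soapClientId,
                                                     X509Certificate cert) {
        if (soapClientId == null || cert == null) {
            return false;
        }
        // getName() with no argument returns the RFC 2253 form.
        String cn = commonName(cert.getSubjectX500Principal().getName());
        return cn != null && cn.equals(soapClientId);
    }
}
```

Typical use inside the endpoint: X509Certificate cert = clientCertificate(servletRequest(wsCtx)); if (!clientIdMatchesCertificate(request.getClientId(), cert)) throw a fault. The chain's validity (signature, expiry, trust anchor) is what WebLogic already verified during the handshake; this check only ties the SOAP identity to that verified certificate. Use getSubjectX500Principal rather than the older getSubjectDN, whose string format is implementation-dependent.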
How can I read cookies of the client system for a Java web application?
My application is on the server and I want to fetch some information about the client system.
Use the following in your servlet/JSP to get cookies:
javax.servlet.http.Cookie[] cookies = request.getCookies(); // null if the request carried no Cookie header
I want to make cookies with some information which the user enters and use that information next time.
An example of what you want to do is here
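An added example (not from the original answer or the linked page) of the round trip this comment thread and the earlier "without sending an HTTP request" answer describe: a servlet stores a user-entered value in a cookie on POST, then reads it back on the next GET, because the value only reaches the server again when the browser sends its Cookie header. The servlet mapping /prefs, the cookie name pref_lang and the helper names are assumptions; it assumes the Servlet 3.0+ API and an HTTPS site (the Secure flag).

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PreferenceCookieServlet extends HttpServlet {

    static final String COOKIE_NAME = "pref_lang"; // hypothetical cookie name
    static final int MAX_LEN = 64;                 // cap on stored user input

    // Find a cookie by name and decode it. getCookies() returns null when the
    // request carried no Cookie header at all, so guard against that first.
    public static String cookieValue(Cookie[] cookies, String name) {
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                try {
                    return URLDecoder.decode(c.getValue(), "UTF-8");
                } catch (UnsupportedEncodingException | IllegalArgumentException e) {
                    return null; // malformed percent-encoding: treat as absent
                }
            }
        }
        return null;
    }

    // Build the cookie from user input. Percent-encoding is needed because raw
    // user text may contain ';', ',' or whitespace, which break the header.
    public static Cookie buildCookie(String userInput) throws UnsupportedEncodingException {
        String bounded = userInput.length() > MAX_LEN ? userInput.substring(0, MAX_LEN) : userInput;
        Cookie c = new Cookie(COOKIE_NAME, URLEncoder.encode(bounded, "UTF-8"));
        c.setHttpOnly(true);            // page scripts do not need it, so hide it from them
        c.setSecure(true);              // assumption: the site is served over HTTPS
        c.setPath("/");
        c.setMaxAge(30 * 24 * 60 * 60); // keep for 30 days
        return c;
    }

    // POST: the user submitted the form. The value becomes visible to the
    // server only on the next request, when the browser sends it back, so
    // redirect and let the GET below read it.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String lang = req.getParameter("lang");
        if (lang != null && !lang.isEmpty()) {
            resp.addCookie(buildCookie(lang));
        }
        resp.sendRedirect(req.getContextPath() + "/prefs");
    }

    // GET: read back what the browser sent, or fall back to a default.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String lang = cookieValue(req.getCookies(), COOKIE_NAME);
        if (lang == null) {
            lang = "en";
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("language preference: " + lang);
    }
}
```

The server never asks the browser for the cookie; it can only set it in a response and wait for the browser to present it on a later request. Treat the returned value as untrusted input like any other request data: it is decoded, length-bounded and echoed back as text/plain here, never as HTML.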
You get cookies from the client system by using JavaScript (on the client) to read the cookie and formulate a web request to send to your server.
Use something like the JavaScript XMLHttpRequest function (on the client) to send the request to your server (including the cookie value).