I have a situation where I need to create a cookie when a session is created, and when the session is removed I have to remove the cookie. When a user manually ends a session I can remove the cookie in the doGet method of the logout servlet. But when the session times out I am not able to do that, so I am planning to use the HttpSessionListener for this, but I have seen somewhere that we cannot do that. Is there any other way than the one mentioned here?
Really, how do you want to remove a cookie when you do not have access to the user?!?!
The only solution is setting the cookie lifetime to the exact time your session lives (1 hour is default).
For each request you need to set the cookie with the updated time (current_timestamp + '1 hour'); it will tell the browser to keep the cookie for the next hour.
Besides the cookie, you need to check the integrity of the cookie and the session: simply track the cookie's integrity together with the session (maybe a hash). It helps you when a user tries to fool your server by providing cookie A from user A with the session of user B.
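The approach described in this answer, written out as an added example (this is not the answerer's code): a servlet filter that re-sends a companion cookie on every request with Max-Age equal to the session's inactivity timeout, so the browser drops it at roughly the same moment the container drops the session, and that binds the cookie to the session by storing a SHA-256 hash of the cookie value as a session attribute. A cookie presented with a session it was not minted for is treated as tampering. The cookie name, the attribute name and the 403 response are assumptions of the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class SessionBoundCookieFilter implements Filter {
    private static final String COOKIE_NAME = "APP_TOKEN";        // assumed cookie name
    private static final String BINDING_ATTR = "APP_TOKEN_HASH";  // assumed session attribute
    private static final SecureRandom RNG = new SecureRandom();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);  // never create a session just to set a cookie
        String presented = readCookie(request);

        if (session == null) {
            // Session timed out or was invalidated: if the browser still holds the companion
            // cookie it is stale, so tell the browser to delete it.
            if (presented != null) expire(response, cookiePath(request));
        } else {
            byte[] stored = (byte[]) session.getAttribute(BINDING_ATTR);
            String value;
            if (presented == null || stored == null) {
                // First request of this session, or the browser lost the cookie: mint a new binding.
                value = randomToken();
                session.setAttribute(BINDING_ATTR, sha256(value));
            } else if (!MessageDigest.isEqual(stored, sha256(presented))) {
                // Cookie from session A presented with session B: treat as tampering.
                session.invalidate();
                expire(response, cookiePath(request));
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            } else {
                value = presented;
            }
            // Re-issue on every request so Max-Age always equals the remaining session lifetime.
            // A negative getMaxInactiveInterval() (session never expires) yields a browser-session
            // cookie, which is the closest equivalent.
            Cookie c = new Cookie(COOKIE_NAME, value);
            c.setPath(cookiePath(request));
            c.setHttpOnly(true);
            c.setSecure(request.isSecure());
            c.setMaxAge(session.getMaxInactiveInterval());
            response.addCookie(c);
        }
        chain.doFilter(req, res);
    }

    private static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String readCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        return null;
    }

    private static String cookiePath(HttpServletRequest request) {
        String ctx = request.getContextPath();
        return ctx.isEmpty() ? "/" : ctx;   // the container uses the same path for JSESSIONID
    }

    private static void expire(HttpServletResponse response, String path) {
        Cookie c = new Cookie(COOKIE_NAME, "");
        c.setPath(path);
        c.setMaxAge(0);   // Max-Age=0 instructs the browser to delete the cookie
        response.addCookie(c);
    }
}
```

Storing the hash rather than the raw value in the session means a dump of session storage does not yield usable cookies, and binding through a session attribute instead of the session id keeps the check valid if the container rotates the id on login (session fixation protection). The cookie must be added before chain.doFilter(), since headers cannot be changed once the response is committed.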
Can we put authentication token in session object?
For example:
session.setAttribute("authToken", authToken);
In my case I have to use authToken in every request call.
In service layer i am using third party services. In each request i need to pass authentication token. Getting authentication token is also a one request. I need to do many request calls step by step. At first request i am getting token and holding it in object level. After some time i need to make another request from different location(another class/object), now token is not available here. For this one more request i need to send for token. So avoiding this every time new call for a token, Can i put this token in servlet session varaible?
In term of security reasons is it good approach?
All session data is kept on the server, so you can put anything you want there. The browser user is associated with the session via a sessionId in a cookie (looked up by the container upon request). When a user connects to the server, a cookie is dropped on the browser with the sessionId. Upon return the browser sends this sessionId back so you can look up the session (usually a Map) to track data associated with the user and their current session. Session cookies can be set to persist through browser closing, or to expire when the browser closes or after a certain time.
Storing the auth token in the session is fine, but you will not be able to find a session based on the auth token stored in it if the browser doesn't support or doesn't store cookies. If a user has no cookies (maybe a custom app that calls URLs), you would add an auth token to the URL so that the user only logs in once per session. In this case you would create a data store which contains the session data and associate both the sessionId from the browser and the auth token with the same data. This is how I have done mobile/web/api session data management in the past.
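As an added example (not the questioner's or answerer's code), the pattern of caching the third-party token in the HttpSession so that only the first call, and calls after the token expires, pay the extra round trip. The TokenClient interface stands in for whatever code obtains the token from the third party; it is an assumption of this example and is not implemented here.

```java
import java.io.Serializable;
import java.time.Instant;
import javax.servlet.http.HttpSession;

public final class SessionTokenCache {
    private static final String ATTR = "authToken";
    // Refresh a little early so a token does not expire in flight between us and the third party.
    private static final long REFRESH_SKEW_SECONDS = 30;

    /** Serializable so the container can persist or replicate the session without errors. */
    public static final class Token implements Serializable {
        private static final long serialVersionUID = 1L;
        final String value;
        final Instant expiresAt;
        public Token(String value, Instant expiresAt) {
            this.value = value;
            this.expiresAt = expiresAt;
        }
        boolean expiringWithin(long seconds) {
            return !Instant.now().plusSeconds(seconds).isBefore(expiresAt);
        }
    }

    /** Assumed: one network round trip to the third party that returns a token and its expiry. */
    public interface TokenClient {
        Token fetch();
    }

    /**
     * Returns a usable token, fetching a new one only when none is cached or the cached
     * one is about to expire. Two concurrent requests in the same session may both fetch;
     * that costs one extra call and is harmless, so no cross-request locking is attempted.
     */
    public static String get(HttpSession session, TokenClient client) {
        Token t = (Token) session.getAttribute(ATTR);
        if (t == null || t.expiringWithin(REFRESH_SKEW_SECONDS)) {
            t = client.fetch();
            session.setAttribute(ATTR, t);
        }
        return t.value;
    }

    /** Call on logout before session.invalidate(), or when the third party rejects the token. */
    public static void clear(HttpSession session) {
        session.removeAttribute(ATTR);
    }
}
```

Because the token never leaves the server, the only thing the browser holds is the session id; session.invalidate() on logout discards the token together with everything else, which is the property the answer relies on.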
What problem are you trying to solve?
We have a few applications running on the same Tomcat, something like: app1.local, app2.local, app3.local...
When a user authenticates in one of them, we get cookies from JOSSO in our implementation of AgentFilter, where we do some operations with JOSSO_SESSIONID.
The cookies contain only JSESSIONID and JOSSO_SESSIONID.
They are always different when a user switches between app1, app2 and app3, but I found that "SESSION_INDEX" on the JOSSO server is always the same for the user.
It seems like "SESSION_INDEX" is only updated for the user when he quits or gets a timeout, and I think that SESSION_INDEX is like JOSSO_SESSIONID for our IdentityProvider, not for the ServiceProvider that we created for each of our instances (app1, app2, app3).
So the question is:
How can I pass that "SESSION_INDEX" in the cookies from JOSSO to our Agent Filter? Or maybe not in cookies?
Maybe I can use josso_assertion_id somehow to get the value of session_index?
I only know how to use josso_assertion_id to get JOSSO_SESSIONID.
I will be grateful for any help!!!
When a user has an associated HttpSession object and then wants to "log out" of the application, you would invalidate that HttpSession, which in turn would remove it from the map that the ServletContext keeps of all sessions. But this only removes it on the server side; what happens on the client side? Does the user still keep the cookie with the session ID, which now no longer has a corresponding session object on the server, and keep sending it to the web server? And what happens when the user wants to log in again after logging out?
I imagine the sessionId cookie will still be kept, but since this sessionId will not match any session object in the server's memory, it will be discarded by the server the next time the user tries to log in again. On the server side it will be quite transparent: request.getSession() will return a new session object automatically.
I would like to add to the answer of maksimov.
Although the cookie is still present on the client side, it is possible for the server to delete the cookie on the client side as well. Spring Security does that when a user logs out. Here's the code:
import javax.servlet.http.Cookie;

Cookie cookie = new Cookie(cookieName, null);
String cookiePath = // the cookie's path; must match the path the cookie was originally set with
cookie.setPath(cookiePath);
cookie.setMaxAge(0); // Max-Age=0 tells the browser to delete the cookie
response.addCookie(cookie);
The important instruction is cookie.setMaxAge(0). Setting the max age to 0 means the cookie has to be deleted. Thus, the server may ask the client to delete the cookie by sending it the same cookie with a max age of 0.
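Putting the two halves of this thread together, an added example (not Spring Security's code and not from either answer): a logout servlet that invalidates the HttpSession on the server and, in the same response, expires the container's session cookie in the browser. The cookie name is read from the SessionCookieConfig so a renamed session cookie is still handled; the "/login" redirect target is an assumption of the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);  // false: do not create one just to kill it
        if (session != null) {
            session.invalidate();  // server side: the id no longer maps to any session
        }

        // Client side: re-send the container's session cookie with Max-Age=0. Name and Path must
        // match the cookie the container set (default name JSESSIONID, path = context path or "/"),
        // otherwise the browser stores a second cookie and keeps the original.
        String name = request.getServletContext().getSessionCookieConfig().getName();
        if (name == null) name = "JSESSIONID";
        String ctx = request.getContextPath();
        Cookie kill = new Cookie(name, "");
        kill.setPath(ctx.isEmpty() ? "/" : ctx);
        kill.setMaxAge(0);
        kill.setHttpOnly(true);
        kill.setSecure(request.isSecure());
        response.addCookie(kill);

        // Make sure an intermediary does not serve a cached post-logout page to the next user.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(ctx + "/login");  // assumed login page of this example
    }

    // Deliberately no doGet: a GET logout can be triggered cross-site by an <img src="/logout">,
    // so HttpServlet's default 405 for GET is the safer behaviour. The question's doGet approach
    // works, but a POST from a form is the better default.
}
```

Even after this, the server must still treat an unknown or invalidated session id as anonymous (which request.getSession() does by creating a fresh session), because a browser that ignores the Max-Age=0 response, or a copy of the cookie taken earlier, will keep presenting the old id.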
I need to implement a simple remember me option in a java servlet with cookies, without using any advanced framework.
First, at login, I create the cookie and send it in the response to the browser (client). The value stored in the cookie is just a simple hash of username + password.
How should I handle the incoming request from the browser that sends the cookie?
My approach is to check among the registered users whether there is any user whose hash of username + password equals the value in the cookie.
Is this approach correct?
Also, I did not understand exactly what the mechanism of the expiration date is. Does the browser delete the cookie when it has expired? If not, how do I check whether the cookie is expired?
As long as you're not using HTTPS, the method you suggest is highly insecure. I would suggest generating some sort of session token (e.g. use java.util.UUID.randomUUID()), setting this as the cookie and storing it somewhere on the server side so you can later identify the user associated with this session id in the cookie.
This gives you the opportunity to reset a certain session cookie if you think there's some fraud happening, and there's no direct relation between the user name/password and the cookie id you use. But note: this method is still vulnerable to a man-in-the-middle attack.
Concerning the expiration: yes, the cookie becomes invalid and may get deleted by the browser once it has expired. But you can set the cookie to expire in the year 3000, so it lives forever.
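The random-token design this answer recommends, as an added example that is not the answerer's or the questioner's code. The cookie carries "selector:validator", both generated with SecureRandom; the server stores only SHA-256(validator) beside the username and an expiry, so neither a stolen database nor a guessed cookie gives an attacker a working login, and the server enforces expiry itself instead of trusting the browser to delete the cookie. The in-memory Map, the cookie name and the 30-day lifetime are assumptions of the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class RememberMe {
    public static final String COOKIE = "remember_me";           // assumed name
    private static final int MAX_AGE_SECONDS = 30 * 24 * 3600;   // assumed lifetime
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static final class Record {
        final String username;
        final byte[] validatorHash;
        final Instant expiresAt;
        Record(String username, byte[] validatorHash, Instant expiresAt) {
            this.username = username;
            this.validatorHash = validatorHash;
            this.expiresAt = expiresAt;
        }
    }

    // selector -> record; stands in for a database table with the same three columns.
    private final Map<String, Record> store = new ConcurrentHashMap<>();

    /** Call after a successful password login when the user ticked "remember me". */
    public void issue(String username, HttpServletRequest req, HttpServletResponse res) {
        String selector = random(12);   // lookup key, may be stored in clear
        String validator = random(32);  // secret, stored only as a hash
        store.put(selector, new Record(username, sha256(validator),
                Instant.now().plusSeconds(MAX_AGE_SECONDS)));
        Cookie c = new Cookie(COOKIE, selector + ":" + validator);
        c.setPath(path(req));
        c.setMaxAge(MAX_AGE_SECONDS);  // browser-side expiry; the server checks expiresAt regardless
        c.setHttpOnly(true);           // not readable by page scripts
        c.setSecure(true);             // only sent over HTTPS, which addresses the MITM caveat
        res.addCookie(c);
    }

    /** Returns the username if the cookie is valid, otherwise null; burns the record on a bad validator. */
    public String authenticate(HttpServletRequest req) {
        String value = cookieValue(req);
        if (value == null) return null;
        int colon = value.indexOf(':');
        if (colon <= 0 || colon == value.length() - 1) return null;
        String selector = value.substring(0, colon);
        String validator = value.substring(colon + 1);
        Record rec = store.get(selector);
        if (rec == null) return null;
        if (Instant.now().isAfter(rec.expiresAt)) {
            store.remove(selector);   // expired on the server even if the browser kept it
            return null;
        }
        // Constant-time comparison: String.equals() returns early and leaks matching-prefix length.
        if (!MessageDigest.isEqual(rec.validatorHash, sha256(validator))) {
            store.remove(selector);   // right selector, wrong secret: likely a stolen or forged cookie
            return null;
        }
        return rec.username;
    }

    /** Logout: forget the record and tell the browser to drop the cookie. */
    public void revoke(HttpServletRequest req, HttpServletResponse res) {
        String value = cookieValue(req);
        if (value != null && value.indexOf(':') > 0) store.remove(value.substring(0, value.indexOf(':')));
        Cookie c = new Cookie(COOKIE, "");
        c.setPath(path(req));
        c.setMaxAge(0);
        res.addCookie(c);
    }

    private static String path(HttpServletRequest req) {
        return req.getContextPath().isEmpty() ? "/" : req.getContextPath();
    }

    private static String cookieValue(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }

    private static String random(int bytes) {
        byte[] b = new byte[bytes];
        RNG.nextBytes(b);
        return B64.encodeToString(b);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

On a request without a live session, call authenticate(); if it returns a username, establish a fresh HttpSession for that user and then call issue() again so the validator rotates on every use. The original hash(username + password) scheme fails on every point this covers: it cannot be revoked without a password change, it is identical across devices, and an offline attacker with the hash can brute-force the password from it.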
I understand that if we use the following statement
HttpSession session = request.getSession();
it will create a unique session id, create a cookie and associate the cookie with the session id,
and help the container keep track of and identify clients.
Yes, my question is: is there a possibility for me to see the cookie header and the unique id created by this statement request.getSession()?
You can retrieve an HTTP header using HttpServletRequest.getHeader.
Although a session can be created by calling HttpServletRequest.getSession(true), it's rather done by the web container. As edl already wrote, HttpServletRequest.getSession().getId() returns the session id.
You can see it using any HTTP header tracker tool. Firebug, for example, shows the headers in the Net panel.
Any newly created cookie will appear as a Set-Cookie header in the response. The client will send the same value back as a Cookie header in subsequent requests in the same session so that the server can identify the client session. For a JSP/Servlet web application, the cookie you're interested in is the one named JSESSIONID.
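To observe the same exchange from inside the application rather than from a browser tool, here is an added example (not from any of the answers): a filter that logs, per request, the raw Cookie header the browser sent, the id the container parsed from it, whether that id still maps to a live session (it does not after a timeout or invalidate()), and the id the request ends up with. Logging at this level exposes live session ids, so it is for a development box only; that caveat is the point of the final comment.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class SessionTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionTraceFilter.class.getName());

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String cookieHeader = request.getHeader("Cookie");      // e.g. "JSESSIONID=..." as the browser sent it
        String presented = request.getRequestedSessionId();      // the id parsed from that header (or the URL)
        boolean stillValid = request.isRequestedSessionIdValid(); // false once the session timed out or was invalidated
        HttpSession session = request.getSession(true);          // creates a new session if none is valid

        // A presented id with stillValid=false and isNew=true is exactly the "stale cookie after
        // logout" case: the container ignored the old id and minted a new one.
        LOG.info(String.format("Cookie=%s presented=%s stillValid=%s isNew=%s id=%s",
                cookieHeader, presented, stillValid, session.isNew(), session.getId()));

        chain.doFilter(req, res);

        // Set-Cookie for the session is added by the container; when it appears depends on the
        // container, so this may be empty on the first request even though the browser receives it.
        LOG.info("Set-Cookie=" + response.getHeaders("Set-Cookie"));

        // WARNING: these log lines contain live session ids. Anyone who can read the log can hijack
        // the sessions. Never ship this filter enabled outside a development environment.
    }
}
```

Visiting any URL twice shows the cycle the answer describes: the first response carries Set-Cookie with isNew=true, the second request carries the same value in Cookie with stillValid=true and isNew=false.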
You can use session.getId() for the ID I believe. Not sure about the header.
I found more information in the following URL
http://www.javacertifications.net/javacert/session.jsp