I try to create a session connecting an Android phone to a Java backend.
For this I call an url looking like this: https://sub.domain.com/path-web/rest/user/init
HTTP/1.1 302 Found
Location: https://path.domain.com;jsessionid=SOMEID.frontend2
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Connection: close
Set-Cookie: JSESSIONID=SOMEID.frontend2;
Path=/; Secure; HttpOnly
Date: Fri, 24 Oct 2014 08:32:17 GMT
This causes my http library, in this case okhttp to try to follow the redirection to https://path.domain.com;jsessionid=SOMEID.frontend2.
This now fails because parsing this url with java.net.URI produces an URI with a null host.
Also Chrome want open the url at it is.
Is the url created wrong from the backend or is the parsing of the url wrong in java.net.URI?
What can I do to work with urls like that?
As described in the comments. The url is not valid and therefore not parsed from java.net.URI.
Related
I need to use the "Range" header to continue downloading a partially downloaded file with my android app.
conn.setRequestProperty("Range", "bytes=" + this.downloadedBytes + "-");
And when I log it to logcat I see only what I've
conn.getRequestProperties().toString()
{Range=[bytes=3129-]}
My server is responding with a HTTP 416, range cannot be satisfied. I see this response in the apache access log. I get an IOException (java.io.FileNotFoundException), which is my guess as to how it deals with a 416, just like it would a 404. And that is a totally normal response, except that curl works perfectly to that same file!
curl -I --header "Range: bytes=3129-` ...
I get the expected HTTP 200 response:
Last-Modified: Fri, 27 Mar 2015 15:26:59 GMT
Accept-Ranges: bytes
Content-Length: 1915
Cache-Control: max-age=0
Expires: Fri, 27 Mar 2015 19:17:33 GMT
Vary: Accept-Encoding
Content-Range: bytes 3129-5043/5044
Content-Type: text/html
What am I missing on the android/java side here? What about the request is making apache serve back a 416 when curl works just fine?
I'm trying to access a site/servlet with a required authentication, which pops-up a window and ask for username and password. However when I try to access it through my "proxy servlet" I can't get the pop-up working although the client side gets this kind of HTTP response:
Cache-Control private
Content-Length 2429
Content-Type text/html;charset=ISO-8859-1
Date Mon, 02 Apr 2012 09:52:44 GMT
Expires Thu, 01 Jan 1970 07:30:00 SGT
Server Apache-Coyote/1.1
Set-Cookie JSESSIONID=039823E2FAB18C59C9B351F2C6B1909E; Path=/manager/; HttpOnly
WWW-Authenticate Basic realm="Tomcat Manager Application"
Isn't it when client (browser) gets response like this with WWW-Authenticate it will show a popup?
Browser should receive status code 401 (as in this basic authentication example) to present the pop-up window to the user. It won't work with 200 or any other status code in spite of WWW-Authenticate header.
If I run a webapp under the uri /myapp then as soon as the app is accessed via http://example.com/myapp, the URL changes to http://example.com/myapp/. Is there any way to prevent this?
When you have such a behaviour your web (or application) server returns a
301 Moved Permanently
when the URL without slash is requested.
You can see a similar example when getting http://www.google.es/services
HTTP/1.1 301 Moved Permanently
Location: http://www.google.es/services/
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 11 May 2011 15:24:06 GMT
Expires: Fri, 10 Jun 2011 15:24:06 GMT
Cache-Control: public, max-age=2592000
Server: sffe
Content-Length: 227
X-XSS-Protection: 1; mode=block
After this first HTTP get to http://www.google.es/services
(without slash), the browser makes a second HTTP get to http://www.google.es/services/ (with slash). You can trace the HTTP requests with Network tab in Firebug, for example.
You can check your web/application server configuration, and maybe you can change this behaviour.
I have java application running under tomcat which is fronted by apache webserver.
In my code I set cookie domain as
.example.com
but still my cookies shows up under www.example.com instead of under example.com in the client browser. What is so strange google analytics cookies shows up under example.com but my own code cannot store cookies under example.com?
Apache server is setup such that requests for example.com shows up as www.example.com in the client browser address bar if that is related to the issue ? I do need this otherwise different session id are generated for example.com and www.example.com which is bad for my applicaton.
Apache server is setup such that
requests for example.com shows up as
www.example.com in the client browser
address bar if that is related to the
issue ?
I am not 100% sure, but this looks like the root of the problem. How does Apache make the client browser to display www.example.com instead of example.com? Most probably, by redirecting each request for example.com to www.example.com. When the browser processes redirection, it sends a request for www.example.com and from that point on thinks that it is working with www.example.com.
Now, what happens when there is a Set-Cookie in the response header? It will obviously treat it as coming from www.example.com. There is no way a browser would allow such cookie to set its domain to .example.com because it would be a security problem. Imagine that mysite.somefreehosting.com sets a cookie for the domain .somefreehosting.com. Then someothersite.somefreehosting.com would receive this cookie which may lead to a lot of trouble. The standard specifies that such cookie should be rejected, but I wouldn't be surprised if some browsers are smart enough to handle such cases and to treat .example.com as www.example.com.
To be sure, I recommend that you check what exactly your site sends to the browser by sending a request with something like lwp-request script. You'll see what redirections are happening and what headers are actually set in the response, like this:
alqualos#ubuntu:~$ lwp-request -sSed http://google.com/
GET http://google.com/ --> 301 Moved Permanently
GET http://www.google.com/ --> 302 Found
GET http://www.google.co.il/ --> 200 OK
Cache-Control: private, max-age=0
Connection: close
Date: Sat, 18 Dec 2010 18:54:57 GMT
Server: gws
Content-Type: text/html; charset=windows-1255
Content-Type: text/html; charset=windows-1255
Expires: -1
Client-Date: Sat, 18 Dec 2010 18:54:57 GMT
Client-Peer: 173.194.37.104:80
Client-Response-Num: 1
Set-Cookie: PREF=ID=368e9cfd56643257:FF=0:TM=1292698497:LM=1292698497:S=s-Jur84NgaNH5Mzx;
expires=Mon, 17-Dec-2012 18:54:57 GMT; path=/; domain=.google.co.il
Set-Cookie: NID=42=bZ6goDV_b2MiWlTMONwiijaON5U_TBGB2_yNheonEwA1GVLU77EhyfUhk9Wvj70xTFrpvGy4s_aBp1UZtvRRnsnYjacjz_UVx0_iSr9R3nYXMyRtwkS5qV98_Egb16pZ;
expires=Sun, 19-Jun-2011 18:54:57 GMT; path=/; domain=.google.co.il; HttpOnly
Title: Google
X-XSS-Protection: 1; mode=block
I want to fetch a web page from a ASP.NET site that is only accessible from within a session. I'm using Apache HttpClient. I first open the main page of the site, then I search for the link to the "goal" page, and then I fire up a GET request for the "goal" page. The problem is that when I get the response for the second GET request, I always get the same (first) page. If I open the site with Firefox or Google Chrome I get the "goal" page.
From the first response from the server I get the following headers:
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 19:03:56 GMT
Server: Microsoft-IIS/6.0
Platform: Mobitel Pla.NET
Node: 4
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=0vpgd055cifko3mnw4nkuimz; path=/
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Content-Length: 7032
I inspected the traffic with WireShark and all headers look OK. I send the correct cookie back to the server on the second GET request.
I'm using Apache HttpClient. I have only one instance of DefaultHttpClient and I reuse that for the second request. I have BROWSER_COMPATIBILITY Cookie Policy.
Any ideas?
You need send back this header from the client (send back the cookie you received) in all your further requests:
Cookie: ASP.NET_SessionId=0vpgd055cifko3mnw4nkuimz; // and all other cookies
That should do the trick
I found my stupid mistake.
The mistake was that I was sending the second GET request to a link, without replacing the ampersand character codes.
Ex:
/(0vpgd055cifko3mnw4nkuimz)/Mp.aspx?ni=1482&pi=72&_72_url=925b9749-b7c7-4615-9f1a-9b613c344c82
That is wrong, because I send & instead of &
The RIGHT way to do it is:
/(0vpgd055cifko3mnw4nkuimz)/Mp.aspx?ni=1482&pi=72&_72_url=925b9749-b7c7-4615-9f1a-9b613c344c82