I am using session id to store files uploaded by a particular user and when user clicks on a button, these files get downloaded. However, there is a problem that I am facing. When I am creating the file, the session id which comes in is different than any other request within same session by same user. Which results in two different session ids and due to which user faces problem in downloading that file. Same thing works file in IE. This happens only in Firefox. Jaxb is used for web services and flex for GUI. Can someone help determining what is going wrong here and in which layer?
The problem may occur based on the fact that file-upload (and maybe download, too) in ActionScript will generate a separate session with its own lifecycle. I faced this problem in one of my Flex-based applications where I used PHP for the backend.
The problem was that a user had to have the ability to upload media files but only when he is logged in to the application. When starting a new file upload ActionScript will process the upload under a separate session with its own session ID. I figured it out only because the user has been redirected back to the login-screen when the upload started due to conflicting sessions for user and file upload.
You should consult the API documentation of ActionScript's FileReference class to get a starting point what exactly will happen during file upload/download.
The problem that you have that issue only in Firefox can be originating from your Flash Player version installed for Firefox. Maybe there are some bugs or other issues which are browser-specific.
Related
I have been testing a web application with Spring MVC, and I'm currently developing a editor page for accounts. This JSP page is able to edit one or more accounts, serving for different purposes. For example, a common user can edit account data on this page. On the other hand, administrator users can edit multiple accounts on this page. In terms of logic (for me), the edition of multiple accounts to an administrator user works like this:
The user selects a list of accounts.
The list reaches the controller.
The controller stores the list of accounts.
The controller directs the user to the edit page.
The user fills out the editing form.
The form is sent to the controller.
The controller retrieves the list of accounts previously saved.
Editing form data is reflected in the list of records.
The list is deleted from storage.
My problem appears when the user does not perform step 5, and decides to do something else. Without the removal of the list from storage, the server will suffer from memory leak. It would be very important to detect the user's exit, which would cause the system to remove the list automatically.
I'm choosing to save the list of accounts to be edited on the server side to prevent it from being saved on the user side, where the user could well tamper the data.
I might as well use JavaScript to detect when a user leaves a page, but he/she may well turn off Javascript, which results in the same problem. Therefore, this is an impractical solution.
I have not yet developed the implementation of it, so I'm just projecting right now. Can anyone help me with this? Am I doing something wrong?
Is there an error in my logic, or am I leaving something of use?
OBS: I'm using Tomcat 8.0, and Spring MVC 4.1.1, with the Java JDK 8.
That's the whole purpose of session management. Your web server does it for you.
When you use Java EE or any other session technology, the server is supposed to deal with timeouts, cleaning the session objects. This happens based on user idle time. How does the server know users are idle? Because for every request sent by the browser, his session id is sent in a cookie.
Usually, the timeout threshold is a changeable period of time (usually defined at web.xml). This value may need to be tuned, based on the available network/memory resources and expected simultaneous users.
In fact, sessions+cookies are the only flexible and secure way to deal with the stateless nature of HTTP.
There are variations of this, namely, conversation or view scopes, where the user may have a session per tab. But the principle is the same: put stuff in session and get them later by session id (a cookie at client side).
Finally, you should not rely on the browser to do server stuff. This would not be reliable.
Now I have a problem:
user opens web app page, gets javaScript (ModuleName.nocache.js);
Then I update client side (roc requests, view etc).
user didn't close web app tab in browser, didn't update page. He clicks somewhere and gets random explosion. For example, RPC doesn't work, servlets moves anywhere, there is many errors or not.
Now I want to implement scenario:
User must have cookie attribute with web app version.
By request I see it and in response force him to update page (don't know how).
If user's request can't be delivered gwt force him to update page (don't know how).
But I think there must be a best-practice-way to solve this problem.
Catch IncompatibleRemoteServiceExceptions and StatusCodeExceptions in your AsynCallbacks. The first one tells you the client-side code is not compatible with the server-side code; the second can tell you that there no longer is a RPC servlet there (look for a 404 status code).
You can then show a message to the user prompting him to reload the page (this is what Google Groups does for example).
That said, there are some ways to mitigate this if the changes are relatively small: you can keep the old serialization policy files around server-side so the server can process requests from different client versions. The changes have to be somehow backwards compatible though.
You could then detect the client version on the server-side (either using a list of the latest serialization policy files and checking whether the client is using one of them or an older one; or using a request header or cookie) and include something in the response (response header or cookie) telling it there's a new version.
Or you could regularly poll the server (obviously not using RPC though) for the latest version of the app.
Another approach:
If it is empty (if not, go to next step), save the com.google.gwt.core.client.GWT.getPermutationStrongName(); in your LocalStorage or in your Cookies and finish the flow.
When your app loads, get the permutationStrongName again, and check if the saved one is different.
If it is different force to request to the server everything (if you want/need "break" async process you can use GQuery - promises). Then, replace in your LocalStorage or Cookies the new gwt's permutation id.
You can do this always that your app is loaded (is not a big deal). And you can now when the version on your server has changed.
I am developing a java web application using JSF and I will like to find out if it is possible for me to hold (and save) user information in an different location, say a file, and then when the user confirm their email before the date is save to the database.
I don't yet understand certain thing. What I intend to know is if it is possible to use serialization for this problem.
You need to persist the user on the database before it has confirmed its email.
You need to set him a status NOT_CONFIRMED which can be transformed to CONFIRMED.
Until he has confirmed, you should not allow the application login for users which are found, but having an illegal status like NOT_CONFIRMED.
There's no benefit in saving the user data somewhere else for most usecases.
HTML5 proposes the local storage API which permits storing data in the browser of your client. Since the user is not logged, you'll be unable to recognize him from another computer, so it's fair that the data will be available only on the browser he wrote it in.
You can then transfer the data to your server once the user is connected (htis feature is used by Google documents, offline gmail etc...). If you're using GWT, a java API is available to access the native browser API, otherwise, you'll need some js coding
Best Regards,
Zied Hamdi
http://1vu.fr
I am a newbie for this security purpose and php files
I came to know about htaccess when i saw my files and databases are not secure.
I am filling listview in Android application from JsonArray parsing.This JsonArray is coming from Server when a specific URL is clicked on android application
There is a php file on server and there i have echoed the result .
Now the problem is with the data access .When I use that url on PC from browser ,It prints all the data on the browser.
NOw how can I give access to only those user who are using my android application.
I have heard of htaccess file but dont know how to use it and write it
Or is there any other way to secure or get rid of direct accessing from browser
You can use htaccess file but I think there better way.
.htaccess file is fine-tuning ruleset for Apache server. It can reprogram request completely. I use it normally with Static files.
But in your case dynamic php page. Which means you can pass a security session key.
When people login to your app they create session key. SSID This will be alive for some limited amount of time. like 1 hour. And every request required it.
No correct SSID means no data.
I am using SWF Uploader to upload files. I am using java in server side.
Flash is invalidating Java Session automatically. SWF team didn't found any fix till now.
After some searches, i have found this link, which discusses an idea to handle this problem in ASP.
In basic PHP we pass the session id as a POST parameter and manually restore the session.
In ASP.Net we also post the session id and use a Global.asax to catch the values
before the session is restored and dynamically add the right cookies.
Like that do we have any option to restore the session in java?
I also gone through this StackOverFlow post. But i am not able to understand what they are telling exactly. Maybe its because, i am not sound enough in java session.
Especially upload_url: "Controller?action=33&JSESSIONID=<%=request.getSession().getId()%>", this line. What is he achieving with that line. What is Controller & action=33.
Any suggestions of restoring the session from client side or server side would be more appreciative!!
Thanks!
If I read the linked SO question correctly, the problem is not invalidation of the session id, but the way the server treats the flash object: It is considered an additional client, not as part of the rest of the browser window. Therefore, 2 separate sessions are created, causing the id to be different or null upon upload.
The solution is to manually look up the correct session id, or force the server to assign the correct id to a new session. This is done by forwarding the jsessionid to Flash as a variable, and later adding it as a GET parameter to the HTTP upload request, so it can be retrieved on the server and you can use it to look up the correct session.
In the example, the author uses Controller as the name of the servlet, and action=33 is probably used to invoke some method on it. This is specific to this particular application, but not important for your solution.
What matters to you is the end of the string: &jsessionid=<%=request.getSession().getId()%>
This JSP code essentially adds the java session id to a variable containing the upload request URL. You can do this in plain Java or any other language that has access to the correct session id - what matters is that it is transmitted to the Flash plugin first, then added to the upload request, then sent back to the server again, and then used to find or create the correct session id to process the upload with.
This is the code the author used to create a new session cookie:
if (request.getParameter("JSESSIONID")!=null) {
Cookie userCookie = new Cookie("JSESSIONID", request.getParameter("JSESSIONID"));
response.addCookie(userCookie);
}