session management without cookies - java

I'm trying to scrape data off a website using URLConnection. Need to track my login and session, but the website has apparently denied cookies.
I cannot see cookies from that website. What are the alternatives they could've used to save their session? I see URL re-writing could be one option.
How can I track my login/session in that website?

encodeURL(): Use it to ensure session management is handled properly. It takes a URL in, and if the user has cookies turned off, it attaches the jsessionid to the URL in the proper format to be recognized as the session identifier.
When to use it? Every time you have a link, form action, sendRedirect or other URL that goes to the client and your application requires maintenance of a server-side session. You do not need it for server-side forwards and includes.
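The answer above covers the server side. Seen from the scraper's side (the situation in the question), the rewritten form a servlet container produces is `/path;jsessionid=ID?query`: the id is a path parameter, placed before any query string. The following is an added example, not part of the answer: a small Java client that pulls the id out of a rewritten page and puts it back into the next request URL in the same format. It assumes the target is a standard servlet container; the `fetch` helper and the sample HTML are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SessionIdScraper {
    // Containers rewrite links as /path;jsessionid=<id>?query when they cannot rely
    // on cookies. The id runs up to the next '?', quote, '<', '&' or whitespace.
    private static final Pattern REWRITTEN_ID =
        Pattern.compile("(?i);jsessionid=([^?\"'<>&\\s]+)");

    /** First session id found in rewritten links or a Location header, or null. */
    public static String extractSessionId(String text) {
        Matcher m = REWRITTEN_ID.matcher(text);
        return m.find() ? m.group(1) : null;
    }

    /** Insert the id as a path parameter before the query string, as encodeURL() does. */
    public static String withSessionId(String url, String sessionId) {
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q);
        String query = q < 0 ? "" : url.substring(q);
        return path + ";jsessionid=" + sessionId + query;
    }

    /** GET a URL and return any Location header plus the body (illustrative helper). */
    public static String fetch(String url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setInstanceFollowRedirects(false);   // keep a 302 Location; it may carry the id
        StringBuilder out = new StringBuilder();
        String location = conn.getHeaderField("Location");
        if (location != null) out.append(location).append('\n');
        try (InputStream in = conn.getResponseCode() < 400 ? conn.getInputStream()
                                                            : conn.getErrorStream()) {
            if (in != null) out.append(new String(in.readAllBytes(), StandardCharsets.UTF_8));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of a rewritten login response, not captured from a real site
        String sample = "<a href=\"/app/account;jsessionid=ABC123DEF456?tab=1\">Account</a>";
        String id = extractSessionId(sample);
        System.out.println("session id: " + id);
        System.out.println("next request: " + withSessionId("/app/data?page=2", id));
    }
}
```

Because the id travels in the URL, every place such a URL ends up (your own logs, a Referer header sent to a third-party site, a pasted link) exposes the session; treat the scraped URLs as credentials.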

Storing the Session ID in hidden fields is another option. Check out this tutorial

Related

How do I obtain the browser's previous page Url that redirected me to my application

I require the URL of the previous page from which the user is redirected to my application.
I tried using request.getAttribute("javax.servlet.forward.request_uri"), but it returns null.
The user is required to bypass a login page before he enters my application.
Also, request.getHeader("Referer") is blocked by firewalls.
Please suggest a way to obtain the previous page URL for statistics of my application.
Thanks in advance.
You need to maintain the state of the user by using session tracking, as we are using the HTTP protocol. You can use cookies, hidden form fields, URL rewriting or HttpSession.
I think this will help. You can also share your code to get a better idea... Thanks

How to verify a wordpress user at a servlet?

I'd like to embed an ajax application into a wordpress site. The ajax application will communicate with servlets running on tomcat. Now the servlets need a way to verify if a request originates from a user that is logged in to wordpress. How does this commonly get solved?
AFAIK, wordpress is stateless and does not use sessions, which makes me curious how a logged in user in wordpress can be tracked.
The second problem is, how can a servlet request wordpress to verify if a given user is still logged in?
Any advice is welcome,
Thank you.
The only thing that you can do is read the cookies. And that will work only if you are using the same domain (or subdomain and the cookies are valid for all subdomains). The session cookie might not give you sufficient information, however. You can't read a PHP session from a Java app, and generally, you can't mix two applications that way.
As a little workaround, you can check with JavaScript who the currently logged-in user is (by finding the username in the DOM), and send that with Ajax, but that is not secure at all.

SWF Flash Uploader invalidates JSESSIONID. Any idea to restore Session from server side or client side?

I am using SWF Uploader to upload files. I am using Java on the server side.
Flash is invalidating the Java session automatically. The SWF team hasn't found any fix so far.
After some searches, I have found this link, which discusses an idea to handle this problem in ASP.
In basic PHP we pass the session id as a POST parameter and manually restore the session.
In ASP.Net we also post the session id and use a Global.asax to catch the values
before the session is restored and dynamically add the right cookies.
Like that, do we have any option to restore the session in Java?
I have also gone through this StackOverflow post. But I am not able to understand what they are saying exactly. Maybe it's because I am not sound enough in Java sessions.
Especially this line: upload_url: "Controller?action=33&JSESSIONID=<%=request.getSession().getId()%>". What is he achieving with that line? What are Controller and action=33?
Any suggestions for restoring the session from the client side or server side would be much appreciated!!
Thanks!
If I read the linked SO question correctly, the problem is not invalidation of the session id, but the way the server treats the Flash object: it is considered an additional client, not part of the rest of the browser window. Therefore, 2 separate sessions are created, causing the id to be different or null upon upload.
The solution is to manually look up the correct session id, or force the server to assign the correct id to a new session. This is done by forwarding the jsessionid to Flash as a variable, and later adding it as a GET parameter to the HTTP upload request, so it can be retrieved on the server and you can use it to look up the correct session.
In the example, the author uses Controller as the name of the servlet, and action=33 is probably used to invoke some method on it. This is specific to this particular application, but not important for your solution.
What matters to you is the end of the string: &jsessionid=<%=request.getSession().getId()%>
This JSP code essentially adds the java session id to a variable containing the upload request URL. You can do this in plain Java or any other language that has access to the correct session id - what matters is that it is transmitted to the Flash plugin first, then added to the upload request, then sent back to the server again, and then used to find or create the correct session id to process the upload with.
This is the code the author used to create a new session cookie:
if (request.getParameter("JSESSIONID") != null) {
    // Posted as-is: whatever value arrived in the JSESSIONID parameter is sent back
    // to the client as a JSESSIONID cookie (needs import javax.servlet.http.Cookie)
    Cookie userCookie = new Cookie("JSESSIONID", request.getParameter("JSESSIONID"));
    response.addCookie(userCookie);
}
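The snippet above copies whatever value the client sends in the JSESSIONID parameter straight into a cookie, so the client (or anyone who can make the client use a prepared URL) chooses the session id rather than the server. The servlet container already understands a session id placed in the URL as a path parameter (`/upload;jsessionid=ID`), which is exactly what `encodeURL()` produces, so the upload URL handed to Flash can use that form and the container resolves the existing session on its own with no cookie juggling. The following is an added example, not from the linked post: it builds the upload URL that way and adds a filter that only tolerates URL-borne session ids on the upload endpoint and only for sessions that already exist. It uses the javax.servlet API (Servlet 3.0); the "/upload" path, the filter mapping and the "action=upload" parameter are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: give the Flash uploader a URL in the container's own
 * ";jsessionid=" path-parameter form and confine URL-borne ids to that endpoint.
 * Assumes a servlet mapped to /upload inside the web application.
 */
@WebFilter("/*")
public class UploadSessionFilter implements Filter {
    private static final String UPLOAD_PATH = "/upload";

    /** URL to embed in the SWFUpload config: context/upload;jsessionid=ID?action=upload */
    public static String uploadUrl(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        return request.getContextPath() + UPLOAD_PATH
             + ";jsessionid=" + session.getId()
             + "?action=upload";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isRequestedSessionIdFromURL()) {
            // Only the upload endpoint may carry its session id in the URL; anywhere else a
            // URL-borne id is either a leaked link or an attempt to plant a chosen id.
            // getServletPath() excludes the ;jsessionid path parameter, getRequestURI() may not.
            if (!UPLOAD_PATH.equals(request.getServletPath())) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                                   "session id in URL not accepted here");
                return;
            }
            // The id must name a session the server itself created; an unknown id is not
            // turned into a new session, unlike the posted cookie-copying snippet.
            if (!request.isRequestedSessionIdValid()) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "upload session expired");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The JSP that renders the uploader then uses `upload_url: "<%= UploadSessionFilter.uploadUrl(request) %>"` instead of the query-parameter form. The id is still visible in the server's access log for the upload request, so keep that endpoint's logging in mind; and if the application forces cookie-only session tracking (see the last question on this page), the container will ignore the path parameter and this approach stops working.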

GWT RPC Cookie authentication

I'm using gwt on my glassfish server, and I'm attempting to make some of my RPC calls authenticated via cookies. Is this possible? Are there any examples out there of how to code it?
Depending only on the cookie for authentication will make your website/services vulnerable to Cross-Site Request Forgery (XSRF/CSRF) attacks - read more on that in Security for GWT Applications.
The best way would be to double-check the value you get from the cookie against one that's been transported to the server by some other means - as part of the request (a header, a custom field, etc.).
Other than that, there are many tutorials covering the subject - just search for Java (servlet) authentication - it doesn't have to be GWT-specific. The Google Web Toolkit Group also has many threads about the subject.
I assume that you use GWT's RPC servlet for handling requests made by the client.
One option that comes to my mind is to write and configure a ServletFilter which can examine the cookie, before the request reaches GWT's servlet.
You might rethink using cookies, as they are a potential security hole.
Why not put your communication over HTTPS?
Can you not just use the standard 'session' scope, i.e.
request.getSession()
A pattern I use in GWT apps is to have a separate 'old fashioned' login form which sets up the session. The GWT app's host page is then displayed after they have successfully logged in.
If the necessary values aren't in the session, then the user isn't logged in. Your service should return an exception, maybe, which instructs the GWT app to redirect to the login page, or display an error.
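The answers above suggest three pieces: a ServletFilter in front of GWT's RPC servlet, a session set up by an ordinary login form, and a second value besides the cookie that the client has to present so that a cross-site POST cannot ride on the cookie alone. The following is an added example, not code from any of the answers or from GWT: a filter that refuses RPC calls without a logged-in session and without a per-session token repeated in a request header, plus the login-side helper that creates that session. The javax.servlet API is assumed; the attribute names, the header name and the "/app/rpc/*" mapping are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: cookie-backed session plus an anti-CSRF token for GWT RPC calls.
 * Mapping and names are assumptions, not GWT's own.
 */
@WebFilter("/app/rpc/*")
public class RpcAuthFilter implements Filter {
    static final String USER_ATTR = "user";
    static final String TOKEN_ATTR = "csrfToken";
    static final String TOKEN_HEADER = "X-CSRF-Token";
    private static final SecureRandom RNG = new SecureRandom();

    /** Called by the login form's servlet once the password check has succeeded. */
    public static String establishSession(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();      // never keep a pre-login session id
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTR, username);
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;   // embed in the GWT host page; the client repeats it in TOKEN_HEADER
    }

    /** Constant-time comparison so the check does not leak how much of the token matched. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);   // do not create one for RPC
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not logged in");
            return;
        }
        // The browser attaches the session cookie to a POST from any origin; a custom
        // header it only adds when the page's own script asks for it.
        String presented = request.getHeader(TOKEN_HEADER);
        if (!tokenMatches((String) session.getAttribute(TOKEN_ATTR), presented)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or wrong CSRF token");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

On the GWT side the token has to be added to every RPC request as that header (GWT's RpcRequestBuilder can be subclassed for this); an RPC that comes back with 401 is the signal for the app to redirect to the login page, as the last answer describes.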

Best option for Session management in Java

What is the best way of managing sessions in Java? I heard that cookies are not a reliable option for this as they get stored in the browser and can be accessed later on. Is this correct? If possible, please come up with answers with a coding example.
Which is the best among:
URL Rewriting: Server will add an additional parameter at the end of URL link
Hidden parameter in Form: server will add an additional parameter at every form in HTML
cookie: Server will ask browser to maintain a cookie.
The session management (client identification, cookie handling, saving session scoped data and so on) is basically already done by the appserver itself. You don't need to worry about it at all. You can just set/get Java objects in the session by HttpSession#setAttribute() and #getAttribute(). The only thing you really need to take care of is the URL rewriting for the case that the client doesn't support cookies. It will then append a jsessionid identifier to the URL. In the JSP you can use JSTL's c:url for this. In the Servlet you can use HttpServletResponse#encodeURL() for this. This way the server can identify the client by reading the new request URL.
Your new question will probably be "But how are cookies related to this? How does the server do it all?". Well, the answer is this: if the server receives a request from a client and the server side code (your code) is trying to get the HttpSession by HttpServletRequest#getSession() while none has been created yet (first request in a fresh session), the server will create a new one itself. The server will generate a long, unique and hard-to-guess ID (the one which you can get by HttpSession#getId()) and set this ID as the value of a cookie with the name jsessionid. Under the hood the server uses HttpServletResponse#addCookie() for this. Finally the server will store all sessions in some kind of Map with the session ID as key and the HttpSession as value.
According to the HTTP cookie spec the client is required to send the same cookies back in the headers of subsequent requests. Under the hood the server will search for the jsessionid cookie by HttpServletRequest#getCookies() and determine its value. This way the server is able to obtain the associated HttpSession and give it back on every call to HttpServletRequest#getSession().
To the point: the only thing which is stored on the client side is the session ID (in the form of a cookie) and the HttpSession object (including all of its attributes) is stored on the server side (in Java's memory). You don't need to worry about session management yourself and you also don't need to worry about the security.
See also:
Authenticating the username, password by using filters in Java (contacting with database)
How to redirect to Login page when Session is expired in Java web application?
How to implement "Stay Logged In" when user login in to the web application
All Java web frameworks support cookies or URL-encoded session IDs. They will choose the correct approach automatically, so there is nothing you need to do. Just request the session object from your container and it will handle the details.
[EDIT] There are two options: cookies and a special URL. There are problems with both approaches. For example, if you encode the session in a URL, people can try to pass the session on (by putting the URL into a mail, for example). If you want to understand this, read a couple of articles about security and how app servers are built. Otherwise: your Java app server will do the right thing for you. Don't think about it.
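The "session in a URL can be mailed on" problem this answer mentions is something the application can switch off rather than merely keep in mind: since Servlet 3.0 the container can be told to track sessions by cookie only, and to mark the session cookie HttpOnly and Secure. The following is an added example, not part of the answer; it shows the programmatic form of those settings in a context listener (the same settings exist in web.xml under session-config), using the javax.servlet API. The class name is an assumption.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Added example: refuse URL-borne session ids and harden the session cookie.
 * These calls are only legal while the context is being initialised.
 */
@WebListener
public class SessionHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Cookie only: encodeURL() no longer appends ;jsessionid=, and an id presented in a
        // request URL is ignored, so a mailed or logged link cannot carry a session.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);  // not readable from script, limits theft through XSS
        cookie.setSecure(true);    // sent over HTTPS only; the site must be served over TLS
        cookie.setMaxAge(-1);      // browser-session cookie, discarded when the browser closes
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {}
}
```

The trade-off is the one the question lists: clients with cookies disabled get a fresh session on every request, so the application must either accept that or keep URL tracking enabled and restrict where URL-borne ids are honoured.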
The cookie just stores the session ID, this ID is useless once the session has expired.
The Servlet specification defines the API for accessing/setting session data in a standard J2EE application. It also defines that session data is stored on the server side and nothing is transferred to the client except the session identifier. There are 2 mechanisms by which the session id is transferred:
1) request URL e.g. jsessionid=....
2) cookie
The mechanism is determined automatically based on client capabilities.
EDIT. There is no best option; there is a servlet specification that defines the way.
HTTP is a stateless, client-side pull-only protocol.
To implement a stateful conversation over it, a Java EE web server needs to hide some information (the session id) on the client side, and the mechanism it uses should follow the HTTP and HTML specs.
There are three ways to accomplish this goal:
URL Rewriting: Server will add an additional parameter at the end of URL link.
Hidden parameter in Form: server will add an additional parameter at every form in HTML.
cookie: Server will ask browser to maintain a cookie.
Basically, a modern web server will have a "filter" to choose which way to use automatically.
So if the server detects that the browser has turned off cookie support, it will switch to the other ways.
2 important questions:
Which web technology are you using? JSF, Struts, Spring MVC or just plain servlets/JSPs?
Servlets/JSPs already give you the session support you need. JSP example: Hello, <%= session.getAttribute( "theName" ) %>
I really don't think you have anything to worry about with cookies, since the data is stored safely on the server and handling the cookie is done automatically.
Is your application installed on a single server?
If YES, then you have no problem; use the servlet session option.
If NO, then you have to find another way to do this, like using sticky sessions, or maybe passing the entire session object in the requests/responses as a field. This option indeed requires you to take security measures.
