Read an invalid cookie with Java (jsp)? - java

I have a cookie that is formatted like partA:partB. The colon is not escaped in any fashion. I need to read this cookie in a JSP script, and request.getCookies() is only returning partA. I can't change the cookie because it is used in multiple applications, and fixing the cookie would break production code. Any ideas how I can read the full value of this cookie?

You should be able to read the Cookie header directly using the HttpServletRequest.
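One way to do what this answer suggests, as an added example that is not part of the original answer: parse the raw header string yourself and split each pair on the first "=" only, so a value such as partA:partB survives intact. The cookie name `legacy` and the sample header are constructed; in a JSP the string would come from `request.getHeader("Cookie")`.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class RawCookieHeader {

    /** Splits a raw Cookie header into name/value pairs without validating the value syntax. */
    static Map<String, String> parse(String cookieHeader) {
        Map<String, String> cookies = new LinkedHashMap<>();
        if (cookieHeader == null) {
            return cookies;                      // request carried no Cookie header
        }
        for (String segment : cookieHeader.split(";")) {
            String pair = segment.trim();
            int eq = pair.indexOf('=');          // split on the FIRST '=' only
            if (eq <= 0) {
                continue;                        // empty segment or missing name
            }
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                value = value.substring(1, value.length() - 1);   // drop surrounding quotes
            }
            if (hasControlChars(value)) {
                continue;                        // never pass CR/LF or other control bytes on
            }
            cookies.putIfAbsent(name, value);    // first occurrence of a name wins
        }
        return cookies;
    }

    static boolean hasControlChars(String s) {
        return s.chars().anyMatch(c -> c < 0x20 || c == 0x7F);
    }

    public static void main(String[] args) {
        // Constructed sample; in a JSP the string comes from request.getHeader("Cookie").
        String header = "JSESSIONID=0123456789ABCDEF; legacy=partA:partB; theme=dark";
        Map<String, String> cookies = parse(header);
        System.out.println("legacy = " + cookies.get("legacy"));
        System.out.println("all    = " + cookies);
    }
}
```

A value read this way has not passed through the container's cookie parser, so treat it as untrusted input and check it against the format the applications expect before using it.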

Related

How to know if a cookie is HttpOnly server side

I have an application using Spring Boot where I set an HttpOnly cookie. In the browser I can inspect it and see that it's well set as HttpOnly. With this I avoid the client side from using JavaScript on it.
But, do I have to do anything on the server side when reading the cookie? As far as I understand, I cannot use JavaScript to read the cookie but I can still create a non-HttpOnly cookie with the same name and value as the HttpOnly one just using a browser plugin. On the server side, wouldn't I need to verify the cookie and whether it's HttpOnly?
I've tried doing that by just getting the list of cookies from the request but it seems all of them have the different fields set to a default value. The only fields I can read are the name and the value of the cookie.
Is this the expected behaviour?
This is, indeed, the specified behaviour.
The Set-Cookie Header transmits information like HttpOnly to a client. But a call from the client to the server uses the Cookie header, which only includes cookie names and values (but no further information). Therefore, the server cannot derive this information from the Cookie header alone. It is simply not there.
This is specified in RFC 6265 "HTTP State Management Mechanism" in Section 5.4 "The Cookie Header":
    4. Serialize the cookie-list into a cookie-string by processing each cookie in the cookie-list in order:
        1. Output the cookie's name, the %x3D ("=") character, and the cookie's value.
        2. If there is an unprocessed cookie in the cookie-list, output the characters %x3B and %x20 ("; ").
Since the information is missing, it is often set to a default value.
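The serialization step quoted above, as an added example that is not part of the original answer: two cookies with the same name and value, one HttpOnly and one not, produce the same Cookie request header, which is why the server cannot tell them apart. The cookie name `token` and both Set-Cookie values are constructed.

```java
import java.net.HttpCookie;
import java.util.List;

public class CookieHeaderRoundTrip {

    /** RFC 6265 section 5.4 step 4: name, "=", value, with "; " between cookies. */
    static String toCookieHeader(List<HttpCookie> cookieList) {
        StringBuilder sb = new StringBuilder();
        for (HttpCookie c : cookieList) {
            if (sb.length() > 0) {
                sb.append("; ");
            }
            // Only name and value are written; Path, Secure, HttpOnly etc. stay in the client.
            sb.append(c.getName()).append('=').append(c.getValue());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed Set-Cookie values: same name and value, different attributes.
        List<HttpCookie> setByServer = HttpCookie.parse("token=abc123; Path=/; Secure; HttpOnly");
        List<HttpCookie> setByPlugin = HttpCookie.parse("token=abc123; Path=/");

        // The client-side cookie store knows the difference...
        System.out.println("server cookie HttpOnly: " + setByServer.get(0).isHttpOnly());
        System.out.println("plugin cookie HttpOnly: " + setByPlugin.get(0).isHttpOnly());

        // ...but the request header built from either store entry is the same string.
        String a = toCookieHeader(setByServer);
        String b = toCookieHeader(setByPlugin);
        System.out.println("Cookie: " + a);
        System.out.println("Cookie: " + b);
        System.out.println("identical on the wire: " + a.equals(b));
    }
}
```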

How do I retrieve the jsessionid from URL in JSP?

I know how to pass the jsessionid to the URL. I encode the url, which will look like this:
mysite.com;jsessionid=0123456789ABCDEF (http)
Does there exist a built-in method to retrieve the jsessionid from the URL, using Java? I found this method in the javadocs, isRequestedSessionIdFromURL, but it doesn't help me actually retrieve the value. Do I have to build my own retrieval method?
Thank you.
JSP has an implicit session object, similar to the request object. It is an instance of javax.servlet.http.HttpSession, which has the method getId().
So, you should be able to just do session.getId() in your JSP page.
Cookieless sessions are achieved in Java by appending a string of the format ;jsessionid=SESSION_IDENTIFIER to the end of a URL. To do this, all links emitted by your website need to be passed through either HttpServletRequest.encodeURL(), either directly or through mechanisms such as the JSTL tag. Failure to do this for even a single link can result in your users losing their session forever.
session.getId() should be able to get you the session id. WLS would be doing the actual parsing of the URL to retrieve the session id once it identifies that the session id is not stored in the cookie or in hidden form fields. The sequence usually is Cookie - URL - Hidden Form Fields.

BlazeDS Manually Set Cookie

I'm new to Java. I'm writing an application to link to a vendor's Flash site. I have my BlazeDS-based program talking to their site. I'm running into a problem where a session cookie is not getting set. The problem is that the host doesn't return it as a "set-cookie" header.
Their site returns the following cookieDirectives to set the SMSESSION cookie:
cookieDirectives
Externalized Object
flex.messaging.io.ArrayCollection
[0] String SMSESSION={CONTENT STRIPPED FOR CLARITY}; max-age=-1;path=/; domain=.-----.com
I can set the cookie in my amfConnection as follows:
amfConnection.addHttpRequestHeader("Cookie", resultString);
However, that only gives me the one cookie and there are several others I need. The others have been set earlier by the host and are set using a "Set-Cookie" header.
How can I either add this cookie to the existing ones or recover the existing cookies so I can manually add them?
I was able to resolve this by changing my approach. Instead of relying on my amfConnection to handle the cookies I grab the session id using httpclient, store it in a variable, and then push my cookies to amfConnection.

cookie tutorial problem

http://www.hccp.org/java-net-cookie-how-to.html
According to this link I was trying to create a cookie and send the cookie to enter a cookie site. But it is not working. Is there any problem in that? I have some confusion about the method setRequestProperty of URLConnection. I don't understand what they are trying to send by passing "Cookie". Is it only a string, or a name or value?
urlConn.setRequestProperty("Cookie", myCookie);
"Cookie" in this case is a way to tell the setRequestProperty method that the argument (which is really just a String) should be treated as a cookie.
setRequestProperty may be more useful for many kinds of properties, but addRequestProperty would be more useful for cookies, because you can have multiple cookies per request. The properties are specified in RFC 2068 -- read especially section 14.

parameter of passing cookie

Does a browser pass the cookie name and cookie value separately or both in one string? Does it also pass the domain or not? I want to know what happens in the case of a Java browser.
Cookies are sent as an HTTP header, which is a pair of strings.
What kind of Java browser are you talking about?
If you want to make an HTTP request in Java, I'd suggest you use HTTPClient.
