Java Servlet/JSP Cookie Disconnect - java

I'm having a strange issue with cookie visibility between an authentication servlet and our actual JSP. We're using a servlet to authenticate that the user is a valid user, and if they are, we go ahead and add a cookie to the HttpServletResponse with their referer URL (this is so that integrations can be redirected to their own login page on logout). Logout operations go through the same servlet, the cookie is retrieved, and the user is directed back to the stored cookie URL. This all works.
However, within my site, if I print out the cookies pulled through pageContext.getRequest().getCookies() [or through Firebug's console] I do not find the cookie I stored at all. There's literally no trace of it. Yet, when you click the logout link and are directed back to the authentication servlet, the cookie is found and the redirect followed accordingly.
The thing is, I need to handle timeout operations in the same way as logouts, but the timeout check is external to the servlet, in a JSP tag. Since the timeout can't find the cookie, it's just using the standard timeout page, which the integrating customer wouldn't want to see.
Any ideas what's going on here?
[ANSWER]
It turned out to be a path issue. I know I didn't paste any code, but I was creating the cookie without setting a path, so the cookie was only visible within the servlet directory. Once I set a path of "/" the cookie was visible throughout the site.
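The fix described above, written out as an added example (not the poster's code): the cookie is created with path "/" so the logout servlet and the timeout tag see the same cookie, and the stored referer is checked against an allow-list before it is used as a redirect target. The cookie name and the allow-list prefix are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Optional;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the original post. Cookie name and the
// allow-list in isAllowed() are assumptions for illustration.
public final class ReturnUrlCookie {
    static final String NAME = "returnUrl";

    // Called from the authentication servlet after a successful login.
    static void store(HttpServletRequest req, HttpServletResponse resp, String referer) {
        Cookie c = new Cookie(NAME, referer);
        c.setPath("/");               // without this the cookie is scoped to the servlet's directory
        c.setHttpOnly(true);          // Servlet 3.0+: not readable from page scripts
        c.setSecure(req.isSecure());  // only sent over TLS when it was issued over TLS
        resp.addCookie(c);
    }

    // Called from the logout servlet or the timeout tag: identical lookup in both places.
    static Optional<String> load(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();  // null when the request carries no Cookie header
        if (cookies == null) return Optional.empty();
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) return Optional.ofNullable(c.getValue());
        }
        return Optional.empty();
    }

    // Redirect target comes from the cookie; fall back to the default page when it is absent
    // or not on the allow-list.
    static void redirectAfterLogout(HttpServletRequest req, HttpServletResponse resp, String fallback)
            throws IOException {
        String target = load(req).filter(ReturnUrlCookie::isAllowed).orElse(fallback);
        resp.sendRedirect(target);
    }

    // A referer is client-supplied input, so only redirect to destinations you expect.
    // The prefix here is an assumption; use the integration partners' real login URLs.
    static boolean isAllowed(String url) {
        return url.startsWith("https://partner.example.com/");
    }
}
```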

When you say "within my site", does that mean that your site is deployed on a different (sub)domain? Cookies by default are only visible to the host they were set from, meaning a cookie that was set from "www.example.com" will not be visible to "other.example.com". You can get around that by explicitly specifying the cookie domain to be common to both (e.g. "example.com").

How are you doing this redirect?
RequestDispatcher's forward method takes request and response objects, presumably the ones you were already working with. This means that the request object is the same HttpServletRequest object that you were dealing with in the Servlet.

Related

session lost while redirecting the jsp page using Java servlet filter

While using response.sendRedirect the session lost its value under the https protocol; how do I resolve this issue in Java?
Your recent edit does not help more than the original post.
More than one cause could produce this problem. One possibility is a session-tracking issue: if tracking is by cookie (the default), check the cookies once you log in.
Another would be the session cookie configuration; check the cookie path and domain attributes.
Also note that in a filter, or generally anywhere you either redirect or forward a request, you cannot do anything further with the request and must consider it done; best practice is to return from the method right after the redirect or forward.

Pre-login session id?

I have a simple webapp on Tomcat with form authentication, and notice that there is a "pre-login" JSESSIONID that's being set whenever a user just goes to the login page, before any login attempt even occurs.
Is this default behavior in Tomcat? Why does Tomcat generate a JSESSIONID just for loading a login page? Shouldn't it generate session IDs only after an actual login? (Not because someone just loads the login page!)
Note: I should mention that my entire webapp (login page and all) is hosted over https; no part of it is exposed via http. Also I am not using JSP. After login, Tomcat generates a second JSESSIONID, different from the first. And that's the one the user uses for the remainder of their session.
But why does it set a "pre-login" JSESSIONID in the first place?
If you use Tomcat's means of form auth, it has to store the initial request somewhere to perform the stateless redirect for the auth. After that, it re-evaluates the request. The SavedRequest is saved in the session. You should disable the changeSessionIdOnAuthentication flag.

session management without cookies

I'm trying to scrape data off a website using URLConnection. Need to track my login and session, but the website has apparently denied cookies.
I cannot see cookies from that website. What are the alternatives they could've used to save their session? I see URL re-writing could be one option.
How can I track my login/session in that website?
encodeURL(): use it to ensure session management is handled properly. It takes a URL in, and if the user has cookies turned off, it attaches the jsessionid to the URL in the proper format to be recognized as the session identifier.
When to use it? Every time you have a link, form action, sendRedirect or other URL that goes to the client and your application requires maintenance of a server-side session. You do not need it for server-side forwards and includes.
Storing the session ID in hidden fields is another option. Check out this tutorial.

ADF-based application with Tomcat: cannot login in IE

I'm supporting a project built using ADF (with JDeveloper 11.1.2.2.0) and deployed to Tomcat 7.0.28.
There was an issue with the JSessionID:
It should be different before logging in and after. To solve this, in my method validate() (which is executed when the user submits the login form) I do the following:

    import javax.faces.context.ExternalContext;
    import javax.faces.context.FacesContext;
    import javax.servlet.http.HttpSession;

    // inside validate(), which runs when the user submits the login form
    ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
    HttpSession session = (HttpSession) ec.getSession(false);
    session.invalidate();                          // drop the pre-login session and its JSESSIONID
    session = (HttpSession) ec.getSession(true);   // start a fresh session with a new JSESSIONID
    // setting some special session attributes
    ec.redirect("nextPage");
When I arrive at nextPage I can get the session with the special attributes set above and go further. Everything works well when I log in from Firefox or Chrome.
But when I log in using IE 8.0 and get redirected to nextPage, my code gets a session without those special attributes and throws me back to the login page.
Using Wireshark I've realized that when Firefox logs in it sends a POST request with user input (username/password), receives an answer with a new JSessionID in the Set-Cookie header, sends another request with Adf-Window-id and receives an answer, after which it is redirected to nextPage.
But for IE the flow is different: on log-in IE sends two POST requests in a row (the first with user input, the second with Adf-Window-id) and after that receives two answers, each with a different JSessionID. It stores the last one and gets redirected to nextPage. Obviously, the last JSessionID does not belong to the session where I've set my special attributes.
I've already spent a few days trying to solve this problem by digging through configs and Google, with no success. All I can see is that IE sometimes can log in as expected (in this case the two answers mentioned above are received in reverse order), but it happens seldom.
Maybe you have faced the same problem and solved it? Or maybe I'm doing/expecting something wrong?
Actually, what you do cannot work. When you perform Java EE container-managed authentication, you authenticate the user session. If you invalidate the session then the user authentication is gone as well. The only way this can work is if you use Basic Authentication, in which case the browser sends the user's credentials with each request.
Oracle WLS has a proprietary method for this that allows renewing the session ID without invalidating it. Something similar seems to exist for Tomcat, see here: http://www.koelnerwasser.de/?p=11
I've solved the problem described by implementing my own servlet.
After a successful logon the necessary session attributes are set and the session is not invalidated. Then the user gets redirected into the context of my own servlet, which saves all session attributes, invalidates the session, creates a new one and restores the old attributes. After that, this servlet redirects the user further, to where he should go after logon. Of course, there are some tricks for security.
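The save/invalidate/recreate/restore servlet described in the answer above, as an added example (not the answerer's own servlet). It assumes application-managed login (the login code itself sets the session attributes), since, as noted earlier in this thread, invalidating the session drops a container-managed authentication; the servlet mapping and the redirect target are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not the answerer's code. Redirect target and mapping are assumptions.
public class SessionRotateServlet extends HttpServlet {
    private static final String NEXT_PAGE = "/nextPage";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession old = req.getSession(false);
        if (old == null) {  // nothing to rotate: the login never created a session
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        // 1. Copy every attribute out of the session that the login code populated.
        Map<String, Object> saved = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }
        // 2. Invalidate it, so the pre-login JSESSIONID can no longer be used.
        old.invalidate();
        // 3. Create a fresh session (a new JSESSIONID goes out in Set-Cookie) and restore.
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        // 4. Redirect onward and return at once: the response is committed after this.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + NEXT_PAGE));
    }
}
```

On a Servlet 3.1+ container, HttpServletRequest.changeSessionId() renews the ID in place and makes the copy-and-restore steps unnecessary; Tomcat's changeSessionIdOnAuthentication setting does the same for container-managed logins.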

How do I keep Struts2 from appending jsessionid to the URL (on redirects)?

I want to keep the jsessionid parameter out of the URLs generated by Struts, but can't seem to find a configuration parameter or similar. To be honest, I don't even know exactly at which level this is handled.
Specifically, Struts (or the servlet engine) puts a session ID in the URL when it's redirecting with a 302 and the session has not been established before (i.e. the redirect is in response to a request that sent no Cookie header). The response also contains a Set-Cookie header.
Generally, I just don't want the session id in the URL, ever. No cookies, no session.
You can try to check what your servlet container offers to solve this problem. Alternatively you can write a filter to get rid of the jsessionid. Have a look here for details: http://seamframework.org/Documentation/RemovingJSESSIONIDFromYourURLsAndFixingScache
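The filter approach mentioned in the answer above, as an added example (not code from the linked Seam page or from Struts): the response is wrapped so that every encodeURL/encodeRedirectURL call, which is where ";jsessionid=" would otherwise be appended, returns the URL unchanged. Mapping the filter to "/*" in web.xml is assumed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example, not from the linked Seam page or from Struts.
// Assumes a "/*" filter mapping so every response passes through it.
public class NoJsessionIdFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (!(resp instanceof HttpServletResponse)) {
            chain.doFilter(req, resp);
            return;
        }
        // Struts' redirect result and any servlet code that builds a link go through these
        // methods; returning the input unchanged means the session ID never lands in a URL.
        // The session itself still works for clients that accept the Set-Cookie header.
        HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) resp) {
            @Override public String encodeURL(String url)         { return url; }
            @Override public String encodeRedirectURL(String url) { return url; }
            @Override public String encodeUrl(String url)         { return url; }  // deprecated names,
            @Override public String encodeRedirectUrl(String url) { return url; }  // still called by old code
        };
        chain.doFilter(req, wrapped);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

On a Servlet 3.0+ container the same result is available without code: <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml restricts session tracking to cookies, so URL rewriting is never attempted.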
