I have a JSP-Servlet based Web application where I would like to achieve the following scenario.
I need to set the HTTP session alive time programmatically when I am creating the session.
I need to invalidate the session even though the user is actively using the application, which is why the classic Session Time out configurations in the deployment descriptor and session.setMaxInactiveInterval() will not work for me.
Thus, When I am creating the session, I need to make sure I provide the exact amount of time for which the session will be active.
Let me know how I can achieve this scenario. Thank you.
Related
in my webapp, using spring #scope : session i have made scope of bean as session. My problem is if i login as admin in one tab of browser to web app and login as normal user in another tab of browser the data are being shared amoung them. How to avoid this.
If i am using two different browsers the problem is not occurring. Kindly suggest where am i doing wrong.
I have placed
#scope session in all bean classes and controller classes
.
Try the following:
Force the creation of a new session on user login. Right now it may happen that when the second user logs in, the server reuses the existing cookie information and reuses the existing session.
If the previous hint didn't work, try disabling cookies in Spring in favor of URL rewrite. Check this post.
Our Tomcat creates session IDs with the following format:
jsessionid=a345465820fce654354646ae.(server-name);
Is it possible to configure it so that server-name is not part of session id?
I think you need to implement your own session manager to change the format of JSESSIONID. I am not sure what you want to achieve but this question might be of interest, you also have a link to the session manager HOW-TO at Tomcat.
How to generate custom JSESSIONID, based on some hash of user's data in order to replicate session
However, if you have an Apache server in front of your Tomcat it might be easier to create your own cookie and use that instead of JSESSIONID. You can do this by using the mod_header and there is an example of this in the mod_proxy_balancer documentation.
Hope it helps you forward.
I have read different articles on Session Management and am aware of the different ways of implementing the same.
However below are few questions that I wanted to understand:
How session management is implemented in a real world application (e.g. cookies,url rewriting)?
What would be the steps and which is the best way to do the same?
What way should one prefer over another?
How is session management done wrt different data centers/clusters?
Thanks!
Its security risk to use cookies and url rewriting for sensitive data management. The best mechanism is to use http session in conjunction with https.
In real world scenarios, http session is used carefully to avoid bottle necks. simply rather than adding an entire object to session, an attribute which can be used to obtain an entity from database is carried over the session. bottom-line is that sessions need to be kept light weight.
session best practices include removing the session and invalidating it once its use is completed.
in EJB context, its always better to avoid Stateful session beans. If used, the bean has to be invalidated as the last invocation of the bean.
I would like to totally disable session creation and management in my web app to eradicate the memory (and other resource) usage currently associated with Tomcat's standard session manager. This includes disabling sesison cookies and/or url rewriting as, if I'm succesful, there will be no sessions to track.
My web application has a single servlet that passes the xml it receives to an API/engine. This engine can run inside or outside a servlet container and it creates, tracks and manages sessions in its own way. I have zero need for the sessions in Tomcat and I'd like to reduce to the barest minimum the resources Tomcat uses for session management.
I ran some searches on the topic. The searches came up with some topics, including some on this website. It appears that the tightest way to address this issue is to create your own Manager implementation that, bascially, provides an 'empty' implementation that does the barest minimum. (There were some alternative suggestions but I found them to be relatively weak. These suggestions included "just don't call getSession()", and "set the 'cookies' attribute of a context to false". I think implementing a session manager that does what I want is better than these suggestions and it is the path I have elected to go down.)
Given this information, that rolling your own session manager is a good way to go, I then downloaded the Tomcat source code to take a look at code related to a Manager implementation. It all looks doable but it looks like a few hours work for me to come up with my attempt at a sesssion manager. Before committing to that path and the work involved, I thought I'd put it out there - Does anyone have a minimal session manager implementation for Tomcat they can share? One that does nothing would be best, but I'll take anything including tips and battle stories from anyone who has written their own session manager. I am working with Tomcat 6.
I am using MySql 5
Hi I am using/start learing JDBC. Well I got stuck here: After an user authenticated, I would like to start/generate the session for the user. How do I do that?
In php, I know, we can start by using the "start_session()" function. Is there any similar function in JDBC?
If there is no such kind of functions, how do we create/start session? I am really new to JDBC, so this question may sound stupid to you all, but I really cant find the answer over the internet and thats why I ask this question here. (My best resource)
Oh ya, btw, if its possible, can you include in the answer about the session destroy/delete as well? Thanks in millions
EDIT
Okay, looks like this question abit too easy(or too tough??). Maybe could try this one, is there any other way that java can unique identify an logged in user beside using session??
start_session in php creates a user session if it does not exist.
In the jave web app we have a HttpSession class whose instance is created by doing:
request.getSession(boolean)
This call : Gets the current valid session associated with this request, if create is false or, if necessary, creates a new session for the request, if create is true.
This has nothing to do with JDBC calls - that are mainly related to connection establishment and execution of queries.
Assuming you are talking in the context of web application. There is a session provided by the Servlet container. You authenticate the user and set the credentials in the session of that user, to re-use whenever necessary, for example to know the privileges of the user etc..
Regarding JDBC, we usually go with connection pooling mechanism. So, it has nothing to do with the HTTP session of the user. We get the connection from the pool, and place it back once done. If you need to manage transaction or something you can look into JTA.
[Edited]
Try to look at the code of this Simple Login application. I am sure it will help.
Maybe the JDBC programming modl doesn't look quite the same as php.
Have you tried turorials auch as this, note the use use of Statements and ResultSets. You don't see a "Session"
JDBC is only about interacting with databases (and things that look like them); the concept of a user session doesn't have anything to do with interacting with a database.
As the user Vinegar has suggested, if you are doing Java web development, there is a session implementation available.
I suggest you provide more info on what you are doing and if that includes some sort of web development (I'm assuming yes, since you come from a PHP background).