I want my web application to resume its session when the browser is restarted. So I used the following code in a cookie Filter to create a SESSION cookie for any request other than login and logout.
HttpSession browserSession = httpRequest.getSession(); // creates a session if none exists yet
Cookie cookie = new Cookie("SESSION", browserSession.getId());
cookie.setMaxAge(Integer.MAX_VALUE); // persistent cookie, survives browser restarts
httpResponse.addCookie(cookie);
If I log in to my application, restart the browser and access the URL, it logs in automatically (as expected). But if I log out in that session and then try to log in again in that session, it does not get logged in. What's causing this issue?
When I fetch cookies from the request (httpRequest.getCookies()), I get 2 cookies with the SESSION name: one is browser-created and one is the one my code created. But while debugging, both have the same max age, i.e. -1, even though I set my cookie's max age to Integer.MAX_VALUE. Why is this happening?
You can try deleting the cookie when logging out; this way the user will be identified by the cookie created while logging in, which will be valid for a session (from login to logout), and as soon as the user logs out the earlier cookie will be deleted.
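An added example (not the poster's or answerer's code) of the logout cleanup suggested above, together with a bounded, path-scoped way of issuing the cookie; SessionCookies and LogoutServlet are hypothetical names, and it assumes the javax.servlet API (3.0+ for setHttpOnly).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper shared by the cookie filter and the logout servlet.
final class SessionCookies {
    static final String NAME = "SESSION";
    static final int MAX_AGE_SECONDS = 14 * 24 * 3600; // bounded lifetime instead of Integer.MAX_VALUE

    // Always set an explicit path: without one the browser scopes the cookie to the
    // request's directory, which is one way two SESSION cookies end up side by side.
    static Cookie build(HttpServletRequest request, String value, int maxAge) {
        Cookie c = new Cookie(NAME, value);
        c.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        c.setMaxAge(maxAge);
        c.setHttpOnly(true);             // Servlet 3.0+: keeps page scripts from reading the id
        c.setSecure(request.isSecure()); // send only over TLS when the app is served over TLS
        return c;
    }

    static void issue(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession();
        response.addCookie(build(request, session.getId(), MAX_AGE_SECONDS));
    }

    // Max-Age=0 tells the browser to discard the cookie. Cookies read back via
    // request.getCookies() always report getMaxAge() == -1: the browser only sends
    // name=value, so the age you set is visible only in the Set-Cookie response header.
    static void clear(HttpServletRequest request, HttpServletResponse response) {
        response.addCookie(build(request, "", 0));
    }
}

public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate(); // server-side state is gone before the cookie is
        }
        SessionCookies.clear(request, response);
        response.sendRedirect(request.getContextPath() + "/login");
    }
}
```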
I have a requirement in which the session id should be invalidated after login and a new session id should be regenerated,
so that the pre-login cookie and the post-login cookie are not the same, and the post-login cookie should be validated on the server side.
I used this piece of code to invalidate the session:
HttpSession old = req.getSession(false); // null when the request carries no live session
if (old != null) {
    old.invalidate();
}
req.getSession(true); // allocates a session with a fresh id
I am able to change the session id, but it logs me out. I tested the same scenario using the Burp Suite tool. I got these results:
While Login:
Cookie: navi=1-1-0-; SOSESSIONID=pxtc730f4259; SSO_ID=4419102748602016135; CSSOSESSIONID=20971435-a754-43d5-aa56-7083e2dba55b; JSESSIONID=jpofvmzlses2
Connection: close
Upgrade-Insecure-Requests: 1
After Login:
Cookie: SSO_ID=; navi=1-1-0-; SOSESSIONID=ssnuqpjpal2i; SSO_ID=323568307087821651; CSSOSESSIONID=20971435-a754-43d5-aa56-7083e2dba55b; JSESSIONID=jpofvmzlses2
Connection: close
But after that, if I click anything in the GUI, I am redirected to the login page.
Can you please help me with how to regenerate the session id after login, so that the same id does not continue throughout?
To handle session fixation, you can invalidate the session and start a new session before logging in the user.
Once you take the username and password, invalidate the old session, create a new session and then check the login credentials. This should solve the issue.
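An added example (not the answerer's code) of that session rotation in a login servlet; LoginServlet, authenticate() and the "returnTo" / "user" attribute names are hypothetical, and the javax.servlet API is assumed.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login servlet that rotates the session id on successful login.
public abstract class LoginServlet extends HttpServlet {
    // The credential check belongs to the application and is assumed here.
    protected abstract boolean authenticate(String username, String password);

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (username == null || password == null || !authenticate(username, password)) {
            response.sendRedirect(request.getContextPath() + "/login?error=1");
            return;
        }

        // Carry over only the pre-login state you actually need, then drop the old
        // session: an id planted before login (session fixation) is now worthless.
        HttpSession old = request.getSession(false);
        Object returnTo = (old != null) ? old.getAttribute("returnTo") : null;
        if (old != null) {
            old.invalidate();
        }

        // getSession(true) allocates a fresh id and the container emits a new
        // Set-Cookie: JSESSIONID=..., so the post-login cookie differs from the
        // pre-login one. The authenticated user must be stored in this new session;
        // leaving it in the old one is why the next click lands on the login page.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("user", username);
        // Servlet 3.1+: request.changeSessionId() rotates the id while keeping
        // attributes, which makes the manual copy above unnecessary.

        // Only follow a same-site path (starts with a single "/"), never a full URL.
        String target = request.getContextPath() + "/home";
        if (returnTo instanceof String && ((String) returnTo).startsWith("/")
                && !((String) returnTo).startsWith("//")) {
            target = (String) returnTo;
        }
        response.sendRedirect(target);
    }
}
```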
I have IBM WAS 6.1 and Portal 6.1. I also have a TAI which runs when a user logs in to or out of the Portal. I want to work with HttpSession in the TAI. In short, my task is this: when a user logs in, I want to save some parameter in memory, and as a key I want to use the ID of the HttpSession (or something else?).
For example, while the user is logging in, the id of the HttpSession is "foo". Then the user is logged in and working in the Portal, and presses the Logout button; the Portal logs the user out using its internal mechanism, and then my TAI catches this request and now I have an HTTP session with id "bar". So WAS changed the HTTP session. This means I cannot use the HTTP session to save any parameter, because WAS recreates it for logging out. But I have to save some parameter while the user is logging in and use it while he is logging out.
Also, I can't use cookies for some reasons. Any idea how I can save an ID based on the HttpSession?
Or I have to know who (the Portal UID of the user) pressed the logout button, in the TAI. That would also help me resolve my problem.
UPDATE #1.
Also, for some reason WAS(?) deletes my custom cookie. I add a custom cookie in the TAI and WAS deletes it; I cannot find my own cookie. Any idea where and why? There is also an HTTP server between WAS and the client, but I checked it; it shouldn't delete it.
I did not resolve the question about the HTTP session, but I resolved the problem with the cookie.
Right cookie:
Cookie cooky = new Cookie("MY_COOKIE", value); // placeholder name/value: javax.servlet.http.Cookie has no no-arg constructor
cooky.setPath("/");            // explicit path, so every request to the site sends the cookie back
cooky.setDomain("domain.com");
response.addCookie(cooky);     // response is the HttpServletResponse in scope
I want to differentiate between:
A new session created by the time-out of a previous session.
A new session created by opening the page in a new browser session.
Is there a way I can identify these two in a new HttpServletRequest?
You can implement a SessionListener and maintain a mapping between the new session and the old session.
However, to decide where to redirect upon a new login (as you commented),
you should store the referrer header in the session.
For example:
after the session has been destroyed,
the user gets redirected to the login page;
get the referrer header, put it in the session, and on successful login read it from the session and redirect there.
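An added example (not the answerer's code) of a filter that tells the two cases apart: the browser still presenting a JSESSIONID the container no longer knows (request.getRequestedSessionId() is non-null while no session exists) means the previous session timed out or was invalidated, whereas no id at all means a fresh browser session. SessionOriginFilter and the attribute names are hypothetical, and it records the originally requested URI rather than the Referer header, which browsers may omit or strip.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: classifies why a request arrived without a live session.
public class SessionOriginFilter implements Filter {
    static final String ORIGIN = "sessionOrigin";   // "TIMEOUT" or "NEW_BROWSER"
    static final String RETURN_TO = "returnTo";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.getSession(false) == null) {
            HttpSession fresh = request.getSession(true);
            if (request.getRequestedSessionId() != null) {
                // The browser sent a JSESSIONID the container no longer recognises:
                // the previous session timed out or was invalidated.
                fresh.setAttribute(ORIGIN, "TIMEOUT");
            } else {
                // No id at all: new browser session, cleared cookies, or first visit.
                fresh.setAttribute(ORIGIN, "NEW_BROWSER");
            }
            // Keep the requested path (same-origin by construction) so the login
            // handler can send the user back there afterwards.
            String target = request.getRequestURI();
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            fresh.setAttribute(RETURN_TO, target);

            String loginPath = request.getContextPath() + "/login";
            if (!request.getRequestURI().startsWith(loginPath)) {
                response.sendRedirect(loginPath);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```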
I am using the JBoss 5.1 server and the Struts framework. The following are the use cases:
Use case 1
1) Cleared the browser cache and loaded the browser with my application URL
(say /loadLogin.do)
2) In code, httpSession = request.getSession(false); when I check httpSession it is not null and has some JSESSIONID, say 123
3) Now I invalidate the session: httpSession.invalidate();
4) Again I create a new session: httpSession = request.getSession(); this time a new JSESSIONID is created, say 456
5) Finally, when I check my cookies, it shows 2 (two) JSESSIONIDs:
Set-Cookie: JSESSIONID=123.node1; Path=/loadLogin
Set-Cookie: JSESSIONID=456.node1; Path=/loadLogin
Use case 2
1) Don't clear the cache
2) Suppose the browser already has the URL (i.e. log in to the app, then log out, then try logging in again; this time the browser shows the URL in its dropdown)
3) This time when I check the cookies, only 1 JSESSIONID is present.
Can someone please tell me: is this how the server behaves, or is it something to do with the way the session is being handled in the application?
I dealt with this problem too, half a year ago. It was a very frustrating problem, but I solved it.
You first cancel the newly created session and then create a new one.
HttpSession current = getHttpRequest().getSession(false); // may be null: guard before calling isNew()
if (current != null && !current.isNew()) {
    current.invalidate();          // discard the session the request arrived with
    getHttpRequest().getSession(true); // container issues a fresh id and Set-Cookie
}
Hi, in the JSP / JavaScript I am checking whether userId is in the session or not. It always has a session id, even if the session has expired, but when I check in the Java Action class after the session expires, userId is null, though not in the JSP. (code link)
Try alerting the sessionId in your JavaScript code. You will find that the sessionId is different after the old one has expired.
Also check what the code is doing when a new session is created. It might be setting the userId in the new session.