I need to learn how a tomcat server identify different hosts to create unique sessions. Does it do it
according to Ip ?
Based on answer to this question, I want to be able to create multiple sessions for single client, on a server which uses simply httpServletRequest.getSession() to create new sessions. Is possible to give a predefined session Id to a server, so that that server creates that new session bound to that session Id ?
It doesn't do any identification. Each time a request comes in and you ask for a session to be created, it creates one. The generated session ID is sent to the browser in a cookie, and the browser sends back this cookie for all subsequent requests, which allows Tomcat to find the associated session.
I can't really understand what you're trying to achieve. A session doesn't identify a server. It identifies a specific client of a web app. Each client has its own session ID. Assigning a session ID to a server doesn't make much sense to me.
Turns out if you dont have any cookie, you are treated as a brand new user, and it gives you a new cookie. So not sending a cookie is enough to obtain another session Id.
Related
I know following are the ways to maintain or session tracking in java but looking for a good one
URL rewritting
Hidden form fields
cookies
Session object like setAttribitute() and session.getAttribute()
If the client browser has blocked accepting and storing cookies then last 2 ways are not valid.In hidden form fields I need to pass the hidden values in each and every page inside form.So suppose If I am just using response.sendRedirect() Then hidden form field is of not use.The remaining is URL rewriting in which I will pass JsessionID in the URl.So My question by knowing the sessionID isnt the unauthorized persons can able to access the pages.
For example There are 3 pages login,register,send.So after login user can register and/or send.So if any one knows the sessionID cant he/she go direct to register/send page.If yes Please tell me how to prohibit this
As of Servlet 3.0 (Apache Tomcat 7 onwards) if you use SSL then you can configure your application to track sessions based on the SSL session ID. The downside is that everything has to be over SSL. The advantages are that the session is strongly tied to the SSL connection. Only the user that created the connection to the server that has the correct SSL session has access to the session. Even if an attacker knows the session ID, they can't access the session.
One word of caution, this form of session tracking is the least widely used so it may not have been as heavily tested as the more usual cookie and URL re-writing mechanisms.
Have a look at this link which outlines Best practices for using HTTP sessions
Including
javax.servlet.http.HttpSession.invalidate()
Use HTTPS
With standard solutions you can't.
You can add some measure of security by adding request originator IP address verification, but that's also fooled easily. (to clarify some here means very tiny itsy bitsy little bit of)
So the secure route is to not use URL Rewriting to maintain session in secure application.
However you may be able to get some security by keeping the JSessionID as a separate encrypted attribute that which will be decrypted by a middle-ware or a load balancing server sitting between the client and your application servers. This of course is just a thought, I haven't, fortunately ever had to try something like that out :-)
Session tracking & authentication are two diff things don't club them.
Understanding your requirement I see you want to secure the sessionid of the user.
Evasdroping: If someone is listing to the request & response in the middle he can take the sessionid and use it. The best way would be to use a SSL. This ensures no one is listening in the middle.
Sessionid stolen from Client side: Normally this should be taken care by the browser and OS. So your user is as secure as the system he has.
We are facing one issue in a Struts application deployed in JBOSS clustered environment with load balancer and sticky session
Issue description
1) This issue happens in a user registration functionality which has 2 pages, register1.do and register2.do page
2) When user clicks on registration url, https://ourwebsite.com/register1.do
Two GET request are made
GET register1.do (Gets 1st registration page and sets few values in session)
GET captcha.do (This loads a captcha image to be shown on register1.do)
3) Sometimes what happens is GET request to register1.do sets a JSESSIONID cookie and the GET request to captcha.do over write JSESSIONID cookie set by first request. This causes problem in 2nd registration page as it fetches some of the values stored in session and as the session is overwritten by captcha no values can be obtained.
see below image
4) This scenario does not happen every time, once this issue occurs and if we go back to register1.do page a refresh(F5)/hard refresh (Ctrl + F5) then GET request to captcha.do does not over write JSESSIONID cookie and user registration works fine.
Moreover this happens only in clustered environment, in single JBOSS environment it works fine.
Can anyone please help me to identify what could be possible problem
here ?
Why session does not get over written when we do a page refresh ?
Update your apache mod_cluster binaries to mod_cluster 1.2.6.Final which are available here.
This solved it for me, which was jumping servers after every single refresh. Hopefully that helps.
I also experienced the same problem with jboss eap 6.1 and in load balancer i'm going with mod_cluster configuration I changed algorithm from server per session to entry per session and sticky session is working well and good .Go through the following to know about entry per session and server per session.
Entry-per-Session means that the device creates additional client-table entries whenever a source IP opens a new session (unique source port). This gives the unit more accurate tracking of the number of sessions, but it's behavior is to continue sending all the traffic from the client's source IP to the same server.
In Server-per-Session mode, the device tracks the unique source ports the same way, but when the client opens a new session, the device makes a new load-balancing decision for the new session. This way multiple sessions from the same client IP can be 'sprayed' among all the servers rather than being stuck to a single server.
I am searching for a Java library (or a simple class) that is able to manage server sessions for any protocol. My application is not related in any way to HTTP. The sessions have to stay alive between different connections, just like HTTP cookies do.
I guess the way to go is:
client connects to server
client sends the login informations
server replies with a status and a session ID (a long string, just like JSESSIONID or PHPSESSID)
client sends requests to server (with existing or new TCP connections), always providing the session ID
client asks to logout
server deletes the session and invalidates the session ID
I'm just looking for something existing regarding the session management part, even if it's really easy to implement. Otherwise I guess a Map and a random string generator will do the job.
http://docs.oracle.com/javase/1.5.0/docs/api/java/util/UUID.html#randomUUID%28%29
http://www.javapractices.com/topic/TopicAction.do?Id=56
randomUUID() method could be useful in java.util.UUID see above links. It guarantees the id is unique.
If you want to make your session data to be scaled across multiple nodes, you can even try out frameworks like hazelcast, infinispan etc. They also have a provision to generate unique id across nodes.
Hey all I was trying to create a java program which will remain logged in on server whenever i browse on website no authentication will be required even if i run the program later on i.e. my program should store some cookie file on client side and also tell the browser that this session should lasts for quite a long time. And whenever i run the program this should send the cookie details, that this is recognized and the user is logged on, to the server.
So how this should be done using HTTP protocol.
Thanks. :)
The browser (client) stores a session cookie containing a key-value pair. The key is usually JSESSIONID, and the value is a unique identifier. It is received by the client as a response of his request to the server, which initiates the session.
Whenever a request is made to the server, the browser sends that key-value pair in a special http header ("Cookie"). The server then reads that header, obtains the identifier, and finds the corresponding session.
Why don't you guys use Google before asking?
See the following:
HttpURLConnection class
HTTP cookies description
How to use HTTP Cookies in Java
Once a user is logged in, I create a Java session and store their userid and sessionid (sid) in the session, these two parameters are sent to GWT client and they are stored there in a base GWT client presenter (not as cookies). I am using MVP Architecture.
Every call made to sever there after is sent with these two parameters userID and SID, so I verify this on server, that the current session on server is equal to the session id provided and it belongs to given userid.
IF all is OK, only then I process the RPC request further.
Also, I am planning to make all my RPC handlers to extend a common RPC Handler which will accept these parameters.
I am new to GWT and GAE, any help will be greatly appreciated.
Thanks.
Using SSL and sending the session ID in the payload of every request are two good first steps. This LoginSecurityFAQ provides a good explanation with more details.
Anyone that can intercept the traffic on the wire/airwaves can take control of the user's session UNLESS you're sending session state over ssl/https.