I am using SessionAware of Struts2 for creating session. When we create session JSESSIONID is added in cookies. But when i quit browser then JSESSIONID is delete. So after quiting browser, When i again open application, it shows that user is not login.
How can i do in struts2 that JSESSIONID should not deleted when browser is closed.
The lifetime of a session is coupled with the browser. After you've closed the last instance (window, tab) of the browser, the JSESSIONID expires.
You need to carefully analyze pros and cons of allowing a user to relogin automatically after the browser has been closed, but if you still want to implement the Remember me feature, this is a must-read:
PART II: How To Remain Logged In - The Infamous "Remember Me" Checkbox
That it how session work. If you want to secure your application with login feature, you shouldn't allow an user to access your application easy by just open the browser. How if someone forget to log out.
However, if you still want to store some in browser, use normal cookie and set expiry time.
Related
my requirement is if user logged into website.then if he opens same website in new tab.
then i have to check for an existing session. If one exists bypass the login screen and send them to the welcome screen.how can i do
usually you want to prevent user from logging in when opening a second tab using concurrent session as for keeping track of session that depend on what you are using: example Spring security login which create the session on login (you can set its timeout too).
I am creating one web application in java. I am using session for this application. when i deleting cookie from browser at that time my session is invalidate. i want to prevent that thing.
for ex:
when you are logging in banking website. after logged in website you remove cookie from browser you are still logging in website.
Anyone know how to store session of user when clear the cookies.
There is no way to. If the user deletes cookies, there is no way to identify him in subsequent requests.
There are some "hacky" ways to do it (for example this), but I don't recommend you to do this. What's the reason to? Cookies are standard.
As the title said, I want to remove the cookies when I close a window. I know of the methods for cookies like Cookies.removeCookie(Constants.XXX); And also of cookie.setMaxAge(0);
for removing cookies. But that is done on clicking logout.
I want to remove cookies on window close or when application has stopped running. Because whenever, I am debugging the application, whenever I rerun the application, I see the cookie is still there even though I am not logged in, and the session has not started for the user. So there is a conflict, where the cookie is already set even though, the user has still not logged in !
Its a GWT Application.
First of all, it's important to differentiate between a cookie on the client side, and a session on the server side (I think you already knew that).
Usually, for a clean logout, you'll want to call session.invalidate() on the servers side, and Cookies.removeCookie(...) on the client side.
But not every 'logout' is clean:
The logout request may not make it to the server
The browser may crash even before you call removeCookie - so any attempt to remove a cookie on window close will be unreliable
On the server side, you can use timeouts (see the link provided by #thinksteep: How we call logout servlet on browser close event).
For the client side cookie, you can set an expiryDate/maxAge. Or you can use "session cookies": These are the cookies where you don't set expiry or maxAge at all. Most browsers will delete "session cookies" automatically when the browser restarts - but please see Firefox session cookies.
All of this may mean, that cookies are maybe not the best technology for your use case: In general, a cookie is by design available in all browser tabs, and the concept of a browser session doesn't even always end, when the browser/window closes (what would it mean on a smartphone anyway?). This is desirable for many current web sites (users don't have to log in explicitly every time), and many users have come to expect this kind of behavior.
For sites that want a "one tab = one session" policy, it's possibly better to store a token e.g. in a Javascript (or GWT) object, and send it with every request. This way, you can log in separately - even as different users - from multiple browser tabs, and once a tab closes, the token is gone. Please note, that a tab may still get restored by the browser on session restore. (I would always combine this technique with a httponly cookie, to avoid certain kinds of attacks.)
I developed the webapplication with Struts2.after logging to the my application copy the url and paste to the same browser with different tab then its going to directly without restrict.in that situation i want restrict it.
but same url copy and paste to another browser its working fine .only same browser and different Tab then only problem
This is because your browser has stored your login authentication in the session. It will remember this until you either
Close all windows of the browser or
Choose New Session from the menu
If your question is about your development cycle take a look op answer of #Keppil.
If however you are asking about real user experience this is more complicated. Browser indeed remembers your session ID in cookie and sends it on each request. To override this mechanism you can create your own tokens that will be always appended to URL.
When token is supplied it should send redirect response to URL without token.
The server side should throw user to login screen every time the token is not supplied and the request is not from redirect.
I have never tried to do this and I am not sure you really want to implement this. The ability of browser to connect to same session even if user opens another tab or browser window is very convenient and widely applicable.
What is the best way to keep the same session when you open the same java webapp in another tab in the browser with passing parameters like username/password in most secured way.
The purpose behind is to navigate the webapp to next navigation page after doing some request to some service.
I am doing it at the client side.
This is a thought coming to my mind right now:
To add the parameters in the URL (not secure)
.....
In your server you can check if the incoming request has a valid session or not, if it has a valid session, retrieve the username or similar identifier from the session.
Depending upon the user you can show him/her the home page which they will enter if they had actually logged in the system.
If you want to show response based on the last action, then you can have the last action as part of your session and rules on your server which should fetch the correct page depending upon the last action.
For e.g. gmail will always show you the inbox if you have a valid session in one tab and you again open gmail in another tab.
If this is handled at the server level it is highly secure as you there is no need to append, send user credentials.