Get Information About Invalidated HttpServletRequest Session - java

I want to differentiate between:
New session created by time-out of previous session.
A new session created by opening the page in new session of a browser.
Is there a way I can identify these two in a new HttpServletRequest?

You can implement SessionListener and manage to get a mapping between the new session and the old session.
However, to decide where to redirect upon new login (as you commented), you should store the referrer header in the session.
For example:
After the session has been destroyed, the user gets redirected to the login page.
Get the referrer header and put it in the session; on successful login, read it from the session and redirect there.
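One way to tell the two cases in the question apart, as an added example that is not part of the original answer: the Servlet API exposes the session id the browser presented through getRequestedSessionId() and isRequestedSessionIdValid(). The filter keeps the requested path rather than the Referer header as the post-login target and accepts it only when it is a local path; the class name, LOGIN_PATH and RETURN_TO are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: tells an expired session apart from a first visit. */
public class ExpiredSessionFilter implements Filter {
    static final String LOGIN_PATH = "/login";   // hypothetical login URL
    static final String RETURN_TO = "returnTo";  // hypothetical attribute name

    enum State { ACTIVE, EXPIRED, FRESH }

    static State classify(HttpServletRequest req) {
        if (req.getSession(false) != null) {
            return State.ACTIVE;                 // id presented and still valid
        }
        // An id was presented but the container no longer has that session:
        // it timed out or was invalidated. A made-up id looks the same.
        if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
            return State.EXPIRED;
        }
        return State.FRESH;                      // no id at all: new browser session
    }

    /** Accept only paths inside this application as a post-login target. */
    static boolean isLocalPath(String p) {
        return p.startsWith("/") && !p.startsWith("//") && p.indexOf('\\') < 0;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (classify(req) != State.EXPIRED || path.equals(LOGIN_PATH)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Remember where the user was, then send them to log in again.
        if ("GET".equals(req.getMethod()) && isLocalPath(path)) {
            req.getSession(true).setAttribute(RETURN_TO, path);
        }
        res.sendRedirect(req.getContextPath() + LOGIN_PATH);
    }
}
```

The login handler would read RETURN_TO from the session after a successful login and redirect there, falling back to a fixed page when it is absent.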

Related

JAVA SESSION Cookie issue

I want my web application to resume its session when the browser is restarted. So I used the following code in a cookie filter to create a SESSION cookie for any request other than login and logout.
HttpSession browserSession = httpRequest.getSession();
Cookie cookie = new Cookie("SESSION", browserSession.getId());
cookie.setMaxAge(Integer.MAX_VALUE);
httpResponse.addCookie(cookie);
If I log in to my application, restart the browser and access the URL, it logs in automatically (as expected). But if I log out in that session and then try to log in in that session, it does not log in. What's causing this issue?
When I fetch cookies from the request (httpRequest.getCookies()), I get 2 cookies with the name SESSION: one is browser-created and one is the one my code created. But while debugging, both have the same max age, i.e. -1, even though I set my cookie's max age to Integer.MAX_VALUE. Why is this happening?
You can try deleting the cookie when logged out. This way the user will be identified by the cookie created while logging in, it will be valid for a session (from login to logout), and as soon as the user logs out the earlier cookie will be deleted.

Session id should be regenerated after logging in

I have a requirement that the session id should be invalidated after login and a new session id should be regenerated,
so that the pre-cookie and post-cookie are not the same, and the post-cookie should be validated on the server side.
I used this piece of code to invalidate the session:
req.getSession(false).invalidate();
req.getSession(true);
I am able to change the session id, but it logs out. I tested the same scenario using Burp Suite. I got these results:
While logging in:
Cookie: navi=1-1-0-; SOSESSIONID=pxtc730f4259; SSO_ID=4419102748602016135; CSSOSESSIONID=20971435-a754-43d5-aa56-7083e2dba55b; JSESSIONID=jpofvmzlses2
Connection: close
Upgrade-Insecure-Requests: 1
After login:
Cookie: SSO_ID=; navi=1-1-0-; SOSESSIONID=ssnuqpjpal2i; SSO_ID=323568307087821651; CSSOSESSIONID=20971435-a754-43d5-aa56-7083e2dba55b; JSESSIONID=jpofvmzlses2
Connection: close
But after that, if I click anything in the GUI, I am redirected to the login page.
Can you please help me with how to regenerate the session id after login, so that the same id does not continue throughout?
To handle session fixation, you can invalidate the session and start a new session before logging in the user.
Once you take the username and password, invalidate the old session, create a new session and then check the login credentials. This should solve the issue.
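Session id rotation at login, as an added example that is not code from the question or the answer. HttpSession.invalidate() discards every attribute bound to the old session, so anything the application still needs has to be carried over or set again after the switch. The class name, the credentialsValid hook, the "user" attribute and the "/home" path are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: issue a new session id once the credentials are verified. */
public abstract class RotatingLoginServlet extends HttpServlet {

    /** Hypothetical hook: the application's own credential check. */
    protected abstract boolean credentialsValid(String user, String password);

    /** Servlet 3.1 and later: same session object and attributes, new id. */
    static void rotateId(HttpServletRequest req) {
        req.getSession(true);      // changeSessionId() requires an existing session
        req.changeSessionId();
    }

    /** Older containers: carry the attributes across invalidate(). */
    static HttpSession rotateByCopy(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();      // the pre-login id is now dead on the server
        }
        HttpSession fresh = req.getSession(true);
        saved.forEach(fresh::setAttribute);
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String user = req.getParameter("username");
        if (!credentialsValid(user, req.getParameter("password"))) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        rotateId(req);             // or rotateByCopy(req) before Servlet 3.1
        req.getSession().setAttribute("user", user);      // hypothetical attribute
        res.sendRedirect(req.getContextPath() + "/home"); // hypothetical landing page
    }
}
```

Either method leaves the id that existed before login unusable, which is the property the pre-cookie and post-cookie comparison checks.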

How to make session in Java?

I need to make sessions in a Java web application.
I found that a session is made in the servlet class by the method getSession().
But I have a question about session parameters. For example, I send login/pass to the server and save it into session attributes. Okay. Next time I do something on the client and send new params to the server. Where am I going to send them? To another or the same, and am I going to use if/else to handle params like this?
Another question: how do I use params which I put in the session (login/pass) in other classes?
UPDATE
I read about sessions and have a new question: how do I use session params in another class? I mean, after login I send new params to the server, read them in the servlet, and want to take the login/pass from the session and send it with the new params into another class.
As part of your request handling in a doGet or doPost method, here is how you can get session and use it to get and set variables.
// Obtain the session object; create a new session if one doesn't exist
HttpSession session = request.getSession(true);
// Set a string session attribute
session.setAttribute("MySessionVariable", "MySessionAtrValue");
// Get a string session attribute (getAttribute returns Object, so cast it)
String strParam = (String) session.getAttribute("MySessionVariable");
// Get an integer session attribute; it uses its own name because casting
// the string attribute above to Integer would throw ClassCastException
Integer param = (Integer) session.getAttribute("MyCounterVariable");
// Set an integer session attribute (param is null until the first set)
session.setAttribute("MyCounterVariable", Integer.valueOf(param == null ? 1 : param.intValue() + 1));
A session is associated with each request. Whether the client joins the session or not, there are three overloaded methods of getSession(); to learn more about them, please go through the documentation. If a session is already associated with the request, get the existing session and set the attribute in it; if not, create a new session and do the same.
If the server used only cookie-based sessions, and the client had disabled the use of cookies, then a session would be new on each request.
I hope this helped.

Why does the session have a session id after session timeout in JSP?

Hi, in the JavaScript of a JSP I am checking whether userId is in the session or not. It always has a session id even if the session expires, but I checked in the Java Action class and after the session expires userid is null, but not in the JSP. (code link)
Try alerting the sessionId in your javascript code. You will find that the sessionId is different after the old one has expired.
Also check what the code is doing when a new session is created. It might be setting the userid in the new session.

Session tracking using HttpSession object if cookies are disabled in the browser

How can we manage the session object if cookies are disabled? How is URL encoding used for this?
The servlet container will handle this for you. If you look at the URL the first time you hit your site, it will have used URL re-writing to append a JSESSIONID to the URL.
This is because the first time the server responds to the client it doesn't know if the client supports cookies or not. It has also written a cookie with the session id in, so on the second request it checks for the cookie and if present stops using URL re-writing, if not it carries on.
You have to use encodeRedirectURL in the response object. Please refer to this blog; it will be helpful for you.
http://mytechbites.blogspot.com/2009/08/servlet-session-management-when-cookies.html
It adds jSessionId at the end of the URL to map the request to the session. You probably need to configure your server for that too.
Use HttpServletResponse.encodeURL() to append jsessionid to your URL, but it is considered harmful.
Find more details here
HTTP Sessions are the recommended approach. A session identifies the requests that originate from the same browser during the period of conversation. All the servlets can share the same session. The JSESSIONID is generated by the server and can be passed to client through cookies, URL re-writing (if cookies are turned off) or built-in SSL mechanism. Care should be taken to minimize size of objects stored in session and objects stored in session should be serializable. In a Java servlet the session can be obtained as follows:
HttpSession session = request.getSession(); //returns current session or a new session
Sessions can be timed out (configured in web.xml) or manually invalidated.
