i have an application running on Tomcat 7.0.27 which is our organization network and second application which is running on Amazon Web services( which is nothing but Tomcat 7.0.42). The application that is running on amazon is inside the iframe of the first application. The application running on the Amazon is self contained i.e all the files that it needs resides inside of the same tomcat container and don't communicate with the first application.I see that entire site works fine in FireFox and chrome. But having problems in safari. In Safari the launch of the second application is Successful( which is nothing but a POST) but the subsequent Request( which is GET) fails. So in code what we are doing is that after the POST we are putting a Java Object in the session like this
SessionData result = new SessionData(request,oauthCredentials);
request.getSession().setAttribute(SESSION_ATTR_TC_DATA, result);
So after the POST the first request that come is GET, when this request come in we try to get the Java object that we put in the session like below.
SessionData result = (SessionData) request.getSession().getAttribute(SESSION_ATTR_TC_DATA);
request.setAttribute(SESSION_ATTR_TC_DATA, result);
But in Safari i see that the session id(JSESSIONID) in POST is different From that in GET and the soSessionData=null; I see that the Session Id is same in case of FIREFOX/CHROME.
I see that from a URL/IPAddress
http://one.roses.flowers.org/ #IpAddress=141.21.19.87
http://test-dev.elasticbeanstalk.com/ #IpAddress=64.261.831.97
I am not creating any sessions by writing the code. Tomcat is handling it.
But this Whole Thing work across all the browsers when the First tomcat/second tomcat running inside our organization Network. I see that from a URL/IPAddress
http://one.roses.flowers.org/ #IpAddress=141.21.19.87
http://five.oranges.flowers.org/ #IpAddress=141.21.19.88
Why would Safari behaves indifferently in this case?
What made it work in Safari is by turning off cookie restriction to accept from Third party. Same is true for the IE as well.The default setting is not to acccept 3rd party cookie. For FF/Chrome the default option is to accept 3rd party cookies.
I have used Webscarab tool to debug this issue.
The application that was inside of the iframe was on AmazonWebservices the URL pattern was totally different from the origination Site. so that made browser think that these calls are made from/to some external site. So based on the Browser cookie setting the browser severed up the Application inside of the iframe.
Also, the 2 URL look like this to the browser.
http://one.roses.flowers.org/
http://test-dev.elasticbeanstalk.com/
We added the Alias/cname to the project on the AmazonWebservice(AWS) server in the higher environment(QA/PROD) something shown below. By adding alias to the url browser don't consider the URL coming from 3rd party as both has same domain name. Now the solution is independent of the browser cookie settings.
http://test-dev.elasticbeanstalk.com/ ---> http://aws.newsite.flowers.org
Related
The Problem
When redirecting from a servlet using response.sendRedirect(redirect_url);, the JSESSIONID cookie is not passed by the browser to the destination. A new JSESSIONID is created for every redirect, and it is impossible to track the user.
Note: This problem is only occurring on my new server implementing https and a domain name; the session ID is properly tracked when I run the web app locally or on another server without SSL or a domain name. Edit: I have set up another site on my server without SSL, and the issue persists. This seems to narrow the issue down to having a reverse proxy Apache.
An Example
The Login servlet on my web app attempts to store the user information in a session attribute then redirects to the MyCards servlet. I am using a redirect so that the URL will display mydomain.com/MyCards instead of mydomain.com/Login. The MyCards servlet attemtps to access the session attribute but finds nothing, and therefore redirects back to the Login servlet. This worked perfectly before deploying the project on my new server with SSL and domain name.
My Setup
Ubuntu 20.04 on DigitalOcean droplet
Apache Web Server (apache2) ... I have enabled mod_sessions, not sure if that's relevant.
Tomcat 9
Reverse proxy in Apache VirtualHost to Tomcat (I can post my .conf file if requested)
A redirect in Apache VirtualHost from HTTP to HTTPS
JDK 11
Possible Solutions
Using a forward instead of a redirect. The session ID is not lost when using requestDispatcher.forward(request, response);. As I mentioned above, I want the URL to reflect the destination for an intuitive user experience, which does not occur when using a forward.
Implementing your own session cookie, as in this answer, and manually storing sessions with a map, as in this answer, which strongly advises against such a facility. Based on my understanding, doing so poses security threats to user data. Also, if the browser is not passing the JSESSIONID cookie, I don't understand why it would choose to pass the manually implemented cookie unless the SameSite attribute is set to None (also bad).
Verifying that the webapp's context.xml does not have cookies="false" configured. Done that.
Using encoded URLs with response.sendRedirect(response.encodeRedirectURL(url));. Again, for the sake of having a clean URL (which the user could bookmark or type in) is preferable, and encoding the session ID into the URL is not.
Using relative URLs instead of absolute URLs...
"A session is only maintained if the redirection is being sent on the same port, host and webapp [and protocol?]. If redirection is done within the same application, using relative paths is the best practice." I tried both redirect_url = "/MyCards" and redirect_url = "MyCards", no luck.
Possible Reasons
Perhaps I am unknowingly switching between HTTP and HTTPS, which is a change in protocol and will not preserve the session ID. Of course, my intention is to remain secure and stay exclusively in HTTPS. Edit: I have set up another site on my server without SSL, and the issue persists. This seems to narrow the issue down to having a reverse proxy Apache. When accessing the web app directly on Tomcat (i.e. with <server_ip>:8080/MyWebApp), the session is tracked properly on redirect. However when using mydomain.com, the session ID is lost on every redirect.
Something to do with naked domains.
Other?
Edit: Maybe the issue is occurring because of the way the client, Apache, and Tomcat interact via the reverse proxy. Does the proxy cause the domain/port to change on every request/response?
My Questions
Why exactly is the session ID lost when using a redirect to a relative URL to a servlet in the same web app on the same server? Shouldn't the redirect occur entirely on the server-side, preventing a new request/session from being created? Since the relative URLs (which I thought would preserve the session) did not solve the issue, does this indicate some problem with my server setup (e.g. unintentional switching between protocols)?
What is the best practice for maintaining the user session ID, even when the user has cookies disabled? Is there no way around URL encoding when cookies are disabled? Or should the app be implemented exclusively with forwards rather than redirects? If so, is there a workaround to changing the URL to reflect the destination?
Note: this is my first post, so I don't have the reputation to comment. I will edit the post with any needed information.
I am facing a very strange issue.
Issue is we have a web application (war)which is built using angular 4 and it also has a "Servlet filter" which scans each and every request for a token and if that token is not available servlet filter will navigate to third party login page.
If token is available , it simply loads index.html and other data.
Token and some other params will be available as session cookies to current web app.
I have accessed the app URL and logs in to app and performs some actions in app and closes the browser window without logging out and I tried to open the same URL again , Servlet filter is not getting called.
If I refresh the browser window, filter is getting called.
If I clear the browser cache Servlet filter is getting called . I have observed same behavior in chrome and firefox.
I did check localhost access log, I don't see my request there.
Can anyone have any ideas on what is the issue and how to fix this issue ?
Reason is Google Chrome is caching so request is not all going to server. But when I refresh chrome is sending the request to Server. When I disable cache , everything is working fine. A good lesson about caching.
We are trying to use pretender.io to our application which developed in AngularJS, Spring and Hibernate konnectnow.com which hosted at amazon server.
Here are the steps I followed:
Signup at prerender.io and got token: cFeRZcsv3JnAftreuhMO
Checked documentation and understood that I need to install middleware and decided to use Spring one.
In web.xml added pom added as mentioned https://github.com/greengerong/prerender-java
Added !# to the URL in all the pages.
Restarted tomcat server.
Logged into pretender.io with login details and found that nothing getting crawl.
For testing purpose the url konnectnow.com/#!/planpage changed to konnectnow.com/?_escaped_fragment_=/planpage
Nothing comes up, got error page isn’t working.
Checked Crawl Stats at pretender.io and found that as:
Status Code: 505, Cache Hit: Miss, Response Time(sec): 1.51sec, URL:
http://localhost:8080/#!/planpage
Not sure why it takes local host.
Can some one help me how to make this work.
We recommend using html5 push state instead of the #! in your URLs if possible. Html5 push state is better since nothing after a # is sent to the server, which can lead to issues for the crawlers that are checked by their user agent (Facebook, Twitter, etc).
You should set the forwardedURLHeader in order to have the Prerender Java middleware use a different host for your website instead of your proxy URL.
https://github.com/greengerong/prerender-java#forwardedurlheader
I also see that you posted your prerender token publicly so we regenerated your token to prevent someone else from using it. Please find your new token when you log into your Prerender.io account. I've also emailed you there.
I'm trying something similar to this: Detect when browser receives file download
I'm using Chromes Developer Tools to monitor my cookies and my problem is that the cookies I set in my server side code (java in my case) are only visible on the request. Not when I check the Resources tab in Chrome Dev Tools.
I think it might have something to do with the fact that my request is submitted by constructing a hidden form and submitting this (I'm using ExtJS 4.2.2).
All I can see in my Resources tab is the JSESSIONID cookie from Tomcat.
Can anyone help me set cookies from java that I can read in JavaScript after the request completes?
Screenshots:
There are lots of ways to do this but heres one that would allow you to drop the cookie approach. You really should be setting your cookies to HttpOnly for security reasons unless you have a use case that requires it.
Expose your submit button in some sort of Iframe so users can submit
the file while still remaining on the primary page.
Detect when a click occurs in the iFrame and start polling through
AJAX at some URL such as "/FileUploadStatus".
On the server side once the file is completed upload set a session
attribute such as
HttpSession session = request.getSession(false);
session.setAttribute("fileUploadStatus",true);
When the AJAX request hits the servlet at /FileUploadStatus, check the session variable to see if the the file upload servlet has changed the value of fileUploadStatus to true. If so then return an indication to the client to stop polling and update
the page and clear the session attribute on the server.
NOTE: Detecting a click in an iFrame is hairy stuff across various browsers. You might have to just start polling the second they access your "Upload Page" and simply wait.
Alternate Solution: You could also form a direct connection using the new WebSocket API. THis approach runs the fastest but not all browsers support websockets.
I have a need to be able to share a session between an apache httpclient and a web browser.
My SWT program authenticates the user via httpclient, when the user first uses the program. Later there is a need to launch a default web browser, using the same session. I'm able to launch the user's default browser using: http://johnbokma.com/mexit/2008/08/19/java-open-url-default-browser.html
I would like a general solution, if possible. If not possible, than I would settle for a solution for IE, Chrome or FireFox. I would then try to figure out how to do it for the other two browsers.
That's possible by adding the value of the session cookie in the URL opened by the default browser. The exact syntax of the URL depends on the webserver used. Here is an example with Tomcat: Supporting Sessions Without Cookies in Tomcat