What is the best way of implementing session, I am thinking at server side managing sessions like creation, validity of session based on that will be responding to Extjs4 client, Is it best way ?
In app.js I have used launch config as :
launch: function(){
Ext.create('Myapp.view.LoginForm')
}
LoginForm : will show log in dialog and invoke log in controller for communicating with server for authenticating the credentials provided by the user.
So when ever user refreshes the page Extjs is asking for log in that is because of I am not cheeking the session in here, How should be the session details stored in Extjs client and check to avoid prompting the log in unless user has log-out ? and How to manage user session ?
Please help me
You can do that with the help of cookies and java script....
Related
I am using SessionAware of Struts2 for creating session. When we create session JSESSIONID is added in cookies. But when i quit browser then JSESSIONID is delete. So after quiting browser, When i again open application, it shows that user is not login.
How can i do in struts2 that JSESSIONID should not deleted when browser is closed.
The lifetime of a session is coupled with the browser. After you've closed the last instance (window, tab) of the browser, the JSESSIONID expires.
You need to carefully analyze pros and cons of allowing a user to relogin automatically after the browser has been closed, but if you still want to implement the Remember me feature, this is a must-read:
PART II: How To Remain Logged In - The Infamous "Remember Me" Checkbox
That it how session work. If you want to secure your application with login feature, you shouldn't allow an user to access your application easy by just open the browser. How if someone forget to log out.
However, if you still want to store some in browser, use normal cookie and set expiry time.
Hi guys this is my first post.
I want to send authentication request from my site to server enabling session while redirecting to other page using HTML or PHP or any thing related.
so far i have set up a redirector on my server to my directory page on my site after login from server , but as soon as i login on my server it redirects to my page but sends me back from my site to server login page without any logs generated on my server
i was wondering if i could enable session from my web page using form and PHP
my server uses login.cgi
server is on HTTPS and site is on HTTP
hoping to get help really getting frustrated
Thank you
I think according to your question, you haven't added a session handler yet to your pages. you need to add something like following code to the page that you are redirecting after successfully log-in,
session_start();
if(!isset($_SESSION['LOGIN_USER'])){
header('location:../index.php');
}
In your Login Page, you need to add a session handler something like this,
session_start();
if(isset($_SESSION['LOGIN_USER']) && !empty($_SESSION['LOGIN_USER'])){
header('location:../members/members_area.php');
}
You can use Session Management concept of java, Please refer this link,
Session Management in Java
In java you have to maintain Session in this.
i want to implement SSO in an application for that i have a SiteMinder policy server at the application which provide the login (say application 1) and also have installed the Siteminder webagent on the server of other application which am going to login through SSO (say application 2). This siteminder thing is already done by some other team. Now i want to get the siteminder session and from that session i want the HTTP_SM_USER this is all with the help of WebAgent. After getting the user i want to validate the user against the DB of 2nd application. Can anyone guide me how can i proceed with this work ?
The SM agent usually adds an HTTP header with the user ID to the incoming request. You can inspect this header in your code to determine the user. Note that this header does not come from the browser, the SM agent inserts it before the request is handed to your application.
I'm developing a vaadin 7 application with user authentication and authorization using jaas with a realm defined in the application server (glassfish).
I have this requirements:
A user can stay logged in for some time, so that he doesn't need to enter his password every time.I do this by setting the session timeout of the http session.
The vaadin session can lock some resources and while locked, no other session can use this resource. All locked resources are released when the vaadin session is closed.
I set the heartbeat intervall to only 15 seconds.
I'm not able to get both requirements to work at the same time.
If I set the http session timeout to a minute, the resources are released a minute after closing the browser, but the user is not authenticated the next time.
If I set the the https session timeout to some days, the user is authenticated for this time but the vaadin session is not instantly closed after 3 missed heartbeats. It will only be closed when the user uses the application the next time with the same http session.
How is it possible to achieve both requirements?
Here more information the the technology I'm using:
Glassfish 4
web-app 3.1
vaadin 7.1.7
vaadin-cdi 1.0-SNAPSHOT
Thanks for any Help
You might want to have a look st Spring Security and especially Remember-Me Authentication - an alternative I personally would use instead of trying to implement a secure persistent login myself.
If you want to go the DIY path:
I think that trying to separate the Vaadin from the Http Session is not such a good idea. The Application lifecycle section of the Vaadin book says:
When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser. … [The Vaadin Session] also provides access to the lower-level session objects, HttpSession and PortletSession, through a WrappedSession.
Perhaps you could change your solution of the first requirement ("A user can stay logged in for some time, so that he doesn't need to enter his password every time.") to by separating the login credentials from the http session?
You could store some timed-stamped and unique-id as a cookie (with expire-date) and customize the VaadinServlet with your own SessionInitListener and SessionDestroyListener to check for it (and set it) and either require the login credentials or accept the credentials from the client depending on the checks you do on the server.
There is some ambiguity in your question, but I believe you can resolve it by using your own close() method. You could create your own Vaadin Application class, with a custom close() method, or use TPTApplication and override its close() method:
http://vaadin.com/directory#addon/toolkit-productivity-tools:vaadin
Make sure the close is called when the session is closed, and do your cleanup there. This will also be called when the session ends.
If you can't ensure this (ie. if the user just closes the window and you don't have some javascript to deal with this), you can intercept the window close with Vaadin, but its quite a bit more work. When the user tries to close the window, you interrupt the process, do what you need to do via a callback, and then let the close occur. The details on how to do the interrupting from vaadin are shown here:
https://vaadin.com/forum/#!/thread/44621/44668
https://vaadin.com/forum/#!/thread/83207/83206
The callback is client side only, so you will have to make a call to the server (Get/POST via javascript) that will pass along the session id to a servlet that you have listening for this. The servlet would then release the locks using the passed in session id.
The key is listening for the window to close and being able to respond to it appropriately.
I am using GWT for my client side application. I am not using GWT/Java for the server. However, I am not sure how I can handle session management. The GWT application resides on one page, all server calls are done via AJAX. If a session expires on the server... let's assume the user didn't close the browser, but left the application open, how could my server notify the application that the session has expired and that the client side portion should show the login screen again?
What is meant by client side session management? That seems inherently insecure.
I'm not looking for code. I'm looking for ideas, techniques, potential solutions etc. I've considered Comet http://en.wikipedia.org/wiki/Comet_(programming), but that doesn't seem like that will work very well without using Java on the server side. Maybe, I'm wrong? I don't want to poll the server either.
Any thoughts or insight?
Without knowing how you're doing your RPC is working, its hard to give good advice.
If your AJAX service requires a user to be authenticated (IE have a valid session), it is ok to just send a 401 error saying that the user is invalid. Client-side can interpret the 401 error as a message that it should set the user up for re-authentication.
We handled this in our application, by detecting when the server sent back a redirect to the login screen (it would come through the response to the Ajax call), and popped up a dialog asking the user for their password again, but pre-filled their username. We then posted that to the same place the login page does, as if it was the login page, and so the user was logged into this new session automatically. Finally we just re-submitted the ajax call again, so it was a seamless process to the user (eg: they didn't have to click the action again).
Since we stored all the state on the client, and not in session variables we didn't have any problems trying to persist data across sessions.
What should happen if the session expired on the server-side, then the next time the client sends a request to the server, it will either create a new session, or, more likely, send back a message to the client that it is trying to access a page without a session, and send them to the login screen. However, you will still need to wait until the client sends a message to the server.