I have next use case:
We have webstore where user can select some goods and then buy them. He can add goods to his cart before login to application. All of this items must be stored in his session. When user click "pay" button we will ask his credentials/card/etc.
My problem: When I login before add items to cart all works correctly. But when I try to add items to cart as anonymous user, items are not storing. I always receive different JSESSIONID after refreshing each page as anonymous user.
I decide create simple application which illustrate my problem. I think it can't be fixed without my sources.
Here is my application:
https://github.com/AlexTestAccount/simple_test
It very simple. It contais only one controler and session bean where I try save something.
For run it you need gradle, tomcat and define enviropment variable CATALINA_HOME,
than you can use:
gradle deploy
p.s. Sorry for my english
Enable Debug log level for org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
There must be a log statement when you login:
>Invalidating session with Id '<originalSessionId>' <and : without> migrating attributes
If it prints "without migrating attributes" then you need to configure spring securitys SessionFixationProtectionStrategy.migrateSessionAttributes to true (but this should be the default)
An other problem maybe is, that tomcat change the session when you switch from http to https.
To verify that this is the problem: first switch to https (NOT loggedin) and item to your cart and then check if they disappear. But tomcat should normaly preserve the session content while switching from http to https (but not the other way around).
Sorry guys, it was environmental issue.
I just clean all my cookies for localhost and now all works.
Related
For the following scenario where a user logs into my application and closes the browser and then restarts browser after some time and hit my application url then the user should get logged in automatically.
for this scenario my friend suggested to try to use spring Remember-me feature.
while i was trying to understand spring remember me concepts, in every example a check box is used.
Can i implement it without checkbox?
Or this is a wrong approach?
You can easily implement is without a checkbox, but this is generally not a good idea if the site is publicly available on the internet. Imagine a user goes to the library and logs into your site, unless he remembers to click logout, the next user will automatically be logged in as the previous user (and most users just close the browser to log out).
When you post the login page, the remember-me checkbox is sent along as a normal post key-value pair. So if you always want remember-me, you can simply create a hidden field, with the value the checkbox would have when checked.
<input name="remember-me" type="hidden" value="on">
I have a Tomcat 7 web server.
After login to it I can see under Cookies that there is jsessionid which, from what I have read is saving the id of the session instance between the user and the web server.
But the thing I cannot understand is that after I login and I stay in the browser.
I can stop the server, even un install it from the system and re-install it.
and then after I restart it I can continue navigating in the website without needing to enter credentials or anything like that, as if nothing happened in the background - I just can move on with the same jesssionId.
So basically I will divide my question into sub-question so it will be easier to answer:
1. How is it even possible that after stopping the service or even un install it it can still happen?
2. How excatly is the jesessionID created? I mean is it possible that it is the same jsession id?
3.When exactly does the jsessionID is being created?
4. Is it possible to change this behavior and "invalidate" the session so the user will have to re-enter his credentials?
5. Following question #4, what is common in most of the services? demand to login again or to enable the use of the old session id ?
Thanks a lot!
In answer to your questions:
Tomcat's session Manager will serialize session data and save it to a file to persist it across restarts. You can disable this.
Tomcat's SessionId Generator determines the exact way the id is created.
Here a good answer for when session ids are created: Under what conditions is a JSESSIONID created?
If your goal is to invalidate sessions after a Tomcat restart, you can do this by disabling session persistence.
Typically a user would want to be considered "logged in" until they click a "log out" link or button in your application. You can also adjust the session expiration time if you want the session to expire after a period of inactivity. How exactly this should work is up to you and depends on your application's use cases.
I have a WSO2 Identiy server installed and i have written some java code to get user information with oauth 2. For this I am using OLTU. I have connected correctly and after negotiating the access_code, I ask for the userinfo endpoint like this:
https://<serverIP>:9443/oauth2/userinfo?schema=openid
I get user info correctly in JSON format:
{"email":"xxxx#xxx.aa","name":"xxx","family_name":"xx","preferred_username":"xxx","given_name":"xx"}
What I find is that no role information is returned. I have created some custom roles and asigned the users. They don't have any permisions asigned.
Do I have to configure anything in the server? The request has to be made in any other way? What am I doing wrong?
There are two ways to add this claim mapping. It's depends on your requirement.
To get this done has to add a role claim mapping under "http://wso2.org/oidc/claim" claim dialect. This can be done in following ways
Case 1 : For fresh WSO2IS before first startup
Go to <IS_HOME>/repository/conf/claim-config.xml file<br/>
Add following configuration under <Dialect dialectURI="http://wso2.org/oidc/claim"><br/>
<Claim>
<ClaimURI>Roles</ClaimURI>
<DisplayName>Roles</DisplayName>
<AttributeID>role</AttributeID>
<Description>role of the user</Description>
<DisplayOrder>10</DisplayOrder>
<SupportedByDefault />
</Claim>
Case 2: For already running server.
Login to the Identity server management console as admin user.
Click the Configure button to access the Configure menu
Click on http://wso2.org/oidc/claim Dialect.
Click on "Add New Claim Mapping" and set the above details.
(There you will get an error which is known issues. But that value will store. Then again edit it and set Mapped Attribute again)
Then restart the server. Now you can get user info with roles
I am having problems in Java while managing sessions. All works perfect(I create and get/set values in the session), until I redirect with a link (the link is in a JSP). Then, the session is lost.
My server is Tomcat, and my browser is a Firefox browser. I am using Struts 2.
Thanks for your time ;-)
The standard time for the session to automatically get erased is about 30 minutes (for example in Tomcat), but it depends on the configuration.
If you write session.invalidate(), your session gets erased too.
Your session gets automatically lost if you close every tab in the browser you opened the session (even is you have other windows with the same browser).
Is your link inside the same application server? If it does, it shouldn't get lost if you are not doing things I said before.
If you accept cookies in your navigator, your code may call invalidate() when you go on this page. Check filters too.
One possibility is that your current session cookie is marked as "secure", and the 'href' is an "http:" link. This will cause the browser to not send the cookie, and depending on your webapp structure a new session may then be created automatically.
In my Java EE application, I have a problem with sessions. Different users can login to the application and the specified user can see the data for which he is authorized. He should not be able to see other user data. To differentiate users, we are using Client_ID. As soon as the user logs in we are fetching this Client_ID from the database and setting it in session like this:
session.setAttribute("Client_ID",user.getClient_ID())
We access this session value throughout the application and fetching the relevant data to that Client_ID. This works fine when users work on a single browser, but the problem is this:
Suppose there is a SuperAdmin, who needs to look all the clients under him. SuperAdmin logs in as client_1, and again as client_2. SuperAdmin has logged in both times using the same browser. When I refresh the client_1 browser, I am seeing the client_2 details, which should not happen.
I think our application is using the same session for two different logins in the same browser. What would be solution for this problem? I should see the correct data for the particular client when I refresh the page.
Don't use cookies for storing Session ID, but use request parameter instead.
So each opened tab will request the own session. With cookies you have only one cookie for all tabs in browser.
P.S.:
I think that it's incorrect to log in under 2 or more users within one browser at the same moment. Your application should detect that client_1 is already signed it and restict log in for other users from the same browser until logout. For example, Google's applications work in such way.
Also would be great if SuperAdmin have a feature to see client_1 or client_2 data without log in. This will save him/her from remembering dozens of passwords and will increase performance of work (time is moneys, isn't?).
If you want multiple tabs within the same browser instance to see different things, then you will have to rework your session management and key things off of the URL.
The session is shared between browser tabs (true for most browsers), so logging in with one tab will affect the sessions for other tabs.
The solution is to use roles instead of multiple logins. You would give client_1 SuperAdmin role, and client 2 doesn't. This would reduce the need to login twice.
But in any case, you should only allow one user to be logged in at once. The process of logging in should invalidate the previous session. I forget the exact code in Java EE, but it is something like session.invalidate().