In my proj there is a requirement that every request should have new session but if we hit same url in multiple tabs or open same browser twice and hit the url then it is considered as one sessionand we getting inconsistent result.There are some settings in ie browers that resolves my problem but im wondering if we can do it programmatically.Im using struts 1.3.
I really think that you should take another approach to solve this problem, more on the client side than the server side or maybe mixing both. Off the top of my head I can think on generating a unique ID on javascript each time you load the page (meaning open another tab) and keep this ID as a tab identifier, then you could use these ids on your server side to match the information for each page. Why this should be like this? Because http servers doesn't know anything about browser tabs, they "statelessly" receive requests and send responses and sessions are kind of artificial, they're just tracked by a simple cookie sent from and to the browser which helps the server to know who is talking to.
Related
what I want to do is to build a web application(proxy) that user use to request the webpage he want and
my application forward the request to the main server,
modify HTML code,
send to the client the modified one.
The question now is
How to keep my application between the client and main serevr
(for example when the user click any link inside the modified page-
ajax request - submit forms - and so on)
in another words
How to grantee that any request (after the first URL request) from the client sent to my proxy and any response come first to my proxy
The question is: Why do you need a proxy? Why do you want to build it - why not use already existing one like HAProxy ?
EDIT: sorry, I didn't read your whole post correctly. You can start with:
http://www.jtmelton.com/2007/11/27/a-simple-multi-threaded-java-http-proxy-server/
If the user is willing to, or can be forced1 to configure his clients (e.g. web browser) to use a web proxy, then your problem is already solved. Another way to do this (assuming that the user is cooperative) is to get them to install a trusted browser plugin that dynamically routes selected URLs through your proxy. But you can't do this using an untrusted webapp: the Browser sandbox won't (shouldn't) let you.
Doing it without the user's knowledge and consent requires some kind of interference at the network level. For example, a "smart" switch could recognizes TCP/IP packets on port 80 and deliberately route them to your proxy instead of the IP address that the client's browser specifies. This kind of thing is known as "deep packet inspection". It would be very difficult to implement yourself, and it requires significant compute power in your network switch if you are going to achieve high network rates through the switch.
The second problem is that making meaningful on-the-fly modifications to arbitrary HTML + Javascript responses is a really difficult problem.
The final problem is that this is only going to work with HTTP. HTTPS protects against "man in the middle" attacks ... such as this ... that monitor or interfere with the requests and responses. The best you could hope to do would be to capture the encrypted traffic between the client and the server.
1 - The normal way to force a user to do this is to implement a firewall that blocks all outgoing HTTP connections apart from those made via your proxy.
UPDATE
The problem now what should I change in the html code to enforce client to request any thing from my app --- for example for link href attribute may be www.aaaa.com?url=www.google.com but for ajax and form what I should do?
Like I said, it is a difficult task. You have to deal with the following problems:
Finding and updating absolute URLs in the HTML. (Not hard)
Finding and dealing with the base URL (if any). (Not hard)
Dealing with the URLs that you don't want to change; e.g. links to CSS, javascript (maybe), etc. (Harder ...)
Dealing with HTML that is syntactically invalid ... but not to the extent that the browser can't cope. (Hard)
Dealing with cross-site issues. (Uncertain ...)
Dealing with URLs in requests being made by javascript embedded in / called from the page. This is extremely difficult, given the myriad ways that javascript could assemble the URL.
Dealing with HTTPS. (Impossible to do securely; i.e. without the user not trusting the proxy to see private info such as passwords, credit card numbers, etc that are normally sent securely.)
and so on.
I'm trying something similar to this: Detect when browser receives file download
I'm using Chromes Developer Tools to monitor my cookies and my problem is that the cookies I set in my server side code (java in my case) are only visible on the request. Not when I check the Resources tab in Chrome Dev Tools.
I think it might have something to do with the fact that my request is submitted by constructing a hidden form and submitting this (I'm using ExtJS 4.2.2).
All I can see in my Resources tab is the JSESSIONID cookie from Tomcat.
Can anyone help me set cookies from java that I can read in JavaScript after the request completes?
Screenshots:
There are lots of ways to do this but heres one that would allow you to drop the cookie approach. You really should be setting your cookies to HttpOnly for security reasons unless you have a use case that requires it.
Expose your submit button in some sort of Iframe so users can submit
the file while still remaining on the primary page.
Detect when a click occurs in the iFrame and start polling through
AJAX at some URL such as "/FileUploadStatus".
On the server side once the file is completed upload set a session
attribute such as
HttpSession session = request.getSession(false);
session.setAttribute("fileUploadStatus",true);
When the AJAX request hits the servlet at /FileUploadStatus, check the session variable to see if the the file upload servlet has changed the value of fileUploadStatus to true. If so then return an indication to the client to stop polling and update
the page and clear the session attribute on the server.
NOTE: Detecting a click in an iFrame is hairy stuff across various browsers. You might have to just start polling the second they access your "Upload Page" and simply wait.
Alternate Solution: You could also form a direct connection using the new WebSocket API. THis approach runs the fastest but not all browsers support websockets.
Recently I used a Mac application called Spotflux. I think it's written in Java (because if you hover over its icon it literally says "java"...).
It's just a VPN app. However, to support itself, it can show you ads... while browsing. You can be browsing on chrome, and the page will load with a banner at the bottom.
Since it is a VPN app, it obviously can control what goes in and out of your machine, so I guess that it simply appends some html to any website response before passing it to your browser.
I'm not interested in making a VPN or anything like that. The real question is: how, using Java, can you intercept the html response from a website and append more html to it before it reaches your browser? Suppose that I want to make an app that literally puts a picture at the bottom of every site you visit.
This is, of course, a hypothetical answer - I don't really know how Spotflux works.
However, I'm guessing that as part of its VPN, it installs a proxy server. Proxy servers intercept HTTP requests and responses, for a variety of reasons - most corporate networks use proxy servers for caching, monitoring internet usage, and blocking access to NSFW content.
As a proxy server can see all HTTP traffic between your browser and the internet, it can modify that HTTP; often, a proxy server will inject an HTTP header, for instance; injecting an additional HTML tag for an image would be relatively easy.
Here's a sample implementation of a proxy server in Java.
There are many ways to do this. Probably the easiest would be to proxy HTTP requests through a web proxy like RabbIT (written in java). Then just extend the proxy to mess with the response being sent back to the browser.
In the case of Rabbit, this can either be done with custom code, or with a special Filter. See their FAQ.
WARNING: this is not as simple as you think. Adding an image to the bottom of every screen will be hard to do, depending on what kind of HTML is returned by the server. Depending on what CSS, javascript, etc that the remote site uses, you can't just put the same HTML markup in and expect it to act the same everywhere.
I developed the webapplication with Struts2.after logging to the my application copy the url and paste to the same browser with different tab then its going to directly without restrict.in that situation i want restrict it.
but same url copy and paste to another browser its working fine .only same browser and different Tab then only problem
This is because your browser has stored your login authentication in the session. It will remember this until you either
Close all windows of the browser or
Choose New Session from the menu
If your question is about your development cycle take a look op answer of #Keppil.
If however you are asking about real user experience this is more complicated. Browser indeed remembers your session ID in cookie and sends it on each request. To override this mechanism you can create your own tokens that will be always appended to URL.
When token is supplied it should send redirect response to URL without token.
The server side should throw user to login screen every time the token is not supplied and the request is not from redirect.
I have never tried to do this and I am not sure you really want to implement this. The ability of browser to connect to same session even if user opens another tab or browser window is very convenient and widely applicable.
If a user opens 2 web pages simultaneously they will create 2 sessions.
Usually this would not matter but it does create a problem for remember me functionality when attempting to rotate cookie tokens as recommended in the persistent login cookie best practices. There seems to be no way to rotate both cookies correctly where both sessions are opened simultaneously.
How can I resolve this?
I use Tomcat and Struts 1, but I think this is framework independent.
extending #Thilo answer He is correct, any subsequent access to other page will follow send the cookies for that domain. e.g open gmail, login and now open gmail in other tab or window it send the cookie for that domain. since the cookie hold the session information on any subsequent request only session id/value will be changed.
You can check it using firebug and its extension fire-cookie.
On matter of avoiding remember-me problem as said in the link you specified it is more to design problem as how you are handling it.