I'm using a URLConnection to login to a page. When I successfully login a session value will be set on the page. After that I want to access an other file on the site, but I can't maintain the session state of the site. Any ideas?
I suggest that you use Apache HttpClient / HttpComponents instead. It has facilities for maintaining a client-side cookie store.
Maintaining session state across URLConnection instances involves:
getting the set-cookie response headers
parsing them, figuring out what they apply to, and storing them
creating and adding cookie request headers for follow-on requests.
Prior to Java 1.6, there were no public Java APIs to do this for you and you had to do it all "by hand". Starting with Java 1.6, there is support in the form of CookieHandler / CookieManager / HttpCookie / CookieStore / CookiePolicy. Refer to the javadocs for details.
Related pages:
http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/cookie_support.html
http://docs.oracle.com/javase/tutorial/deployment/doingMoreWithRIA/accessingCookies.html
It sounds like the website you are trying to access handles sessions based on cookies. You may need to capture that cookie and add it to future requests. This question may help with that piece:
URLConnection with Cookies?
Read from the URLConnection to see if any cookies are set or a redirect is sent that contains a session id you can send back to the other site.
Related
I am planning to do automated testing of post requests with various parameters on a link. The problem that I face is the link has a sso authentication. When I do a normal post in vbscript or java it directs me to the sso page.
Any idea how it can be done?
since you are working with http-post, I assume that SSO is performed by using Cookies.
In that case, everything you have to do is add those Cookies to your request.
This is done by adding a Header with name 'Cookie' to your request.
This headers value may be of the format 'CookieName=CookieValue'.
In case you have multiple Cookies, you can either add multiple Cookie Headers, or separate them by using a ';'.
In case you fetch those Cookies with a previous request, you can get a hold of the Cookies by evaluating the 'Set-Cookie' Header.
Additional Informations about basic Cookie Handling may be found here
In case you use Apaches HTTP-Components, you can also use its integrated Cookie Store to automatically add Cookies to new Requests.
A good example as how to basically use Apaches HTTP-Client can be found here
The part of how to use Cookies can be found in section 3
I am working on small Java project to programmatically connect to a website with username/password, after login, browse to different links on the site to download some data. First, I need to connect to the website with username/password,
second, while I keep the session open, go to other links to download data.
How do I do this in Java?
Any help will be highly appreciated!
Check out the Apache HTTPClient, it can do all this for you.
Edit: Apache HTTPClient has authentication and cookie handling features included, which will save you a lot of work doing this yourself.
If you want to extract some data HtmlUnit can help you a lot it can manage the authentication and also help you with data extraction.
Investigate with your browser how the web page submits the username/pass data? HTTP Form POST, Ajax, etc..? Use a plugin like Firebug to see network traffic.
You can use URLConnection to create HTTP requests. You will neet to simulate a username/pass login and remember the cookie for use in consequent HTTP requests to simulate a session. Here are some examples: send HTTP POST request, get a cookie, send a cookie.
I want to create a small java application to copy some wiki content from one server to another. The API is based on the XML-RPC.
Basically I have three methods, login, getPage and putPage. I use Apache HttpClient 3.x and managed to use login to login successfully and getPage to get a page from the old wiki correctly.
Authentication is handled with cookies: I log into the new wiki and some cookies are set on the corresponding httpclient. The doku tells me that one of those cookies is used for authentification.
Then I execute putPage with another POST method on the same httpclient and the server responds with a authentication failure message.
The code sequence goes like this (very reduced):
HttpClient client = new HttpClient();
PostMethod postLogin = createNewPostMethod("login", "user", "pw");
client.executeMethod(postLogin);
// Now I'm logged in and the client definitly has stored the cookies
PostMethod postPutPage = createNewPostMethod("putPage", getPage());
client.executeMethod(postPutPage); // the server won't let me put the page
Should it work like that or do I have to add the cookies manually to the second post method and, if yes, how?
Edit / Solution
With the help of the answers to this question I was able to identify and solve the problem, which was outside of the usage of httpclient. At the end it was a configuration issue on the target wiki side. The answers here helped me to ask the right questions in another forum.
Cookies are handled by HTTPClient by default. You shouldn't have to do anything to have cookies work properly.
Source:
http://www.innovation.ch/java/HTTPClient/getting_started.html#cookies
Edit for Apache HTTP Client:
Apache HTTP Client behaves the same :-)
Here is the source:
http://hc.apache.org/httpclient-3.x/cookies.html
You can set manually cookies with HTTP Client but it will handle correctly cookies created during your connection.
HttpClient supports automatic management of cookies, including allowing the server to set cookies and automatically return them to the server when required. It is also possible to manually set cookies to be sent to the server.
Resources :
Apache HttpClient - cookies
I have historically used this when I wanted to accept cookies with HttpClient
postPutPage.getParams().setCookiePolicy(CookiePolicy.BROWSER_COMPATIBILITY);
I have this big issue. My current session is gone every time I made a new request to Server.
I have checked in a lot of places. I can't find what's the problem. I also have included
session-config in web.xml both in tomcat and application. I also enabled to accept cookies to my browsers. Tested in every browser. It's not working.
I am just developing a simple java ee applcation using JSP/Servlet. I am facing the problem only after I have deployed to tomcat in server machine.
One possible cause for this is having a "naked" host name (i.e. one without a domain part). That's fairly common if you're working in an Intranet.
The problem is that almost all browsers cookies will not accept cookies for hostnames without a domain name. That's done in order to prevent evilsite.com from setting a Cookie for com (which would be bad, as it would be the ultimate tracking cookie).
So if you access your applicaton via http://examplehost/ it won't accept any cookie, while for http://examplehost.localdomain/ it will accept (and return) the cookie just fine.
The nasty thing about that is that the server can't distinguish between "the browser got the cookie and ignored it" and "the browser never got the cookie". So each single access will look like a completely new sesson to the server.
After years, I never posted the answer back here. At that time I was busy and forgot about this question. But, today I am looking for a solution in Stackoverflow as usual and saw this notification mentioning I am getting points from this Question. Seems like other developers are facing the same issue. So, I tried to recall how I solved the issue. And yes, I solved by manually put back the session id to track/maintain the session id.
Please see the code that I manually put back jsessionid inside the servlet.
HttpSession session = request.getSession();
if (request.getParameter("JSESSIONID") != null) {
Cookie userCookie = new Cookie("JSESSIONID", request.getParameter("JSESSIONID"));
response.addCookie(userCookie);
} else {
String sessionId = session.getId();
Cookie userCookie = new Cookie("JSESSIONID", sessionId);
response.addCookie(userCookie);
}
First check if the webapp's context.xml does not have cookies="false" configured.
Further it's good to know that cookies are domain, port and contextpath dependent. If the links in the page points to a different domain, port and/or contextpath as opposed to the current request URL (the one you see in the browser's address bar), then the cookie won't be passed through which will cause that the session cannot be identified anymore and thus you will get a new one from the servletcontainer.
If that is not the cause, then check if you aren't doing a redirect on every request using HttpServletResponse.sendRedirect() for some reason. If you do this already on the very first request, then the cookie will get lost. You'll need to replace
response.sendRedirect(url);
by
response.sendRedirect(response.encodeRedirectURL(url));
In Your properties
server.session.cookie.http-only=true
server.session.cookie.secure=true
Remove these settings, it will retain your session id cookie, which is being reset with every request.
I experienced a stale https session cookie (my ad-hoc term) problem, due to a secure flag.
I had this problem when switching between http and https. The cookie stored by https session was never overwritten by http session. It remained in FireFox memory for eternity. It was visible in FireFox Tools / Options / Privacy / Delete single cookies where in Send for field it was Only for secure connections. Clearing this single cookie or all cookies is a workaround.
I was debugging the problem with wget, and I noticed such a header:
Set-Cookie: JSESSIONID=547ddffae0e5c0e2d1d3ef21906f; Path=/myapp; Secure; HttpOnly
The word secure appears only in https connections and creates this stale cookie. It's a SecureFlag (see OWASP). There are ways to disable this flag on server side, which seems like a permanent solution, but maybe not safe.
Or is it a browser bug, that the cookie is not overwritten?
Try adding the Live Http Headers plugin to firefox, and make sure the session cookie is indeed being passed to the browser from the server, and make sure the browser is sending it back again on the next request.
Please verify if the session is not being invalidated in your code someplace. Look for code similar to request.getSession().invalidate();
If there is a load balance configuration, will must have to configurate a route in the network for preserve the requests in the same server. Otherwise, the each request will go to a different server, losing the session attribute.
Edit your tomcat context.xml file and replace <Context> tag to <Context useHttpOnly="false"> , this helped me.
Are you connecting via http or https?
For servlets the session I'd cookie has attributes 'secure' and 'httpOnly'. 'secure' means user agent will only send cookie if transport is secure (https/tls). If your connecting with http a new session is created on each request. 'httpOnly' means the cookie can not be modified by client side script.
I am trying to login and retrieve status information from a HTTPS URL via Java programming. I login through /login.cgi, providing the username and password with a POST request to that script.
The script then verifies the credentials and creates a specific cookie (with session information, user name, etc.) and then immediately calls a Location response header to /home.cgi. Which, I'm guessing, the /home.cgi script verifies the cookie information before continuing to load. Otherwise, it just reverts back to the /login.cgi page.
All of this works fine within a browser because of the way browser's handle cookies/sessions correctly. However, within Java, this is very tricky because I can not get the appropriate cookie to send as a request to subsequent pages. I can not get the correct cookie because I am unable to get the HTTP response back (which holds the correct "Set-cookie" value) in between /login.cgi creating the specific cookie and it calling Location /home.cgi.
Is there something I'm missing or is there a better way that Java can handle cookies similar to a browser? (is there a cookie store, etc?)
Thanks for the help,
Steve
Cookie management is by default not enabled in the java.net HTTP API. If you don't need any specific handling or cross-application cookie persistence (the cookies will be deleted when your application terminates), you can simple enable it with
CookieHandler.setDefault(new CookieManager());
How are you making the HTTP connections and managing cookies?
I would recommend just using commons-httpclient rather than managing this yourself. It will automatically manage cookies for you.