JSESSIONID getting twice in cookie - java

I am using JBoss 5.1 server and the Struts framework. The following are the use cases.
Usecase 1
1) Cleared the browser cache and loaded the browser with my application URL (say /loadLogin.do)
2) In code, httpSession = request.getSession(false); when I check httpSession it's not null and has some jsessionid, say 123
3) Now I invalidate the session: httpSession.invalidate();
4) Again I create a new session: httpSession = request.getSession(); now this time a new jsessionid is created, say 456
5) Finally, when I check my cookie it shows 2 (two) jsessionids
Set-Cookie: JSESSIONID=123.node1; Path=/loadLogin
Set-Cookie: JSESSIONID=456.node1; Path=/loadLogin
Usecase 2
1) Don't clear the cache
2) Suppose the browser already has the URL (i.e. log in to the app, then log out, then try logging in again; this time the browser shows the URL in its dropdown)
3) This time when I check the cookie only 1 jsessionid is present.
Can someone please tell me, is this how the server behaves, or is it something to do with the way the session is being handled in the application?

I dealt with this problem too, half a year ago. It was a very frustrating problem, but I solved it.
You first cancel the newly created session and then create a new one.
HttpSession existing = getHttpRequest().getSession(false);
// getSession(false) returns null when the request carries no session, so check before use
if (existing != null && !existing.isNew()) {
    existing.invalidate();
    getHttpRequest().getSession(true);
}

Related

JAVA SESSION Cookie issue

I want my web application to resume its session when the browser is restarted. So I used the following code in a cookie filter to create a SESSION cookie for any request other than login and logout.
HttpSession browserSession = httpRequest.getSession();
Cookie cookie = new Cookie("SESSION", browserSession.getId());
cookie.setMaxAge(Integer.MAX_VALUE);
httpResponse.addCookie(cookie);
If I log in to my application, restart the browser and access the URL, it logs in automatically (as expected). But if I log out in that session and then try to log in in that session, it does not get logged in. What's causing this issue?
When I fetch cookies from the request (httpRequest.getCookies()), I get 2 cookies with the name SESSION, one created by the browser and one created by my code, but while debugging both have the same max age, i.e. -1, when I set my cookie max age as Integer.MaxValue()?? Why is this happening?
You can try deleting the cookie on logout. This way the user will be identified by the cookie created while logging in, it will be valid for a session (from login to logout), and as soon as the user logs out the earlier cookie will be deleted.
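
One way to do the cookie deletion suggested above, as an added example that is not code from either poster. The class name, the login page path and the assumption that the SESSION cookie was created with the context path as its path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (class name and login page path are assumptions).
public class LogoutServlet extends HttpServlet {
    private static final String COOKIE_NAME = "SESSION"; // cookie name from the question

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // End the server-side session first, so the old id is worthless
        // even if a stale cookie still presents it later.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.addCookie(expiredCookie(request.getContextPath()));
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    // Builds the cookie that tells the browser to drop the stored one.
    static Cookie expiredCookie(String contextPath) {
        // Do not reuse a Cookie object from request.getCookies(): the browser
        // sends back only name and value, so path and max-age are not on it
        // (getMaxAge() reads -1 there whatever was set originally).
        Cookie dead = new Cookie(COOKIE_NAME, "");
        // The browser replaces a cookie only when name and path match the
        // stored one. Assumption: the cookie was created with this same path.
        dead.setPath(contextPath.isEmpty() ? "/" : contextPath);
        dead.setMaxAge(0); // 0 = delete now
        return dead;
    }
}
```

If the cookie was created without setPath, its path defaults to the directory of the URL that set it, and a deletion cookie sent with a different path leaves the original in the browser.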

IBM WebSphere Application/Portal Servers, TAI and HttpSession and Cookies

I have IBM WAS 6.1 and Portal 6.1. I also have a TAI which works when the user logs in to or out of Portal. I want to work with HttpSession in the TAI. In short, my task is this: when the user is logging in I want to save some parameter in memory, and as a key I want to use the ID of the HttpSession (or something else?).
For example, while the user is logging in, the id of the HttpSession is "foo". Then the user is logged in and working in Portal, and presses the Logout button; Portal logs the user out using its internal mechanism, then my TAI catches this request and now I have an HTTP session with id "bar". So WAS changed the HTTP session. This means I cannot use the HTTP session to save any parameter, because WAS recreates it for logging out. But I have to save some parameter while the user is logging in, and use it while he is logging out.
Also, I can't use cookies for some reasons. Any idea how I can save an ID based on HttpSession?
Or I have to know who (Portal Uid of the user) pressed the logout button in the TAI. That would also help me resolve my problem.
UPDATE #1.
Also, for some reason WAS(?) deletes the custom cookie. I add a custom cookie in the TAI and WAS deletes it; I cannot find my own cookie. Any idea where and why? There is also an HTTP server between WAS and the client, but I checked it and it shouldn't delete it.
I did not resolve the question about the HTTP session, but I resolved the problem with the cookie.
The right cookie:
// The Cookie constructor requires a name and a value; the post does not give them,
// so name and value stand for the custom cookie's own
Cookie cooky = new Cookie(name, value);
cooky.setPath("/");
cooky.setDomain("domain.com");

Session from JSP to Servlet lost (Cookie changes)

I come back with the same question, but this time better documented. I have a web application with many servlets and JSPs. The application has a LogIn option. In the LogIn servlet I start a new session, and after placing some information in the session I forward to a JSP.
LogIn.java relevant code:
HttpSession sess = request.getSession(true);
sess.setAttribute("GLN", user);
rd.forward(request, response);
After I forward, I get a JSP page called Insert.jsp where I get the session's attributes.
Insert.jsp relevant code:
HttpSession sess = request.getSession(false);
if (sess != null){
out.println(sess.getAttribute("GLN"));
}
After this I have a form that directs me to a servlet, Adaugare.java. Here I do the same thing:
Adaugare.java code:
HttpSession sess = request.getSession(false);
Here comes the problem. Later edit: this returns null, as no session exists. Then I forward to the same Insert.jsp file and there, even if I have HttpSession sess = request.getSession(false);, a new session with a new session ID is created, different from the first one. So obviously
out.println(sess.getAttribute("GLN")); returns null.
This is the long story. The short version:
When I go from a servlet to a JSP, the session is OK; when I go from a JSP to a servlet, the session is nowhere to be found. Then a new session is created when I forward to a JSP. Practically, it creates a new cookie. If I print the contextPath from the JSP and the servlet, it's the same.
But here is the strange thing. This happens when I run the application on an Apache with mod_jk. When I run the app from Tomcat, it works fine.
Please help, I've been stuck for 2 weeks on this problem.
Answer to dan: (text too long for a comment, and I need to wait 7 hours to reply to my own question)
I deleted all commented lines. Hope that is OK. I'm not the one in charge of the server, but the one who is told me it's not multiple workers.
worker.list=jk-status
worker.jk-status.type=status
worker.jk-status.read_only=true
worker.list=jk-manager
worker.jk-manager.type=status
worker.list=balancer
worker.balancer.type=lb
worker.balancer.error_escalation_time=0
worker.balancer.max_reply_timeouts=10
worker.balancer.balance_workers=node1
worker.node1.reference=worker.template
worker.node1.host=localhost
worker.node1.port=8109
worker.node1.activation=A
worker.balancer.balance_workers=node2
worker.node2.reference=worker.template
worker.node2.host=localhost
worker.node2.port=8209
worker.node2.activation=A
worker.template.type=ajp13
worker.template.socket_connect_timeout=5000
worker.template.socket_keepalive=true
worker.template.ping_mode=A
worker.template.ping_timeout=10000
worker.template.connection_pool_minsize=0
worker.template.connection_pool_timeout=600
worker.template.reply_timeout=300000
worker.template.recovery_options=3
If the requests are balanced between multiple workers you should set the session stickiness flag to true. See: http://tomcat.apache.org/connectors-doc/reference/workers.html for more details. You should try:
worker.balancer.sticky_session=True

why session have session id after session timeout in jsp?

Hi, in the JavaScript of my JSP I am checking whether userId is in the session or not. It always has a session id, even if the session expires. I checked in the Java Action class and after the session expires userid is null there, but not in the JSP. code link
Try alerting the sessionId in your javascript code. You will find that the sessionId is different after the old one has expired.
Also check what the code is doing when a new session is created. It might be setting the userid in the new session.

how can i redirect to login page after session time out in jsp?

Hi, I am developing an application using Struts and JSP. In the JSP we are using Ajax calls; after session timeout, we redirect to the login page. But the problem is that the login page is displayed in the same div tag. I am checking whether the user is in the session or not in the JavaScript of the JSP, but the session always has a userid value; it is never null, even if the session expires.
Two things:
1) Configure a welcome page as the login page in web.xml
2) Create a filter and configure it in web.xml; this should be the first filter in web.xml
In the filter, check if the session is new: if so, the user should be guided to the login page, else the request should be processed.
Recently I made a tutorial about this exactly. Maybe it can be helpful. Is the same solution that abhi proposed but with an example.
http://classfoundexception.blogspot.com.es/2012/04/how-to-secure-struts-13-application.html
Every time a new request comes in, you should check and validate the session on the server side.
Also, this timeout is handled by the web server. Once the timeout has occurred, the server automatically redirects the user to the session logout URL. You may change this configuration in the conf files of the server.
For more info see this
To handle session timeout/expiry for an Ajax call request and dispatch it to the login page, follow these steps.
1) In your JSP, wherever Ajax functions are written, set a header before your Ajax request is sent.
req.open("POST", Servlet_PATH, true);
req.setRequestHeader("X-Requested-With", "XMLHttpRequest"); //set header
req.send();
2) In a filter, get the header like this, and if the session is null send a response error
String requestedWith = httpRequest.getHeader("X-Requested-With");
if (session == null) {
    // Only Ajax calls carry the header set in step 1
    if ("XMLHttpRequest".equals(requestedWith)) {
        logger.info("Ajax Expired...");
        ((HttpServletResponse) response).sendError(403); // Response error set
        return;
    }
}
3) In the JSP, wherever Ajax code is written, check request.readystate and request.state like this
if (req.readyState==4 && req.status==200)
{
    //your logic
}
else if(req.readyState==4 && req.status==403){
    alert("Your Session is Expired.Please Relogin.");
    window.location.href = "<%=request.getContextPath()%>/jsp/login.jsp";
}
