I need to get current session Id without hitting the session (to give it a chance to expire).
I've used Cookies from Servlet code in order keep the session not-touched and then make the session expires after its timeout time.
I am using the following code:
public static String getSessionId(HttpServletRequest request)
{
String sessionId = "";
String logMsg = "";
if (request != null)
{
String sessionTimeout = PropertiesReader.SESSION_TIMEOUT_SCHEMA;
if (sessionTimeout != null && SessionHelper.SESSION_TIMEOUT_FIXED.equalsIgnoreCase(sessionTimeout))
{
logMsg = "FIXED: Getting SessionId from Cookies with activating the session";
Cookie[] cookies = request.getCookies();
if (cookies != null)
{
for (Cookie cook : cookies)
{
if ("JSESSIONID".equalsIgnoreCase(cook.getName()))
{
sessionId = cook.getValue();
break;
}
}
}
} else
{
logMsg = "PER_USAGE: Getting SessionId from Session";
sessionId = request.getSession(false) != null ? request.getSession(false).getId() : "";
}
}else
{
logMsg = "Request object is null";
}
logger.info(logMsg + ", sessionId=" + sessionId);
return sessionId;
}
One one OC4J app server, it works fine. although on another oc4j server, the code of accessing cookies makes the session keep active and don't timeout!
EDIT:
I really stucked!, I've trying to place afilter to remove the JSESSIONID cookie and remove all cookies from the HttpServletRequest, but when I call getSession(false) on the request passed to the servlet, I got a valid Session!
class CookieRemovalHttpServletRequestWrapper extends HttpServletRequestWrapper
{
public static final String COOKIE_HEADER = "cookie";
public static final String JSESSIONID = "JSESSIONID";
public CookieRemovalHttpServletRequestWrapper(HttpServletRequest request)
{
super(request);
}
#Override
public String getHeader(String name)
{
if (COOKIE_HEADER.equalsIgnoreCase(name))
{
return "";
}
return super.getHeader(name);
}
#Override
public Enumeration getHeaderNames()
{
Enumeration e = super.getHeaderNames();
List l = new ArrayList();
while (e.hasMoreElements())
{
String headerName = (String) e.nextElement();
if (!COOKIE_HEADER.equalsIgnoreCase(headerName))
{
l.add(headerName);
}
}
return Collections.enumeration(l);
}
#Override
public Enumeration getHeaders(String name)
{
if (COOKIE_HEADER.equalsIgnoreCase(name))
{
return new Enumeration()
{
public boolean hasMoreElements()
{
return false;
}
public Object nextElement()
{
return null;
}
};
}
return super.getHeaders(name);
}
#Override
public Cookie[] getCookies()
{
Cookie[] cs = super.getCookies();
List<Cookie> cokRet = new ArrayList<Cookie>(cs.length);
for (Cookie c : cs)
{
if (c.getName().equalsIgnoreCase(JSESSIONID)) continue;
cokRet.add(c);
}
return cokRet.toArray(new Cookie[] {});
}
}
And really think to forget all about Session and just use the session Id as just a unique identifier to the user, and do it myself the hard way.
As to your code, don't do it the hard way, use HttpServletRequest#getRequestedSessionId() and HttpServletRequest#isRequestedSessionIdValid() instead to check the requested session ID and if it is valid.
if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
// The session has been expired (or a hacker supplied a fake cookie).
}
As to your concrete problem:
the code of accessing cookies makes the session keep active and don't timeout!
No, the code doesn't do that. It's the HTTP request itself which does that. It is not true that whenever you don't call getSession() or something, the session timeout won't be postponed. It will be postponed on every single HTTP request fired by the client, regardless of whether you need the session in the code.
To learn about how sessions work, you may find this answer helpful: How do servlets work? Instantiation, sessions, shared variables and multithreading
The session expiring isn't dependent on your code accessing the session, it depends on the user making a request with that session. Every time the user makes a request, the session's timeout will reset itself.
If you want to not have the user's request re-set the timeout (ie. have a fixed-length session), then you will need to do additional things for configuring the session, including possibly using a different filter to handle sessions.
The session is not timeout, that is correct behavior, because request was accepted and session expiration is updated in any case.
Related
Recently I started using Spark Java Framework (2.7.2) to create a lightweight web application. One of its requirements is that the application must be deployed to an Apache Tomcat Server 8.5.
I've managed to set things going, but I have not been able to set any custom cookie.
I have used the following method but none worked.
response.cookie("my_cookie", "value");
response.cookie("/path", "my_cookie", "value", -1, false, true);
It seems like tomcat is setting correctly the JSESSIONID cookie but I have no control over this cookie generation and I would like to generate a random and unique cookie, in order to be used for user authorization.
EDIT:
The control flow for setting the cookie is this
// In the main application
before("/*", AccessController.setSession);
// Method for setting an existing session
public static Filter setSession = (Request request, Response response) -> {
// If the user is not set in the session
if (!SessionUtil.hasSession(request)) {
// Obtain the cookie session ID
String sessionId = SessionUtil.getCookie(request);
System.out.println(sessionId);
// Obtain the user according to the session ID
User user = app.getUserFromSession(sessionId);
System.out.println(user != null);
// if does exists we set the session
if (user != null)
SessionUtil.setSession(request, user);
}
};
// Methods for the session
public static boolean hasSession(Request request) {
if (request.session().attribute("user") == null)
return false;
return true;
}
public static String getCookie(Request request) {
return request.cookie(COOKIE_NAME);
}
public static void setSession(Request request, User user) {
request.session().attribute("user", user);
}
This is called when a login is succesfull. Cookie is stored in the user database persisting sessions
public static void setSession(Response response, String cookie) {
response.cookie(COOKIE_NAME, cookie);
}
Background: I need to create a filter which aims to capture the http response of a servlet whenever it is hit for the first time. Post that on subsequent servlet hit, I need to send the same http response back which i captured earlier. For this, i am saving the servlet response in a text file and send the same as part of response whenever servlet is accessed from second time.
Now, in my application, every screen is painted by 2 servlets. First servlet(for which i am saving http response) sends back basic template along with some dynamic xml data along with xsl name. During load of DHTML response of first servlet, 2nd servlet is called to fetch XSL. As part of security, during first servlet hit, xsl name is added as part of session attribute which is verified when second servlet is called to fetch xsl.
Now, The issue is when i capture http response of first servlet in the filter and re-send the same as part of subsequent hit, session attributes are coming as null in second servlet. (Ques 1: Why?)
Now, to think of the work around, i am adding the session attributes in a concurrenthashmap when I save the http response in the text file. And when the servlet is hit second time, i set the session attributes explicitly and send the response from text file. Now, again, during second servlet hit, these attributes are coming as null. To inspect more, i tried printing the concurrenthashmap in dofilter method. What i observed is that the value of the session attributes are getting null on subsequent servlet hit. (Ques 2: Why?)
public class ServletResponseMocker implements Filter {
private ServletContext context;
private ConcurrentHashMap<String,String> hmURI_FileNameMap=new ConcurrentHashMap<String, String>();
private ConcurrentHashMap<String,List<String>> hmURI_SessionAttrLMap=new ConcurrentHashMap<String, List<String>>();
private String rootPath;
public void init(FilterConfig fConfig) throws ServletException {
this.context = fConfig.getServletContext();
rootPath=System.getProperty("WAR_ROOT_PATH");
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
String uri = req.getRequestURI();
boolean bToBeProcessed = false;
if (uri.startsWith("some/pattern"))
bToBeProcessed = true;
if (bToBeProcessed) {
res.setCharacterEncoding(System.getProperty("CHARSETTYPE"));
OutputStream out = res.getOutputStream();
byte responseContent[] = null;
String filename = null;
if (hmURI_FileNameMap.containsKey(uri)) {
filename = hmURI_FileNameMap.get(uri);
responseContent = Utils.readBytesFromFile(rootPath + "\\somefolder\\"
+ filename);
res.setContentType("text/html;charset=UTF-8");
res.setContentLength(responseContent.length);
HttpSession session = req.getSession(false);
if (session != null) {
if (hmURI_SessionAttrLMap.get(uri) != null)
session.setAttribute("ClientXSL",
hmURI_SessionAttrLMap.get(uri));
}
res.setHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
} else {
filename = uri.substring(uri.lastIndexOf("/") + 1) + ".vdb";
hmURI_FileNameMap.put(uri, filename);
ResponseWrapper wrapper = new ResponseWrapper(res);
chain.doFilter(request, wrapper);
HttpSession session = req.getSession(false);
// This session attribute is set by some filter in chain and is
// always not null here.
List<String> clientXSLList = (List) session
.getAttribute("ClientXSL");
if (clientXSLList != null) {
hmURI_SessionAttrLMap.put(uri, clientXSLList);
}
responseContent = wrapper.getData();
/*Writing data to text file*/
}
out.write(responseContent);
out.flush();
out.close();
} else {
// To identify the 2nd servlet of the screen which is same for all
// screens
if(uri.startsWith("/someother/pattern/com.second.servlet.fetchXSL")){
HttpSession session = req.getSession(false);
if (session != null) {
// Below session attributes always comes as not null during
// fisrst time screen loading. However, comes as null when
// static response is sent for subsequent servlet hit.
List<String> clientXSLList = (List) session
.getAttribute("ClientXSL");
if (clientXSLList != null)
this.context.log("Getting clientXSL list from session:"
+ Arrays.toString(clientXSLList.toArray()));
}
}
chain.doFilter(request, response);
}
public void destroy() {
}
}
Ok Found the issue.
For Ques 1: I overlooked the code present in second servlet. It clears the session attributes whenever it is hit. Therefore when i capture the http response of first servlet being hit second time, session attributes already got null. And hence, they were coming as null in second servlet.
For ques 2: Issue was with my code in filter.
List<String> clientXSLList = (List) session
.getAttribute("ClientXSL");
if (clientXSLList != null) {
hmURI_SessionAttrLMap.put(uri, clientXSLList);
}
The session attributes were added in a list which was added as part of session. And then when i was copying the session attribute, i was not cloning it. Hence, the same getting cleared. To resolve this, now i am creating the clone and then adding it to my concurrenthashmap as below.
ArrayList<String> clientXSLList = (ArrayList<String>) session
.getAttribute("ClientXSL");
if (clientXSLList != null) {
hmURI_SessionAttrLMap.put(uri, clientXSLList.clone());
}
#Override
public void sessionDestroyed(HttpSessionEvent arg0)
{
boolean isRemoved = sessionIdSet.remove(arg0.getSession().getId());
if (isRemoved)
{
arg0.getSession().invalidate();
System.out.println(arg0.getSession().getAttribute("userName"));
System.out.println("session destroyed");
}
}
Suppose the attribute userName was testUser at the time of login. So after timeout in my java console I get null and session destroyed printed. So if it is null that means when I do following in my jsp I should get null but instead still I get testUser
$("body").click(function(event){
var property="<%=session.getAttribute("userName")%>";
//Here I expect property to be null as session is destroyed
//and it prints null in java so it should also here.
alert(property);
//But what i get here is testUser
}
Using Spring interceptor
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws ServletException {
boolean allowRequest = true;
String requestUri = request.getRequestURI().toString();
HttpSession session = request.getSession(false);
logger.info("Pre-intercepting request URI: " + requestUri);
try {
if(null != session) {
String sessionBelongsTo = (String) session.getAttribute("CUR_TYPE");
String user = (String) session.getAttribute("userName");
System.out.println(user);
if(!requestUri.endsWith("/login") && !requestUri.endsWith("/loginauth") && !requestUri.endsWith("sap-ui-core.js") && !requestUri.endsWith("/main")) {
if(null == user) {
logger.info(""
+ "Login required, redirecting to LOGIN page");
response.sendRedirect(request.getContextPath() + "/login");
allowRequest = false;
}
else {
logger.info("Login not required");
}
}
}
else{
logger.debug("session is null.redirecting to login");
session = request.getSession();
response.sendRedirect(request.getContextPath() + "/login");
allowRequest = false;
}
}catch(IOException ioe) {
logger.info(ioe.getMessage());
allowRequest = false;
}
return allowRequest;
}
Using interceptor makes an redirect call GET http://localhost:9090/app/login which is successfull but redirect never really happens.
You are mixing two different codes. You have to realize, where and when each code is executed - JSP on the server when the page is requested and rendered (i.e. before the response is send to the browser) and Javascript in the browser, after the browser receives the already generated response.
I.e. <%=session.getAttribute("userName")%> is processed on the server, and your browser receives e.g. var property="johndoe"; - the JSP code is NOT executed again when your onclick handler is executed.
I have a servlet like the following
public class Ticket extends HttpServlet {
private static final long serialVersionUID = 1L;
public Ticket() {
super();
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// check cookies
Cookie[] receivedCookies = request.getCookies();
if(receivedCookies != null){
Cookie user = receivedCookies[0];
response.getWriter().println("user: " + user.getValue());
response.addCookie(user);
// check session
HttpSession session = request.getSession(true);
Object atribVal = session.getAttribute(user.getValue()); // get a current state
if(atribVal == null){
response.getWriter().println("current state: null");
}
else{
response.getWriter().println("current state: " + atribVal.toString());
}
String newState = TicketMachine.getNextState(atribVal); // get a new state based on the current one
response.getWriter().println("new state: " + newState);
if(newState == "COMPLETED"){ // ticket completed, destroy session
session.invalidate();
return;
}
else{ // move to the next state
session.setAttribute(user.getValue(), newState);
}
}
}
}
I am trying to store a state of a ticket machine for each user who requests a ticket. I'm running this on Oracle WebLogic Server and testing it using cURL get requests that looks like the following
curl --cookie "user=John" 127.0.0.1:7001/myApp/Ticket
I would expect it to move through states as they are defined in the state machine, but it always returns the same lines
user: John
current state: null
new state: NEW
The ticket machine is quite simple
public class TicketMachine {
public static String getNextState(Object currentState){
if(currentState == null)
return "NEW";
switch(currentState.toString()){
case "NEW":
return "PAYMENT";
case "PAYMENT":
return "COMPLETED";
}
return null;
}
}
What am I doing wrong here?
When session is created it adds to response cookies session parameters such as session id. Your command to cURL does not stores cookies from server. You have to store cookies as follows curl --cookie oldcookies.txt --cookie-jar newcookies.txt http://www.example.com.
Also read section about cookies at http://curl.haxx.se/docs/httpscripting.html
I am trying to use a HttpSessionListener to check for a cookie and get the IP address of the request.
However I don't have access to the HttpServletRequest in the listener to pass to STKUserCookie or to get the IP.
public STKUserCookie(HttpServletRequest request)
public void sessionCreated(HttpSessionEvent se) {
HttpSession httpSes = se.getSession();
if ( se.getSession().getAttribute("STKUserSession") == null) {
STKUserCookie userCookie = new STKUserCookie(request); <------- ERROR on this line "request" not available
String userBadge = userCookie.getUserID();
STKUserDAO userDAO = new STKUserDAO();
STKUser user = userDAO.getUser(userBadge);
if (user != null) {
user.setIpAddress(se.getRemoteAddr()); <------- ERROR on this line "getRemoteAddr" not a method of se
userDAO.updateLogin(user);
httpSes.setMaxInactiveInterval(36000); //set to 10 hours
httpSes.setAttribute("STKUserSession", user);
}
}
}
The above used to be a scriptlet that I was including in all my jsp pages and I am trying to refactor it into a listener, rather than a filter since I only want it to be called once per session to reduce overhead. Or should I not worry about the overhead and stick the method into a filter??
Don't worry about the overhead of a no-op filter. It is negligible.