we have a bunch of 'cflocation' tags in our cfmx apps, which lead to the session identifiers getting appended to the url.
Our main concern here is to remove the jsessionid, cfid and cftoken from the url for security measures.
We have tried the following and none of them worked for us:
1. 'addtoken=no' with the cflocation tag
2. tried using cfheader instead of cflocation.
How do we remove the session identifiers from the url?
thanks guys for the prompt answers!
I will try to answer the queries here
I tried replacing cflocation completely with cfheader like so
<cfheader statuscode="302" statustext="Temporarily Moved"/>
<cfheader name="Location" value="destinationURL"/>
We are using cookies to store session info. I am able to see the CFID, CFTOKEN, JSESSIONID cookies successfully being created on the users machine
Mitrah - If i set the 'setclientcookie' value to false, wouldn't that default to URL? Or am i not reading this correctly?
Do i need to tweak the 'cfapplication' tag in someway to make this work
It sounds like you are not using cookies to store your session, but are probably using client variables. If you are using client variables, then CF will automatically put the session tokens in the URL no matter what. This doc explains why.
Try to set setclientcookie = "false" in your application tag.
Related
I am using spring security for user authentication, But here i want to get the previous browser url on userDetailService or loginFailure or loginSuccess.
For that i am trying to get the url from the request object but i got /j_Spring_security_check instead of browser url like:- /service/user/login or /service/customer/login because i have these two different url for login for different user or customer. please suggest any solution
Thanks in Advance
String referrer = request.getHeader("referer");
Note: the HTTP referer is a client-controlled value and can thus be spoofed to something entirely different or even removed. This value should not be used for any critical operation. But why you needs this?
How can I set session cookies to be Http-Only in servlet API 2.5? The Cookie.setHttpOnly method was added in servlet API 3.0.
i need to do the same thing...
i'm thinking of doing a servlet filter, reading the cookies with request.getCookies(), creating the raw cookies (in a StringBuilder; not the object Cookie), appending HttpOnly and using response.setHeader("Set-Cookie", rawCookies) to put them back.
one thing to be carefull about is taking other properties, as in domain, path, secured; not just name and value
will let you know how it goes...
PS: also thought of taking the header with request.getHeader('COOKIES') and using regex to append HttpOnly, but it seems that the header COOKIES will only give you the name and the value property
I think you'll want to create some utility code that will take a Cookie and a flag for whether or not you want HttpOnly. The utility will create the associated string header for the cookie which you can pass to HttpServletResponse.addHeader("Set-Cookie", cookieHeader).
I'm posting some strings in my Session with the call
request.getSession().setAttribute(key, value);
And making the redirect with
response.sendRedirect(urlRedirect);
In almost all cases the values is there after the redirect.
But sometimes I can only read this value in the next page view, not in the redirect. There is no common behavior.
Someone has faced the same problem?
Sessions are backed by a HTTP cookie. On first-time session creation, a cookie will be set in the response header. By default, cookies are bound to a specific context only.
So, if you redirect while the cookie hasn't been set yet, the session will get lost. To go around this, you need to encode the redirect URL.
response.sendRedirect(response.encodeRedirectURL(url));
This appends the jsessionid identifier to the URL which allows the servletcontainer to locate the right session without help of a cookie.
If you don't like the jsessionid thing, then consider implementing a filter like this which ensures that the client is aware of the session cookie before the request enters your controller wherein you fire the redirect.
Also, if you redirect to a different context, it won't be able to access the same session. To go around this, you need to configure the servletcontainer to share the session among the contexts. In for example Tomcat, check the emptySessionPath attribute of the <Connector> element in /conf/server.xml.
Such a behaviour can be caused by caching.
If the page you are redirecting to is retrieved from the browser cache, you obviously can't see the result of setAttribute() on it. So make sure it's actually requested by the browser.
Are you sure you need to do redirect through browser (response.sendRedirect()) and not on the server side (RequestDispatcher.forward())? Latter is faster as there are no network round trip.
The problem was solve by changing the way of submit.
The page was submitting the data only changing the value of location.href to the Servlet Action.
We only call the submit function from the page form, and the session attributes works fine!
I have found a strange behaviour (strange for me, a novice :D) in my project.
Basicly after an action I create or update a cookie (if it exists or not) and send it to the client. The strange thing is that in the jsp I can read the cookie ONLY when I update its value (and I get the updated value, not the old one) but not the first time, when I create it (I can see the cookie using a browser tool but seems that the jsp can't read it).
Is this a normal behaviour? If yes, what do you suggest to do in order to have the cookie information available also at the first time?
Thanks very much!
Roberto
If you create or update a cookie, it will be stored in the response header. If you request a cookie, it will be requested from the request header.
I think your problem is that you're forwarding the same request from servlet to JSP and that you expect that the new cookie is already available in the request header. This is not true. The new cookie is only available in the subsequent requests.
You have 2 options:
Redirect to JSP. A redirect will create a new request.
Store the data of interest as request attribute and let EL in JSP access it.
By the way, I saw in one of your comments that you're using plain Java code to read cookies in a JSP. I would only say that using scriptlets in JSP is a bad practice. You can access cookie values easily in EL as follows:
${cookie.cookiename.value}
[Edit] oh my, now I see that this is an old topic. Hopefully my effors weren't all for nothing :/
Cookies are stored on client, and so if the response doesn't gets to the client yet, its value is not updated, but it should be available on the next requests.
cookies are used to identify clients when they send you any requests. here's what you are doing when you set the cookie up. you are sending the cookie to the client along with response. And when that client send his next request the cookie that you set comes along with it. so, in the jsp page where you are setting up the cookie, you don't have a request from the client with cookie! so you can't read it. but what you can do like what jerjer has said above. (i.e use a temp and store cookie's value in it and don't try to retrieve cookie. just read the temp value). And i see you say you can read the cookie only when you update. You will be able to read cookie's value from future reqests after cookie is set even if you don't update it. Hope this helps.
I wants to know that How can i Manage Session if the client browser has disabled cookie feature..
If I wants to implement it in simple JSP - Servlet, then how can I do that ?
Thanks in advance...
Without cookies, you have two options. The first is passing a sessionId through Urls. This requires a lot of work on the server because every url you send back must have a sessionId appended to it (usually in the form of a query string parameter). For example:
/path/to/page
becomes
/path/to/page?sessionid=ASDFG-ASDFG-ASDFG-ASDFG-ASDFG
The other option you have would be to combine what information you have via http into a "unique" key and create your own session bucket. By combining the Http UserAgent, RemoteIp and RemoteXfip you can get close to uniquely identifying a user, but there is no guarantees that this key is 100% unique.
In the JSP side, you can use JSTL's <c:url> for this.
link
Easy as that. It will automagically append the jsessionid when cookies are disabled.
In the Servlet side you need HttpServletResponse#encodeURL() or -usually the preferred one inside Servlets- HttpServletResponse#encodeRedirectURL() for this.
response.sendRedirect(response.encodeRedirectURL("page.jsp"));
url rewriting
http://www.developertutorials.com/tutorials/java/implement-session-tracking-050611/page5.html
Each URL must be encoded using response.encodeURL("page.jsp")
This will add the Session ID onto the end of each URL so cookies do not have to be enabled.
Note that you will have to do this manually for every single URL in order for it to work.
See this link for more info.