I am using GWT for my client side application. I am not using GWT/Java for the server. However, I am not sure how I can handle session management. The GWT application resides on one page, all server calls are done via AJAX. If a session expires on the server... let's assume the user didn't close the browser, but left the application open, how could my server notify the application that the session has expired and that the client side portion should show the login screen again?
What is meant by client side session management? That seems inherently insecure.
I'm not looking for code. I'm looking for ideas, techniques, potential solutions etc. I've considered Comet http://en.wikipedia.org/wiki/Comet_(programming), but that doesn't seem like that will work very well without using Java on the server side. Maybe, I'm wrong? I don't want to poll the server either.
Any thoughts or insight?
Without knowing how you're doing your RPC is working, its hard to give good advice.
If your AJAX service requires a user to be authenticated (IE have a valid session), it is ok to just send a 401 error saying that the user is invalid. Client-side can interpret the 401 error as a message that it should set the user up for re-authentication.
We handled this in our application, by detecting when the server sent back a redirect to the login screen (it would come through the response to the Ajax call), and popped up a dialog asking the user for their password again, but pre-filled their username. We then posted that to the same place the login page does, as if it was the login page, and so the user was logged into this new session automatically. Finally we just re-submitted the ajax call again, so it was a seamless process to the user (eg: they didn't have to click the action again).
Since we stored all the state on the client, and not in session variables we didn't have any problems trying to persist data across sessions.
What should happen if the session expired on the server-side, then the next time the client sends a request to the server, it will either create a new session, or, more likely, send back a message to the client that it is trying to access a page without a session, and send them to the login screen. However, you will still need to wait until the client sends a message to the server.
Related
I have some doubts about how to send a message from a Java Rest Server, to an Angular Client. I have read about WebSockets, but Im not sure if it suits what im looking for.
We use a token-based authentication , and when a client logouts, we choosed to simply remove token from client. Until here everything is correct. Problem is that our system includes a functionality that allows admins to logoff online users. As clients can't notice that they where logged off, they can't remove token. I'm looking for a way to send a message from server to an specific client, so It can logouts from ClientSide, and remove its token.
Is WebSocket best way to do this?
Thanks in advance.
Here is what I would do. When a user is logged off, which can actually also happen when the session expires, nothing will happen until the user performs an action. This action might require a backend call which can then return a 401 html code.
When you really immediately want to redirect the user to a login page, you might indeed need web-sockets or if that is not an option, hit your backend with a certain interval to validate the session
I have java web application using struts 1.x. Recently my application has gone through penetration testing and our testers found some security holes. Let me explain. In my application i have 2 users called ‘Admin’ and ‘user’. First our PenTester logged to my application as ‘Admin’ and they use ‘Burp tool’ to intercept the request and copy the whole request content into notepad and then forward the request. Now My application log in as ‘Admin’. They use another browser instance to login as “user” and use burp tool to intercept the request. This time they removed the whole request content and copy back the whole request content of ‘Admin’ and then forward the request. Now my application logged in as ‘Admin’ without asking any user id/password? How to restrict this situation? I already stored userid in my session variable after successful login of each user. The moment they intercept the request and copy the ‘admin’ request content, my session variable userid also changed to ‘admin’. How to validate this situation? Your help is really appreciated.
That is not really that much of an issue since the first part "copy the whole request content" is not easily doable if you have a proper HTTPS / SSL connection. That only works if the PC the user is logged in on as an admin is compromised in which case: nothing you can do about it anyway because they can just sniff the keystrokes and get the plain password.
If on the other hand you communicate without the S, namely just HTTP then the solution is: get a certificate and switch to HTTPS.
Apart from that your application can pin a session to an IP which means if the session id / cookie is stolen and someone else uses it you can detect an IP mismatch and ask for credentials again.
To prevent direct replay attacks like copying the request and sending it again you can introduce a hash that incorporates the timestamp or alternative measures, see. How do I prevent replay attacks? . The problem however is that copying the entire request means copying the cookies as well and if the "admin" cookie is copied this measure will not prevent you from "generating" a new hash based on the now admin user.
I am trying to clear the HttpSession if the consumer close the browser window. I dont know how to do it, Please help me anyone
Thanks & Regards
Chakri
If you could get the browser to (reliably) notify the server that the user had closed the window, then the server could call session.invalidate() as per the original Answer provided by ejay_francisco.
The difficulty is getting the notification to happen reliably. There are various ways to detect the window close; e.g. as covered by these Questions (and similar):
Trying to detect browser close event
javascript to check when the browser window is close
javascript detect browser close tab/close browser
You could then write the (javascript) close event handler to send a specific request to the server.
However, I don't think any scheme is going to be able to deal with cases where the user's browser dies, the user's machine is shut down, and similar scenarios. So if you need the session to be cleared 100% of the time, then you are probably out of luck. I don't think it can be done.
It can be archived in a little diffrent way.
use a javascript event known as "window.onbeforeunload"
e.g
window.onbeforeunload=mylogic_function();
function mylogic_function()
{
window.location.href = "path to the servlet which inavalidate the session";
}
Have a dedicated servlet which job is only to deactivate the session
Try this ..hope this will work
EDITED :
try reading the answer on this Page
"HTTP is not a continuous-conversation protocol where the client connects to the server and they trade information asynchronously until
the client disconnects.
Instead, each HTTP client request acts like it logs in, does one
thing, then logs out. This request/response cycle repeats until the
client stops sending requests.
At NO time is the server allowed to send a response to the client
unless it's in response to a specific actual request and only one
response is permitted per request.
So you cannot have a server post a "you timed out" page to the client.
The closest you can get is to respond with a "you were timed out"
response page if/when the client makes a request.
The other common thing people want to do is to notify the server that
the client has closed a browser, window, or tab. There is no protocol
defined for the World Wide Web to deal with that. If the user closes a
server window/tab, the server is not notified by the client. Since
there is no ongoing session to be dropped (remember, the connection
only lasts long enough for the server to accept a request and return a
response), there's no way the server will know that the client went
away."
SUMMARIZATION :
YOU CAN'T DO IT
Possible Workaround :
You simply need to rely upon the session timeout. The timeout could happen at any time and you cannot even know if the user is even looking at one of your pages when it occurs. It's likely they're off looking at videos of kittens at the time.
Short answer: you can't. Fortunately, sessions expire automatically after a period of time; check your servlet engine documentation to see how to set this timeout period.
I felt that there should be a way to do it from JavaScript; unfortunately, JavaScript doesn't seem to have an onWindowClose handler.
if you close the browser it is already clear the session
but if you want to force to clear the session
usesession.invalidate();
or if you want to remove specific session use session.removeAttribute("<sessionName>");
I have this weird issue where my Liferay portal logs out when I try to refresh the page or go to some other page the same application when there is an AJAX call waiting for response.
What might be the cause for this?
Some things that come to my mind:
You're using mixed https/http operations (e.g. logged in on https, doing ajax on http without the session cookie, getting a new one that's not authenticated
Your Ajax call goes to a different domain name/IP, so that it doesn't contain the session cookie, thus is not logged in
Your Ajax call contains some ;jsessionid=2345 URL content, overriding session cookies, starting a new session
Some filter/intrusion detection false-positives on the request and terminates the session
Your backend code explicitly logs out the user.
This is in rough order of diminishing returns.
It might be good to use a network monitor and inspect the requests/responses. Use Firebug or the similar tools for any other browser.
I developed the webapplication with Struts2.after logging to the my application copy the url and paste to the same browser with different tab then its going to directly without restrict.in that situation i want restrict it.
but same url copy and paste to another browser its working fine .only same browser and different Tab then only problem
This is because your browser has stored your login authentication in the session. It will remember this until you either
Close all windows of the browser or
Choose New Session from the menu
If your question is about your development cycle take a look op answer of #Keppil.
If however you are asking about real user experience this is more complicated. Browser indeed remembers your session ID in cookie and sends it on each request. To override this mechanism you can create your own tokens that will be always appended to URL.
When token is supplied it should send redirect response to URL without token.
The server side should throw user to login screen every time the token is not supplied and the request is not from redirect.
I have never tried to do this and I am not sure you really want to implement this. The ability of browser to connect to same session even if user opens another tab or browser window is very convenient and widely applicable.