I have a servlet; it creates the session and I need to pass that session to another servlet.
Is that possible?
Yes you can.
Sessions are not specific to a servlet; they are managed by your servlet container. So even if you forward a request from one servlet to another and use request.getSession(), the session will persist, provided you don't call invalidate(), the session timeout doesn't occur, and both servlets belong to the same web application.
To add on:
When the first request comes from a user he is assigned a session, and all further requests/responses will be in the same session unless the session expires, either due to session timeout or because the invalidate() method was called. The container manages sessions with two methods:
URL Rewriting.
Cookies.
UPDATE: After doing analysis of my original problem, which is listed in the second section, I found the issue could be due to a 304 response; below is the detailed explanation.
I have developed a web application where the user clicks on a link and it takes him to a servlet where I set a few session variables and then forward to a JSP. The first time I access the application things work fine. After closing the browser, then opening it again and accessing the application, I get a null pointer exception in the JSP because it is trying to access session data. The reason is that I am getting a 304 response for the servlet, so this means that the servlet is not invoked and my JSPs are getting called? Since the servlet is not called, the session values are not set.
Is my understanding correct?
I am observing this only in IE9.
--------------------- My original question is below --------
We have integrated Siteminder in our application. I have observed that the Siteminder cookie SM session is created for a different domain, whereas my application-specific cookie is created for the proper domain.
For every request I see a new smsession value but my application cookie remains the same; even though the cookie remains the same, the values which I set in the session using the servlet are not available in my JSP.
I have printed the jsession id; the jsession id is the same for all requests.
Below is the flow.
The user hits a URL; Siteminder intercepts it and asks for credentials. Once the user successfully logs in, he is redirected to a servlet where I set a few values in the session, then I dispatch control to index.html, which has two frames. I am loading two JSPs for these frames, and in these JSPs I am trying to access the session values, which I am unable to get.
I am observing this behaviour only in IE9; IE8 behaves correctly.
First-time access works fine; the second time does not in IE9.
Can anybody let me know if a change in smsession incurs changes in the HttpSession for a Java app? I don't think so, as the jsession id remains the same.
What could be the possible reason for this?
Have you checked if the JSPs being called in the frames have the same session id as the one in the servlet?
To give you background on SMSESSION and JSESSION:-
The SMSESSION id cookie keeps getting changed by the web agent periodically and is usually tagged to the base domain. Example: if the application is hosted at a.b.com, the JSession ID will typically be set to the domain a.b.com and the SMSESSION will be set to the b.com domain. This is the default Siteminder behaviour since it assumes that all applications in the b.com domain need the cookie for SSO. You can change this using the ACO for the agent by either setting the domain name explicitly or setting the scope of the domain that needs to be used.
Unless your application has logic which depends on the value of the SMSESSION id and modifies the Java session, the JSessionID cookie is not impacted by the change in the value of SMSESSION.
After doing analysis I found that it was a 304 response for the servlet which was causing the issue. When the application was accessed the first time there was no issue, but the next time I tried to run the application it would result in the issue because the browser would have cached responses; hence the server would send a 304 response, and because of this the servlet would not be called and the session would not be set.
Can I access a session variable of one site in another (same IIS)?
site1:
aaa.xxx.com
Session["name"]="balaji"
site2:
bbb.xxx.com
string name=Session["name"].ToString()
Is it possible?
ASP.NET session state enables you to store and retrieve values for a
user as the user navigates ASP.NET pages in a Web application. HTTP is
a stateless protocol. This means that a Web server treats each HTTP
request for a page as an independent request. The server retains no
knowledge of variable values that were used during previous requests.
ASP.NET session state identifies requests from the same browser during
a limited time window as a session, and provides a way to persist
variable values for the duration of that session.
source : MSDN
This can be achieved using a query string.
Call the second site URL with a query string: http://bbb.xxx.com?name=balaji
Handle the query string in the second site.
More info - How to use Query String
We have a need to make a call to a servlet from an external application which is making a POST request.
The servlet looks at the request, performs some processing, sets an attribute on the request or session, and redirects to a JSF page which needs to retrieve the attribute set on the request or the session and do additional stuff.
For both cases I have been unable to retrieve the attribute/parameter set on the session or request from the managed bean, and further debugging revealed that the session ids were different in the servlet and in the managed bean.
Since this is a request coming from an external application, there is no session in the servlet, so I am doing request.getSession(true); which is creating a new session in the servlet.
I was under the understanding that since these were part of the same application and using the same context that they would have the same session. Is my understanding incorrect?
Is there a better solution to this issue? (I did consider creating a Filter but thought might have the same issue with the session)
Any help in understanding better or resolving this issue will be appreciated.
As to how sessions work, carefully read this: How do servlets work? Instantiation, sessions, shared variables and multithreading.
In fact, the external application should have sent the very same session cookie as the JSF application is using. An alternative would have been to provide a callback URL including the jsessionid path fragment, which is composed as follows:
String url = "http://example.com/context/servlet;jsessionid=" + session.getId();
Yet another alternative would be to generate a unique ID (with java.util.UUID) referencing an entry in application scope or even the DB and set it as a request parameter in the callback URL. You should only manually clean it up when the session is destroyed. You can use an HTTP session listener for that.
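The UUID alternative from the answer above, written out as an added example (not code from the original answer). The class name `HandoffStore` and both attribute keys are hypothetical; the token returned by `put` goes into the callback URL as a request parameter, so the session id itself never appears in a URL.

```java
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Application-scope map of random tokens to payloads, cleaned up on session destroy. */
public class HandoffStore implements HttpSessionListener {
    private static final String STORE_KEY = "example.handoffStore"; // hypothetical context key
    private static final String TOKEN_KEY = "example.handoffToken"; // hypothetical session key

    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, Object> store(ServletContext ctx) {
        synchronized (ctx) { // create the shared map exactly once
            ConcurrentMap<String, Object> map =
                    (ConcurrentMap<String, Object>) ctx.getAttribute(STORE_KEY);
            if (map == null) {
                map = new ConcurrentHashMap<String, Object>();
                ctx.setAttribute(STORE_KEY, map);
            }
            return map;
        }
    }

    /** Servlet side: park the payload and return the token for the callback URL. */
    public static String put(HttpSession session, Object payload) {
        String token = UUID.randomUUID().toString(); // random (type 4) UUID
        store(session.getServletContext()).put(token, payload);
        session.setAttribute(TOKEN_KEY, token);      // remembered for cleanup
        return token;
    }

    /** JSF side: resolve the request parameter; null for a missing or unknown token. */
    public static Object get(ServletContext ctx, String token) {
        return token == null ? null : store(ctx).get(token);
    }

    public void sessionCreated(HttpSessionEvent event) { }

    /** Removes the entry owned by the session that is being destroyed. */
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        Object token = session.getAttribute(TOKEN_KEY);
        if (token != null) {
            store(session.getServletContext()).remove(token);
        }
    }
}
```

Register the class as a `<listener>` in web.xml so the container calls `sessionDestroyed`.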
I needed to redirect the request to another action with TempData for specific requests. I know TempData uses session to store data.
If a request reaches server01 and the request is redirected with TempData to another action, will the request remain on server01 or may it go to server02? If it goes to server02, I will not be able to handle TempData properly.
Is there a way to keep the request on server01 for specific redirections? Or do I have to create a cookie which points to the data in my DB and check the request for whether the cookie exists?
Regards
Note: Load balancing is handled by a device outside the network where the servers are located, and the servers are not in an IIS Web Farm.
Is there a way to keep the request on server01 for specific redirections ?
You need to use StateServer or SQLServer to store your sessions instead of InProc. Another possibility is to configure your load balancer to always send requests from the same IP to the same server.
All those are very bad ideas of course. The best way to achieve that is to simply get rid of the session and TempData and design your application in a stateless, RESTful manner. My favorite sessionState mode is the following:
<sessionState mode="Off" />
My question upfront is:
When changing from http to https: How do I enforce on Tomcat that the value of the JSESSIONID / (i.e. the session cookie) gets changed?
Here's my situation:
I assume we are having a potential security issue in our application and wonder how to fix it.
We run a JSF1.2 / Seam2 application inside of a Tomcat 6.x and force the usage of session cookies (no sessionid in URLs).
We allow http access, but when a user logs in we switch to https and stay on https.
We also do have a Filter that adds 'secure' to the cookie whenever the request is coming through https to ensure that the session cannot go back to http.
(somehow I thought Tomcat would do that automatically)
I noticed that the JSESSIONID doesn't change when switching between http and https.
This suggests to me that an attacker could potentially spy out the session cookie through http and then hijack the session.
So how can I tell Tomcat to use a different JSESSIONID when changing to https?
(Or if that's the default behavior: What could lead to this not happening anymore?)
Thanks for any hints/ideas!
Some time ago (years, actually) I posted this filter here, which we use to renew the session ID after the login:
https://issues.jboss.org/browse/JBSEAM-2450
We call newSession() just after a login to mark the session-ID to be renewed on the next GET request (POST requests don't work well due to the restore of the view state, but the POST/REDIRECT/GET with Seam will issue GETs quite often).
You might want to put it into your filter -- or you just mark your session to be refreshed in the next GET request. Just make sure that you don't renew your session when processing a JSF POST request.
Someone else also provided a Tomcat Valve to solve this.
Best regards,
Alexander.
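The mark-then-renew-on-GET approach described in this answer, sketched as an added example against the Servlet 2.5 API of Tomcat 6. It is not the filter attached to JBSEAM-2450; the class name, the flag name and `markForRenewal` (standing in for the `newSession()` call mentioned above) are hypothetical.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Issues a fresh JSESSIONID on the first GET after login. */
public class SessionRenewalFilter implements Filter {
    // Hypothetical flag name; set by the login code right after authentication.
    public static final String RENEW_FLAG = "example.renewSessionId";

    /** Call from the login action: marks the session for renewal on the next GET. */
    public static void markForRenewal(HttpSession session) {
        session.setAttribute(RENEW_FLAG, Boolean.TRUE);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession old = request.getSession(false);
        // Renew only on GET, so a JSF POST keeps the session its view state lives in.
        if (old != null && "GET".equals(request.getMethod())
                && old.getAttribute(RENEW_FLAG) != null) {
            Map<String, Object> saved = new HashMap<String, Object>();
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                if (!RENEW_FLAG.equals(name)) {
                    saved.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();                             // the pre-login ID is now dead
            HttpSession fresh = request.getSession(true); // container issues a new ID
            for (Map.Entry<String, Object> entry : saved.entrySet()) {
                fresh.setAttribute(entry.getKey(), entry.getValue());
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

`invalidate()` fires session and binding listeners on the old session, so session-scoped components with destroy callbacks need testing with this approach. On containers implementing Servlet 3.1 or later, `HttpServletRequest.changeSessionId()` replaces the copy-and-invalidate step.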