I'm trying to do a file upload in Flex using it's FileReference class.
This works great in IE, but bombs in FireFox and Chrome. The issue is that Flex starts a new process for the POST but does not pass the authenticated user cookie with this request. The server gets the request, but attempts a redirect to the login page and... BOOM - 2038 Error!
I read here that I can pass the cookie information in the URL. I have not gotten this to work yet. Here are my questions:
Is this a standard feature in all servers to accept cookies in the URL (ours is Glassfish)?
Does the cookie portion of the URL start with the semi-colon (";")?
Can I add more than one cookie value and are those also delineated with semi-colons?
You can't pass cookies in the URL. You can pass session ID if server supports it. Java Servlet containers do support it (it's in Servlet spec) by using jsessionid path parameter. Just make sure ;jsessionid=... is right after the path, before query (it's called "path parameter" for a reason).
To your questions:
servlet containers do support jsessionid path parameters. In general, you can't pass any cookie this way.
Yes, path parameters start with semicolon.
No, those are not cookies. You can have multiple path parameters (separated by semicolon), but they won't be visible as cookies on the server side.
Related
I post this question cause i've passed lot of time to find the solution and find nothing about this on SO.
I'm using a .NET WebAPI as back end and store the user informations in the session.
For any reasons the session is lost in Chrome.
I receive the Set Cookie with the session id on my first request but the session is not set in Chrome but is set in IE.
I've try to change the web.config several time and change the configuration of the server but nothing changed.
I'm using fetch API for call my services.
Fetch does not send cookies by default. If your cookies are not HTTP only, you have to set them manually in the headers collection.
The issue is on the fetch and not on the server side.
The strange thing is that it's work on IE. Apparently IE don't have the same policy for the fetch API.
You have to make sure to add the property credentials to include or same-origin to keep the session on your request.
Warning : Put credentials to include fire a security error in Chrome.
The same-origin value resolved my problem.
Example of request :
fetch(uri,{
method:'GET',
credentials:'same-origin'
})
.then()
.catch()
There are following column names under "User-defined cookies":
1. Name
2. Value
3. Domain
4. Path
5. Secure
What I should enter in all above mentioned fields and how it is useful?
HTTP Cookie Manager is smart enough to automatically take care about cookies. Being added and enabled it fetches cookies from Set-Cookie response header and adds them to the next request enabling client-side state management, cookie based authentication, etc. Moreover, it provides access to cookies via JMeter Variables assuming CookieManager.save.cookies=true property is set in user.properties file (lives under /bin folder of your JMeter installation).
In regards to fields like Name, Value, Domain, etc. - this way you can define your own custom cookies or override existing cookies if i.e. you need to hard-wire a request to this or that node behind the load balancer, simulate activity of certain user, whatever.
See Using the HTTP Cookie Manager guide for more details on this useful test element.
I am trying to redirect to foreign domain url from my servlet. But the redirection adds ;jsessionid=ghdssdf... at the end of url. I do not know how I can prevent appending jsession id to my url. My app is running on Websphere
resp.sendRedirect(resp.encodeRedirectURL("https://www.facebook.com/mymage"));
end the directed url can be seen in browser as https://www.facebook.com/mymage;jsessionid=dfsdfsd
It appears that you're confused by the badly chosen method name encodeRedirectURL(). It does not perform any "URL encoding" ("dealing with special characters") as the method name implies. It merely performs "URL rewriting" by appending the current session ID as path parameter. This is intented to be used when rendering internal links on the web page (usually via JSTL <c:url> in JSP pages, or JSF <h:link> in Facelets pages), so that the HTTP session is maintained in case the client has cookies disabled.
You don't need it here at all. Just pass the URL outright:
response.sendRedirect("https://www.facebook.com/mymage");
See also:
In the context of Java Servlet what is the difference between URL Rewriting and Forwarding?
Unrelated to the concrete problem: URL rewriting could be turned off by adding the below entry to webapp's web.xml, which instructs the container to use a "Cookie only" policy as to maintaining the HTTP session.
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
I am developing an application that will serve multiple customer-organizations, each of them should be given access based on a fixed url. Example: domain/myapp/CustomerOrg1
Previously I always registered a new WAComponent-subclass for each of these entry-points. That does work but there has to be a better solution, I would like a single component-class to find out which URL the request uses (to then respond with the customer-org's homepage)
I tried:
registering a WARequestHandler-subclass; and it allows me to find out the full path (incl. /CustomerOrg1) but I am outside of any session and don't know how to get into one.
registering a WAComponent-subclass as /myapp, and it works in that it also handles /myapp/CustomerOrg1 automatically, however when I try to find out the URL used (by self session url inspect) it claims to be only the base-url (/myapp).
Try
self requestContext request uri
and if you are not in a component but any object you can do
WACurrentRequestContext value request uri
Please be aware that the uri you get in the answer by Norbert is in a production environment a value that has already been processed, and possibly modified, by your (Apache/nginx/etc) webserver responsible for static content and load balancing.
I would like to load cookies everytime and everywhere in my website because when my RoR application receives and accepts an "external" HTTP request (ex: REST API), cookies are not loaded (see RFC2109). So their values are inaccessible.
Cookies are accessible only when the HTTP request is made "internally" in my application.
new_cookies = {"Cookie" => "mycookie=1234;myothercookie=4567"}
Net::HTTP.get( URI.parse( http: //app1.website.com/users ), new_cookies)
All browsers will automatically send any cookies you set from your domain, you can check them simply by calling request.cookies from any controller method. It doesn't matter if the request was initiated from within your application (such as a 302 redirect) or not.
I just tried this with Firecookie:
Created a cookie "mycoolcookie" for the domain ".stackoverflow.com"
Went to stackoverflow.com, firebug showed that the cookie was sent in the request header.
Went to meta.stackoverflow.com, firebug showed that the cookie was sent in the request header.
Went to chat.stackoverflow.com, firebug showed that the cookie was sent in the request header.
A cookie is sent automatically by the browser, the server can never request for a cookie to be sent to it.
REST APIs are generally stateless, therefore you should avoid the use of server-side sessions or client-side cookies. If you want to indicate that a user only grabs resources belonging to them, use the Rails nested resources approach, that results in a call like:
http://abc.com/user/user001/books
For all books that belong to user001.
If you are looking to implement security, first you have to use HTTPS instead of HTTP. For the actual implementation you can use Basic Authentication and set the username/password in the request header or you can use something like OAuth which sets up a token for the user that they pass in with each request.