In my MVC Core application I'm using sessions to track logins. This works great, but is an issue when my web application goes idle/restarts, as the sessions clear and all users get logged out. I've modified my application to store the session data in a database caching table by calling services.AddDistributedSqlServerCache(options) and services.AddSession(options) in the Startup ConfigureServices method, as well as calling app.UseSession() in the Configure method.
I seem to have done everything correctly; when a new client sets a session value for the first time it's saved in the caching table, and when Session.Get is called the session's ExpiresAtTime table value updates.
So, considering that the session data is saved to the table, why is it not being grabbed on restarts? It isn't a cookie issue: the cookie expiration value is set to 10 years, and the session idle timeout value is set to 2 weeks. It seems like the session data is just being handled through IIS memory, yet is being saved to my caching db table, which I find very weird.
We are using Vaadin 14 on a Tomcat9.
A session is immediately created in Tomcat as soon as the login page of our app is called up. If a lot of sessions have been created here (e.g. during a penetration test), Tomcat takes a very long time to delete them. The CPU load also rises to 100%.
Is it possible to prevent the automatic creation of a session and only create one after the login?
We have reduced the session timeout in Tomcat so that there are not so many open sessions.
You cannot use Vaadin (for your login) without sessions. Vaadin stores the state of the UI in the session and there is no way around it:
A user session begins when a user first makes a request to a Vaadin servlet by opening the URL of a particular UI. All server requests belonging to a particular UI class are processed by the VaadinServlet class. When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser.
https://vaadin.com/docs/latest/advanced/application-lifecycle/#application.lifecycle.session
So you have to prevent this and not send your users directly into the Vaadin application (first). In your case you could provide a login form or some SSO gatekeeper to "protect" your resources.
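The gatekeeper pattern the answer describes, as an added example that is not part of the original post and is not Vaadin or Tomcat code: a small WSGI application in which the public login page allocates no server-side state at all, and a session (with its cookie) is created only after credentials verify. The user table, the endpoint names and the cookie name are assumptions made for illustration.

```python
"""Login gate: no session is created until the login succeeds.
Added example; USERS, the /login and /app endpoints and the SESSIONID
cookie name are assumptions, not part of any real project."""
import hmac
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

# Constructed credential table (plain text only to keep the example short;
# a real deployment stores password hashes).
USERS = {"alice": "correct horse battery staple"}

# Server-side session table: session id -> session data.  Nothing is
# written here until a login has been verified.
SESSIONS: dict[str, dict] = {}


def _session_id_from(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("SESSIONID")
    return morsel.value if morsel else None


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")

    if path == "/login" and method == "GET":
        # Public page: rendered without touching SESSIONS at all.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"login form"]

    if path == "/login" and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = form.get("user", [""])[0]
        password = form.get("password", [""])[0]
        expected = USERS.get(user)
        # Constant-time compare; only a verified login allocates a session.
        if expected is not None and hmac.compare_digest(password, expected):
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = {"user": user}
            start_response("303 See Other", [
                ("Location", "/app"),
                ("Set-Cookie",
                 f"SESSIONID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"),
            ])
            return [b""]
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"bad credentials"]

    # Everything else sits behind the gate: unknown or missing cookie means
    # redirect to the login page, again without creating a session.
    sid = _session_id_from(environ)
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        start_response("302 Found", [("Location", "/login")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {session['user']}".encode()]


def call(path, method="GET", form=None, cookie=None):
    """Drive `app` directly, without an HTTP server.
    Returns (status, headers dict, body bytes)."""
    body = urlencode(form or {}).encode()
    environ = {
        "PATH_INFO": path, "REQUEST_METHOD": method,
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
    }
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    out = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), out


if __name__ == "__main__":
    print(call("/login"), len(SESSIONS))
    print(call("/login", "POST", {"user": "alice", "password": "wrong"}), len(SESSIONS))
```

Calling `call("/login")` or an unauthenticated `call("/app")` leaves `SESSIONS` empty; only a successful POST to `/login` adds an entry, so a flood of requests to the login page costs the server no session storage and nothing to expire later.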
I created a public app in Oracle Apex 20.1
I set session management like that --> session management
Application has no authentication and every page is public.
Unfortunately, in the application logs I found many errors with the message "Your session has expired". It occurs multiple times at exactly the same time. In the user column there is a null value instead of "nobody".
Logs from application
I would appreciate any advice on how to fix my app.
This is expected behaviour, there is nothing wrong with your application. Every page rendering in apex is a session - that is also true for public pages. The user is set to "nobody" indicating that the session is not authenticated. When a user leaves his browser open, eventually the session will time out.
You can increase the session idle time in Shared Components > Security attributes, but sessions will still timeout when they're idle for longer than this value.
The entries you're seeing in the application log seem to be coming from an ajax request, not from a page rendering action. This is hard to diagnose with no info about your application. I'm assuming you have a dynamic action or some javascript code with a timer to refresh the page or a page region. Once the session expires, those ajax requests start erroring out. What you could do is figure out what component/process is throwing the error message and put some logic in it so it only fires if the session is valid (using APEX_CUSTOM_AUTH.IS_SESSION_VALID).
I'm using spring security core in my grails application. My app has lots of ajax calls which call controllers. Controllers in turn, depend on some session variables to fulfil the request. I'm currently able to correctly display the ajax login form on session timeout. However, it creates a new session with only the newly created user object. All other objects stored in session are lost.
Is there a way to reload session variables after a user logs back in after session time out?
The purpose of the session scope is that it's wiped when the session ends. If you need to share data between sessions, you should rethink your architecture and persist the data in a database (server side) or a cookie (client side).
(moved from comments into an answer)
I want to store some information of current session's user when a session is getting invalidated (because of time out). How can I do that?
If this helps, I'm using Spring Security 3.1. So if there is any configuration in Spring I'm having no trouble understanding that.
There is a thing in Spring Security as Session Expiration. When a session expires, a filter catches it and I can have my desired information from it.
However, the problem is when a session gets invalidated (because of timeout). Because, for the next request there will be a new session created and I'm not able to have access to the old one. I want to know how I can customize session invalidation?
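Two of the questions on this page ask about the same mechanics from different sides: the ASP.NET Core question wants session data to survive a process restart, and this one wants the last state of a session captured at the moment it is invalidated by timeout. The following added example (my own code, not ASP.NET Core's distributed cache or Spring Security's session management) shows a server-side session store backed by an SQLite file, with a sliding idle timeout and an on-expire listener that is handed each session's data before the row is deleted. The table layout, method names and the injectable clock are assumptions for illustration.

```python
"""File-backed session store: survives restarts, idles sessions out, and
reports expired sessions to a listener before deleting them.
Added example; schema and API are assumptions, not any framework's own."""
import json
import os
import secrets
import sqlite3
import tempfile
import time
from typing import Callable, Optional


class SessionStore:
    def __init__(self, path: str, idle_timeout: float,
                 clock: Callable[[], float] = time.time):
        self.conn = sqlite3.connect(path)
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so the walk-through can advance time
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            " id TEXT PRIMARY KEY, data TEXT NOT NULL, expires_at REAL NOT NULL)"
        )
        self.conn.commit()

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)
        self.conn.execute(
            "INSERT INTO sessions (id, data, expires_at) VALUES (?, ?, ?)",
            (sid, json.dumps(data), self.clock() + self.idle_timeout),
        )
        self.conn.commit()
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session data and slide the expiry forward, or None when
        the id is unknown or has already idled out."""
        row = self.conn.execute(
            "SELECT data, expires_at FROM sessions WHERE id = ?", (sid,)
        ).fetchone()
        if row is None or row[1] <= self.clock():
            return None
        self.conn.execute("UPDATE sessions SET expires_at = ? WHERE id = ?",
                          (self.clock() + self.idle_timeout, sid))
        self.conn.commit()
        return json.loads(row[0])

    def reap_expired(self, on_expire: Optional[Callable[[str, dict], None]] = None) -> int:
        """Delete idle-expired sessions.  on_expire(sid, data) is called for
        each one first, which is the point at which a session-destroyed
        listener can record the user's last known state."""
        now = self.clock()
        rows = self.conn.execute(
            "SELECT id, data FROM sessions WHERE expires_at <= ?", (now,)
        ).fetchall()
        for sid, data in rows:
            if on_expire is not None:
                on_expire(sid, json.loads(data))
        self.conn.execute("DELETE FROM sessions WHERE expires_at <= ?", (now,))
        self.conn.commit()
        return len(rows)

    def close(self):
        self.conn.close()


def demo(path: Optional[str] = None) -> dict:
    """Walk through a restart and an idle timeout; returns what was observed."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sessions.db")
    now = [1_000.0]                      # constructed clock, in seconds
    clock = lambda: now[0]

    store = SessionStore(path, idle_timeout=600, clock=clock)
    sid = store.create({"user": "alice", "cart": ["item-1"]})
    store.close()                        # the process goes away...

    store = SessionStore(path, idle_timeout=600, clock=clock)  # ...and restarts
    after_restart = store.get(sid)       # still there: the state is in the file

    now[0] += 601                        # the client idles past the timeout
    expired_seen = {}
    reaped = store.reap_expired(on_expire=lambda s, d: expired_seen.update({s: d}))
    after_expiry = store.get(sid)
    store.close()
    return {"after_restart": after_restart, "reaped": reaped,
            "expired_data": expired_seen.get(sid), "after_expiry": after_expiry}


if __name__ == "__main__":
    print(demo())
```

The restart half of the walk-through only works because both the session id and the data live in the file rather than in process memory; the expiry half shows that the listener is the only place the old session's contents are still reachable, since `get` returns `None` for it once the idle timeout has passed.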
How can I increase the security of my sessions?
$this->session->userdata('userid')
I've been throwing this little bad boy around for my ajax calls. In some cases I haven't. Then I was like, is this really secure, using an id from the DOM? What if the DOM is changed to hack user accounts' data? So then I was like, I guess any time a user is doing something relating to their id, only sessions should be referenced. Am I right?
Referenced like so:
$this->some_model->do_data_stuff($dataId, $this->session->userdata('userid'));
Then I read this:
While the session data array stored in the user's cookie contains a Session ID, unless you store session data in a database there is no way to validate it. For some applications that require little or no security, session ID validation may not be needed, but if your application requires security, validation is mandatory. Otherwise, an old session could be restored by a user modifying their cookies.
http://codeigniter.com/user_guide/libraries/sessions.html
I'm not going to be storing financial data but I don't want any data on my site corrupted ever. Does SO use session validation? How much overhead will this validation cost? How would a session be hacked? What are some things to look out for with session security?
Using CodeIgniter sessions with database is going to be fairly secure. You just don't have to trust the input that the user gives. Even if you are using AJAX, the CodeIgniter session will work just like any standard call, so the same security goes on.
What happens with the CodeIgniter session is that the server stores the cookie, and every time the user does an action that would change the content of the cookie, it is first compared to the previous cookie.
If the user changes the content of the session cookie in the browser, CodeIgniter will notice on the next server call, and create a new session for the user, basically logging him out.
CodeIgniter doesn't really need the data stored in the cookie in the user's browser, and as long as you're using
$this->session->userdata('userid');
you're going to get trusted server-side data. The user can't change that. Furthermore, the cookie can be encrypted, and you should have it encrypted. Just look in config.php of CodeIgniter.
There are several other protections around the session data: the short refresh timeout (usually 300 seconds), it checks if the IP changed, and if the browser changed. In other words, in the worst case scenario, the only way to spoof the session data is by having the same version of the browser, having the same IP, getting direct access to the computer to copy/paste the cookie, and getting this done within 5 minutes.
So, watch out for the guy sitting beside you!
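The checks the answer lists (compare the client-held cookie with the server's own copy, notice when the browser changes, and drop the session on any mismatch), as an added example that is my own code and not CodeIgniter's session library. The cookie layout (hex-encoded JSON plus an HMAC), the in-memory server table and the function names are assumptions; a real deployment keeps the key in configuration and the table in a database, as the quoted user guide recommends.

```python
"""Cookie-carried session data validated against the server's copy.
Added example, not CodeIgniter code; layout, key handling and names are
assumptions made for illustration."""
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)    # constructed per run; real keys live in config
SERVER_SESSIONS: dict[str, dict] = {}   # session id -> authoritative copy of the data


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


def _encode(record: dict) -> str:
    payload = json.dumps(record, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def issue_cookie(data: dict, user_agent: str) -> str:
    """Create a session, keep the trusted copy server side, return the cookie."""
    sid = secrets.token_urlsafe(24)
    record = {"session_id": sid, "ua_hash": _ua_hash(user_agent),
              "last_activity": int(time.time()), **data}
    SERVER_SESSIONS[sid] = dict(record)
    return _encode(record)


def update_session(sid: str, changes: dict) -> str:
    """Change the server-side data and hand back a fresh cookie; any cookie
    issued before this point no longer matches the server's copy."""
    record = SERVER_SESSIONS[sid]
    record.update(changes)
    record["last_activity"] = int(time.time())
    return _encode(record)


def validate_cookie(cookie: str, user_agent: str):
    """Return the trusted server-side data, or None when any check fails
    (the caller then treats the visitor as logged out)."""
    try:
        payload_hex, sig = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None                                  # edited in the browser
    client_copy = json.loads(payload)
    server_copy = SERVER_SESSIONS.get(client_copy.get("session_id"))
    if server_copy is None or server_copy != client_copy:
        return None                                  # old cookie restored/replayed
    if server_copy["ua_hash"] != _ua_hash(user_agent):
        return None                                  # browser changed
    return server_copy


def demo() -> dict:
    """Exercise the three failure cases the answer describes."""
    ua = "Mozilla/5.0 (constructed)"
    cookie = issue_cookie({"userid": 42}, ua)
    ok = validate_cookie(cookie, ua)

    # 1. Payload edited client side: the signature no longer matches.
    payload_hex, sig = cookie.split(".", 1)
    edited = json.loads(bytes.fromhex(payload_hex))
    edited["userid"] = 1
    forged = json.dumps(edited, sort_keys=True).encode().hex() + "." + sig
    # 2. The genuine cookie presented from a different browser.
    other_browser = validate_cookie(cookie, "curl/8.0 (constructed)")
    # 3. Server-side data changed; the old, still validly signed cookie is replayed.
    newer = update_session(ok["session_id"], {"role": "admin"})
    return {"valid_userid": ok["userid"],
            "forged": validate_cookie(forged, ua),
            "other_browser": other_browser,
            "stale": validate_cookie(cookie, ua),
            "current": validate_cookie(newer, ua)["role"]}


if __name__ == "__main__":
    print(demo())
```

Only the server-side record is ever returned to application code, which is the property the answer relies on when it says `userdata('userid')` gives trusted data. The user-agent check illustrates the "browser changed" rule from the answer; note that it is a weak signal on its own, since the header is client-supplied, and the cookie comparison and signature are what actually reject a modified or restored cookie.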