How can I manage the session in Oracle JET application.
I've been working on small pilot application where I need to check if the user is logged in on every request.
I didn't find any resource on the same as the framework is recently published by Oracle.
JET uses web sessions if you configure it as a web application. So authentication would be managed by the Web server.
Frank
Because of the client nature of JS source, there's no session on the JET side of your application, Session is a (HTTP) browser feature. You might handle session exactly the way you did with a pure JavaScript, JQuery, Angular or everything else application.
There may be two ways to do it
Use web server to manage the sessions.
You can store session values (some data after login REST API call) in local storage or sessions storage based on your need. For managing
session you can check in your app controller and redirect based on
that.
Hope this help, please let me know if you faced any problem. I have recently implemented session in Oracle JET based on the above points.
Related
I need quick help regarding Identity server.
There is a client requirement to not allow any public hosted application to directly talk to the database. In Identity server's case, the Identity server will be hosted publicly for token endpoint, and it queries the database for operational data (went for Db approach with reference tokens because IDsrv will be on NLB). Is there any workaround for this? or is this standard practice?
Thanks
If you don't want IdentityServer to talk directly to the database, you will need to implement & register custom implementations of ICorsPolicyService, IAuthorizationCodeStore, IClientStore, IConsentStore, IRefreshTokenStore, IScopeStore, and ITokenHandleStore, that call off to some an external app that can talk to the database.
Normal operating procedure is to have IdentityServer talk directly to the database. I don't see much merit in separating the two.
FYI: You don't need to use reference tokens if you are using load balancing. Check out the deployment docs.
I want to build an web application in Oracle APEX, where i want users to enter into the database server through the application server, thus i can ensure more security in my application. IF this is hard, then is there any other way where i can ensure more security in a web application in Oracle APEX?
Oracle APEX is a very stable and secure environement.
As is,
you can encrypt and enforce high level passwords for the users
you can lock account to avoid brute force attacks
Devs and admins have accounts locked after a few attempts by default to avoid this issue
The service can be easily configured with any SSL
Webservices, like most of them, can be programmed to use access_tokens and other validations.
To my knowledge any additions security could be configured on the server and firewall. So I would say that you can do I lot, but it is up to you to perform good practices when defining your system's security.
Hope ity helps and good luck! :)
Sorry for any silly question but I am just about to learn about the web.
I have an application (called OFBench) that uses the Selenium library to simulate user browsing behavior of website. The web site is built on the Ofbiz template (nothing more added). I have 2 EC2 servers on Amazon Web Service that running the ofbiz website template and one client on my laptop generating workload (simulating users on website) for the 2 servers. The browser instance used is firefox.
The 2 servers are sit behind a Elastic Load balancer (ELB) and the ELB is configured with application based session stickiness. When the application simulated a login and then do a "Home" request (clicking the home link on the website) the login state is gone which causes following requests fail. Looks like the ofbiz website does not has session cookie. I am not sure where the problem is, but I need to know how session is handled in ofbiz ? Where does it stored ?
I observed that when I open the home page of the ofbiz website there is a session created (reported by server: xxxxxxx.jvm1 generated) and sessions are generated quite often. Not sure why it is the case. I though only when you login or putting stuff in shopping basket should the session being created.
Thank you very much for answering my question !
Just for the benefits of anyone who having the similar problem. When setting up application based session stickiness with ELB you need to give the name of session that actually generated by your web application, in my case, I saw that there are two kinds of session (JSESSIONID, Ofbiz,Visitor) I used JSESSIONID as session cookieName in ELB and the login state is maintained. Please do correct me if there is anything that might goes wrong. Or anything that I did is happen to work. Many thanks
I am using Stripes framework for my webapp. Currently we have a requirement to implement load-balancer. To manage the user session some how I have to store the session data and access it in multiple servers to avoid logging out of users.
I am new to all this. Is there any support comes from stripes that allows to do that.
Thanks in advance for any help.
We have Windows Server 2008 R2 with IIS on in a web farm environment. I initiate a Classic ASP session and every so often, when refreshing the page, it doesn't show but then comes back again.
I go to http://mainurl.com but have two boxes called http://devbox1.com and http://devbox2.com
I put the files onto one of the DEV boxes which replicates to the other one.
After some reading, I guess this is down to a "common" issue with sharing sessions across a web farm instance.
Could someone please help me how to resolve this please?
Update:
As it's not clear in my post. Do not use the Session.SessionID as the identifier for the cookie as this will change across environments (Microsoft recommend never to store the SessionID in a database).
Quote from MSDN Library - Session.SessionID
You should not use the SessionID property to generate primary key values for a database application. This is because if the Web server is restarted, some SessionID values may be the same as those generated before the server was stopped. Instead, you should use an auto-increment column data type, such as IDENTITY with Microsoft® SQL Server™ or COUNTER with Microsoft Access.
Instead use a self generated id value that you then store in your cookie and the database. This way your Session object can be re-created.
There seems to be some discussion about solution using a database. Just to clarify Classic ASP uses Session object stored in memory this means the minute you switch machines load balanced or otherwise you still lose the session.
Interesting article on the IIS.net forums about this topic - iis 7 Load balancing
Quote from Bill Staples (who at the time was Product Unit Manager, IIS)
One thing to consider, however, is what to do with any application / session state. Classic ASP stores session state in memory that only one process can access. As soon as you scale the sites onto more than one machine, you can no longer guarantee that each incoming request for a particular user session is landing on the same machine, which means the client may suddenly 'lose state' between requests. This is why we recommend that you not use the built-in session support in ASP for these kinds of scenario. Instead we recommend you use SQL or another database to store this kind of data.
My recommendation would be to store the Session in a database create a cookie on the client machine then use this cookie to identify the session from the database.
Cookies can be changed so I would still recommend you use secure cookies across an SSL secured website, especially if data is of a sensitive nature.
You should create sticky sessions while working with web farms because most likely you have load balanced system which under standard configuration will point traffic to the lowest loaded node. As result your users will loose session from time to time.
Ask your network admin team to look how to create sticky session for your particular load balancers and network configuration, they should know exactly what this means.Here is one of the examples what this is and how to configure it: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_StickySessions.html. But once again it is depend on what you are using.
**** solution with cookies or database entries not the best way to handle this situation because once again depend on your web farm configuration IIS may simple reject any attempt to overwrite session ID which you have stored in database or if security is tight enough even refuse to connect to page while connecting to other node.