Grails and android App -
For each request (get or post) that I send from an same android app in succession, the session id that i get in a grails controller is different. I expect the session to be the same.
Grails and Web -
if I run the similar request from web browser the session id in the controller remains the same.
Why the session id could be changing, when I call request from an android app to grails server?
Since your api works from the web browser, which is not using ajax. And your Android app is not working. Then it's likely that your browser is NOT using the rest api and your app is. Rest is by default and by implication stateless so it makes sense it's not working from Android. In short: when working properly rest shouldn't be using session ids.
The most common solution is to maintain the state in the client side and transfer it over to the server with each request. You can read more about this here.
On the Grails side, you can just ensure you've got an appropriate rest implementation, as described here.
Related
My team is rewriting an existing web application that has a react.js front-end and springboot backend. In addition, The original (legacy) app is written in java (tomcat 8 & struts) and that will continue to be used for some parts of the site until a later date when we will complete the rewrite. All 3 endpoints are on the same domain in the following format: react.js (mysite.mydomain.com), spring (mysiteapp.mydomain.com), and legacy (mysite.mydomain.com/old). All 3 apps are hosted on the same server, but the application urls all route through our F5, so nothing is pointing to localhost. We did this to use the same SSL certificate across the three apps. The new and legacy apps use the same database. We are trying to make cross app calls between the new and old app. When we make the cross app calls, we want the user session to be maintained between them without them having to log in twice. We have not been able to get this to work. In our latest attempt to authenticate the user to both apps simultaneously, we are using ajax to sign the user into legacy with the same credentials. We are getting the following error back from the legacy tomcat application: HTTP Status 403 Invalid CSRF token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. The server understood the request but refuses to authorize it. We are stumped at this point and out of ideas. Code can be provided on request, but we are looking for the best approach to how to implement this and not as much locked on this path described above.
I have created a REST API for an android application. There are certain req.session variables that I set at certain points and use them in the policies for further steps. Everything works fine when I access the API from a REST client like POSTMAN.
However, when it is accessed from a native android app, the req.session values that I set in one step are lost in the next step.
Any idea why this might be happening and what might be the workaround ?
Session does not work with request sent from untrusted client (in this case the Android device).
You should consider using the OAuth strategy to accomplish your target. It's a bit complicated.
Or just simply generate an accessToken for each successful login then return it to the client. For further requests, the client must attach this accessToken (usually to the header) of the requests.
This is a good SO question for the same issue: How to implement a secure REST API with node.js
I have a Spring 3 MVC app and part of the app requires a redirect to a 3rd party payment site and that payment site redirects back to my app after it's done. The problem is that Spring seems to create a new session instead of using the old one and erases all the data previously stored in the session. This creates massive problems for my app and I'm wondering if there is a way to preserve the session after external redirect?
Also, cookie are enabled on my browser and I indeed verified that the jsessionid value in the cookie changes after the redirect, indicating a new session overwriting the old one.
Can you provide the following info:
After coming back from the 3rd party site, does your app use a different domain/sub domain from what it uses before redirecting to the 3rd party site?
Is there a possibility that your session timeout value is so low that the session expires by the time the user returns to your app?
Does your app use frames having onunload events that invalidate the session?
I have a web application running on JBoss server based on JSF framework.
I need to redirect my request to an entirely new web application running on some other server and on some other machine geographically located.
My doubt is if I redirect the request from my web page to another web application web page will it expose the session parameter at the other end.
I have some very critical information stored in the session and I cannot afford to expose the details to another web application..
Along with the redirect request I would be sending some parameters to the remote web application which will use these parameters for certain mathematical computation.
Can anyone guide me on this?
Is it possible for the other web application to see what is present in the session
No. That would have been a huge security hole throughout the current world wide web. Think about it once again, are you able to see what for example google.com and stackoverflow.com have in its session? No? Then the other web application definitely also can't. All which the web application can see from outside is the sole incoming HTTP request in its entirety.
This problem/question has at least nothing to do with JSF.
If you invalidate the session before the redirect then it doesn't matter if the external web application sees your session cookie. They couldn't turn around and emulate requests on your session anyway because the session is no longer valid.
request.getSession().invalidate();
I don't think this will be an issue though because I doubt that the request header to another web application would include the same session cookie.
I have had problems getting PHP session variables (e.g. $_SESSION['username']) to work within PHP server side code launched via an ajax call from a Phonegap app.
On researching this problem I have found conflicting advice as to whether or not session variables and cookies can be used.
Does anyone have a definitive answer?
If session variables and cookies can be used are there any issues I should be aware of in using them that may have contributed to them not working?
I know that cookies can be enabled for Phonegap apps on an iPhone but as far as I am aware not for Android.
You would be better off passing the data you would normally store in the session variables to your PhoneGap app via JSON and having the app store it that way.
Think of it like using an external API. The app would authenticate and get back a token. It would store that token and use that to validate further requests to the server were authenticated.