killing contextA's session from contextB on same weblogic server - session

Hi I have 2 wars on same machine. Let's say warA and warB.
When the user is in /warA I have the sessionId of the same user in /warB, and I want to kill this session.
My aim is, if the user is in /warA, I want to guarantee that the user's session in /warB is killed.
Some can say write a servlet that kills /warB's session and call it from /warA.
The reason I can't do this is that there is an agent (Oracle Access Manager) in front of /warB that does the authentication part and doesn't let me call warB's servlet directly.
So is there any other way to do my job?
Edit:
I found this. Does the OAM Agent break this request? Is it a simple request or a request between contexts?
servletContext.getContext("/warB").getRequestDispatcher("/logout");

If the two war files are deployed to the same WLS server, I believe this is the default behavior. WebLogic stores the session id in the cookie named jsessionid if you do not configure a different cookie name in the weblogic.xml. Thus if a user logs in to war2, the jsessionid cookie from war1 will be overwritten and the session with war1 will not be maintained.
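
The cross-context dispatch from the question's edit, written out with the null checks it needs and the receiving servlet in warB (an added example, not code from either post). The class names are hypothetical; /warB and /logout are the paths used in the question. It assumes the container permits cross-context access and that the request to warA carries the session cookie warB uses. The dispatch runs inside the servlet container rather than as a new HTTP request.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Deployed in warA (hypothetical class): runs warB's logout servlet in-process.
class KillOtherSessionServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getContext() returns null when no context matches the path or the
        // container restricts cross-context access.
        ServletContext warB = getServletContext().getContext("/warB");
        if (warB == null) {
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "warB context not reachable");
            return;
        }
        // getRequestDispatcher() returns null when the path cannot be resolved.
        RequestDispatcher logout = warB.getRequestDispatcher("/logout");
        if (logout == null) {
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "warB has no /logout");
            return;
        }
        // include() returns control to warA afterwards, so warA's own session
        // and response handling are unaffected.
        logout.include(req, resp);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// Deployed in warB and mapped to /logout (hypothetical class).
class LogoutServlet extends HttpServlet {
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) {
        // Sessions are scoped per servlet context, so during the cross-context
        // dispatch this lookup resolves against warB's sessions, not warA's.
        HttpSession session = req.getSession(false); // false: never create one just to destroy it
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Restricting the warA servlet to POST from an authenticated user keeps a stray link or image request from logging users out of warB.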

Related

why two session ids JSESSIONID and session-id used in a grails application?

I was doing some analysis on a grails application and I noticed two cookies being sent by the browser to the server every time. If I understand correctly, one session id should be enough to implement sessions in a web application, but I am wondering why two session ids are being used instead of one. The cookie looks as follows:
JSESSIONID=4206209230A211D7D45DF1124B2E08C1; session-id=37663030303130312D353235342D313339652D383235372D363464386133343030303032
I appreciate any help! Thanks!
The JSESSIONID is generated by the servlet container, like jetty or tomcat or the built-in one if you run a grails app standalone.
The session-id is generated by the http-server in use, like apache, etc.
I assume you run the grails application behind an apache/http-server proxy?
If you access the servlet container directly, only the JSESSIONID cookie is sent.

Tomcat handling of sessions on JRuby/Rails app

Running our JRuby/Rails application locally on rails/rack, the session id is reset/renewed in
session/abstract_store.rb using the DestroyableSession destroy method.
Each new request coming in, using the same browser, will generate a new session id.
When the application is deployed to Tomcat and a request is completed, if the same browser
window is used and a subsequent transaction is submitted, the session
id remains the same between transactions and no new session id is created.
How does running on Tomcat cause the difference in session handling?
Tomcat is a servlet container designed to solve these problems for you. In particular it sets the JSESSIONID cookie to track the current session from the user.

when a request session is generated in weblogic how session id is determined

When a session is invalidated in a web app, if I make a new request to that app with the invalidated jsessionid in the cookie, what will be the new session's id? As I inspect, a new session is generated but the session id remains the same. I couldn't give an explanation for this. Is there such a convention to keep the jsessionid in the cookie and give that value to the newly created session, or am I doing something wrong? :)
The Scenario.
I have 2 webapps on the same weblogic. The WLCookie name for these apps is the same.
When the user enters appA I am making an asynchronous call to appB's logout servlet, where appB's session is invalidated.
When the user clicks a link in appA which refers to appB, I am creating a new session in appB, and when I check the sessionid in the cookie it still remains the same one which was first created in appA.
As far as I know, two webapps on the same weblogic do not share their sessions if not configured, but although I invalidated appB's session from outside, why does the newly created session still have the same session id?
Thanks.
Do not confuse jsessionid with sessions. jsessionid is unique per container instance, whereas session is per app. So, the session data won't propagate from AppA to AppB just because they share the same jsessionid.

Grails Spring Security - reload session variables on relogin after session timeout

I'm using spring security core in my grails application. My app has lots of ajax calls which call controllers. Controllers in turn, depend on some session variables to fulfil the request. I'm currently able to correctly display the ajax login form on session timeout. However, it creates a new session with only the newly created user object. All other objects stored in session are lost.
Is there a way to reload session variables after a user logs back in after session time out?
The purpose of the session scope is that it's wiped when the session ends. If you need to share data between sessions, you should rethink your architecture and persist the data in a database (server side) or a cookie (client side).
(moved from comments into an answer)

Maintain session in grails

How to maintain session in my grails application. Here is my requirement.
I have to generate a session id (on the server side) based on the user-name (which comes from the client side at log-in).
After log-in, the server should pass the session id to the client and set a timer to validate the session.
For every request, the client should pass the session id to the server, so that the server is able to check whether the session is alive or not based on the timer.
If the session is valid, the server should process the request and has to increment the timer.
If the session is invalid, the request should not be processed by the server.
Please let me know if you have any idea/tutorial/suggestions.
Thanks in advance...
This looks exactly how the http session behaves, so you have that functionality out of the box. Just use the session variable to access session attributes. (see here). And this question tells you about how to configure the timeout.
