Good day. I'm developing a Java web app with Servlets\JSP using Tomcat 7.0. During request from client I put and object into the session and use forward. After the forward processing the same request the object can be retreived if the secure parameter is false otherwise it is not stored in session.
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
I've figured out that "...cookies can be created with the 'secure' flag, which ensures that the browser will never transmit the specified cookie over non-SSL...". I've configured Tomcat to use SSL, but that haven't helped. Changing the tracking mode to SSL haven't helped as well. How do session-config and HttpSession object correlate in this case? What could be the problem?
Related
I've been working on a Web based Application on Spring MVC architecture. With the Java EE applications, I'm very much familiar that HttpSession can be timed out in either of these three ways
Invoking invalidate method(generally while logging out).
Setting session time out in web.xml.
Web server itself destroyes sessions objects when heap memory exceeds.
But in my Spring application, HttpSession gets timed out after I make my application idle for several hours eventhough none of the above reasons were causes. I really have no idea what is causing this.
The default session timeout in tomcat is defined in
<TOMCAT_HOME>/conf/web.xml
All configuration parameters of this file can be overridden in web.xml of the webapp.
If you need an infinite session timeout use -1 :
<session-config>
<session-timeout>-1</session-timeout>
</session-config>
Ive just set custom cookie values for my application with Spring.
On my web.xml I added this:
<session-config>
<cookie-config>
<domain>.127.0.0.1</domain> I want to run my app in localhost:8949/administrator
<path>/administrator</path>
<secure>false</secure>
<http-only>true</http-only>
</cookie-config>
</session-config>
So, the login form appears and I log in, creates the session but returns me to the login page.
I see 2 requests with differente jsessionid
one at j_spring_security_check and other at administrator/ and the request for the file login;jsessionid=ASDF...
My question, is this problem due a misconfiguration on my cookie? Could be that the specified path is not the correct? in that case, how can I specify the domain with a port? or the path is incorrect?
Any idea?
I am using Spring MVC 3.1 and developing a web application.
I am storing loged in user name and password in session.since session is stored in cookie, once cookie is disabled I am not able to log in.
is there is any solution in SPRING MVC to store session other then cookie.
Thanks
You want to use URL rewriting to persist the JSESSIONID in the URL's across requests. You can configure the ServletContext to use the URL tracking mode (instead of COOKIE) as described here.
With Servlet 3.0 you do this:
<session-config>
<cookie-config>
<tracking-mode>URL</tracking-mode>
</cookie-config>
</session-config>
I noticed that in my application (Java EE 6, Spring MVC 3.2.4, Spring Security 3.1.4) JSTL's <c:url> tags start adding the sessionid value to each URL when cookies get disabled. Spring Security works normally. I did not have to do any configuration to achieve this.
I'm looking to disable jsessionid from being used in the https headers.
Is there a way to turn this off or disable this being set as a cookie in tomcat 7?
I either want the jsessionid to arrive embedded into a GET method url name value pairs or to be part of a POST request name value pairs.
I know all the advantages and disadvantages of using cookie based sessioning and url rewriting but I have specific needs for specific impl of restful web services.
I need tomcat 7 to accept jsessionid without using the http header: jsessionid.
Thanks.
UPDATE:
so I looked around some more and found this which is implemented using the web.xml conf.
However the following doesn't seem to work with Tomcat 7.
<session-config>
<tracking-mode>URL</tracking-mode>
</session-config>
is it a case of TC7 not fully implementing the servlet 3.0 spec?
The web.xml setting works for me with Tomcat 7.0.20.
Log and check the effective (and maybe the default) session tracking modes:
logger.info("default STM: {}" , servletContext.getDefaultSessionTrackingModes());
logger.info("effective STM: {}" , servletContext.getEffectiveSessionTrackingModes());
Maybe your app override somewhere in the code the session tracking modes. An example:
final Set<SessionTrackingMode> trackingModes =
Collections.singleton(SessionTrackingMode.COOKIE);
servletContext.setSessionTrackingModes(trackingModes);
Check ServletContext.setSessionTrackingModes() calls in your code.
It's also possible to set default session tracking modes in the Tomcat's context settings but I found that web.xml settings override them.
i'm developping a web app (jsf 2.0 + facelets + richfaces 3.3.3 + oracle 10g + tomcat 6.0.26)
in my app, there's is 1 path that is not secured, and the others are secured (web.xml):
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin_Resource</web-resource-name>
<description/>
<url-pattern>/faces/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>A</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description>Role admin</description>
<role-name>A</role-name>
</security-role>
So, this path is not secured: /faces/client/*.
when i move from https tp http, i use this function:
FacesContext.getCurrentInstance().getExternalContext().redirect("http://url/faces/client/page.xhtml");
When i deploy my app, and use this url: http(s)://url/MyContext/faces/..., all worked fine.
But when i moved my app to the ROOT context, so i use this url : http(s)://url/faces/, my https session is lost when i move from https to http, then back to https. My login page shows up, so i need to re-type my login and password.
Why is my session lost ? Is there something wrong ?
Add: when i deploy my app, here's what i do (external server):
put my war file into webapp folder
start my server (that will decompress my war into folders,...), then stop it
i delete my war file
i replace the content of ROOT folder with the content of the decompressed war file
and restart my server again
but all works fine when i put my war into webapp folder, then start the server (that's all).
So, i think it's a context problem.
Do you have any ideas ?
This an old question but it's worth answering because I just ran into it and the answer ended up being really simple. First, it makes complete sense that the session should be regenerated on the same session cookie name when going back and forth between HTTP and HTTPS. By default in Tomcat the session cookie name is JSESSIONID.
In Tomcat you can very simply change the name of the session cookie. I had two webapps, one HTTP and another HTTPS, for admin tools. Anytime the HTTP webapp opened I lost my session in the HTTPS webapp. All I had to do was add the sessionCookieName to the context of my HTTPS webapp:
<context sessionCookieName="ANOTHERCOOKIENAME" ...
This won't help if you're switching between HTTP and HTTPS in the same webapp, but you shouldn't do that anyway.