Does Tomcat absolutely guarantee that sessions and browser windows have 1-to-1 relationship? Or it is possible to have multiple windows sharing one HttpSession, for example when pressing Ctrl-N?
This is not server specific and can also not be controlled from the server side on. This is client (webbrowser) specific and can only be controlled by client side configuration (whenever available). By default, all modern browsers share the same cookies and thus also the session among all instances (all windows and tabs). Only in Chrome, you can open a new "Incognito" window using Ctrl+Shift+N which will create an entirely separate session.
See also:
How do servlets work? Instantiation, sessions, shared variables and multithreading
The session is bound to the JSESSIONID cookie, so it'll be shared across the windows from the same browser. If you want two sessions you can use two browsers side by side, like Firefox and Chrome.
Related
We recently had a windows upgrade 10 to patch version 10.0.18362. Before this we were able to connect to any URLs.
Aftermath is now we are not able to connect to a website which is hosted after a security device (WAF - web application firewall). CI_session (cookie value is now in different format value like - session_id%22%3Bs%3A32%3A%2)
Just wondering does an operating system changes the HTTPs request format after a client sends it to the server.
Will need help on this. Not sure how to put this up and look for answers.
There seem to be two separate paths going on here:
Windows 10 patches
A WAF implemented on your web app (is it F5's ASM, Advanced WAF or NGINX WAF, F5 was tagged).
That version of Windows by itself doesn't have issues related to connecting to URLs. If you have a VPN in the mix, then that does pose some changes that could affect your browsing sessions (split-dns versus full tunnel and such).
If the WAF is our potential culprit (using F5 as example since it was tagged) and there are blocking events by default the WAF will give you a message stating it was blocked along with an error code.
When rolling out a WAF policy in front of an application, the standard process is to run in transparent mode while learning the application. The WAF then understands the default behavior of that application (if going beyond default attack signatures). If the application is changed, it's standard practice to rerun learning and update the WAF policy as needed (usually done during test/stg processes).
Regardless, the WAF would generate warning or blocking events and this would be visible in analytics, logging, and a blocking page would present itself to the user being blocked (unless disabled - bad experience though).
Moving beyond the WAF aspect of this, if the application is indeed behind a BIG-IP, there may be load balancing methods involved using cookie persistence for the session. The F5 BIG-IP will use a cookie insert or rewrite which clients use until the cookie/session expires (expiration based on persistence within the BIG-IP - more on that here: AskF5 K6917).
Depending on what system is responsible for the session, you should A) not see two separate ci_sessions and B) the BIG-IP would be responsible for the session state to the back end node.
Your client COULD be connecting to two back end nodes and receiving two separate sessions independent of each other. If that's possibly the case, then investigating how the F5 BIG-IP is determining persistence is needed.
If another persistence method was used you'll need to find out and resolve with the BIG-IP admin/app owners. Example of persistence methods on BIG-IP v15. Either way, you'll need to find out how the application is deployed behind BIG-IP and if that changed. If the answer cannot be found within F5's DevCentral community or at AskF5, then a ticket should be created. Cookie persistence on BIG-IP isn't difficult to implement but it's all dependent on how the application behaves.
If not, gather some more details and I can update this answer. Hope this helped at least understand the WAF and BIG-IP LB methonds.
If possible i want to use my computer to emulate multiple clients (like TPC-W) on a web server, i tried to use Htmlunit however when i created two WebClient() they had the same login session (when one logged in the other was logged in as well in a stateful bean, it causes the second one to crash because the login form disappears after the logging in).
The reason i'm not using TPC is because i want to benchmark on my own web pages. I'd like to know if it is possible to use TPC to emulate my own pages or a library/trick that can do the job.
It seems the answer to my question was written in the following question.
prevent Shared session with multiple browser windows
The answer is: multiple logins in a single session. Thanks goes to user191966 for the answer.
Are there any benefits to ColdFusion sessions vs J2EE sessions?
The ColdFusion session documentation mentions the benefits of J2EE sessions, but not any advantages of ColdFusion sessions. J2EE sessions have been available since ColdFusion MX (released in 2002), but there are still a lot of people using standard ColdFusion sessions. Are there any disadvantages of J2EE sessions that aren't present with ColdFusion sessions?
J2EE session management provides the following advantages over ColdFusion session management:
J2EE session management uses a session-specific session identifier, jsessionid, which is created afresh at the start of each session.
You can share session variables between ColdFusion pages and JSP pages or Java servlets that you call from the ColdFusion pages.
The Session scope is serializable (convertible into a sequence of bytes that can later be fully restored into the original object). With ColdFusion session management, the Session scope is not serializable. Only serializable scopes can be shared across servers.
Therefore, consider using J2EE session management in any of the following cases:
You want to maximize session security, particularly if you also use client variables
You want to share session variables between ColdFusion pages and JSP pages or servlets in a single application.
You want to be able to manually terminate a session while maintaining the client identification cookie for use by the Client scope.
You want to support clustered sessions; for example, to support session failover among servers.
There are no serious disadvantages to using Java EE session cookies, and there are some advantages to using them, as indicated above in your question.
The one disadvantage to Java EE tokens is that the cookies cannot be easily modified programmatically. CF Tokens can. You can modify CF Tokens to be session only. You can also modify them to be SSL-only and httpOnly.
You can make Java EE tokens SSL-only and httpOnly as well, but it involves JVM arguments.
In CF9, Adobe also improved the randomness of CF Tokens to be more on par with Java EE tokens.
I really don't think it matters which one you use (assuming you're on CF9 or higher). But Java EE Tokens are the closest to working securely out-of-the-box. But if you want to go beyond just setting the cookies to "session-only" and have them be SSL-only and httpOnly, you'll need to dig into the JVM settings. You cannot do that in your App.cfc.
CF native sessions don't use Session cookies, so can last across browser/machine restarts, whereas all Java EE servers by default use session cookies,so your session can only last as long as your browser is open.
I can't find where this behaviour is specified in the Servlet JSR, but in Servlet Spec 3.0 (i.e. not JRun) , you can set an expiry date for your Java EE session cookie in order to mimic the CF native session behaviour.
As nosilleg mentions, this is could be a bonus, but also could be seen as a security problem, depending on the security requirements of the app your're working on.
One of the main disadvantages of J2EE session variables in ColdFusion is that changes such as making them "secure" cookies takes place instance wide.
This means that every site that is running on that instance must run under https, including ColdFusion administrator itself. For servers that host multiple sites that require sessions, this will generally be problematic. Additionally, if you're running the ColdFusion Administrator from the built in web server, there's a bit of a process to get that working under ssl.
If you need the documented advantages of J2EE cookies, and need the cookie to be secure then all sites that requires sessions must be on https.
If you don't need any of the documented advantages of J2EE cookies, and you're running CF9 or later, then you're better off going with ColdFusion cookies.
Note that Railo still has the same issue but with more flexibility since the cfapplication tag has a sessiontype attribute where you can choose between j2ee or cf session cookies on a per site basis.
I had one tiny problem where I completely lost session variables between requests. I was using a cfhttp post with J2EE sessions. Imagine this scenario:
1. call.cfm in wwwRoot/test folder makes a call to an index page also in the same folder.
2. index.cfm sends the request to wwwRoot/test/controller/login.cfm.
3. login.cfm sets some session variables and sends the user to wwwRoot/test/index.cfm
4. index.cfm does not see the session variables created.
All the send requests are done via cflocation with addtoken="yes".
Turn off the J2EE session variables, and viola! It works just like the way it should.
cflocation and session variables
I'm using the Selenium Client (v 1.2.18) to do automated navigation of retail websites for which there exists no external API. My goal is to determine real-time, site-specific product availability using the "Check Availability" button that exists on a lot of these sites.
In case there's any concern, each of these checks will be initiated by a real live consumer who is actually interested in whether or not something's available at that store. There will be no superfluous requests or other internet badness.
I'm using Selenium's Grid framework so that I can run stuff in parallel and I'm keeping each of the controlled browsers open between requests. The issue I'm experiencing is that I need to perform these checks across a number of different domains, and I won't know in advance which one I will have to check next. I didn't think this would be too big an issue, but it turns out that when a Selenium browser instance gets made, it gets linked to a specific domain and I haven't been able to find any way to change what domain that is. This requires restarting a browser each time a request comes in for a domain we're not already linked to.
Oh, and the reason we're using Selenium instead something more light-weight (eg. Mechanize) is because we need something that can handle JavaScript.
Any help on this would be greatly appreciated. Thanks in advance.
I suppose you are restricted from changing domain because of same origin policy. Did you try using browser with elevated security privileges like iehta for internet explorer and chrome for firefox browsers. While using these modes of browsers, use open method in your tests and pass the URL which you want to open. This might solve your problem.
I have a very basic knowledge of the web programming, and I couldn't figure out the answer to this question.
Typically, a cookie is used to identify a session in web applications. However, as far as I know, multiple browser windows share cookies. In that case, how does web applications distinguish between the tabs?
Edit: I guess all the answers are saying the same thing - there is no standard way to handle this. Ok. Thanks for resolving my uncertainty guys.
However, as far as I know, multiple browser windows share cookies. In that case, how does web applications distinguish between the tabs?
It cannot distinguish at all. Hence comes the challenge for web developers - make their application robust to prevent data destruction or unauthorized operations when access is performed from some other "outdated" tab.
They don't. The application does not know that you have two tabs open. If you are tracking sessions then it can know that you have two sessions open.
What are you trying to accomplish?
They don't. You have one cookie per different browser (ff/ie/ google chrome).
You'll have to distinguish the tabs client-side (ie Javascript).