Search Results

Search found 183 results on 8 pages for 'sessionid'.

Page 1/8 | 1 2 3 4 5 6 7 8  | Next Page >

  • Delphi 7 SOAP Authentication and SessionID HowTo

    - by Justin Philbrow
    Hello All, I am developing a 3 tier database application. 1.) MS SQL DB 2.) Middle tier SOAP Server (with Delphi 7) connected to the DB 3.) Clients (first win32 gui (with Delphi 7) - later other platfomrs) connected to the SOAP server I chose a SOAP Server to be open to various clients at a later stage (also some of the win32 gui clients will be stationed abroad - so the clients need to be thin) (this as suggested by Dr. Bob). I am new to SOAP and have been looking at different examples and papers about authentication. But cant quite get my head around it. I have made a SOAP server and client with Delphi's SOAP Server Application Wizard and added a SOAP SERVER Data Module, added a database connection and some datasets and providers. Connected the client with dbgrid etc and that part works fine. But I want the client first to login and then be able to access data and I want the server to log each connection and also when the client logs off or is disconnected, so I am guessing I need the sessionID and a timeout. I also want the server to be able to tell the clients who else is "connected" (or whos session is still active) at any given time. I have gathered that I need to make a authentication header, but cant figure out where or who I can get a sessionID. I presume that each time a client connectes to the server the server generates a sessionID? How do I get this? Any help or suggestions/pointer would be appreciated, thanks Justin OK take 2: OK, I have done the following so far (this is used from the example Bank Account SOAP application that comes with Delphi 7): procedure TForm1.btnLoginClick(Sender: TObject); var H: TAuthHeader; Headers: ISOAPHeaders; SoapData: IThorPayServerDB; begin SoapData := HTTPRIOOnForm as IThorPayServerDB; if not(SoapData.login(edtUser.Text,edtPassword.Text)) then begin showmessage('Not correct login'); exit; end; Headers := SoapData as ISoapHeaders; { Get the header from the incoming message } Headers.Get(TAuthHeader, TSoapHeader(H)); try if H < nil then begin FIdKey := H.IdNumber; FTimeStamp := H.TimeStamp; end else ShowMessage('No authentication header received from server'); finally H.Free; end; if FIdKey 0 then showmessage('Authenticated');; end; The SoapData.login returns the correct result, but for some reason I cant get hold of the header. In this case H is nil and the result becomes 'No authentication header received from server'. If I intersept the SOAP xml I can see that the header is there, here is the returned package: 1 1 4208687 2010-05-14T10:03:49.469+03:00 true Anyone any idea? In this case I am not using the SOAPConnetion that I am using for the DB, but a seperate HTTPTRIO component.

    Read the article

  • PHP session cookie sessionid

    - by msaif
    in PHP i used session and cookie not urlrewriting with PHPSESSID. but when i opened cookie then i saw the key value pair.but one of them is path : / what does path mean,can you explain elaborately. if i change the path value to /abc/cdddddddddd/efc then what does that mean?

    Read the article

  • Wrong sessionID being used in callback, but only on one particular computer

    - by user210119
    I am writing a Python/Django web application that uses OAuth (for the TwitterAPI, not that it should matter). I am storing a session ID in my login function, and then after using OAuth to get the user's token, I try to retrieve the sessionID in my callback function. The callback function then always fails(throws an exception) because it can't find the OAuth token in the session. Through the debugger, I am able to determine that the session ID that the server is using is incorrect - it does not match the session ID that was stored in the login function. It's therefore unsurprising that the Oauth tokens were not there. The session that appears in the callback was the same one each time (until I tried deleting it - see "things I've tried below"), and it started out as an old session, with some data in it that is from a different django app running on the same server that I hadn't touched in a couple weeks. Here's the kicker: everything I described is an issue only on our production server, and only when connecting to it from my computer. Let me clarify: this only happens with my particular laptop. I can connect to the app just fine from someone else's computer. Other people cannot connect with their accounts on my computer. Furthmore, I can connect just fine to the app when it is running on my localhost using the built-in django webserver, just not to the production server. My setup: my server and local box are running= Django 1.2.0 and Python 2.6.5. My local box is running Snow Leopard and the Django webserver, the server is running Ubuntu, Apache2, and mod-wsgi. For sessions, I am using Django's default session backend (DB). Things I have tried, all to no avail: logging in with a different account, including new accounts that have never OAuthed to this app before Clearing cookies, using incognito mode, using a different web browser on my same computer. Each time, upon inspecting my cookies, the sessionID matched the sessionID in the login function and was different from the sessionID in the callback. deleting the session in the database that appears in the callback function, (the one that appeared to be old data). The callback function still fails, and the sessionID it appears to be using is now a new one using a different session backend (DB-cache, flat file, etc...) restarting the server, my computer, etc. My first question on StackOverflow, so bear with me if I didn't quite follow local conventions. I am just at a loss as to what to even look for - what are the things that could possibly be causing sessions to not work on my particular computer, and (so far!) only my particular computer?

    Read the article

  • WTSQuerySessionInformation returning empty strings

    - by Benj
    I've written a program which should query the Terminal Services API and print out some state information about the sessions running on a terminal services box. I'm using the WTSQuerySessionInformation function to do this and it's returning some data but most of the data seems to be missing... Does anyone know why? Here's my program: void WTSGetString( HANDLE serverHandle, DWORD sessionid, WTS_INFO_CLASS command, wchar_t* commandStr) { DWORD bytesReturned = 0; LPTSTR pData = NULL; if (WTSQuerySessionInformation(serverHandle, sessionid, command, &pData, &bytesReturned)) { wprintf(L"\tWTSQuerySessionInformationW - session %d - %s returned \"%s\"\n", sessionid, commandStr, pData); } else { wprintf(L"\tWTSQuerySessionInformationW - session %d - %s failed - error=%d - ", sessionid, commandStr, GetLastError()); printLastError(NULL, GetLastError()); } WTSFreeMemory(pData); } void ExtractFromWTS( HANDLE serverHandle, DWORD sessionid ) { WTSGetString(serverHandle, sessionid, WTSInitialProgram, L"WTSInitialProgram"); WTSGetString(serverHandle, sessionid, WTSApplicationName, L"WTSApplicationName"); WTSGetString(serverHandle, sessionid, WTSWorkingDirectory, L"WTSWorkingDirectory"); WTSGetString(serverHandle, sessionid, WTSOEMId, L"WTSOEMId"); WTSGetString(serverHandle, sessionid, WTSSessionId, L"WTSSessionId"); WTSGetString(serverHandle, sessionid, WTSUserName, L"WTSUserName"); WTSGetString(serverHandle, sessionid, WTSWinStationName, L"WTSWinStationName"); WTSGetString(serverHandle, sessionid, WTSDomainName, L"WTSDomainName"); WTSGetString(serverHandle, sessionid, WTSConnectState, L"WTSConnectState"); WTSGetString(serverHandle, sessionid, WTSClientBuildNumber, L"WTSClientBuildNumber"); WTSGetString(serverHandle, sessionid, WTSClientName, L"WTSClientName"); WTSGetString(serverHandle, sessionid, WTSClientDirectory, L"WTSClientDirectory"); WTSGetString(serverHandle, sessionid, WTSClientProductId, L"WTSClientProductId"); WTSGetString(serverHandle, sessionid, WTSClientHardwareId, L"WTSClientHardwareId"); WTSGetString(serverHandle, sessionid, WTSClientAddress, L"WTSClientAddress"); WTSGetString(serverHandle, sessionid, WTSClientDisplay, L"WTSClientDisplay"); WTSGetString(serverHandle, sessionid, WTSClientProtocolType, L"WTSClientProtocolType"); } int _tmain(int argc, _TCHAR* argv[]) { PWTS_SESSION_INFOW ppSessionInfo = 0; DWORD pCount; if(!WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &ppSessionInfo, &pCount)) { printLastError(L"WTSEnumerateSessions", GetLastError()); return 1; } wprintf(L"%d WTS sessions found on host\n", pCount); for (unsigned int i=0; i<pCount; i++) { wprintf(L"> session=%d, stationName = %s\n", ppSessionInfo[i].SessionId, ppSessionInfo[i].pWinStationName); ExtractFromWTS(WTS_CURRENT_SERVER_HANDLE, ppSessionInfo[i].SessionId); LPWSTR sessionstr = new wchar_t[200]; wsprintf(sessionstr, L"%d", ppSessionInfo[i].SessionId); } return 0; } And here's the output: C:\Users\Administrator\Desktop>ObtainWTSStartShell.exe empserver1 4 WTS sessions found on host > session=0, stationName = Services WTSQuerySessionInformationW - session 0 - WTSInitialProgram failed - error=87 - The paramete r is incorrect. WTSQuerySessionInformationW - session 0 - WTSApplicationName failed - error=87 - The paramet er is incorrect. WTSQuerySessionInformationW - session 0 - WTSWorkingDirectory returned "" WTSQuerySessionInformationW - session 0 - WTSOEMId returned "" WTSQuerySessionInformationW - session 0 - WTSSessionId returned "" WTSQuerySessionInformationW - session 0 - WTSUserName returned "" WTSQuerySessionInformationW - session 0 - WTSWinStationName returned "Services" WTSQuerySessionInformationW - session 0 - WTSDomainName returned "" WTSQuerySessionInformationW - session 0 - WTSConnectState returned "?" WTSQuerySessionInformationW - session 0 - WTSClientBuildNumber returned "" WTSQuerySessionInformationW - session 0 - WTSClientName returned "" WTSQuerySessionInformationW - session 0 - WTSClientDirectory returned "" WTSQuerySessionInformationW - session 0 - WTSClientProductId returned "" WTSQuerySessionInformationW - session 0 - WTSClientHardwareId returned "" WTSQuerySessionInformationW - session 0 - WTSClientAddress returned "" WTSQuerySessionInformationW - session 0 - WTSClientDisplay returned "" WTSQuerySessionInformationW - session 0 - WTSClientProtocolType returned "" GetShellProcessNameFromUserPolicy - Error: Unable to open policy key - returned [2] GetShellProcessName succeseded - explorer.exe > session=1, stationName = Console WTSQuerySessionInformationW - session 1 - WTSInitialProgram returned "" WTSQuerySessionInformationW - session 1 - WTSApplicationName returned "" WTSQuerySessionInformationW - session 1 - WTSWorkingDirectory returned "" WTSQuerySessionInformationW - session 1 - WTSOEMId returned "" WTSQuerySessionInformationW - session 1 - WTSSessionId returned "?" WTSQuerySessionInformationW - session 1 - WTSUserName returned "" WTSQuerySessionInformationW - session 1 - WTSWinStationName returned "Console" WTSQuerySessionInformationW - session 1 - WTSDomainName returned "" WTSQuerySessionInformationW - session 1 - WTSConnectState returned "?" WTSQuerySessionInformationW - session 1 - WTSClientBuildNumber returned "" WTSQuerySessionInformationW - session 1 - WTSClientName returned "" WTSQuerySessionInformationW - session 1 - WTSClientDirectory returned "" WTSQuerySessionInformationW - session 1 - WTSClientProductId returned "" WTSQuerySessionInformationW - session 1 - WTSClientHardwareId returned "" WTSQuerySessionInformationW - session 1 - WTSClientAddress returned "" WTSQuerySessionInformationW - session 1 - WTSClientDisplay returned "?" WTSQuerySessionInformationW - session 1 - WTSClientProtocolType returned "" GetShellProcessNameFromUserPolicy - Error: Unable to open policy key - returned [2] GetShellProcessName succeseded - explorer.exe > session=3, stationName = RDP-Tcp#0 WTSQuerySessionInformationW - session 3 - WTSInitialProgram returned "" WTSQuerySessionInformationW - session 3 - WTSApplicationName returned "" WTSQuerySessionInformationW - session 3 - WTSWorkingDirectory returned "" WTSQuerySessionInformationW - session 3 - WTSOEMId returned "" WTSQuerySessionInformationW - session 3 - WTSSessionId returned "?" WTSQuerySessionInformationW - session 3 - WTSUserName returned "Administrator" WTSQuerySessionInformationW - session 3 - WTSWinStationName returned "RDP-Tcp#0" WTSQuerySessionInformationW - session 3 - WTSDomainName returned "EMPSERVER1" WTSQuerySessionInformationW - session 3 - WTSConnectState returned "" WTSQuerySessionInformationW - session 3 - WTSClientBuildNumber returned "?" WTSQuerySessionInformationW - session 3 - WTSClientName returned "APWADEV03" WTSQuerySessionInformationW - session 3 - WTSClientDirectory returned "C:\Windows\System32\m stscax.dll" WTSQuerySessionInformationW - session 3 - WTSClientProductId returned "?" WTSQuerySessionInformationW - session 3 - WTSClientHardwareId returned "" WTSQuerySessionInformationW - session 3 - WTSClientAddress returned "?" WTSQuerySessionInformationW - session 3 - WTSClientDisplay returned "?" WTSQuerySessionInformationW - session 3 - WTSClientProtocolType returned "?" GetShellProcessNameFromUserPolicy - Error: Unable to open policy key - returned [2] GetShellProcessName succeseded - explorer.exe > session=65536, stationName = RDP-Tcp WTSQuerySessionInformationW - session 65536 - WTSInitialProgram returned "" WTSQuerySessionInformationW - session 65536 - WTSApplicationName returned "" WTSQuerySessionInformationW - session 65536 - WTSWorkingDirectory returned "" WTSQuerySessionInformationW - session 65536 - WTSOEMId returned "" WTSQuerySessionInformationW - session 65536 - WTSSessionId returned "" WTSQuerySessionInformationW - session 65536 - WTSUserName returned "" WTSQuerySessionInformationW - session 65536 - WTSWinStationName returned "RDP-Tcp" WTSQuerySessionInformationW - session 65536 - WTSDomainName returned "" WTSQuerySessionInformationW - session 65536 - WTSConnectState returned "?" WTSQuerySessionInformationW - session 65536 - WTSClientBuildNumber returned "" WTSQuerySessionInformationW - session 65536 - WTSClientName returned "" WTSQuerySessionInformationW - session 65536 - WTSClientDirectory returned "" WTSQuerySessionInformationW - session 65536 - WTSClientProductId returned "" WTSQuerySessionInformationW - session 65536 - WTSClientHardwareId returned "" WTSQuerySessionInformationW - session 65536 - WTSClientAddress returned "" WTSQuerySessionInformationW - session 65536 - WTSClientDisplay returned "" WTSQuerySessionInformationW - session 65536 - WTSClientProtocolType returned "" GetShellProcessNameFromUserPolicy - Error: Unable to open policy key - returned [2] GetShellProcessName succeseded - explorer.exe As you can see, some of the data looks valid, but not all....

    Read the article

  • "SessionId doesn't exist" error when starting Selenium server

    - by ripper234
    I'm raising a Selnium-server (the jar), and getting this exception without trying to talk to the server. What can be the cause? The errors keep coming in once every 2 seconds. Could this be some leftover from a previous Selenium run? C:\Foo>java -jar ..\..\..\..\lib\Selenium\selenium-server.jar 14:53:30.141 INFO - Java: Sun Microsystems Inc. 14.2-b01 14:53:30.142 INFO - OS: Windows Server 2008 6.1 amd64 14:53:30.149 INFO - v1.0.1 [2696], with Core v@VERSION@ [@REVISION@] 14:53:30.209 INFO - Version Jetty/5.1.x 14:53:30.210 INFO - Started HttpContext[/selenium-server/driver,/selenium-server/driver] 14:53:30.211 INFO - Started HttpContext[/selenium-server,/selenium-server] 14:53:30.211 INFO - Started HttpContext[/,/] 14:53:30.217 INFO - Started SocketListener on 0.0.0.0:4444 14:53:30.218 INFO - Started org.mortbay.jetty.Server@2747ee05 14:53:31.729 INFO - Checking Resource aliases 14:53:31.735 WARN - POST /selenium-server/driver/?seleniumStart=true&localFrameAddress=top&seleniumWindowName= &uniqueId=sel_27224&sessionId=1f2385b8bae24f6fb79816753de7cd69&counterToMakeURsUniqueAndSoStopPageCachingInThe Browser=1255006411692&sequenceNumber=268 HTTP/1.1 java.lang.RuntimeException: sessionId 1f2385b8bae24f6fb79816753de7cd69 doesn't exist; perhaps this session was already stopped? at org.openqa.selenium.server.FrameGroupCommandQueueSet.getQueueSet(FrameGroupCommandQueueSet.java:218 ) at org.openqa.selenium.server.SeleniumDriverResourceHandler.handleBrowserResponse(SeleniumDriverResour ceHandler.java:159) at org.openqa.selenium.server.SeleniumDriverResourceHandler.handle(SeleniumDriverResourceHandler.java: 127) at org.mortbay.http.HttpContext.handle(HttpContext.java:1530) at org.mortbay.http.HttpContext.handle(HttpContext.java:1482) at org.mortbay.http.HttpServer.service(HttpServer.java:909) at org.mortbay.http.HttpConnection.service(HttpConnection.java:820) at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:986) at org.mortbay.http.HttpConnection.handle(HttpConnection.java:837) at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:245) at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:357) at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

    Read the article

  • ASP.NET resseting SessionID cookie when cookie expiration date is set

    - by Sergej Andrejev
    I have two pages: Default.aspx and WebForm1.aspx. One of these pages stores a session variable which works fine until I add code which ads expiration date to SessionID cookie. What happens is: Open default.aspx Set-Cookie ASP.NET_SessionId=14jhsdfq23jkh13jkh12k1; expires=Fri, 19-Mar-2010 07:31:47 GMT; path=/ Click on link to open WebForm1.aspx No cookies set Click on link to open Default.aspx (Cookie is reset) Set-Cookie ASP.NET_SessionId=; expires=Fri, 19-Mar-2010 07:31:47 GMT; path=/ So the question would be how should I set SessionID cookie expiration date correctly? Default.aspx.cs using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Web.UI; using System.Web.UI.WebControls; namespace WebApplication1 { public partial class _Default : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { lnk.Click += new EventHandler(lnk_Click); Session["t"] = Guid.NewGuid(); Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddDays(2); } void lnk_Click(object sender, EventArgs e) { Response.Redirect("WebForm1.aspx"); } } } Default.aspx <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication1._Default" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head runat="server"> <title></title> </head> <body> <form id="form1" runat="server"> <div> <asp:LinkButton runat="server" ID="lnk" Text=">>>" /> </div> </form> </body> </html> WebForm1.aspx.cs using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.Web.UI; using System.Web.UI.WebControls; namespace WebApplication1 { public partial class WebForm1 : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { lnk.Click += new EventHandler(lnk_Click); } void lnk_Click(object sender, EventArgs e) { Response.Redirect("Default.aspx"); } } } WebForm1.aspx <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication1.WebForm1" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head runat="server"> <title></title> </head> <body> <form id="form1" runat="server"> <div> <asp:LinkButton runat="server" ID="lnk" Text=">>>" /> </div> </form> </body> </html>

    Read the article

  • how to pass session_id() throught out the php pages?

    - by Piyush
    when user clicks on login button(index.php) I am calling chechlogin.php where I am checking loginId an password as- if($count==1) { // Register $myusername, $mypassword and redirect to file "login_success.php" session_register("myusername"); session_register("mypassword"); $_SESSION['UserId'] = $myusername; $_session['SessionId'] = session_id(); header("location:LoggedUser.php"); } in LiggedUser.php <?php session_start(); //starting session if (!isset($_SESSION['SessionId']) || $_SESSION['SessionId'] == '') { header("location:index.php"); } ? Problem: It is always going back to index.php page although I am entering right userid and password.I think session_id() is not working properly or ??

    Read the article

  • HttpWebRequest sessionID c# login

    - by warne
    Im trying to login to a website (www.vodafone.ie) with a console app and c# httpWebRequest. Problem is it works ok about 50% of the time. Im using fiddler to find out the GET and POST requests I need to make. Done that and my app is successfully recreating these as best as I can see. The steps are; 1) GET request with cookie container to login uri. server response sets new cookie called jsessionID 2) do POST request with login credentials and same cookie container containing previous jsessionID. Looking at the fiddler logs for successful POST request login (browser or my app) I see it sets a thing in the response header : "Set-cookie: supercookie=-; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=". What is this supercookie thing? Its not returned to me in the response cookie collection like the jsessionID. On rare occasions, there is along string of numbers with the supercookie instead of just "-". I made sure to clear all cookies before analyzing the request/response headers. If the super cookie thing is not being set in the reponse my login fails. So just wondering what's going on here? cheers!

    Read the article

  • Cookie: ASP.NET SessionId Issue

    - by LB
    I have a load generator that appends a ASP.NET_SessionId to the Cookie when making a Soap test call from Machine A to Machine B. Cookie: ASP.NET_SessionId=gf0ouay24sdneiuicpiggn45; However, when I'm running the soap test hitting my local server it doesn't have an ASP.NET_Session variable in the cookie. Why is this happening? UPDATE: I'm getting this issue now on the server: Forms authentication failed for the request. Reason: The ticket supplied was invalid. I've followed this: http://msmvps.com/blogs/omar/archive/2006/08/20/108307.aspx But to no avail.

    Read the article

  • F5 BIG_IP persistence iRules applied but not affecting selected member

    - by zoli
    I have a virtual server. I have 2 iRules (see below) assigned to it as resources. From the server log it looks like that the rules are running and they select the correct member from the pool after persisting the session (as far as I can tell based on my log messages), but the requests are ultimately directed to somewhere else. Here's how both rules look like: when HTTP_RESPONSE { set sessionId [HTTP::header X-SessionId] if {$sessionId ne ""} { persist add uie $sessionId 3600 log local0.debug "Session persisted: <$sessionId> to <[persist lookup uie $sessionId]>" } } when HTTP_REQUEST { set sessionId [findstr [HTTP::path] "/session/" 9 /] if {$sessionId ne ""} { persist uie $sessionId set persistValue [persist lookup uie $sessionId] log local0.debug "Found persistence key <$sessionId> : <$persistValue>" } } According to the log messages from the rules, the proper balancer members are selected. Note: the two rules can not conflict, they are looking for different things in the path. Those two things never appear in the same path. Notes about the server: * The default load balancing method is RR. * There is no persistence profile assigned to the virtual server. I'm wondering if this should be adequate to enable the persistence, or alternatively, do I have to combine the 2 rules and create a persistence profile with them for the virtual server? Or is there something else that I have missed?

    Read the article

  • How to avoid session sharing provided by IE8 programatically in java/j2ee application ?

    - by Idiot
    Microsoft, in an effort to make Internet Explorer 8 "more stable" and “faster”, have changed the underlying architecture of the browser and introduced a function called "Loosely-Coupled IE" (LCIE) which works on session sharing across TAB and new instances. But session sharing may be fatal when some one is trying to do two different things at a time with the same application, e.g. like someone want to book one forward journey ticket and one return ticket at a time, at that time he will book 2 same tickets what he has not intended to. PROBABLE SOLUTION ON IT While creating new window Instead of creating by clicking on icon or Ctrl+N we should use File - New Session it will not happen. You can make a registry change on the client PC - adding the following. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] “TabProcGrowth" = dword : 00000000 Will disable "Loosely Couple IE8"; IE8 then works as previous versions of IE. But how i will do it programatically ?

    Read the article

  • Session Cookies and IE 8

    - by Matt Luongo
    I recently built a simple web-app deployed over Tomcat. The app uses pretty standard session based security where a user who has logged in is given a session. Sessions work fine in Firefox and Chrome, but require the use of jsessionid in the URL for IE (tested 7 & 8), set to medium privacy. In IE 8, I tried to override cookie handling, setting "Allow all 3rd party cookies" and "Allow all session cookies"- no dice. However, when I run Tomcat on my local machine, IE accepts the cookie, and sessions work just fine. And now, for the HTTP headers. From Chrome, a logged in user gets a session GET http://devl:8080/testing/ HTTP/1.1 Host: devl:8080 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA" Set-Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397; Path=/testing Content-Type: text/html;charset=UTF-8 Content-Language: en-US Content-Length: 2450 Date: Fri, 26 Mar 2010 14:14:40 GMT GET http://devl:8080/testing/logout HTTP/1.1 Host: devl:8080 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1036 Safari/532.5 Referer: http://devl:8080/testing/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=9280023BCE2046F32B13C89130CBC397 ... From IE 8, with standard medium level security and privacy- GET http://devl:8080/testing/ HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; Tablet PC 2.0) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: devl:8080 Connection: Keep-Alive HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT STA" Set-Cookie: JSESSIONID=192999F922D6E9C868314452726764BA; Path=/testing Content-Type: text/html;charset=UTF-8 Content-Language: en-US Content-Length: 2450 Date: Fri, 26 Mar 2010 14:32:34 GMT GET http://devl:8080/testing/logout HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */* Referer: http://devl:8080/testing/;jsessionid=6371A83EFE39A46997544F9146AA5CEA Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC; Tablet PC 2.0) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: devl:8080 ... I thought it might be P3P, but on adding a compact policy, nothing changes. This is the standard Tomcat session, so I'm really surprised I haven't been able to find other people with the same problem so far. Anyone have any ideas?

    Read the article

  • Perl - WWW::Mechanize Cookie Session Id is being reset with every get(), how to make it stop?

    - by Phill Pafford
    So I'm scraping a site that I have access to via HTTPS, I can login and start the process but each time I hit a new page (URL) the cookie Session Id changes. How do I keep the logged in Cookie Session Id? #!/usr/bin/perl -w use strict; use warnings; use WWW::Mechanize; use HTTP::Cookies; use LWP::Debug qw(+); use HTTP::Request; use LWP::UserAgent; use HTTP::Request::Common; my $un = 'username'; my $pw = 'password'; my $url = 'https://subdomain.url.com/index.do'; my $agent = WWW::Mechanize->new(cookie_jar => {}, autocheck => 0); $agent->{onerror}=\&WWW::Mechanize::_warn; $agent->agent('Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100407 Ubuntu/9.10 (karmic) Firefox/3.6.3'); $agent->get($url); $agent->form_name('form'); $agent->field(username => $un); $agent->field(password => $pw); $agent->click("Log In"); print "After Login Cookie: "; print $agent->cookie_jar->as_string(); print "\n\n"; my $searchURL='https://subdomain.url.com/search.do'; $agent->get($searchURL); print "After Search Cookie: "; print $agent->cookie_jar->as_string(); print "\n"; The output: After Login Cookie: Set-Cookie3: JSESSIONID=367C6D; path="/thepath"; domain=subdomina.url.com; path_spec; secure; discard; version=0 After Search Cookie: Set-Cookie3: JSESSIONID=855402; path="/thepath"; domain=subdomain.com.com; path_spec; secure; discard; version=0 Also I think the site requires a CERT (Well in the browser it does), would this be the correct way to add it? $ENV{HTTPS_CERT_FILE} = 'SUBDOMAIN.URL.COM'; ## Insert this after the use HTTP::Request... Also for the CERT In using the first option in this list, is this correct? X.509 Certificate (PEM) X.509 Certificate with chain (PEM) X.509 Certificate (DER) X.509 Certificate (PKCS#7) X.509 Certificate with chain (PKCS#7)

    Read the article

  • Spring MVC and Jetty: Prevent jsessionid from being used in RedirectView on redirect to external sit

    - by Moritz Both
    In Spring MVC 2.5 with Jetty - probably with any servlet container -, I want to redirect to an external site using RedirectView via the magic "redirect:" prefix for the view name in ModelAndView. Unfortunately, RedirectView uses response.encodeURL(), so my (otherwiese wanted) session id is appended to the URL. It is not only a security risk to carry the session id to the external site, the ";jsessionid=gagnbaba" string may also be interpreted as part of the ContextPath/PathInfo on the other site, resulting in a bad URL. Any "springish" options other than implement my own ExternalRedirectView... and also hack the ViewResolver to interpret a "externalRedirect:" prefix? (Requiring cookies is not an option.) Moritz

    Read the article

  • Removing $_SESSION['layout']['action'] globally from all users!

    - by sologhost
    Ok, I am storing a session variable like so to load up users layouts faster if it's set instead of calling the database. But since the layout can be changed via the Administrator, I'd like to be able to globally remove all sessions where $_SESSION['layout']['action'] is set for all users. $_SESSION['layout']['action'] = array(a ton of indexes and mulit-dimensional arrays); Now, I know it's being stored into my database sessions table, there's a column for session_id, last_update, and data. So, question I have is how to remove that session array key ['action'] from all users. Using $_SESSION = array(); session_destroy(); Does not work. Basically, session_start() is being loaded on every page load, so I just want to remove all ['action'] keys from ['layout']. Is this possible to do? Thanks

    Read the article

  • Why am I getting a new session ID on every page fetch in my Perl WWW::Mechanize script?

    - by Phill Pafford
    So I'm scraping a site that I have access to via HTTPS, I can login and start the process but each time I hit a new page (URL) the cookie Session Id changes. How do I keep the logged in Cookie Session Id? #!/usr/bin/perl -w use strict; use warnings; use WWW::Mechanize; use HTTP::Cookies; use LWP::Debug qw(+); use HTTP::Request; use LWP::UserAgent; use HTTP::Request::Common; my $un = 'username'; my $pw = 'password'; my $url = 'https://subdomain.url.com/index.do'; my $agent = WWW::Mechanize->new(cookie_jar => {}, autocheck => 0); $agent->{onerror}=\&WWW::Mechanize::_warn; $agent->agent('Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100407 Ubuntu/9.10 (karmic) Firefox/3.6.3'); $agent->get($url); $agent->form_name('form'); $agent->field(username => $un); $agent->field(password => $pw); $agent->click("Log In"); print "After Login Cookie: "; print $agent->cookie_jar->as_string(); print "\n\n"; my $searchURL='https://subdomain.url.com/search.do'; $agent->get($searchURL); print "After Search Cookie: "; print $agent->cookie_jar->as_string(); print "\n"; The output: After Login Cookie: Set-Cookie3: JSESSIONID=367C6D; path="/thepath"; domain=subdomina.url.com; path_spec; secure; discard; version=0 After Search Cookie: Set-Cookie3: JSESSIONID=855402; path="/thepath"; domain=subdomain.com.com; path_spec; secure; discard; version=0 Also I think the site requires a CERT (Well in the browser it does), would this be the correct way to add it? $ENV{HTTPS_CERT_FILE} = 'SUBDOMAIN.URL.COM'; ## Insert this after the use HTTP::Request... Also for the CERT In using the first option in this list, is this correct? X.509 Certificate (PEM) X.509 Certificate with chain (PEM) X.509 Certificate (DER) X.509 Certificate (PKCS#7) X.509 Certificate with chain (PKCS#7)

    Read the article

  • Prevent Cross-site request forgery - Never Rely on The SessionID Sent to Your Server in The Cookie H

    - by Yan Cheng CHEOK
    I am reading the tutorial at http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ It states Remember - you must never rely on the sessionID sent to your server in the cookie header ; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server. Is it use to prevent http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics With this mythology, is it sufficient enough to prevent to above attack?

    Read the article

  • PHP: session isnt saving before header redirect

    - by Matt
    Hi guys, I have read through the php manual for this problem and it seems quite a common issue but i have yet to find a solution. I am saving sessions in a database. My code is as follows: // session $_SESSION['userID'] = $user->id; header('Location: /subdirectory/index.php'); Then at the top of index.php after the session_start(), i have var_dumped the $_SESSION global and the userID is not in there. As i said ive looked through the PHP manual (http://php.net/manual/en/function.session-write-close.php) and neither session_write_close or session_regenerate_id(true) worked for me. Does anybody know a solution? Edit: I have session_start() at the top of my file. When i var_dump the session global before the header redirect, i see the userID in there, but not in the other file, which is in a subdirectory of this script Thanks, Matt

    Read the article

  • Using PHP session_id() to Make Sure iframe is Generated by Our Server Dynamically

    - by Michael Robinson
    We use iframes to show ads on our site. Iframes are used to allow us to keep the ad generation code and other site modules separate. As we track ad views on our site, and need to be able to keep an accurate count of which pagetype gets what views, I must ensure that users can't simply copy-paste the iframe in which the ad is loaded onto another site. This would cause ad count to become inflated for this page, and the count would not match the view count of the page the iframe "should" be displayed in. Before anyone says so: no I can't simply compare the page view count with the ad view count, or use the page view count * number of ads per page, as # of ads per page will not necessarily be static. I need to come up with a solution that will allow ads to be shown only for iframes that are generated dynamically and are shown on our pages. I am not familiar with PHP sessions, but from what little reading I have had time to do, the following seems to be to be an acceptable solution: Add "s = session_id()" to the src of the ad's iframe. In the code that receives and processes ad requests, only return (and count) and ad if s == session_id(). Please correct me if I'm wrong, but this would ensure: Ads would only be returned to iframes whose src was generated alongside the rest of the page's content, as is the case during normal use. We can return our logo to ad calls with an invalid session_id. So a simple example would be: One of our pages: <?php session_start(); ?> <div id="someElement"> <!-- EVERYONE LOVES ADS --> <iframe src="http//awesomesite.com/ad/can_has_ad.php?s=<?php echo session_id(); ?>></iframe> </div> ad/can_has_ad.php: <?php session_start(); ?> if($_GET['s'] == session_id()){ echo 'can has ad'; } else{ echo '<img src="http://awesomesite.com/images/canhaslogo.jpg"/>'; } And finally, copied code with static 's' parameter: <!-- HAHA LULZ I WILL SCREW WITH YOUR AD VIEW COUNTS LULZ HAHA --> <iframe src="http//awesomesite.com/ad/can_has_ad.php?s=77f2b5fcdab52f52607888746969b0ad></iframe> Which would give them an iframe showing our awesome site's logo, and not screw with our view counts. I made some basic test cases: two files, one that generates the iframe and echos it, and one that the iframe's src is pointed to, that checks the 's' parameter and shows an appropriate message depending on the result. I copied the iframe into a file and hosted it on a different server, and the correct message was displayed (cannot has ad). So, my question is: Would this work or am I being a PHP session noob, with the above test being a total fluke? Thanks for your time! Edit: I'm trying to solve this without touching the SQL server

    Read the article

  • Get UserToken from Logon ID (LUID) (C++)

    - by strDisplayName
    Hey Everybody I'm trying to understand better how windows sessions work, so if I have some weird mistakes in the question, please, let me know :-) . I use LsaEnumerateLogonSessions() to get all the logged on sessions in the system. Now I have LUID that represents a log-on, and if I understand correctly, it represents a user that logged on or a build it user like SYSTEM. Now, if user X starts a process, windows gives that process a token that represents X. So here comes my question: Is there a way (in a windows service) to get the user's token from LUID? I know I can get it from a process HANDLE, but that is not what I want... Thanks a lot!

    Read the article

  • Where to find a unique session ID at design time in .Net WinForms.

    - by Jules
    I've created a custom clipboard because it's not possible to make my whole class map serializable - which is a requirement for the windows clipboard. However, I need to distinguish between users who are using my clipboard through a unique id. Basically, I want to be able identify a person who is sat at one PC with one or more copies of visual studio (or similar) open. How do I do that? ps: This is at design-time. pps: It's not critical that it should work between copies of visual studio. One copy would be fine, or even one design surface.

    Read the article

1 2 3 4 5 6 7 8  | Next Page >