WebSphere Commerce HttpSession: manage opening a page with an existing session - session-state

I have a problem with WebSphere Commerce and HttpSession. If I close the browser page and then re-open it, I continue the last session; so far, no problem. When I first log on, I send my user data to a program that traces my actions, but if I close and re-open the browser page, the trace program has "lost" the session and the system does not send my data to the trace program because I'm already logged in.
How can I know when the browser page is opened with an existing session?
I tried an HttpSessionListener implementing the sessionCreated and sessionDestroyed methods, but the sessionCreated method is called only when I log on.
Any ideas? I'm thinking of using a Listener or a Filter.
Thanks to all!
Thanks #Ranjith V for the response.
I mean: I log in to WCS, and when I land on the browser page there is a JS that knows whether I have just logged in, and it then sends my user data (user.123456.en) to an external system. This system traces my actions. When I close the browser I lose the session with the external system, but in WCS my session continues. When I open a random page in WCS, such as the Home page or After sales, I am already logged in and the JS does not understand that it must send my user data to the external system. I need to insert a variable in the session if I open a page and continue an existing session. The problem is here: how do I know that this is a new browser session?
Is there a Java class that checks whether I'm logged in and continuing a session? If there is, I could extend it and insert my variable there, so that the JS knows whether it must send the data.
I hope I'm making myself clear.
Thanks!

I didn't quite get what you are trying to ask and what you mean by trace program. But you can use cookies to identify the session.
How can I know when the browser page is open with an existing session?
WCS handles sessions using cookies. If you look at the request cookies, you know whether the user is authenticated or not. Look at the article below for more details on session handling:
https://www.ibm.com/support/knowledgecenter/en/SSZLC2_7.0.0/com.ibm.commerce.admin.doc/concepts/csesmsession_mgmt.htm
I think you would need to use one of the cookies below:
WC_SESSION_ESTABLISHED or WC_AUTHENTICATION_ID

How to find if the website is reading cookies using mechanize?

I'm trying to automate the website, but the website is reading the cookies and after 5 seconds it redirects to the main page. (I'm only assuming this, because when I disabled the cookies and then refreshed, the website did not redirect.) I don't know how to set the cookies using WWW::Mechanize.
Here are answers to the questions you've asked, but I don't think they'll help you a lot. You really need to explain what you're trying to do, show your Perl code, and describe the behaviour that needs to be fixed
Cookies are data that a browser client stores on behalf of a server. They are indexed by URL
Every time a client sends an HTTP message, it checks to see whether it has cookie data for the URL. If so then the data is included in the header of the message sent
How to find if the website is reading cookies
The cookie information that a client sends is always read, but there is no way at all to tell whether the server has taken action according to that information, or just discarded it
the website is reading the cookies and after 5secs its redirect to the main page
I'm unclear how you think cookies might be relevant
Just to be clear:
A website is an accumulation of data files and executables on a server system, and so cannot "read" a cookie
It is the client—your browser—that redirects to the main page. That is most likely to be because the last message from the server included an instruction to load the main page after five seconds

Prevent duplicate login with FOSUserBundle

Our application is using Symfony 2.0 and MongoDB with FOSUserBundle for user management.
The client wants to prevent login with the same username from different devices at the same time in their application.
Our idea is to invalidate/delete all other sessions for the same user when a successful login occurs.
The problem is that we cannot save sessions in the DB, because the Mongo session handler was added later, in version 2.1.
The only solution we came up with is to iterate over the session files saved in the file system and check whether the username of the user is saved in each file. If it is, we just delete the file, and the login sessions at other locations are terminated. Of course we also have to check that we don't delete the current session.
Does anyone have a better idea how the problem could be solved?
If not, are there any hidden traps that we should know about?
You could add an IP address column to the user entity that stores the current user's IP upon login. On each page load (via an event listener), you could check the IP stored in the DB against the IP of the person requesting the page. If the IP in the DB doesn't match the current user's IP (someone logged in from another location), log them out.
To take it a step further, via ajax, you could make a call to the server every X seconds that performs the same type of check, and do a redirect to log the user out if the ajax request returns a bad match.
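A language-neutral model of the per-request check from the answer above, added here as an example (JavaScript, not Symfony or FOSUserBundle code): it compares the stored-IP check with storing the id of the session created at login, which is a swapped-in variant not proposed in the thread. `userStore`, the function names and all sample values are constructed.

```javascript
// Constructed in-memory stand-in for the user collection (assumption).
const userStore = new Map(); // username -> { loginIp, activeSessionId }

// Called once per successful login: the newest login overwrites the record,
// which is what implicitly invalidates every older session for that user.
function onLoginSuccess(username, sessionId, ip) {
  userStore.set(username, { loginIp: ip, activeSessionId: sessionId });
}

// Per-request check (the "event listener on each page load" in the answer).
// Returns the verdict of both strategies so they can be compared.
function checkRequest(username, sessionId, ip) {
  const rec = userStore.get(username);
  if (!rec) return { byIp: false, bySessionId: false };
  return {
    byIp: rec.loginIp === ip,                       // answer's IP comparison
    bySessionId: rec.activeSessionId === sessionId, // swapped-in variant
  };
}

function runScenarios() {
  // Scenario 1: two devices behind one NAT address log in as the same user.
  onLoginSuccess("alice", "sess-laptop", "203.0.113.7");
  onLoginSuccess("alice", "sess-phone", "203.0.113.7");
  // The older laptop session makes a request: it should be rejected.
  const sharedNat = checkRequest("alice", "sess-laptop", "203.0.113.7");

  // Scenario 2: one device whose address changes mid-session (mobile, VPN).
  onLoginSuccess("bob", "sess-bob", "198.51.100.4");
  // The same, only session makes a request: it should be accepted.
  const roaming = checkRequest("bob", "sess-bob", "198.51.100.99");

  return { sharedNat, roaming };
}
```

In the shared-address scenario the IP comparison still accepts the older session, and in the roaming scenario it rejects the only legitimate one; the session-id comparison gets both cases right.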

Integrated Exchange login with GWT on Tomcat

I have a GWT app to deploy to Tomcat on a Windows server, with the following requirements:
1- The app should work fully, whether the user is in the Windows domain or not;
2- If the user happens to be in the domain, the app should be able to identify the user in some manner. Presumably, this should be via getThreadLocalRequest().getRemoteUser(), but any other alternative is fine...
3- If the user happens to be in the domain, the app should be able to access the MS Exchange server in that domain, without requiring the user to enter their password.
I've scoured the web high and low for this, but unfortunately, it seems there's no way to get authentication without forcing authentication. There are many examples of exclusions for, say, a login form or other "public" resources, but that won't work for us, since all the resources in a GWT app are packed into the same "page".
Maybe it's my limited understanding that's making me fail in some basic way, but I've tried to look at JCIFS, Jespa, Waffle and SPNEGO, and I just can't seem to get it working the way I want to...
Any help would be greatly appreciated.
Cheers,
J.
How about putting a JavaScript on your front page and having a Kerberos/SPNEGO-protected page? The JavaScript will attempt to request the protected page; if the user is on the domain you will get the correct result from the page, otherwise you will get 401 access denied. In the former case you can redirect your browser to the Exchange page, or make another AJAX call to retrieve things from the Exchange server; in the latter case you either show a log-in form or a generic anonymous page.
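The probe described in the answer above, as an added example (not code from the original post): `PROBE_URL`, the `{ user }` JSON body and the injected `fetchImpl` are assumptions. The name it returns is only a UI hint; the server must still take the identity from the authenticated request itself.

```javascript
// Hypothetical SPNEGO-protected endpoint that returns {"user": "..."} (assumption).
const PROBE_URL = "/protected/whoami";

// Ask the protected endpoint who we are. A browser in the domain answers the
// server's Negotiate challenge silently; any other client ends up with a 401.
// fetchImpl is injected (window.fetch in the page) so the logic can be tested.
async function probeDomainIdentity(fetchImpl, url = PROBE_URL, timeoutMs = 3000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, {
      credentials: "same-origin", // never send credentials cross-origin
      cache: "no-store",          // do not reuse a previous user's answer
      redirect: "error",          // a redirect to a login page is not a success
      signal: controller.signal,
    });
    if (res.status === 401) {
      return { mode: "anonymous", reason: "negotiate-failed" };
    }
    if (!res.ok) {
      return { mode: "anonymous", reason: "http-" + res.status };
    }
    const body = await res.json();
    if (typeof body.user !== "string" || body.user.length === 0) {
      return { mode: "anonymous", reason: "no-user" };
    }
    // Display only: authorization decisions stay on the server, which reads
    // the user from the authenticated request, not from this value.
    return { mode: "domain", user: body.user };
  } catch (err) {
    // Fail closed: timeouts and network errors fall back to the anonymous page.
    const reason = err && err.name === "AbortError" ? "timeout" : "network";
    return { mode: "anonymous", reason };
  } finally {
    clearTimeout(timer);
  }
}
```

In the page this would be called as `probeDomainIdentity(window.fetch.bind(window))`, showing the log-in form or anonymous page whenever `mode` is `"anonymous"`.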
What about using JNI to call the Win32Api function LogonUser?
By doing impersonation at the thread level you will have the NTLM token added to the current thread and you would be able to call Exchange with no issues.

Calling and processing response from Rest service in WP7 app

I am new to WP7 and I am working on a WP7 app that communicates with a Rest service using C#. I have been able to successfully develop the async code using HttpWebRequest to interact with it.
However, I am having difficulty with the login aspect (the service abstracts out all the details of login to Facebook so I do not have to deal with them. All I need to do is to go through the service call for login).
The service does the login by providing me a URI that I can call where I need to include several parameters within the QueryString (such as app and user login info). Another one of those parameters I need to send is a "Response URI" within my app code for receiving the Login responses back. So, as the service executes the login procedure, it will continually send information back to my "Response URI" to notify me of the status of the Login process.
The possible outcomes of the Login process include:
1- a success message in the Querystring to my "Response URI"
2- more interestingly, the service may need my user to enter additional information in order to log in in which case the service wants to display a web page within my app for the user to enter this info.
Due to #2 above, I believe I need the "Response URI" within my WP7 app to be a WebBrowser control. So login responses from the service can be sent there and I just monitor the Query string of the URI displayed on that WebBrowser until I determine that we have arrived at a "final outcome" of the login process. Meanwhile, my app just lets the service make use of the WebBrowser to interact with my user if needed.
My issue is that I do not know how I can set the "Response path" for the login call to be a WebBrowser. Any help or suggestions would be greatly appreciated.
Thanks in advance.
This response is based on my experience of RPX/JanRain Engage. It might help if we know which login system you are using (it's not facebook itself, or is it?)
If the login system sends you a "need more info" message, then that message will contain a URL to show.
At this point show a page within a WebBrowser and pass in a dummy ResponseUrl (e.g. http://myurl.special/reply)
Then keep monitoring the WebBrowser's OnNavigating event - when the WebBrowser navigates to http://myurl.special/reply then you know you are done
I hope this helps...

How to find if an Oracle APEX session is expired

Short version:
If the function wwv_flow_custom_auth_std.is_session_valid (or apex_custom_auth_std.is_session_valid) returns TRUE, is it possible that the session is expired but still alive? If so, how can you check if a session is expired?
Long version:
I have created a single-sign-on system for our Oracle APEX applications, roughly based on this tutorial:
http://www.oracle.com/technology/oramag/oracle/09-may/o39security.html
The only difference is that my master SSO login is in Perl, rather than another APEX app. It sets an SSO cookie, and the app can check if it's valid with a database procedure.
I have noticed that when I arrive in the morning, the whole system doesn't work. I reload a page from the APEX app, it then sends me to the SSO page because the session was expired, I log on, and get redirected back to my original APEX app page. This usually works except first thing in the morning. It seems the APEX session is expired. In that case it seems to find the session, but then refuses to use it, and sends me back to the login page.
I've tried my best to trace the problem. The "wwv_flow_custom_auth_std.is_session_valid" function returns true, so I'm assuming the session is valid. But nothing works until I remove the APEX session cookie. Then I can log back in easily.
Does anybody know if there is another call that would tell me if the session is expired or not?
Thanks
You can set the Maximum Session length in seconds under the application security attributes page.
Apex states the following:
"The session duration may be superseded by the operation of the job that runs every eight hours which deletes sessions older than 12 hours."
You could use the view apex_040100.APEX_WORKSPACE_SESSIONS to determine if a session is valid based on its existence or creation time, e.g. session_created - sysdate > 12Hours.
You should also use the "On session timeout direct to this URL" attribute.
This solution would require privileged access but you can query the wwv_flow_sessions$ view in your apex schema for any session that matches your username. If none exists, your session has timed out. This view also gives you a field 'idle_timeout_on' that will tell when your session is scheduled to time out.