I was tasked with modifying a wicket6/glassfish4 application so that the session id changes as soon as a user logs in. This is to avoid the problem of session fixation. I used the replaceSession() method (from the Wicket Session class), which does a destroy() and a bind(). It seems to do the trick, as the session id does indeed change. The problem is that now we see a jsessionid in the URL every time we initially log on. The id goes away after you log in and only appears on the initial launch.
My question is, is there a way to ensure that no jsessionid appears in the URL AND that the session id changes? Any advice would be greatly appreciated.
Use
<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
in your web.xml.
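The web.xml setting above turns off URL rewriting, which is what appends ;jsessionid=... to links on a request that arrived without a session cookie (the container cannot yet know the client accepts cookies, so it falls back to the URL). As an added example, not code from the question or the answer, here is the same configuration done programmatically at the Servlet 3.1 level that GlassFish 4 exposes underneath Wicket 6, together with a login handler that rotates the id with HttpServletRequest.changeSessionId() instead of Wicket's replaceSession(). The checkCredentials() method, the /home redirect target and the "user" attribute name are invented placeholders.

```java
// Added example: cookie-only session tracking plus session-id rotation on login,
// expressed with the Servlet 3.1 API (GlassFish 4). Not Wicket's or the asker's code.
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Programmatic equivalent of the web.xml <session-config> above, with cookie hardening. */
@WebListener
public class SessionConfigListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // COOKIE only: the container never falls back to URL rewriting, so
        // encodeURL()/encodeRedirectURL() stop appending ;jsessionid=... on first requests.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // id not readable from script
        cookie.setSecure(true);   // id only sent over TLS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

/** Login handler that issues a new session id after a successful credential check. */
@WebServlet("/login")
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!checkCredentials(user, pass)) {            // hypothetical back-end call
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Session fixation defence: keep the pre-login session contents but issue a
        // brand-new id, so an id an attacker planted before login no longer names this session.
        HttpSession session = req.getSession(true);
        req.changeSessionId();                          // Servlet 3.1; GlassFish 4 supports it
        session.setAttribute("user", user);             // attribute name is an assumption
        // With COOKIE-only tracking this redirect carries no jsessionid in the URL.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
    }

    /** Placeholder for the application's real authenticator; replace before use. */
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !pass.isEmpty();
    }
}
```

changeSessionId() keeps the session's attributes and only replaces the identifier, whereas Wicket's destroy()+bind() sequence discards the old session; pick whichever matches what the application needs to survive login. Either way, rotate the id only after the credentials have been verified, never on every request.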
Trying to retrofit an old webforms application.
Got my configuration working so that it's prompting for login and successfully redirecting back to the application. The folks that manage the IP can see the response is generated.
However in the callback to my application the User is null. I'm told if it's configured correctly it should be populated.
We have a custom IHttpModule, and that is where I can see it getting hit with the call to /Saml2/Acs with the User not populated. I think this may be expected, as the handler for that is supposed to populate the User? However the following call (the returnUrl configured in sustainsys.Saml2) still has no User, and I don't see any sort of error or anything.
Anyone with experience have an idea how to debug this?
The call to /Saml2/Acs should be taken care of by the Sustainsys.Saml2.HttpModule. It will process the response and then call the SessionAuthenticationModule to set a cookie that preserves the User across calls.
To get some more information about what's happening in the library, you can assign an implementation of ILoggerAdapter to Sustainsys.Saml2.Configuration.Options.FromConfiguration.SPOptions.Logger to get some logging output from the library.
My issue turned out to be that I had another authentication module loaded before SessionAuthenticationModule and Saml2AuthenticationModule in the web.config.
The comment in the example was:
Add these modules below any existing. The SessionAuthenticationModule
must be loaded before the Saml2AuthenticationModule
However, in my case I had another authentication module involved that needed to go last.
I have zen-cart's demo site implemented. The session time-out for customers who are registered or logged in to my zen-cart site is around 1 hour.
Now the main question is, I want to decrease my zen-cart customer login session time-out to 10 min. After 10 idle minutes the customer should get logged off by session time-out.
I have tried one of zen-cart's plugins for a custom time-out, but it has no effect. So can anyone help me solve this issue?
In your sessions.php file Zen Cart grabs 'session.gc_maxlifetime' from the php.ini file. If you want to change it, you should be able to simply define('SESSION_TIMEOUT_CATALOG', 16440); or change the session life var: $SESS_LIFE = 12440;
edit: this worked for me, just change this in includes/functions/sessions.php: #ini_set('session.gc_maxlifetime', 10440);
On the customer side, Zen Cart doesn't impose a specific session duration. That's handled by your server's PHP configuration.
Change your php.ini setting for session.gc_maxlifetime to whatever you desire it to be.
I have two JSP pages: page1.jsp with a form, and page2.jsp which displays a message telling the user whether the record insert happened or not.
If the form is successfully submitted and the user refreshes page2, another insert happens.
I don't want to use a session variable, and setting a request attribute in page2 doesn't resolve the issue (it seems not to work).
You can give this a try:
From page1.jsp set a request attribute; when control reaches page2.jsp, check for that request attribute and, if it is there, redirect control to the same page2.jsp. In this way, when control is redirected to the same or another resource, the previous request and response objects are no longer there (i.e. both the request and response objects are destroyed, because HTTP is a stateless protocol). So after the redirect there will be no data related to the previous request, and on refreshing page2.jsp it will not repeat the previous task.
I am not sure, but in one of my applications I used the same thing for this purpose. Let me know if anyone has a better alternative.
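The idea in the answer above is the Post/Redirect/Get pattern: after a successful POST, send the browser a redirect, so that the page it ends up on is the result of a GET and a refresh only repeats that GET. As an added example, not code from the question or the answer, here is that pattern in a servlet, extended with a one-time form token so that a replayed POST (back button, double click) cannot insert twice either. The insertRecord() method, the /insert URL, the "name" field and the "insert.tokens" context attribute are invented placeholders; the tokens are kept in the servlet context rather than the session, because the asker wants to avoid session variables.

```java
// Added example: Post/Redirect/Get plus a one-time submission token.
// Not the asker's code; page1.jsp/page2.jsp are the names used in the question.
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/insert")
public class InsertServlet extends HttpServlet {
    private static final String TOKENS = "insert.tokens"; // context attribute name (assumed)
    private static final SecureRandom RNG = new SecureRandom();

    /** GET renders the form with a fresh, unguessable token that is valid for one POST. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens(getServletContext()).add(token);
        // page1.jsp emits: <input type="hidden" name="token" value="${formToken}">
        req.setAttribute("formToken", token);
        req.getRequestDispatcher("/page1.jsp").forward(req, resp);
    }

    /** POST consumes the token exactly once, inserts, then redirects so a refresh re-GETs page2. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String token = req.getParameter("token");
        // remove() is atomic on the concurrent set: two concurrent replays cannot both succeed.
        boolean fresh = token != null && tokens(getServletContext()).remove(token);
        if (!fresh) {
            // Replayed or forged submission: nothing is inserted.
            resp.sendRedirect(resp.encodeRedirectURL(
                    req.getContextPath() + "/page2.jsp?status=duplicate"));
            return;
        }
        boolean ok = insertRecord(req.getParameter("name"));
        // Redirect instead of forward: the browser's current page becomes a GET of page2.jsp,
        // so pressing F5 repeats only that GET and never the insert.
        resp.sendRedirect(resp.encodeRedirectURL(
                req.getContextPath() + "/page2.jsp?status=" + (ok ? "ok" : "failed")));
    }

    @SuppressWarnings("unchecked")
    private static Set<String> tokens(ServletContext ctx) {
        synchronized (ctx) {
            Set<String> set = (Set<String>) ctx.getAttribute(TOKENS);
            if (set == null) {
                set = ConcurrentHashMap.newKeySet();
                ctx.setAttribute(TOKENS, set);
            }
            return set;
        }
    }

    /** Placeholder for the real JDBC insert. */
    private boolean insertRecord(String name) {
        return name != null && !name.isEmpty();
    }
}
```

page2.jsp then reads ${param.status} to show the message, and no request attribute has to survive the redirect. In a real deployment the token set needs an expiry (or a bound on its size), otherwise abandoned forms leave tokens behind indefinitely.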
I just discovered that when I configure the session plugin of a Catalyst app (Catalyst::Plugin::Session) to expire, it screws with the flash data. More specifically, I'm finding that flash data no longer carries over with a new request.
Does this sound normal? How might I cope with this?
Perfectly normal. The whole point of sessions is to be able to associate data from one request with data in another request. When you let the session for some request expire, you are saying that that request's data shouldn't have anything to do with any future request.
More specifically, the flash data is a part of the session data -- see the _save_flash method in the Catalyst/Plugin/Session.pm file, for instance. Also see the big warning for the delete_session method:
NOTE: This method will also delete your flash data.
How to cope with it? You need to persist data from a request using any scheme other than the Session plugin. Without knowing more about your app, what data you are trying to persist, and how you will associate data from an old session with a new request, I couldn't begin to make a more specific recommendation than that.
When configuring the session, for example with a database backend, you'll have to add flash_to_stash as an option:
<session>
dbi_dbh DB
dbi_table sessions
dbi_id_field id
dbi_data_field session_data
dbi_expires_field expires
flash_to_stash 1
expires 3600
</session>
My Zend session (I am using Zend_Session_Namespace) does not get destroyed on window close. I thought that was the default behavior, and I would really like it to be. Any idea?
Check for and delete any code like this in your application.ini file:
remember_me_seconds = 864000
In the login controller use the following piece of code; then it should work fine.
$remember = $form->getValue("remember");
if ($remember == "yes") {
    $seconds = 60 * 60 * 24 * 30; // remember for 30 days
    Zend_Session::rememberMe($seconds);
} else {
    Zend_Session::forgetMe();
}
I don't know if this helps but here goes.
There are two ways to 'destroy' a session.
On the client side - the cookie
On the server side - the session namespace
The session on the browser is not really destroyed when the browser window is closed. What happens is that the browser will delete the cookie. When the browser goes to your site again it doesn't have a cookie anymore and has to get a new session.
If you set the 'life' of a session to be really short, then the session will be deleted on the server really quickly. Even if a browser with a cookie comes along, if there is no matching session on the server then it will end up getting a new session.
You have to find a way to set the cookie parameter that tells the browser to delete it on window close. I'm not sure what portion the rememberMe() function acts on, whether it's the cookie or the session on the server.
If you set this parameter, the browser will delete the cookie on window close and you'll have 'deleted' the session on the browser side.