I have a web app running on GlassFish 3.1.1 with Struts2 and Spring. After I implemented the Struts2 SSL plugin I had some problems related to the jsessionid cookie. The problem was that if I was going directly to https the cookie was not generated, and I had to ask for the http version of the page; then the struts2ssl plugin redirected me to https and everything was ok. The second problem is that I decided, after the user had logged in, to regenerate the session id (in order to prevent session fixation), and the new session id was not written to the cookie. With all these I decided to use the URL-appended jsessionid, which solved those 2 problems. As you'd expect, there is another problem here, and this is that if I try to access the app via http://myServer:8080/MyApp the jsessionid is appended correctly, but if the same app is accessed via a GlassFish virtual host the jsessionid isn't appended anymore.
I suspect an issue with the vhost configuration...
Any idea?
Thanks,
Adding
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
into web.xml should do the trick, according to the specification.
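The session-id regeneration the question describes, as an added example (not code from the question or the answer): on a Servlet 3.0 container such as GlassFish 3.1.1 there is no HttpServletRequest#changeSessionId(), so the old session is invalidated and its attributes moved into a fresh one; the helper class, the "user" attribute name and the assumption that the app has forced COOKIE tracking are mine.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Session-fixation defence for a Servlet 3.0 container (GlassFish 3.1.1),
 * which predates HttpServletRequest#changeSessionId() from Servlet 3.1.
 * Hypothetical helper, not part of the original question or answer.
 *
 * Pairs with this web.xml fragment so the new id travels only in a cookie:
 *   <session-config>
 *     <tracking-mode>COOKIE</tracking-mode>
 *     <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
 *   </session-config>
 */
public final class SessionRegenerator {

    private SessionRegenerator() {}

    /**
     * Drops the pre-login session and moves its attributes into a brand-new
     * session, so the container assigns a new JSESSIONID and sends it as a
     * Set-Cookie header instead of appending it to URLs.
     */
    public static HttpSession regenerate(HttpServletRequest request, String principal) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // any id planted before login is now worthless
        }
        HttpSession fresh = request.getSession(true); // container issues a new id
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", principal); // assumed attribute name
        return fresh;
    }
}
```

Call it once, right after credentials are verified and before anything is written to the response, since the new Set-Cookie header has to go out with that same response.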
Jenkins was working fine on Firefox until a couple of weeks back.
http://www.sub.domain.com:8080
Then I think there was a Firefox update and by default it was redirecting to
https://www.sub.domain.com:8080
There was no way I could force it to http.
So I went on Chrome and it worked there until this morning when I got the Chrome 77 update.
Same issue all over again.
Then I loaded it up on IE. It works fine. I am able to use
http://www.sub.domain.com:8080
I checked with the admin if they are redirecting all traffic to https but that's not the case. What's happening here? Any browser change that I am not aware of? Any Jenkins config change that I should be using?
Did you check the HSTS cache in Chrome? Go to chrome://net-internals/#hsts
Query the HSTS cache there. If there is a result you can clear it using the delete option on that page.
Another thing to check is if you're using the Jenkins HSTS filter plugin, "which adds a response header indicating that HTTP Strict Transport Security (HSTS) response headers should be sent." See https://wiki.jenkins.io/display/JENKINS/HSTS+Filter+Plugin
I am having an issue with the Spring Security demo by Vladimir. When I change the binding and assertion consumer service to HTTP-POST by default, I get the following error...
IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Cannot resolve element with ID xxxx
...as a result of an XMLSignatureException.
I have noticed that OpenAM is trying to redirect me to http://localhost:8080/SSOPOST/metaAlias/idp however in the IdP metadata it is specified as http://localhost:8080/openam/SSOPOST/metaAlias/idp.
Obviously I am getting a 404 error but I can't work out why it is redirecting me to an SSOPOST url without the application context.
Scrolling up the logs I can see an earlier getRemoteServiceURL NullPointerException but from what I have read this is part of normal OpenAM logs?
My configuration authenticates fine to OpenAM with the default SOAP settings. Why would HTTP-POST be any different?
Just to let everyone know, I contacted ForgeRock and worked through the issue with them. This problem is related to the following issue: https://bugster.forgerock.org/jira/browse/OPENAM-2644
It is actually a bug in OpenAM which was exposed with the latest Java update (version 1.7.0_25). The temporary solution (until OpenAM 10.2 is released) is to revert back to a previous version of Java.
Reverting to Java version 1.7.0_21 fixed the issue for me.
I have tried many ways to use the HttpOnly flag to prevent XSS attacks, but all failed.
The common way is to set useHttpOnly="true" in context.xml.
To test the result: in the Java code I set two test cookies, and in the front JSP file I include JavaScript to alert document.cookie; the two test cookies set in the Java code are retrieved and shown in the alert.
Java code:
Cookie cookie = new Cookie("httponlytest","testsss");   // no HttpOnly flag set on the cookie itself
response.addCookie(cookie);
Cookie cookie1 = new Cookie("testhttponly","successfu");
response.addCookie(cookie1);
JavaScript in the JSP file:
alert("cookie------------"+document.cookie);           // both cookies show up here
Is there anything I did wrong?
If you know how, it would be very helpful.
For others who do not know HttpOnly:
HttpOnly=true is a relatively new attribute to make a cookie in the browser inaccessible to JavaScript.
So it is a browser-only security (XSS) technique to prevent accessing JSESSION_ID (hijacking java sessions) and such.
So you could always set the HttpOnly attribute in the Cookie itself. For the Java session ID it is now default I think, at least it should be.
<Context useHttpOnly="true">
This seems to work only for JSESSIONID. I just found this in SO.
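Setting the flag on the application's own cookies, as the answer suggests, shown as an added example rather than the asker's code: the first method uses the Servlet 3.0 Cookie API (Tomcat 7, GlassFish 3), the second writes the header by hand for Servlet 2.5 containers (Tomcat 6) that lack setHttpOnly(); the class and method names are mine.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the asker's code. The useHttpOnly Context attribute only
 * covers the container-managed JSESSIONID; cookies the application creates
 * itself must carry the HttpOnly (and Secure) flags explicitly.
 */
public final class CookieFlags {

    private CookieFlags() {}

    /** Servlet 3.0+: the Cookie API exposes both flags directly. */
    public static Cookie hardened(String name, String value, boolean httpsOnly) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);     // no longer visible in document.cookie
        c.setSecure(httpsOnly);  // when true, sent only over TLS
        c.setPath("/");
        return c;
    }

    /**
     * Servlet 2.5: no setHttpOnly(), so emit the Set-Cookie header ourselves.
     * The value is assumed to already be cookie-safe (no ';' or control characters).
     */
    public static void addLegacyHttpOnly(HttpServletResponse response,
                                         String name, String value, boolean httpsOnly) {
        StringBuilder header = new StringBuilder();
        header.append(name).append('=').append(value).append("; Path=/; HttpOnly");
        if (httpsOnly) {
            header.append("; Secure");
        }
        response.addHeader("Set-Cookie", header.toString());
    }
}
```

With either variant the alert("..." + document.cookie) test from the question stops listing those cookies, which is exactly the behaviour HttpOnly is meant to enforce.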
Recently I was dealing with http-only=true cookies. During my research I found that Mozilla and Chrome do not allow Java applets to use http-only=true cookies. I was getting an issue accessing the JsessionidSSO cookie. During my research on bugs in Java I found this bug
While in IE there is no issue in reading the cookies, as IE has provided the InternetGetCookieEx() API to access http-only cookies and added the flag INTERNET_COOKIE_HTTPONLY, available only in IE8 and above. So the problem of accessing http-only cookies is still not solved, as Java proposed the fix for Java 7 update 40 while the current version is Java 7 update 21.
I was using Tomcat 6.0.26 with my project for a long time. Now I need to use EL 2.2 in this project, so I moved it to Tomcat 7.0.19 with no other changes (using Mojarra 2.1.2-b04 with RichFaces 4.0.0). When I start it up, everything is fine until I try any a4j:commandButton or h:commandButton; it throws ViewExpiredException even if the application has been started for less than a minute (for info, I've forced a 30 min session timeout in web.xml).
The only thing that makes the application work is changing this setting:
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
It was server and I changed it to client, but the server setting is best, to keep data server side and not transfer it to the client on each request.
Edit: Looks like changing server to client fixes the ViewExpiredException problem, but the user login function on the website doesn't work anymore. It logs into the user home, but after any link is clicked it behaves as if the user is not logged in (I use a SessionScoped ManagedBean to keep user information).
Anyone have this bug?
Thank you,
Alex.
You will get a ViewExpiredException when the view is not in the session anymore. The described symptoms suggest that the session cookie is not maintained and thus every request has somehow forced the server to create a brand new session.
I can't reproduce your problem locally on a barebones Mojarra 2.1.2 project targeted at Tomcat 7.0.19. The session gets maintained perfectly fine. I see the Set-Cookie response header for JSESSIONID on the first request and I see the Cookie request header for JSESSIONID on every subsequent request within the same browser session. That's how it's supposed to work. So the problem is at least not directly related to Mojarra 2.1.2 or Tomcat 7.0.19.
You can use Firebug to see and track the JSESSIONID cookie yourself. That's the first thing I would do. You should check if it's the browser that refuses to send the Cookie request header back (I don't think that this is the case), or if it's the server that sends a new Set-Cookie response header every time (I think that this is the case). If it's indeed the server that re-creates the session every time even though the browser has sent the Cookie header, then that can only mean that there's an incorrect HttpSession#invalidate() call somewhere in the code base which forces that. Run a debugger to nail down the culprit.
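A server-side way to nail down the culprit the answer describes, as an added example (not the answer's own code): a Servlet 3.0 HttpSessionListener that logs every session create and destroy and prints a stack trace on destroy, so a stray HttpSession#invalidate() shows its calling code in the Tomcat log; the class name and log format are mine.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added debugging aid, not part of the answer. On Tomcat 7 the @WebListener
 * annotation is picked up automatically, no web.xml entry required.
 *
 * Reading the log against the browser's requests tells the two cases apart:
 *  - one "created" line per request  -> the Cookie header never reaches the app
 *  - "destroyed" with app frames      -> something calls invalidate() explicitly
 */
@WebListener
public class SessionChurnListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        System.out.println("[session] created " + se.getSession().getId()
                + " maxInactive=" + se.getSession().getMaxInactiveInterval() + "s");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // An explicit invalidate() arrives here with the application's frames on
        // the stack; a timeout arrives from the container's background thread.
        System.out.println("[session] destroyed " + se.getSession().getId());
        new Throwable("session destroyed here").printStackTrace(System.out);
    }
}
```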
I have an ASP.NET MVC 1.0 app and am setting a cookie to hold data.
It works fine when tested in IE with VS2008.
When I deploy to IIS6 site no cookie is created.
Site uses HTTPS.
I am checking Temporary Internet Files folder for the cookie.
Any ideas of things to check?
Malcolm
Make sure that if the cookie you are setting has the Domain property set, the value corresponds to the domain you are hosting your web site under in IIS6.