I know that I can set the session timeout in web.xml in the <session-config> section. What I need now is to change this setting dynamically during runtime, i.e. call a method that overrides the web.xml setting if needed.
Any ideas? I found nothing so far.
Found it! As described in JBoss Session Timeout one can use HttpSession.setMaxInactiveInterval(int seconds).
Related
I have 2 faces-config.xml file.
I created a new page and added bean into the second file.
However, the first faces-config file automatically keeps adding bean to it as well.
Thus, every time I tried to refresh a page there is a classNotFoundException because there are 2 classes
for that page.
Can anyone tell me the cause and how to fix this?
(I am using ibm rad6)
I'm using Vaadin 7.4.3, tomcat 8. During the wizard to create Vaadin 7 project in eclipse, it has a checkbox called "Generate web.xml deployment descriptor".
The new way is to use annotation instead of specify it in the web.xml. Are there any configurations that I have to use web.xml because there's no annotation for it? Is it a good practice to always generate the web.xml even if you might not use it for Vaadin 7.1 projects and up?
Thanks
Yes, there are for sure some aspects of app that cannot be configured using annotations (i.e. there is no annotation to state that you want to have your session cookies "http-only" ).
I would recommend you to create web.xml file when it is needed. Sooner or later it would probably will be used, but don't worry too much in advance. It is not a dark magic to create web.xml file in existing project :)
I have tried many ways to use the httponly flag to prevent XSS attack, but all failed.
Common way is to set use HttpOnly=true in context.xml
For test the result: in the java code set two test parameters in the cookie and in front jsp file include javascript to alert thedocument.cookie, the two test parameters set in java code are get and show in the alert.
Java code:
Cookie cookie = new Cookie("httponlytest","testsss");
response.addCookie(cookie);
Cookie cookie1 = new Cookie("testhttponly","successfu");
response.addCookie(cookie1);
javascript in jsp file:
alert("cookie------------"+document.cookie);
Is there anything i did wrong?
If you know how, it would be very helpful.
For others who do not know HttpOnly:
HttpOnly=true is a relative new attribute to make a cookie in the browser inaccessible to JavaScript.
So it is a browser-only security (XSS) technique to prevent accessing JSESSION_ID (hijacking java sessions) and such.
So you could always set the HttpOnly attribute in the Cookie itself. For the Java session ID it is now default I think, at least it should be.
<Context useHttpOnly="true">
This seems to work only for JSESSIONID. I just found this in SO.
Recently I was dealing with http-only=true cookies. During my research i found that Mozilla and Chrome do not allow java applets to use http-only=true cookies. I was getting issue in accessing the JsessionidSSO cookie. During my research on bugs of JAVA i found this bug
While in IE there is no issue in reading the cookies as IE has provided InternetGetCookieEx() API's to access http-only cookies and added the flag INTERNET_COOKIE_HTTPONLY available only IE8 and above versions. So the problem of accessing the http-only cookies still not solved as java proposed the fix in java 7 update 40 while the current version is java 7 update21.
I am using Apache MyFaces 2.0. I notice that a cookie oam.Flash.RENDERMAP.TOKEN is getting created for each view, even though I am not using Flash scope and I have set org.apache.myfaces.DISABLE_FLASH_SCOPE=true.
How can I remove the oam.Flash.RENDERMAP.TOKEN cookie?
This is WebSphere specific issue
It's old thread, but it took me a while to find an answer, so I leave this for others... Should be:
org.apache.myfaces.FLASH_SCOPE_DISABLED
not DISABLE_FLASH_SCOPE. So in detail, add:
<context-param>
<param-name>org.apache.myfaces.FLASH_SCOPE_DISABLED</param-name>
<param-value>true</param-value>
</context-param>
to your web.xml.
Works good since 2.0.5.
The issue is fixed with WebSphere Fix Pack V8.0.0.6.
Refer http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PM73173
Despite searching the plugin docs and general searching, I can't find an answer to this one. The closest I've gotten is the end of this page, which seems to describe setting a Tomcat timeout. There is an entire section of the plugin docs titled "Configuration Settings Now in Config.groovy", is there no way to configure timeout for the plugin without involving the container's settings?
The plugin doesn't have settings for session duration - it just uses whatever is configured for the whole app. You can do this by editing web.xml (run grails install-templates if you haven't yet) and edit src/templates/war/web.xml. Add
<session-config>
<session-timeout>30</session-timeout>
</session-config>
before the welcome-file-list element and set the session-timeout value to whatever number of minutes you want it to be.