Problem: when running in a cluster with multiple processes/nodes, the session is lost because mod_oc4j cannot route to the "correct" OC4J node/process.
To set the "secure" and "httponly" flags on the session cookie, a servlet filter like the following was created:
public final void doFilter(final ServletRequest servletRequest,
        final ServletResponse servletResponse, final FilterChain filterChain)
        throws IOException, ServletException {
    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    if (!response.containsHeader("SET-COOKIE")) {
        final String sessionId = request.getSession().getId();
        final String contextPath = request.getContextPath();
        // Only mark the cookie "Secure" when the request arrived over HTTPS.
        String secure = "";
        if (request.isSecure()) {
            secure = "; Secure";
        }
        // Hand-built session cookie: it is assembled from the session id alone,
        // so it does not contain the jvmroute information (see below).
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionId
                + "; Path=" + contextPath + "; HttpOnly" + secure);
    }
    filterChain.doFilter(servletRequest, response);
}
This works quite well as long as the OC4J instance consists of only one process, but when running in a cluster with multiple processes/nodes, the jvmroute information is not contained in the so-generated cookie, and thus the session is lost because the mod_oc4j cannot route to the "correct" OC4J node/process.
Symptoms:
OC4J generates the session cookie when committing the request, i.e. at the latest possible moment, and generates it independently of all other cookies that are set with setCookie() or setHeader().
The mechanics of how the "jvmroute" is used for this, and even the jvmroute information itself, are not accessible at the application level (= filter level).
As a conclusion from that, you cannot use a servlet filter to generate the session cookie -- you need to leave the creation of the session cookie to OC4J.
Solution:
The issue is due to bug 5908683 ADD SUPPORT FOR "HTTPONLY" ATTRIBUTE ON SESSION COOKIE.
Specify the cookie domain like ".oracle.com; HttpOnly".
In order to add the "secure" flag you can use the set-secure attribute, documented in
Oracle® Containers for J2EE Servlet Developer's Guide
10g (10.1.3.1.0)
Part Number B28959-01
B Web Module Configuration Files
http://download.oracle.com/docs/cd/B32110_01/web.1013/b28959/xmlfiles.htm#CJAGCICC
There is no direct support for setting the "HttpOnly" flag, but configuring the cookie-domain setting like "your.domain.com; HttpOnly" would do the trick, and setting the cookie path in a similar way, like "/myapp/; HttpOnly", would work, too.
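To confirm that the workaround above takes effect, the following added example (not code from the original post or from Oracle) parses a Set-Cookie value the way a browser does and reports which flags are missing. The class name SessionCookieCheck and both header strings are constructed for illustration, and it is an assumption that the container writes the configured cookie-domain string into the Domain attribute unchanged.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class SessionCookieCheck {

    // Split a Set-Cookie value on ';' as a browser does (RFC 6265):
    // the first part is name=value, every later part is one attribute.
    static Map<String, String> parseAttributes(String setCookie) {
        Map<String, String> attrs = new LinkedHashMap<>();
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            if (kv[0].isEmpty()) {
                continue; // stray ';' or attribute without a name
            }
            String value = kv.length == 2 ? kv[1].trim() : "";
            attrs.put(kv[0].trim().toLowerCase(Locale.ROOT), value);
        }
        return attrs;
    }

    // Flags a session cookie should carry but does not.
    static List<String> missingFlags(String setCookie, boolean overTls) {
        Map<String, String> attrs = parseAttributes(setCookie);
        List<String> missing = new ArrayList<>();
        if (!attrs.containsKey("httponly")) {
            missing.add("HttpOnly");
        }
        if (overTls && !attrs.containsKey("secure")) {
            missing.add("Secure");
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed headers; ASSUMPTION: the container writes the configured
        // cookie-domain string into the Domain attribute unchanged.
        String plain = "JSESSIONID=CONSTRUCTED-ID; Domain=your.domain.com; Path=/myapp";
        String tricked = "JSESSIONID=CONSTRUCTED-ID; Domain=your.domain.com; HttpOnly"
                + "; Path=/myapp; Secure";
        System.out.println("plain   missing: " + missingFlags(plain, true));
        System.out.println("tricked missing: " + missingFlags(tricked, true));
        System.out.println("tricked Domain : " + parseAttributes(tricked).get("domain"));
    }
}
```

Because the parser splits on ';', the "; HttpOnly" suffix appended to the domain setting is read as a separate attribute while the Domain value itself stays "your.domain.com".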
Surely this is better supported by the WebLogic Server, which has many more settings in order to configure the session cookie, see
Oracle® Fusion Middleware Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server
11g Release 1 (10.3.3)
Part Number E13712-02
B weblogic.xml Deployment Descriptor Elements
session-descriptor
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13712/weblogic_xml.htm#WBAPP587