Posted to user@struts.apache.org by Deepa Khetan <de...@gmail.com> on 2006/01/16 07:47:07 UTC

[OT] Cookies enabled on browsers

Hi!
My application requires "per-session cookie" to be enabled on client
browser. How can I determine in my Java code if it is enabled or not!
Deepa

Re: [OT] Cookies enabled on browsers

Posted by Deepa Khetan <de...@gmail.com>.
Oh!!! I was mixing both of them!! Thanks Leon!! I will need to explicitly
set the MaxAge of the Cookie to 0, if I want it to expire on Logout!!



On 1/16/06, Leon Rosenberg <ro...@googlemail.com> wrote:
>
> On 1/16/06, Deepa Khetan <de...@gmail.com> wrote:
> > yes, I also don't understand the same. When I keep my browser privacy level
> > to "medium-High" I get a true for request.isRequestedSessionIdFromCookie(),
> > and if it is "High" or "All Cookies Blocked", I get it as false!
> > Also, I have non-persistent cookies, which ideally should expire when my
> > session expires.
>
> Don't mix up browser and servlet container sessions. Non-persistent
> cookies expire when you close your browser.
> Regards
> Leon
>
> > but they don't! If I logout for a user, I am doing
> > session.invalidate(). With the same browser, if I again login and print the
> > values of the Cookie, before I am setting them, I get the previous values! So,
> > how am I supposed to make sure that the Cookie Expires??
> >
> > On 1/16/06, Christian Bollmeyer <ja...@christianbollmeyer.de> wrote:
> > >
> > > Craig McClanahan wrote:
> > > > On 1/15/06, Deepa Khetan <de...@gmail.com> wrote:
> > > >> Hi!
> > > >> My application requires "per-session cookie" to be enabled on client
> > > >> browser. How can I determine in my Java code if it is enabled or not!
> > > >> Deepa
> > > >
> > > > There is only one test that is useful for this ... set a cookie on one
> > > > response, and see if that cookie comes back in on the subsequent request.
> > > > There is absolutely no way to know, from a current request, whether or not
> > > > cookies are enabled for *your* webapp.
> > > >
> > > > Craig McClanahan
> > >
> > > Hm. So I understand request.isRequestedSessionIdFromCookie() is
> > > presumed to be useless, then? Why exactly?
> > >
> > > -- Chris.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > > For additional commands, e-mail: user-help@struts.apache.org
>
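
An added example, not part of the original thread: a logout helper showing that `session.invalidate()` only clears server-side state, so the application cookie has to be expired explicitly with `setMaxAge(0)`, plus a check that rejects a stale cookie value. The class name, the cookie name `loginToken` and the idea of keeping a copy of the value in the session are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper; the cookie and session attribute name is an assumption.
public final class LoginTokenCookie {
    static final String NAME = "loginToken";

    /** Logout: drop server-side state AND tell the browser to delete the cookie. */
    public static void logout(HttpServletRequest req, HttpServletResponse resp) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();          // does not touch application cookies
        }
        Cookie expired = new Cookie(NAME, "");
        expired.setPath(path(req));        // must equal the path used when it was set
        expired.setMaxAge(0);              // 0 = delete now; negative = until browser exit
        resp.addCookie(expired);
    }

    /** Accept the cookie only if it equals the copy kept in the current session. */
    public static boolean matchesSession(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        Cookie[] cookies = req.getCookies();          // null when no cookies were sent
        if (session == null || cookies == null) return false;
        Object expected = session.getAttribute(NAME);
        if (!(expected instanceof String)) return false;
        for (Cookie c : cookies) {
            if (NAME.equals(c.getName())) {
                return MessageDigest.isEqual(         // comparison without early exit
                        ((String) expected).getBytes(StandardCharsets.UTF_8),
                        c.getValue().getBytes(StandardCharsets.UTF_8));
            }
        }
        return false;
    }

    static String path(HttpServletRequest req) {
        String ctx = req.getContextPath();            // "" for the root webapp
        return ctx.isEmpty() ? "/" : ctx;
    }
}
```

Because the value is compared with a copy held in the new session, a cookie left over from an earlier login in the same browser window fails the check even if the browser never deleted it.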

Re: [OT] Cookies enabled on browsers

Posted by Leon Rosenberg <ro...@googlemail.com>.
On 1/16/06, Deepa Khetan <de...@gmail.com> wrote:
> yes, I also don't understand the same. When I keep my browser privacy level
> to "medium-High" I get a true for request.isRequestedSessionIdFromCookie(),
> and if it is "High" or "All Cookies Blocked", I get it as false!
> Also, I have non-persistent cookies, which ideally should expire when my
> session expires.

Don't mix up browser and servlet container sessions. Non-persistent
cookies expire when you close your browser.
Regards
Leon

> but they don't! If I logout for a user, I am doing
> session.invalidate(). With the same browser, if I again login and print the
> values of the Cookie, before I am setting them, I get the previous values! So,
> how am I supposed to make sure that the Cookie Expires??
>
> On 1/16/06, Christian Bollmeyer <ja...@christianbollmeyer.de> wrote:
> >
> > Craig McClanahan wrote:
> > > On 1/15/06, Deepa Khetan <de...@gmail.com> wrote:
> > >> Hi!
> > >> My application requires "per-session cookie" to be enabled on client
> > >> browser. How can I determine in my Java code if it is enabled or not!
> > >> Deepa
> > >
> > > There is only one test that is useful for this ... set a cookie on one
> > > response, and see if that cookie comes back in on the subsequent request.
> > > There is absolutely no way to know, from a current request, whether or not
> > > cookies are enabled for *your* webapp.
> > >
> > > Craig McClanahan
> >
> > Hm. So I understand request.isRequestedSessionIdFromCookie() is
> > presumed to be useless, then? Why exactly?
> >
> > -- Chris.



Re: [OT] Cookies enabled on browsers

Posted by Deepa Khetan <de...@gmail.com>.
yes, I also don't understand the same. When I keep my browser privacy level
to "medium-High" I get a true for request.isRequestedSessionIdFromCookie(),
and if it is "High" or "All Cookies Blocked", I get it as false!
Also, I have non-persistent cookies, which ideally should expire when my
session expires. But they don't! If I logout for a user, I am doing
session.invalidate(). With the same browser, if I again login and print the
values of the Cookie, before I am setting them, I get the previous values! So,
how am I supposed to make sure that the Cookie Expires??



On 1/16/06, Christian Bollmeyer <ja...@christianbollmeyer.de> wrote:
>
> Craig McClanahan wrote:
> > On 1/15/06, Deepa Khetan <de...@gmail.com> wrote:
> >> Hi!
> >> My application requires "per-session cookie" to be enabled on client
> >> browser. How can I determine in my Java code if it is enabled or not!
> >> Deepa
> >
> > There is only one test that is useful for this ... set a cookie on one
> > response, and see if that cookie comes back in on the subsequent request.
> > There is absolutely no way to know, from a current request, whether or not
> > cookies are enabled for *your* webapp.
> >
> > Craig McClanahan
>
> Hm. So I understand request.isRequestedSessionIdFromCookie() is
> presumed to be useless, then? Why exactly?
>
> -- Chris.

Re: [OT] Cookies enabled on browsers

Posted by Deepa Khetan <de...@gmail.com>.
okie!! That sounds fine.. But for my requirements, I need the user to login
and on login I set his userid in session and also create a cookie for some
random number storage. I do this in my first Action Class which is also
checking for Valid user. This works fine till now. But if Cookies are
disabled on browser, my random number check fails, in subsequent Action
Classes, and I need to logout the user. I need the userid from session, but
in this case, the userid I get is also null! In fact, if I print the
jsessionid, it is also different, although I have request.getSession(false)
in my subsequent Action Classes. Why would this be happening??

On 1/17/06, Craig McClanahan <cr...@apache.org> wrote:
>
> On 1/16/06, Christian Bollmeyer <ja...@christianbollmeyer.de> wrote:
> >
> > Craig McClanahan wrote:
> > > On 1/15/06, Deepa Khetan <de...@gmail.com> wrote:
> > >> Hi!
> > >> My application requires "per-session cookie" to be enabled on client
> > >> browser. How can I determine in my Java code if it is enabled or not!
> > >> Deepa
> > >
> > > There is only one test that is useful for this ... set a cookie on one
> > > response, and see if that cookie comes back in on the subsequent request.
> > > There is absolutely no way to know, from a current request, whether or not
> > > cookies are enabled for *your* webapp.
> > >
> > > Craig McClanahan
> >
> > Hm. So I understand request.isRequestedSessionIdFromCookie() is
> > presumed to be useless, then?
>
> Not true ... it tells you about the state of *this* request ... did the
> client send in a cookie containing the requested session id.  Indeed, the
> container uses this knowledge (on the second and subsequent request of a
> session) to know that it can skip the URL rewriting part.
>
> > Why exactly?
>
> Consider the very first request that comes in to an application, before
> there is a session created yet.  There will not be a session id cookie even
> if the client has cookies enabled, because there has never *been* a session
> yet.  On the request that creates the session, then, the container will send
> the session id both ways (as a cookie and with rewriting), and then sees
> which way it comes back in.
>
> For application cookies, you are in the same position -- there is no way to
> know ahead of time whether the client has cookies enabled (or if the user
> has "warn me on cookie setting" turned on, and might choose to not allow
> *this* particular cookie).  The only recourse is to set the cookie on one
> response and see if it comes back on a later request.
>
> > -- Chris.
>
> Craig

Re: [OT] Cookies enabled on browsers

Posted by Craig McClanahan <cr...@apache.org>.
On 1/16/06, Christian Bollmeyer <ja...@christianbollmeyer.de> wrote:
>
> Craig McClanahan wrote:
> > On 1/15/06, Deepa Khetan <de...@gmail.com> wrote:
> >> Hi!
> >> My application requires "per-session cookie" to be enabled on client
> >> browser. How can I determine in my Java code if it is enabled or not!
> >> Deepa
> >
> > There is only one test that is useful for this ... set a cookie on one
> > response, and see if that cookie comes back in on the subsequent request.
> > There is absolutely no way to know, from a current request, whether or not
> > cookies are enabled for *your* webapp.
> >
> > Craig McClanahan
>
> Hm. So I understand request.isRequestedSessionIdFromCookie() is
> presumed to be useless, then?

Not true ... it tells you about the state of *this* request ... did the
client send in a cookie containing the requested session id.  Indeed, the
container uses this knowledge (on the second and subsequent request of a
session) to know that it can skip the URL rewriting part.

> Why exactly?

Consider the very first request that comes in to an application, before
there is a session created yet.  There will not be a session id cookie even
if the client has cookies enabled, because there has never *been* a session
yet.  On the request that creates the session, then, the container will send
the session id both ways (as a cookie and with rewriting), and then sees
which way it comes back in.

For application cookies, you are in the same position -- there is no way to
know ahead of time whether the client has cookies enabled (or if the user
has "warn me on cookie setting" turned on, and might choose to not allow
*this* particular cookie).  The only recourse is to set the cookie on one
response and see if it comes back on a later request.

> -- Chris.

Craig

Re: [OT] Cookies enabled on browsers

Posted by Christian Bollmeyer <ja...@christianbollmeyer.de>.
Craig McClanahan wrote:
> On 1/15/06, Deepa Khetan <de...@gmail.com> wrote:
>> Hi!
>> My application requires, "per-session cookie" to be enabled on client
>> browser. How can i determine in my java code if it is enabled or not!
>> Deepa
> 
> There is only one test that is useful for this ... set a cookie on one
> response, and see if that cookie comes back in on the subsequent request.
> There is absolutely no way to know, from a current request, whether or not
> cookies are enabled for *your* webapp.

> Craig McClanahan

Hm. So I understand request.isRequestedSessionIdFromCookie() is
presumed to be useless, then? Why exactly?

-- Chris.



Re: [OT] Cookies enabled on browsers

Posted by Craig McClanahan <cr...@apache.org>.
On 1/15/06, Deepa Khetan <de...@gmail.com> wrote:
>
> Hi!
> My application requires, "per-session cookie" to be enabled on client
> browser. How can i determine in my java code if it is enabled or not!
> Deepa
>
>

There is only one test that is useful for this ... set a cookie on one
response, and see if that cookie comes back in on the subsequent request.
There is absolutely no way to know, from a current request, whether or not
cookies are enabled for *your* webapp.

FYI, this is why a servlet container, when a session is first initiated,
will send the session id out both as a cookie *and* as a path parameter (if
the webapp calls response.encodeURL() as it should).  The container has no
way to know whether client cookies are enabled, so it sends the session id
both ways, and then sees which one comes back on the subsequent request.  If
the session id comes back in a cookie, the container can assume that cookies
are enabled, and it will stop encoding the responses with a path parameter.

Craig McClanahan
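
An added example, not part of the original thread: a minimal servlet that performs the two-request test described above, setting a per-session probe cookie on the first response and checking for it on the redirected second request. The servlet name, the cookie name `cookieProbe` and the `probeSent` query parameter are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; map it to any URL inside the webapp.
public class CookieProbeServlet extends HttpServlet {
    private static final String PROBE = "cookieProbe";   // assumed cookie name
    private static final String STEP = "probeSent";      // assumed query parameter

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (req.getParameter(STEP) == null) {
            // Request 1: nothing can be concluded yet. Set the probe and
            // send the browser back here so request 2 can be inspected.
            Cookie probe = new Cookie(PROBE, "1");
            probe.setMaxAge(-1);                 // per-session: dropped when the browser closes
            probe.setPath(cookiePath(req));
            resp.addCookie(probe);
            resp.sendRedirect(req.getRequestURI() + "?" + STEP + "=1");
            return;
        }
        // Request 2: the cookie either came back or it did not.
        boolean enabled = hasCookie(req, PROBE);
        resp.setContentType("text/plain");
        resp.getWriter().println(enabled
                ? "cookies accepted for this webapp"
                : "cookies rejected: require them or fall back to URL rewriting");
    }

    static boolean hasCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();     // null when the request carries no cookies
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return true;
        }
        return false;
    }

    static String cookiePath(HttpServletRequest req) {
        String ctx = req.getContextPath();       // "" for the root webapp
        return ctx.isEmpty() ? "/" : ctx;
    }
}
```

The `probeSent` parameter is what separates "first visit, no cookie yet" from "cookie was offered and refused", which a single request cannot distinguish.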