Posted to users@tomcat.apache.org by "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com> on 2007/06/01 18:57:39 UTC

I would like a new session each time I start my application

Hi,
I have an application that works under tomcat.
Each time I run my application I have the same sessionID. Is there a way
to generate a different sessionID each time I start my application?

Thanks

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: I would like a new session each time I start my application

Posted by "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>.
Thank you so much!
 

-----Original Message-----
From: kempo bob [mailto:bsmith@practical-technology.net] 
Sent: Monday, 04 June 2007 16:40
To: users@tomcat.apache.org
Subject: RE: I would like a new session each time I start my application


Elisabeth,

1) To see what the context tag looks like, see the server-example.xml file that ships with the Tomcat distribution. You're probably running under a minimal configuration that lets most items default.
2) That being said, I don't think it's going to fix your problem to turn off session persistence. Even if you turn persistence off, you're not going to get a new session every time a user goes to index.html. Once a session is created, it remains in effect until it expires as a result of a configured inactivity-timeout or as a result of being deliberately invalidated by servlet code. You could use HttpSession.invalidate() to force it to expire, but I agree with Johnny and David - this really doesn't sound like a good way to accomplish the goal. I'd use one of the methods they described.

Bobby


celia05es wrote:
> 
> Hi,
> Thanks for your quick answer.... When I say "each time I run my 
> application", I mean each time I start my application.
> Let's say my application is : $TOMCAT_HOME/webapps/my_app/index.html
> Each time I execute: $TOMCAT_HOME/webapps/my_app/index.html, I would 
> like a new sessionID to be generated.
> You tell me to disable the session persistence in my app's context.... 
> I suppose you mean the conf/server.xml, the conf/context.xml file?
> I had a look at the server.xml file .... And I have no Context tag?
> The context.xml file does not have a docBase mentioned in the context tag.
> 
> What should I put in the docBase variable?
> docBase="$TOMCAT_HOME/webapps/my_app?
> 
> Thanks
> Elisabeth
> 
> 
> -----Original Message-----
> From: Rashmi Rubdi [mailto:rashmi.sub@gmail.com]
> Sent: Saturday, 02 June 2007 15:53
> To: Tomcat Users List
> Subject: Re: I would like a new session each time I start my 
> application
> 
> On 6/1/07, Bachler, Elisabeth (Elisabeth) 
> <eb...@alcatel-lucent.com>
> wrote:
>> Hi,
>> I have an application that works under tomcat.
>> Each time I run my application I have the same sessionID. Is there a 
>> way
> 
> I guess you mean each time you (re)start Tomcat when you say "Each 
> time I run my application..."
> 
> You might be seeing the same sessionID because of the session persistence.
> 
>> to generate a different sessionID each time I start my application?
> 
> Try disabling the session persistence in your app's Context.
> 
> <Context docBase="......." >
> 
> <Manager className="org.apache.catalina.session.PersistentManager"
> saveOnRestart="false"/>
> 
> </Context>
> 
> 
>> Thanks
> 
> I don't know if the above will work in all versions of Tomcat, but it 
> should work on Tomcat 5.5.x or higher. Next time please mention the 
> version of Tomcat and other relevant details.
> 
> -Rashmi
> 

--
View this message in context: http://www.nabble.com/I-would-like-a-new-session-each-time-I-start-my-application-tf3853422.html#a10951048
Sent from the Tomcat - User mailing list archive at Nabble.com.




RE: I would like a new session each time I start my application

Posted by kempo bob <bs...@practical-technology.net>.
Elisabeth,

1) To see what the context tag looks like, see the server-example.xml file
that ships with the Tomcat distribution. You're probably running under a
minimal configuration that lets most items default.
2) That being said, I don't think it's going to fix your problem to turn off
session persistence. Even if you turn persistence off, you're not going to
get a new session every time a user goes to index.html. Once a session is
created, it remains in effect until it expires as a result of a configured
inactivity-timeout or as a result of being deliberately invalidated by
servlet code. You could use HttpSession.invalidate() to force it to expire,
but I agree with Johnny and David - this really doesn't sound like a good
way to accomplish the goal. I'd use one of the methods they described.

Bobby


celia05es wrote:
> 
> Hi,
> Thanks for your quick answer.... When I say "each time I run my
> application", I mean each time I start my application.
> Let's say my application is : $TOMCAT_HOME/webapps/my_app/index.html 
> Each time I execute: $TOMCAT_HOME/webapps/my_app/index.html, I would like
> a new sessionID to be generated.
> You tell me to disable the session persistence in my app's context.... I
> suppose you mean the conf/server.xml, the conf/context.xml file?
> I had a look at the server.xml file .... And I have no Context tag?
> The context.xml file does not have a docBase mentioned in the context tag.
> 
> What should I put in the docBase variable?
> docBase="$TOMCAT_HOME/webapps/my_app?
> 
> Thanks
> Elisabeth
> 
> 
> -----Original Message-----
> From: Rashmi Rubdi [mailto:rashmi.sub@gmail.com] 
> Sent: Saturday, 02 June 2007 15:53
> To: Tomcat Users List
> Subject: Re: I would like a new session each time I start my application
> 
> On 6/1/07, Bachler, Elisabeth (Elisabeth) <eb...@alcatel-lucent.com>
> wrote:
>> Hi,
>> I have an application that works under tomcat.
>> Each time I run my application I have the same sessionID. Is there a 
>> way
> 
> I guess you mean each time you (re)start Tomcat when you say "Each time I
> run my application..."
> 
> You might be seeing the same sessionID because of the session persistence.
> 
>> to generate a different sessionID each time I start my application?
> 
> Try disabling the session persistence in your app's Context.
> 
> <Context docBase="......." >
> 
> <Manager className="org.apache.catalina.session.PersistentManager"
> saveOnRestart="false"/>
> 
> </Context>
> 
> 
>> Thanks
> 
> I don't know if the above will work in all versions of Tomcat, but it
> should work on Tomcat 5.5.x or higher. Next time please mention the
> version of Tomcat and other relevant details.
> 
> -Rashmi
> 



RE: I would like a new session each time I start my application

Posted by "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>.
Hi,
Thanks for your quick answer.... When I say "each time I run my application", I mean each time I start my application.
Let's say my application is : $TOMCAT_HOME/webapps/my_app/index.html 
Each time I execute: $TOMCAT_HOME/webapps/my_app/index.html, I would like a new sessionID to be generated.
You tell me to disable the session persistence in my app's context.... I suppose you mean the conf/server.xml, the conf/context.xml file?
I had a look at the server.xml file .... And I have no Context tag?
The context.xml file does not have a docBase mentioned in the context tag.

What should I put in the docBase variable? docBase="$TOMCAT_HOME/webapps/my_app?

Thanks
Elisabeth


-----Original Message-----
From: Rashmi Rubdi [mailto:rashmi.sub@gmail.com] 
Sent: Saturday, 02 June 2007 15:53
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

On 6/1/07, Bachler, Elisabeth (Elisabeth) <eb...@alcatel-lucent.com> wrote:
> Hi,
> I have an application that works under tomcat.
> Each time I run my application I have the same sessionID. Is there a 
> way

I guess you mean each time you (re)start Tomcat when you say "Each time I run my application..."

You might be seeing the same sessionID because of the session persistence.

> to generate a different sessionID each time I start my application?

Try disabling the session persistence in your app's Context.

<Context docBase="......." >

<Manager className="org.apache.catalina.session.PersistentManager"
saveOnRestart="false"/>

</Context>


> Thanks

I don't know if the above will work in all versions of Tomcat, but it should work on Tomcat 5.5.x or higher. Next time please mention the version of Tomcat and other relevant details.

-Rashmi



Re: I would like a new session each time I start my application

Posted by Rashmi Rubdi <ra...@gmail.com>.
On 6/1/07, Bachler, Elisabeth (Elisabeth) <eb...@alcatel-lucent.com> wrote:
> Hi,
> I have an application that works under tomcat.
> Each time I run my application I have the same sessionID. Is there a way

I guess you mean each time you (re)start Tomcat when you say "Each
time I run my application..."

You might be seeing the same sessionID because of the session persistence.

> to generate a different sessionID each time I start my application?

Try disabling the session persistence in your app's Context.

<Context docBase="......." >

<Manager className="org.apache.catalina.session.PersistentManager"
saveOnRestart="false"/>

</Context>


> Thanks

I don't know if the above will work in all versions of Tomcat, but it
should work on Tomcat 5.5.x or higher. Next time please mention the
version of Tomcat and other relevant details.

-Rashmi



RE: I would like a new session each time I start my application

Posted by Tim Lucia <ti...@yahoo.com>.
I do not have any idea *why* you want to do this, but you can use
session.invalidate() to guarantee the next request will have a new session
ID.

http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpSession.html#invalidate()

Tim

> -----Original Message-----
> From: Bachler, Elisabeth (Elisabeth) [mailto:ebachler@alcatel-lucent.com]
> Sent: Monday, June 04, 2007 6:32 AM
> To: Tomcat Users List
> Subject: RE: I would like a new session each time I start my application
> 
> The thing is that my application accesses a database. When the user wants
> to modify the db, I lock the access to this particular action (and let
> the user only view the data) using the sessionID.
> Now, if the user is "bad"... He can log on once and get the modify
> action... Then he can open a new screen and modify things again... Which
> is not what I need. Every time a new screen is open to execute the
> application I need a different sessionID. Do you see what my problem is
> ? I don't know another way of doing it.
> 
> 
> -----Original Message-----
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> Sent: Monday, 04 June 2007 11:07
> To: Tomcat Users List
> Subject: Re: I would like a new session each time I start my application
> 
> Liz, please tell us what you're actually doing and why you need this?
> I think there is a conceptual problem...
> 
> ----- Original Message -----
> From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
> To: <us...@tomcat.apache.org>
> Sent: Friday, June 01, 2007 6:57 PM
> Subject: I would like a new session each time I start my application
> 
> 
> Hi,
> I have an application that works under tomcat.
> Each time I run my application I have the same sessionID. Is there a way
> to generate a different sessionID each time I start my application?
> 
> Thanks
> 


RE: I would like a new session each time I start my application

Posted by "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>.
Thank you very much. I will do as you suggest.
Elisabeth
 

-----Original Message-----
From: David Smith [mailto:dns4@cornell.edu] 
Sent: Monday, 04 June 2007 15:58
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

I'm suggesting you generate a token when rendering a form and store it
as an attribute of the session and as a hidden field in the form.  Every
time you get a form submission, compare the request parameter against
the session stored value and process the request.  Retrieve and remove
the attribute as soon as a form submission comes in to both flag your
jsp that there isn't already a token out there and help protect against
a double submit.  Some users just can't resist that itchy trigger finger
;-).

--David

Bachler, Elisabeth (Elisabeth) wrote:

>Thanks for your response.... Are you saying that every time the 
>index.html is executed, I should generate a random number and send it 
>to the other files. Then compare it with the one I have in the stack ?
> 
>
>Elisabeth
>
>
>-----Original Message-----
>From: David Smith [mailto:dns4@cornell.edu]
>Sent: Monday, 04 June 2007 14:10
>To: Tomcat Users List
>Subject: Re: I would like a new session each time I start my 
>application
>
>As an alternative, you could incorporate one time tokens.  Generate on 
>every page request, stored in both session and request parameters and 
>compare on every submission.  If they go out of sync (i.e. an old one 
>shows up) you know they spawned a new window.  In that case the old 
>window should be considered abandoned.  Post a polite error message and 
>otherwise ignore the request.
>
>The tokens don't have to be complex -- a simple 16 bit random number 
>should be more than sufficient.  You could build it as a filter to help
>validate the request before it gets to your action code.
>
>--David
>
>Johnny Kewl wrote:
>
>  
>
>>Can't say I do understand...
>>Session IDs are almost untouchables... they're used by too many things, 
>>authentication, SSO, load balancing, and I'm worried that when the 
>>user does something as simple as a right click and opens a new page, 
>>the app breaks.
>>
>>I'm not sure what you're saying but I would rather go for something like 
>>change credits.
>>So, user does something that allows them one change... you store that 
>>in session ID, as an attribute, something like, 
>>setAttribute(ChangeCredit, 1); Now they can open 20 pages.... but on 
>>page 5 they make the change....
>>the attribute is set back to 0;
>>None of the other pages will allow it.... something like that.
>>
>>All I think that is happening is you're trying to store state in the 
>>browser page, instead of the Session. i.e. you give them page, they 
>>change, you present them with page that is one state further on... i.e. 
>>thank you for change, can't change anymore, but user just has to open 
>>new page and they're back to the beginning.
>>But if you store the state in the session.... that won't happen.
>>Irony is I think you actually need that Session.
>>
>>Good Luck
>>
>>----- Original Message ----- From: "Bachler, Elisabeth (Elisabeth)" 
>><eb...@alcatel-lucent.com>
>>To: "Tomcat Users List" <us...@tomcat.apache.org>
>>Sent: Monday, June 04, 2007 12:32 PM
>>Subject: RE: I would like a new session each time I start my 
>>application
>>
>>
>>The thing is that my application accesses a database. When the user 
>>wants to modify the db, I lock the access to this particular action 
>>(and let the user only view the data) using the sessionID.
>>Now, if the user is "bad"... He can log on once and get the modify 
>>action... Then he can open a new screen and modify things again...
>>Which is not what I need. Every time a new screen is open to execute 
>>the application I need a different sessionID. Do you see what my 
>>problem is ? I don't know another way of doing it.
>>
>>
>>-----Original Message-----
>>From: Johnny Kewl [mailto:john@kewlstuff.co.za]
>>Sent: Monday, 04 June 2007 11:07
>>To: Tomcat Users List
>>Subject: Re: I would like a new session each time I start my 
>>application
>>
>>Liz, please tell us what you're actually doing and why you need this?
>>I think there is a conceptual problem...
>>
>>----- Original Message -----
>>From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
>>To: <us...@tomcat.apache.org>
>>Sent: Friday, June 01, 2007 6:57 PM
>>Subject: I would like a new session each time I start my application
>>
>>
>>Hi,
>>I have an application that works under tomcat.
>>Each time I run my application I have the same sessionID. Is there a 
>>way to generate a different sessionID each time I start my
>>application?
>>
>>Thanks
>>


Re: I would like a new session each time I start my application

Posted by David Smith <dn...@cornell.edu>.
I'm suggesting you generate a token when rendering a form and store it 
as an attribute of the session and as a hidden field in the form.  Every 
time you get a form submission, compare the request parameter against 
the session stored value and process the request.  Retrieve and remove 
the attribute as soon as a form submission comes in to both flag your 
jsp that there isn't already a token out there and help protect against 
a double submit.  Some users just can't resist that itchy trigger 
finger  ;-).

--David

Bachler, Elisabeth (Elisabeth) wrote:

>Thanks for your response.... Are you saying that every time the
>index.html is executed, I should generate a random number and send it to
>the other files. Then compare it with the one I have in the stack ?
> 
>
>Elisabeth
>
>
>-----Original Message-----
>From: David Smith [mailto:dns4@cornell.edu] 
>Sent: Monday, 04 June 2007 14:10
>To: Tomcat Users List
>Subject: Re: I would like a new session each time I start my application
>
>As an alternative, you could incorporate one time tokens.  Generate on
>every page request, stored in both session and request parameters and
>compare on every submission.  If they go out of sync (i.e. an old one
>shows up) you know they spawned a new window.  In that case the old
>window should be considered abandoned.  Post a polite error message and
>otherwise ignore the request.
>
>The tokens don't have to be complex -- a simple 16 bit random number
>should be more than sufficient.  You could build it as a filter to help
>validate the request before it gets to your action code.
>
>--David
>
>Johnny Kewl wrote:
>
>  
>
>>Can't say I do understand...
>>Session IDs are almost untouchables... they're used by too many things, 
>>authentication, SSO, load balancing, and I'm worried that when the 
>>user does something as simple as a right click and opens a new page, 
>>the app breaks.
>>
>>I'm not sure what you're saying but I would rather go for something like 
>>change credits.
>>So, user does something that allows them one change... you store that 
>>in session ID, as an attribute, something like, 
>>setAttribute(ChangeCredit, 1); Now they can open 20 pages.... but on 
>>page 5 they make the change....
>>the attribute is set back to 0;
>>None of the other pages will allow it.... something like that.
>>
>>All I think that is happening is you're trying to store state in the 
>>browser page, instead of the Session. i.e. you give them page, they 
>>change, you present them with page that is one state further on... i.e. 
>>thank you for change, can't change anymore, but user just has to open 
>>new page and they're back to the beginning.
>>But if you store the state in the session.... that won't happen.
>>Irony is I think you actually need that Session.
>>
>>Good Luck
>>
>>----- Original Message ----- From: "Bachler, Elisabeth (Elisabeth)" 
>><eb...@alcatel-lucent.com>
>>To: "Tomcat Users List" <us...@tomcat.apache.org>
>>Sent: Monday, June 04, 2007 12:32 PM
>>Subject: RE: I would like a new session each time I start my 
>>application
>>
>>
>>The thing is that my application accesses a database. When the user 
>>wants to modify the db, I lock the access to this particular action 
>>(and let the user only view the data) using the sessionID.
>>Now, if the user is "bad"... He can log on once and get the modify 
>>action... Then he can open a new screen and modify things again... 
>>Which is not what I need. Every time a new screen is open to execute 
>>the application I need a different sessionID. Do you see what my 
>>problem is ? I don't know another way of doing it.
>>
>>
>>-----Original Message-----
>>From: Johnny Kewl [mailto:john@kewlstuff.co.za]
>>Sent: Monday, 04 June 2007 11:07
>>To: Tomcat Users List
>>Subject: Re: I would like a new session each time I start my 
>>application
>>
>>Liz, please tell us what you're actually doing and why you need this?
>>I think there is a conceptual problem...
>>
>>----- Original Message -----
>>From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
>>To: <us...@tomcat.apache.org>
>>Sent: Friday, June 01, 2007 6:57 PM
>>Subject: I would like a new session each time I start my application
>>
>>
>>Hi,
>>I have an application that works under tomcat.
>>Each time I run my application I have the same sessionID. Is there a 
>>way to generate a different sessionID each time I start my
>>application?
>>
>>Thanks
>>

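David Smith's one-time token suggestion in this thread, sketched as an added example (not code from the thread or from Tomcat). A Map stands in for the HttpSession attributes so the file runs on a plain JDK; the class name and the attribute name formToken are hypothetical, and the token is a 128-bit SecureRandom value so that it cannot be guessed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example: one-time form token kept in the session.
 * The Map is a stand-in for HttpSession attributes; put/remove correspond
 * to HttpSession.setAttribute/removeAttribute.
 */
public class OneTimeFormToken {

    // Hypothetical name, used for both the session attribute and the hidden field.
    static final String TOKEN_ATTR = "formToken";

    private static final SecureRandom RNG = new SecureRandom();

    /** Called while rendering the form; the return value goes into the hidden field. */
    static String issue(Map<String, String> session) {
        byte[] raw = new byte[16]; // 128 bits of randomness
        RNG.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        String token = hex.toString();
        session.put(TOKEN_ATTR, token); // a later render replaces any outstanding token
        return token;
    }

    /** Called on form submission; returns true at most once per issued token. */
    static boolean consume(Map<String, String> session, String submitted) {
        // Retrieve and remove in one atomic step, before comparing, so two
        // concurrent submissions cannot both see the token. With a real
        // HttpSession, getAttribute + removeAttribute need a shared lock
        // to get the same effect.
        String expected = session.remove(TOKEN_ATTR);
        if (expected == null || submitted == null) {
            return false; // no form outstanding, or hidden field missing
        }
        // Constant-time comparison of the two hex strings.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                submitted.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // One user's session (constructed for the demo).
        Map<String, String> session = new ConcurrentHashMap<>();

        // Two browser windows render the modify form in the same session.
        String windowA = issue(session);
        String windowB = issue(session);

        // Window A still carries the token that window B's render replaced.
        System.out.println("stale window A accepted: " + consume(session, windowA));
        // The failed attempt removed the stored token as well, so window B
        // has to render the form again before it can submit.
        System.out.println("window B after stale attempt accepted: "
                + consume(session, windowB));

        // Normal flow: render once, submit once, then an accidental second click.
        String fresh = issue(session);
        System.out.println("first submit accepted: " + consume(session, fresh));
        System.out.println("double submit accepted: " + consume(session, fresh));
    }
}
```

In a servlet filter, issue() belongs where the form is rendered and consume() runs before the modify action is reached.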

RE: I would like a new session each time I start my application

Posted by "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>.
Thanks for your response.... Are you saying that every time the
index.html is executed, I should generate a random number and send it to
the other files. Then compare it with the one I have in the stack ?
 

Elisabeth


-----Original Message-----
From: David Smith [mailto:dns4@cornell.edu] 
Sent: Monday, 04 June 2007 14:10
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

As an alternative, you could incorporate one time tokens.  Generate on
every page request, stored in both session and request parameters and
compare on every submission.  If they go out of sync (i.e. an old one
shows up) you know they spawned a new window.  In that case the old
window should be considered abandoned.  Post a polite error message and
otherwise ignore the request.

The tokens don't have to be complex -- a simple 16 bit random number
should be more than sufficient.  You could build it as a filter to help
validate the request before it gets to your action code.

--David

Johnny Kewl wrote:

> Can't say I do understand...
> Session IDs are almost untouchables... they're used by too many things, 
> authentication, SSO, load balancing, and I'm worried that when the 
> user does something as simple as a right click and opens a new page, 
> the app breaks.
>
> I'm not sure what you're saying but I would rather go for something like 
> change credits.
> So, user does something that allows them one change... you store that 
> in session ID, as an attribute, something like, 
> setAttribute(ChangeCredit, 1); Now they can open 20 pages.... but on 
> page 5 they make the change....
> the attribute is set back to 0;
> None of the other pages will allow it.... something like that.
>
> All I think that is happening is you're trying to store state in the 
> browser page, instead of the Session. i.e. you give them page, they 
> change, you present them with page that is one state further on... i.e. 
> thank you for change, can't change anymore, but user just has to open 
> new page and they're back to the beginning.
> But if you store the state in the session.... that won't happen.
> Irony is I think you actually need that Session.
>
> Good Luck
>
> ----- Original Message ----- From: "Bachler, Elisabeth (Elisabeth)" 
> <eb...@alcatel-lucent.com>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Monday, June 04, 2007 12:32 PM
> Subject: RE: I would like a new session each time I start my 
> application
>
>
> The thing is that my application accesses a database. When the user 
> wants to modify the db, I lock the access to this particular action 
> (and let the user only view the data) using the sessionID.
> Now, if the user is "bad"... He can log on once and get the modify 
> action... Then he can open a new screen and modify things again... 
> Which is not what I need. Every time a new screen is open to execute 
> the application I need a different sessionID. Do you see what my 
> problem is ? I don't know another way of doing it.
>
>
> -----Original Message-----
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> Sent: Monday, 04 June 2007 11:07
> To: Tomcat Users List
> Subject: Re: I would like a new session each time I start my 
> application
>
> Liz, please tell us what you're actually doing and why you need this?
> I think there is a conceptual problem...
>
> ----- Original Message -----
> From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
> To: <us...@tomcat.apache.org>
> Sent: Friday, June 01, 2007 6:57 PM
> Subject: I would like a new session each time I start my application
>
>
> Hi,
> I have an application that works under tomcat.
> Each time I run my application I have the same sessionID. Is there a
> way to generate a different sessionID each time I start my
> application?
>
> Thanks


Re: I would like a new session each time I start my application

Posted by David Smith <dn...@cornell.edu>.
As an alternative, you could incorporate one time tokens.  Generate on
every page request, stored in both session and request parameters and
compare on every submission.  If they go out of sync (i.e. an old one
shows up) you know they spawned a new window.  In that case the old
window should be considered abandoned.  Post a polite error message and
otherwise ignore the request.

The tokens don't have to be complex -- a simple 16 bit random number
should be more than sufficient.  You could build it as a filter to help
validate the request before it gets to your action code.

--David

Johnny Kewl wrote:

> Can't say I do understand...
> Session IDs are almost untouchables... they're used by too many things,
> authentication, SSO, load balancing, and I'm worried that when the
> user does something as simple as a right click and opens a new page,
> the app breaks.
>
> I'm not sure what you're saying but I would rather go for something like
> change credits.
> So, user does something that allows them one change... you store that
> in session ID, as an attribute, something like,
> setAttribute(ChangeCredit, 1);
> Now they can open 20 pages.... but on page 5 they make the change....
> the attribute is set back to 0;
> None of the other pages will allow it.... something like that.
>
> All I think that is happening is you're trying to store state in the
> browser page, instead of the Session. i.e. you give them page, they
> change, you present them with page that is one state further on... i.e.
> thank you for change, can't change anymore, but user just has to open
> new page and they're back to the beginning.
> But if you store the state in the session.... that won't happen.
> Irony is I think you actually need that Session.
>
> Good Luck
>
> ----- Original Message ----- From: "Bachler, Elisabeth (Elisabeth)" 
> <eb...@alcatel-lucent.com>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Monday, June 04, 2007 12:32 PM
> Subject: RE: I would like a new session each time I start my application
>
>
> The thing is that my application accesses a database. When the user wants
> to modify the db, I lock the access to this particular action (and let
> the user only view the data) using the sessionID.
> Now, if the user is "bad"... He can log on once and get the modify
> action... Then he can open a new screen and modify things again... Which
> is not what I need. Every time a new screen is opened to execute the
> application I need a different sessionID. Do you see what my problem
> is? I don't know another way of doing it.
>
>
> -----Original Message-----
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> Sent: lunes, 04 de junio de 2007 11:07
> To: Tomcat Users List
> Subject: Re: I would like a new session each time I start my application
>
> Liz, please tell us what you're actually doing and why you need this?
> I think there is a conceptual problem...
>
> ----- Original Message -----
> From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
> To: <us...@tomcat.apache.org>
> Sent: Friday, June 01, 2007 6:57 PM
> Subject: I would like a new session each time I start my application
>
>
> Hi,
> I have an application that works under tomcat.
> Each time I run my application I have the same sessionID. Is there a way
> to generate a different sessionID each time I start my application?
>
> Thanks
>
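
The one-time token check David describes above, written as a servlet filter. This is an added example, not code from the thread: the class name, the pageToken name and the 409 response are assumptions, and it draws a 128-bit SecureRandom value rather than a 16-bit number because the token guards a state-changing request.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: one-time page token filter. Class and attribute names are hypothetical.
// Map it only to the pages and form actions it protects, not to images or CSS,
// because every request that passes through rotates the token.
public class OneTimeTokenFilter implements Filter {
    static final String TOKEN = "pageToken";  // session attribute, request attribute, form field
    private static final SecureRandom RNG = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(true);

        // Check and rotate under one lock so two windows cannot both spend the same token.
        // Assumes the container returns the same HttpSession object for a given session.
        synchronized (session) {
            if ("POST".equals(req.getMethod())) {
                String expected = (String) session.getAttribute(TOKEN);
                String supplied = req.getParameter(TOKEN);
                if (expected == null || supplied == null || !MessageDigest.isEqual(
                        expected.getBytes(StandardCharsets.UTF_8),
                        supplied.getBytes(StandardCharsets.UTF_8))) {
                    // Stale or missing token: an older window submitted. Refuse the change.
                    res.sendError(HttpServletResponse.SC_CONFLICT,
                            "This window is out of date. Please reload the page.");
                    return;
                }
            }
            // Issue a fresh token; any page rendered earlier now holds a dead one.
            String next = new BigInteger(128, RNG).toString(16);
            session.setAttribute(TOKEN, next);
            req.setAttribute(TOKEN, next);  // the view writes this into a hidden form field
        }
        chain.doFilter(req, res);
    }
}
```

The page template has to emit the request attribute as a hidden form field named pageToken, so that each submission carries the token of the window it came from.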




Re: I would like a new session each time I start my application

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
Can't say I do understand...
Session IDs are almost untouchables... they're used by too many things,
authentication, SSO, load balancing, and I'm worried that when the user does
something as simple as a right click and opens a new page, the app breaks.

I'm not sure what you're saying but I would rather go for something like change
credits.
So, user does something that allows them one change... you store that in
session ID, as an attribute, something like, setAttribute(ChangeCredit, 1);
Now they can open 20 pages.... but on page 5 they make the change.... the
attribute is set back to 0;
None of the other pages will allow it.... something like that.

All I think that is happening is you're trying to store state in the browser
page, instead of the Session. i.e. you give them page, they change, you
present them with page that is one state further on... i.e. thank you for
change, can't change anymore, but user just has to open new page and they're
back to the beginning.
But if you store the state in the session.... that won't happen.
Irony is I think you actually need that Session.

Good Luck

----- Original Message ----- 
From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, June 04, 2007 12:32 PM
Subject: RE: I would like a new session each time I start my application


The thing is that my application accesses a database. When the user wants
to modify the db, I lock the access to this particular action (and let
the user only view the data) using the sessionID.
Now, if the user is "bad"... He can log on once and get the modify
action... Then he can open a new screen and modify things again... Which
is not what I need. Every time a new screen is opened to execute the
application I need a different sessionID. Do you see what my problem
is? I don't know another way of doing it.


-----Original Message-----
From: Johnny Kewl [mailto:john@kewlstuff.co.za]
Sent: lunes, 04 de junio de 2007 11:07
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

Liz, please tell us what you're actually doing and why you need this?
I think there is a conceptual problem...

----- Original Message -----
From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
To: <us...@tomcat.apache.org>
Sent: Friday, June 01, 2007 6:57 PM
Subject: I would like a new session each time I start my application


Hi,
I have an application that works under tomcat.
Each time I run my application I have the same sessionID. Is there a way
to generate a different sessionID each time I start my application?

Thanks



RE: I would like a new session each time I start my application

Posted by "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>.
The thing is that my application accesses a database. When the user wants
to modify the db, I lock the access to this particular action (and let
the user only view the data) using the sessionID.
Now, if the user is "bad"... He can log on once and get the modify
action... Then he can open a new screen and modify things again... Which
is not what I need. Every time a new screen is opened to execute the
application I need a different sessionID. Do you see what my problem
is? I don't know another way of doing it.
 

-----Original Message-----
From: Johnny Kewl [mailto:john@kewlstuff.co.za] 
Sent: lunes, 04 de junio de 2007 11:07
To: Tomcat Users List
Subject: Re: I would like a new session each time I start my application

Liz, please tell us what you're actually doing and why you need this?
I think there is a conceptual problem...

----- Original Message -----
From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
To: <us...@tomcat.apache.org>
Sent: Friday, June 01, 2007 6:57 PM
Subject: I would like a new session each time I start my application


Hi,
I have an application that works under tomcat.
Each time I run my application I have the same sessionID. Is there a way
to generate a different sessionID each time I start my application?

Thanks



Re: I would like a new session each time I start my application

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
Liz, please tell us what you're actually doing and why you need this?
I think there is a conceptual problem...

----- Original Message ----- 
From: "Bachler, Elisabeth (Elisabeth)" <eb...@alcatel-lucent.com>
To: <us...@tomcat.apache.org>
Sent: Friday, June 01, 2007 6:57 PM
Subject: I would like a new session each time I start my application


Hi,
I have an application that works under tomcat.
Each time I run my application I have the same sessionID. Is there a way
to generate a different sessionID each time I start my application?

Thanks
