How to Maintain sessions in SOAP

[Naresh Agarwal <na...@firstrain.com>]

Hi Christoph

You are saying the Microsoft Soap Toolkit beta2 supports Session-Cookies and
URL-Rewriting..

But i have thoroughly checked Microsoft Soap Toolkit 2.0 for the session
maintainenance support and come to the conclusion that it does not provide
any inbuilt support (like HTTP does) for session maintenance.

However it has given a example, inwhich a trivial session maintenance is
achieved via passing user-specific information in the Soap-Headers. This
example uses IHeaderHandler class for manipulating the Soap-Headers. So the
session maintenance is implemented in this example.

Thus as far as i think, one will have to implement the session maintenance
logic in MS-Soap by passing information in Soap-Headers. Unlike to Apache
Soap, it does not provide any kind of support for setting and reading
cookies..

If we use MS-Soap client and Apache-Soap server, and set the cookies in the
server's response then MS-Soap client discard those "HTTP headers, which
contains the cookies".

Please correct me if i'm wrong. If you know of any knid of support MS-Soap
provides for session maintenance, please let me know.

Thanks a lot.

Regards,
Naresh Agarwal


> > Hi Chiranjeevi,
> >
> >
> > Unfortunately you do not describe, which session-mechanism you
> > use - I mean
> > the current one.
> >
> > When talking about sessions - you mean an HTTP session - right?
> >
> > I want to make that clear, because basically you can send
> > SOAP-messages via
> > various transports, such a e-Mail, FTP, Message-Queuing-Systems (like
IBM
> > MQseries etc).
> >
> > Also there are protocols like the proposed BEEP or HTTPR in the
> > experimental
> > state, which also
> > provide a "reliable messaging", meaning that you can distinguish the a
> > message from another duplication of a message and therefore
> > -know- about the
> > state of a message.
> >
> > HTTP Session-Tracking for SOAP - transparent to the messages sent - is
> > typically done like in other HTTP applications
> >
> > - via session-cookies
> > - via URL-rewriting
> >
> > Of cource you can also implement a "token-passing", like Chang Sau
wrote.
> > But implementing
> > a "token", which means passing a session-id or context-id via a
> > parameter is
> > always a
> > possibility.
> >
> > The sexy thing on using a transport or a mechanism like
> > session-cookies/urls
> > is, that it
> > should work for ALL calls, regardsless if they have their
> > "session-token"-parameter or not.
> >
> > AFAIK the following implementations support Session-Cookies AND
> > Url-Rewriting
> >
> > - Apache SOAP 2.2
> > - Apache AXIS
> > - Microsoft SOAP Toolkit beta2
> > - Microsoft.NET
> > - Idoox WASP
> >
> > I am sure others like Graham's GLUE and others will also support
> > that, but I
> > am not sure. Maybe some feedback from the others will clear that up.
> >
> > That means, that if you can make sure, that the client supports either
of
> > both (URL or cookie) then the session-tracking should work. That should
be
> > done via a simple check after a "login"-transaction that creates
> > the session
> > object. Each Web-Service having to hold the context of the session
should
> > perform a check for it.
> >
> > That is quite comparable to JSP-includes that perform a "Is there a
valid
> > session or not" on every page...
> >
> > The session-object itself can be retrieved and managed in the
> > implementation
> > of your service on the server, but I guess you already know that..
> >
> > Did that answer your question so far?
> >
> >
> > mfg / kind regards,
> > Christoph C. Cemper
> >
> > email:    mailto:Christoph@Cemper.com
> >   www:    http://Christoph.Cemper.com
> >
> >
> >
> >
> >
> >
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Chiranjeevi Paruchur [mailto:CParuchur@orga.com]
> > Gesendet: Dienstag, 04. September 2001 14:25
> > An: soap-user@xml.apache.org
> > Betreff: How to Maintain sessions in SOAP
> >
> >
> >
> > Hi!
> >
> > Can anyone throw some light on how to maintain sessions when I am using
> > SOAP.
> >
> > I know how to do it when I have a java client.
> >
> > I would like to know how to do it in such a way that any type of
> > client can
> > have sessions with my SOAP server.
> >
> >
> > Thanks in advance,
> > Chiran
> >
> >
>

AW: How to Maintain sessions in SOAP

["Christoph C . Cemper @ Cemper.com" <ch...@cemper.com>]

Hi Naresh,

I am sorry for the confusion... I heard about SOAP 2.0 SP2 Toolkit
supporting cookies
a few weeks ago and trusted that source.

The .NET Kit shall also support it, and what I found is, that the MSXML also
seems to support it... hmmm still got to research that topic a little bit.

I checked that stuff this morning, and in fact, what I found on

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dn_voices_w
ebservice/html/service02282001.asp

does not make me happy - although it provides comprehenise information about
the authentication situation with MS.

I agree absolutely with you about those Soap-Header Sample, but that's not
the way it
should work.

Cookie-Passing-Mechanism is something specific to the transport
(http-protocol) and I
really don't enjoy MS SOAP not supporting it.

In fact I got - I guess - similar problems like you and search for the
"setMaintainSession (true);" in the MS SOAP toolkit.

How did you solve it so far? Did you use this Soap-Header solution?

mfg / kind regards,
Christoph C. Cemper

email:    mailto:Christoph@Cemper.com
  www:    http://Christoph.Cemper.com








-----Ursprüngliche Nachricht-----
Von: Naresh Agarwal [mailto:nagarwal@firstrain.com]
Gesendet: Mittwoch, 05. September 2001 14:01
An: Christoph@Cemper.com; soap-dev@xml.apache.org
Betreff: How to Maintain sessions in SOAP


Hi Christoph

You are saying the Microsoft Soap Toolkit beta2 supports Session-Cookies and
URL-Rewriting..

But i have thoroughly checked Microsoft Soap Toolkit 2.0 for the session
maintainenance support and come to the conclusion that it does not provide
any inbuilt support (like HTTP does) for session maintenance.

However it has given a example, inwhich a trivial session maintenance is
achieved via passing user-specific information in the Soap-Headers. This
example uses IHeaderHandler class for manipulating the Soap-Headers. So the
session maintenance is implemented in this example.

Thus as far as i think, one will have to implement the session maintenance
logic in MS-Soap by passing information in Soap-Headers. Unlike to Apache
Soap, it does not provide any kind of support for setting and reading
cookies..

If we use MS-Soap client and Apache-Soap server, and set the cookies in the
server's response then MS-Soap client discard those "HTTP headers, which
contains the cookies".

Please correct me if i'm wrong. If you know of any knid of support MS-Soap
provides for session maintenance, please let me know.

Thanks a lot.

Regards,
Naresh Agarwal


> > Hi Chiranjeevi,
> >
> >
> > Unfortunately you do not describe, which session-mechanism you
> > use - I mean
> > the current one.
> >
> > When talking about sessions - you mean an HTTP session - right?
> >
> > I want to make that clear, because basically you can send
> > SOAP-messages via
> > various transports, such a e-Mail, FTP, Message-Queuing-Systems (like
IBM
> > MQseries etc).
> >
> > Also there are protocols like the proposed BEEP or HTTPR in the
> > experimental
> > state, which also
> > provide a "reliable messaging", meaning that you can distinguish the a
> > message from another duplication of a message and therefore
> > -know- about the
> > state of a message.
> >
> > HTTP Session-Tracking for SOAP - transparent to the messages sent - is
> > typically done like in other HTTP applications
> >
> > - via session-cookies
> > - via URL-rewriting
> >
> > Of cource you can also implement a "token-passing", like Chang Sau
wrote.
> > But implementing
> > a "token", which means passing a session-id or context-id via a
> > parameter is
> > always a
> > possibility.
> >
> > The sexy thing on using a transport or a mechanism like
> > session-cookies/urls
> > is, that it
> > should work for ALL calls, regardsless if they have their
> > "session-token"-parameter or not.
> >
> > AFAIK the following implementations support Session-Cookies AND
> > Url-Rewriting
> >
> > - Apache SOAP 2.2
> > - Apache AXIS
> > - Microsoft SOAP Toolkit beta2
> > - Microsoft.NET
> > - Idoox WASP
> >
> > I am sure others like Graham's GLUE and others will also support
> > that, but I
> > am not sure. Maybe some feedback from the others will clear that up.
> >
> > That means, that if you can make sure, that the client supports either
of
> > both (URL or cookie) then the session-tracking should work. That should
be
> > done via a simple check after a "login"-transaction that creates
> > the session
> > object. Each Web-Service having to hold the context of the session
should
> > perform a check for it.
> >
> > That is quite comparable to JSP-includes that perform a "Is there a
valid
> > session or not" on every page...
> >
> > The session-object itself can be retrieved and managed in the
> > implementation
> > of your service on the server, but I guess you already know that..
> >
> > Did that answer your question so far?
> >
> >
> > mfg / kind regards,
> > Christoph C. Cemper
> >
> > email:    mailto:Christoph@Cemper.com
> >   www:    http://Christoph.Cemper.com
> >
> >
> >
> >
> >
> >
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Chiranjeevi Paruchur [mailto:CParuchur@orga.com]
> > Gesendet: Dienstag, 04. September 2001 14:25
> > An: soap-user@xml.apache.org
> > Betreff: How to Maintain sessions in SOAP
> >
> >
> >
> > Hi!
> >
> > Can anyone throw some light on how to maintain sessions when I am using
> > SOAP.
> >
> > I know how to do it when I have a java client.
> >
> > I would like to know how to do it in such a way that any type of
> > client can
> > have sessions with my SOAP server.
> >
> >
> > Thanks in advance,
> > Chiran
> >
> >
>

AW: How to Maintain sessions in SOAP

["Christoph C . Cemper @ Cemper.com" <ch...@cemper.com>]

Hi Naresh,

I am sorry for the confusion... I heard about SOAP 2.0 SP2 Toolkit
supporting cookies
a few weeks ago and trusted that source.

The .NET Kit shall also support it, and what I found is, that the MSXML also
seems to support it... hmmm still got to research that topic a little bit.

I checked that stuff this morning, and in fact, what I found on

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dn_voices_w
ebservice/html/service02282001.asp

does not make me happy - although it provides comprehenise information about
the authentication situation with MS.

I agree absolutely with you about those Soap-Header Sample, but that's not
the way it
should work.

Cookie-Passing-Mechanism is something specific to the transport
(http-protocol) and I
really don't enjoy MS SOAP not supporting it.

In fact I got - I guess - similar problems like you and search for the
"setMaintainSession (true);" in the MS SOAP toolkit.

How did you solve it so far? Did you use this Soap-Header solution?

mfg / kind regards,
Christoph C. Cemper

email:    mailto:Christoph@Cemper.com
  www:    http://Christoph.Cemper.com








-----Ursprüngliche Nachricht-----
Von: Naresh Agarwal [mailto:nagarwal@firstrain.com]
Gesendet: Mittwoch, 05. September 2001 14:01
An: Christoph@Cemper.com; soap-dev@xml.apache.org
Betreff: How to Maintain sessions in SOAP


Hi Christoph

You are saying the Microsoft Soap Toolkit beta2 supports Session-Cookies and
URL-Rewriting..

But i have thoroughly checked Microsoft Soap Toolkit 2.0 for the session
maintainenance support and come to the conclusion that it does not provide
any inbuilt support (like HTTP does) for session maintenance.

However it has given a example, inwhich a trivial session maintenance is
achieved via passing user-specific information in the Soap-Headers. This
example uses IHeaderHandler class for manipulating the Soap-Headers. So the
session maintenance is implemented in this example.

Thus as far as i think, one will have to implement the session maintenance
logic in MS-Soap by passing information in Soap-Headers. Unlike to Apache
Soap, it does not provide any kind of support for setting and reading
cookies..

If we use MS-Soap client and Apache-Soap server, and set the cookies in the
server's response then MS-Soap client discard those "HTTP headers, which
contains the cookies".

Please correct me if i'm wrong. If you know of any knid of support MS-Soap
provides for session maintenance, please let me know.

Thanks a lot.

Regards,
Naresh Agarwal


> > Hi Chiranjeevi,
> >
> >
> > Unfortunately you do not describe, which session-mechanism you
> > use - I mean
> > the current one.
> >
> > When talking about sessions - you mean an HTTP session - right?
> >
> > I want to make that clear, because basically you can send
> > SOAP-messages via
> > various transports, such a e-Mail, FTP, Message-Queuing-Systems (like
IBM
> > MQseries etc).
> >
> > Also there are protocols like the proposed BEEP or HTTPR in the
> > experimental
> > state, which also
> > provide a "reliable messaging", meaning that you can distinguish the a
> > message from another duplication of a message and therefore
> > -know- about the
> > state of a message.
> >
> > HTTP Session-Tracking for SOAP - transparent to the messages sent - is
> > typically done like in other HTTP applications
> >
> > - via session-cookies
> > - via URL-rewriting
> >
> > Of cource you can also implement a "token-passing", like Chang Sau
wrote.
> > But implementing
> > a "token", which means passing a session-id or context-id via a
> > parameter is
> > always a
> > possibility.
> >
> > The sexy thing on using a transport or a mechanism like
> > session-cookies/urls
> > is, that it
> > should work for ALL calls, regardsless if they have their
> > "session-token"-parameter or not.
> >
> > AFAIK the following implementations support Session-Cookies AND
> > Url-Rewriting
> >
> > - Apache SOAP 2.2
> > - Apache AXIS
> > - Microsoft SOAP Toolkit beta2
> > - Microsoft.NET
> > - Idoox WASP
> >
> > I am sure others like Graham's GLUE and others will also support
> > that, but I
> > am not sure. Maybe some feedback from the others will clear that up.
> >
> > That means, that if you can make sure, that the client supports either
of
> > both (URL or cookie) then the session-tracking should work. That should
be
> > done via a simple check after a "login"-transaction that creates
> > the session
> > object. Each Web-Service having to hold the context of the session
should
> > perform a check for it.
> >
> > That is quite comparable to JSP-includes that perform a "Is there a
valid
> > session or not" on every page...
> >
> > The session-object itself can be retrieved and managed in the
> > implementation
> > of your service on the server, but I guess you already know that..
> >
> > Did that answer your question so far?
> >
> >
> > mfg / kind regards,
> > Christoph C. Cemper
> >
> > email:    mailto:Christoph@Cemper.com
> >   www:    http://Christoph.Cemper.com
> >
> >
> >
> >
> >
> >
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Chiranjeevi Paruchur [mailto:CParuchur@orga.com]
> > Gesendet: Dienstag, 04. September 2001 14:25
> > An: soap-user@xml.apache.org
> > Betreff: How to Maintain sessions in SOAP
> >
> >
> >
> > Hi!
> >
> > Can anyone throw some light on how to maintain sessions when I am using
> > SOAP.
> >
> > I know how to do it when I have a java client.
> >
> > I would like to know how to do it in such a way that any type of
> > client can
> > have sessions with my SOAP server.
> >
> >
> > Thanks in advance,
> > Chiran
> >
> >
>

AW: How to Maintain sessions in SOAP

["Christoph C . Cemper @ Cemper.com" <ch...@cemper.com>]

Hi Naresh,

I am sorry for the confusion... I heard about SOAP 2.0 SP2 Toolkit
supporting cookies
a few weeks ago and trusted that source.

The .NET Kit shall also support it, and what I found is, that the MSXML also
seems to support it... hmmm still got to research that topic a little bit.

I checked that stuff this morning, and in fact, what I found on

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dn_voices_w
ebservice/html/service02282001.asp

does not make me happy - although it provides comprehenise information about
the authentication situation with MS.

I agree absolutely with you about those Soap-Header Sample, but that's not
the way it
should work.

Cookie-Passing-Mechanism is something specific to the transport
(http-protocol) and I
really don't enjoy MS SOAP not supporting it.

In fact I got - I guess - similar problems like you and search for the
"setMaintainSession (true);" in the MS SOAP toolkit.

How did you solve it so far? Did you use this Soap-Header solution?

mfg / kind regards,
Christoph C. Cemper

email:    mailto:Christoph@Cemper.com
  www:    http://Christoph.Cemper.com








-----Ursprüngliche Nachricht-----
Von: Naresh Agarwal [mailto:nagarwal@firstrain.com]
Gesendet: Mittwoch, 05. September 2001 14:01
An: Christoph@Cemper.com; soap-dev@xml.apache.org
Betreff: How to Maintain sessions in SOAP


Hi Christoph

You are saying the Microsoft Soap Toolkit beta2 supports Session-Cookies and
URL-Rewriting..

But i have thoroughly checked Microsoft Soap Toolkit 2.0 for the session
maintainenance support and come to the conclusion that it does not provide
any inbuilt support (like HTTP does) for session maintenance.

However it has given a example, inwhich a trivial session maintenance is
achieved via passing user-specific information in the Soap-Headers. This
example uses IHeaderHandler class for manipulating the Soap-Headers. So the
session maintenance is implemented in this example.

Thus as far as i think, one will have to implement the session maintenance
logic in MS-Soap by passing information in Soap-Headers. Unlike to Apache
Soap, it does not provide any kind of support for setting and reading
cookies..

If we use MS-Soap client and Apache-Soap server, and set the cookies in the
server's response then MS-Soap client discard those "HTTP headers, which
contains the cookies".

Please correct me if i'm wrong. If you know of any knid of support MS-Soap
provides for session maintenance, please let me know.

Thanks a lot.

Regards,
Naresh Agarwal


> > Hi Chiranjeevi,
> >
> >
> > Unfortunately you do not describe, which session-mechanism you
> > use - I mean
> > the current one.
> >
> > When talking about sessions - you mean an HTTP session - right?
> >
> > I want to make that clear, because basically you can send
> > SOAP-messages via
> > various transports, such a e-Mail, FTP, Message-Queuing-Systems (like
IBM
> > MQseries etc).
> >
> > Also there are protocols like the proposed BEEP or HTTPR in the
> > experimental
> > state, which also
> > provide a "reliable messaging", meaning that you can distinguish the a
> > message from another duplication of a message and therefore
> > -know- about the
> > state of a message.
> >
> > HTTP Session-Tracking for SOAP - transparent to the messages sent - is
> > typically done like in other HTTP applications
> >
> > - via session-cookies
> > - via URL-rewriting
> >
> > Of cource you can also implement a "token-passing", like Chang Sau
wrote.
> > But implementing
> > a "token", which means passing a session-id or context-id via a
> > parameter is
> > always a
> > possibility.
> >
> > The sexy thing on using a transport or a mechanism like
> > session-cookies/urls
> > is, that it
> > should work for ALL calls, regardsless if they have their
> > "session-token"-parameter or not.
> >
> > AFAIK the following implementations support Session-Cookies AND
> > Url-Rewriting
> >
> > - Apache SOAP 2.2
> > - Apache AXIS
> > - Microsoft SOAP Toolkit beta2
> > - Microsoft.NET
> > - Idoox WASP
> >
> > I am sure others like Graham's GLUE and others will also support
> > that, but I
> > am not sure. Maybe some feedback from the others will clear that up.
> >
> > That means, that if you can make sure, that the client supports either
of
> > both (URL or cookie) then the session-tracking should work. That should
be
> > done via a simple check after a "login"-transaction that creates
> > the session
> > object. Each Web-Service having to hold the context of the session
should
> > perform a check for it.
> >
> > That is quite comparable to JSP-includes that perform a "Is there a
valid
> > session or not" on every page...
> >
> > The session-object itself can be retrieved and managed in the
> > implementation
> > of your service on the server, but I guess you already know that..
> >
> > Did that answer your question so far?
> >
> >
> > mfg / kind regards,
> > Christoph C. Cemper
> >
> > email:    mailto:Christoph@Cemper.com
> >   www:    http://Christoph.Cemper.com
> >
> >
> >
> >
> >
> >
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Chiranjeevi Paruchur [mailto:CParuchur@orga.com]
> > Gesendet: Dienstag, 04. September 2001 14:25
> > An: soap-user@xml.apache.org
> > Betreff: How to Maintain sessions in SOAP
> >
> >
> >
> > Hi!
> >
> > Can anyone throw some light on how to maintain sessions when I am using
> > SOAP.
> >
> > I know how to do it when I have a java client.
> >
> > I would like to know how to do it in such a way that any type of
> > client can
> > have sessions with my SOAP server.
> >
> >
> > Thanks in advance,
> > Chiran
> >
> >
>