Java - Methods To Set A Session Token By Url?
Mar 18, 2011
I'm writing up a security document and it would be great if programmers in other languages than PHP could chime in on (perhaps the default) way sessions are passed by URL in their language's default session handler.
e.g. PHPSESSION=token in PHP
Oh, and if yes does it also use cookies?
View 2 Replies
Similar Messages:
Jun 15, 2010
I have two ASP.NET applications (one is Mojo Portal). I can navigate from one to the other using a URL token id.
In this way, by token, I create a new session and save the related auth cookie.
But sometimes the ASP web application doesn't keep the session and kicks me out. When this happens I can't log in until the session cookie is deleted.
Both applications are behind a reverse proxy.
View 3 Replies
Feb 9, 2010
In our application, we have a need for a user to "impersonate" a different user. Think of it as a hierarchy -- Bob is above Frank in a hierarchy. Bob is logged in, and he needs to do things in the system for a short time as Frank. So, we have given Bob a list of users that report to him, and an impersonate link. He clicks on this link, and, behind the scenes, I log Bob out, and log in as Frank. I also set a session variable that tells me that really Bob is the guy who is the user. Also, Bob (acting as Frank now) has a nice little link at the top of every page that says "Stop Impersonation."
In addition, when Bob is impersonating Frank, Bob is restricted from doing some things, like changing Frank's password.
This was working great, until we encountered a situation where, if the session (I think -- getting confused here) gets destroyed (such as when I copy up new code and dlls to the live site), then when Bob clicks on "Stop Impersonation" he gets redirected to the default page, and is still logged in as Frank, but without the Impersonation session variable. So, now Bob really is logged in as Frank, and can change Frank's password (among other things).
How is it that a session variable (Impersonation) gets destroyed, but I guess the session is still hanging around, because it doesn't make the user log in again?
This is a somewhat serious bug for how our system works (bug in our code, I'm sure, not in .Net). We are using ASP.Net c#, aspnet membership services, .net 3.5, forms auth...not sure what else you need to know.
EDIT: Updated information. Looks like when "something" happens, for instance, when I recompile some dlls and copy them to the webserver, the session gets dumped. Or, rather, the variables in the session get dumped. The session id stays the same. I do get to check for Session.IsNewSession and it returns true, even though the id is the same as it was before.
Just like Utaal mentioned, Membership Services is separate from Session, so its forms auth token is still hanging around in the browser, but my session variable telling me that that isn't really the user who is controlling the browser isn't there anymore.
EDIT: Sky, here is what I'm doing to authenticate a user. I can't figure out where I would insert a ticket into this flow:
if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
    FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
View 2 Replies
Dec 13, 2010
I want to fetch a web page from an ASP.NET site that is only accessible from within a session. I'm using Apache HttpClient. I first open the main page of the site, then I search for the link to the "goal" page, and then I fire up a GET request for the "goal" page. The problem is that when I get the response for the second GET request, I always get the same (first) page. If I open the site with Firefox or Google Chrome I get the "goal" page.
From the first response from the server I get the following headers:
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 19:03:56 GMT
Server: Microsoft-IIS/6.0
Platform: Mobitel Pla.NET
Node: 4
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=0vpgd055cifko3mnw4nkuimz; path=/
Cache-Control: no-cache, must-revalidate
Content-Type: text/html; charset=utf-8
Content-Length: 7032
I inspected the traffic with WireShark and all headers look OK. I send the correct cookie back to the server on the second GET request.
I'm using Apache HttpClient. I have only one instance of DefaultHttpClient and I reuse that for the second request. I have BROWSER_COMPATIBILITY Cookie Policy.
View 2 Replies
Feb 7, 2011
What would be a good/scalable user session alternative in the following scenario:
users don't have to have cookies enabled
URL query string restriction of 255 characters is imposed
a lot of GET requests (no hidden form fields)
application runs on several servers (web farm)
some users connect over proxy (same IP)
users connect over HTTPS
50 000 concurrent users
View 5 Replies
Jul 23, 2010
Best and most secure way to pass the ASP.NET session token from page to page?
1. cookies (not secured)
2. url (not secured)
3. hidden fields ?
Is using hidden fields the right way to pass it? How to pass it using hidden fields? How to disable the session token in cookies and also in the URL (session state configuration)?
View 1 Replies
Apr 13, 2010
In C#, how do you pass the Session[] and Request[] objects to a method? I would like to use a method to parse out Session and Request parameters for a .aspx page to reduce the size of my Page_Load method. I am passing quite a few variables, and need to support both POST and GET methods. For most calls, not all variables are present, so I have to test every variable multiple ways, and the code gets long... This is what I am trying to do, but I can't seem to properly identify the Session and Request parameters (this code will not compile, because the arrays are indexed by number)
static string getParam(
    System.Web.SessionState.HttpSessionState[] Session,
    System.Web.HttpRequest[] Request,
    string id)
[code]...
View 2 Replies
Jun 29, 2010
I'm using ASP.NET page methods to check for the updates. I'm using inproc sessions and windows authentication in IIS 6. When the page is loaded, a session is started. But sometimes when the page method is called it starts a new session (created with current request returns true also). Why might that happen?
View 2 Replies
Sep 15, 2010
I wrote a simple static method in my web page. How can I access session["id"] in the method? I don't have access. For example:
public static void myFunc()
{
    Session["id"]= 100;
}
View 2 Replies
Jul 5, 2010
I'm looking for a way to access a Java API from both a Java console application and an ASP.Net application. In short my Java API exposes a series of methods for dealing with invoices. All of these methods are essentially commands e.g.
GenerateAllInvocies
GenerateInvoiceNumber
PrintAllInvoices
PrintInvoiceNumber
All methods will interact with the database. I had believed Web Services was going to be my means for interop. But I have since been made aware of Java Stored Procedures in Oracle.
View 1 Replies
Jul 1, 2010
I got asked to write a java application for my company. I'm a seasoned .Net developer so this is all new ground to me. My task is to produce an invoicing application that has several high level tasks such as:
Build single invoice
Build all invoices
My company want to be able to call these tasks from a java console application - passing in relevant commands and parameters to invoke the tasks. They also want to be able to invoke the same code from an ASP.NET application.
View 2 Replies
Aug 16, 2010
I have an extension method as follows:
public static class PageExtensions
{
    public static int GetUserId(this Page targetPage)
    {
        var user = Membership.GetUser(targetPage.User.Identity.Name);
        return (int)user.ProviderUserKey;
    }
}
Now in a page I need to use this method in a static WebMethod, so I have added another 'extension method' to PageExtensions:
public static int GetUserId()
{
    return (int)Membership.GetUser(HttpContext.Current.User.Identity.Name).ProviderUserKey;
}
and I call it as follows in my WebMethod: PageExtensions.GetUserId()
View 1 Replies
Jul 23, 2010
public class CacheHelper
{
    /// <summary>
    /// Removes object with the specified key.
    /// </summary>
    /// <param name="key">The key.</param>
    [code]....
I have these methods for caching. I need to change these methods to use in a Dictionary<string,object>
How do I need to change this code? Because I am new to ASP.NET, I am still learning.
View 12 Replies
Sep 16, 2010
I am a beginner in web application development. I started one little project and hosted it on SourceForge "https://homoco.svn.sourceforge.net/svnroot/homoco". And I started implementing authentication in this application to learn how it works. From my experience people never use out of the box things so I want to implement this stuff alone (like in real world projects). So some questions:
1) Is there any reason to use membership out of the box? To use the database table schema, stored procedures etc. that the tool generates for the developer. I think that this lowers control over the code and I decided to implement it myself. I don't know if I am right.
2) Is my approach in this demo project good or bad (if someone has time I would like just a little code review)? I created a database based on business rules. Not using the database schema that the membership provider requires. Extended the "MembershipProvider" class to satisfy my needs. Implemented queries to the database myself.
3) Now, this question is a little weird but I have to ask it. If we make a custom Membership Provider and do sql queries alone, implement all MembershipProvider class methods ourselves, and in the application use Membership.blabla(), why is this approach different from not extending the MembershipProvider class and putting all these methods in some unique class and calling its methods then? I hope that someone understands what I ask here.
I am sorry for three questions, but I am really trying to find the best way to implement this feature in my demo project like it is a real world application.
View 3 Replies
Mar 23, 2010
When I read MSDN, I saw 2 things: token and FormsAuthentication ticket.
Can anybody tell me the difference between a token and a FormsAuthenticationTicket?
View 15 Replies
Dec 11, 2010
Here is an article here: http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html
It's not clear why I would need it? Is it for ASP.NET or also Winform?
View 1 Replies
Sep 15, 2010
I'm working on a solution to part of my company's site that is done in 2 different languages. My part of the project is in ASP.NET, and the login portal is in a different language. We pass authentication credentials by storing login information in the database on the portal page and then sending a corresponding token to the URL in the page written in .NET. In almost all the tutorials and articles I've read about security for ASP.NET, and most languages, the message has generally been "just use the built in stuff and don't mess with it".
I have code that takes the token, goes into the database and gets the user details.. what do I do then to integrate that into the built-in security stuff for ASP.NET? I'd like to ultimately use Action Filters for authorization on my controllers.
View 1 Replies
Jul 28, 2010
We have a SSO authentication service that other externally facing web pages and services use to authenticate users. A user tries to reach a service, if no cookie is found containing an authentication token, they are redirected (HTTP 302) to the SingleSignOn authentication service. The auth service does its work, and redirects the user (HTTP 302) to the original URL with their encrypted authentication token in the URL. Great. How can I invoke this from a WCF POX service? No SOAP here, just HTTP GET/POST with XML responses.
What I'm currently doing is, in each service method implementation method, checking the headers for the cookie. If the cookie exists, verify the auth token and process the request. If the cookie doesn't exist or the auth token has expired, then respond with:
[Code]....
That works, but isn't integrated with any of the WCF features, and requires me to manually code for a whole bunch of scenarios. Is there a way I could implement this using these classes:
[Code]....
or use some other means that checks each request to the service? I've been reading pages like: How to: Create a Custom Token, but I don't see how it applies to my needs. I'm looking into this because I have some time before my project kicks off, and I'd like to implement this project correctly and learn about WCF as much as I can.
View 2 Replies
Oct 30, 2010
I have an asp.net site. It's a mixture of web forms and MVC2.
I have this on 2 different servers which I get to via different urls.
On one server authentication works fine via all browsers (IE 8, FF 3.6, Chrome)
On the other IE 8 fails, it doesn't send back the cookie on the request to the page after authenticating.
Using Fiddler I have seen that both sites attempt to set the cookie, in the response from the login page.
Response Header I see from both servers
Set-Cookie: DemandLaunch=CCA4...E79C2D1; path=/; HttpOnly
Both sites are in the internet zone of IE.
I'm at a loss for what to check now.
I also have a page that sets a cookie via c# code and that cookie fails in IE as well.
The IE issue is not on a single computer either. I see this failure in Internet Explorer on 4 different computers.
My urls which I should have included were:
beta.[site].com - works
beta_[company].[site].com - fails
View 1 Replies
Mar 2, 2010
How to create a unique token with properties like expiration time?
Any standard method provided by Microsoft?
View 2 Replies
Feb 21, 2011
I'm trying to get an ASP.NET application to use windows authentication. I have disabled anonymous auth and enabled windows auth in IIS7. On my dev box (my workstation, localhost) I can use fiddler and see the proper token is passed in through the header and I'm not prompted. Everything is working fine and I'm authenticated as my domain user.
However, on a remote server on our domain, with identical settings, I continually get prompted. We need it to automatically send the domain authentication for windows auth.
Does anything in IE need to be configured for this to happen for a remote machine on the same domain?
View 2 Replies
Dec 17, 2010
Multi-Token Statements
The @( ) syntax enables a code block to have multiple tokens. For example, we could re-write the above code to concatenate a string and the number together within a @( code ) block
View 5 Replies
Sep 22, 2010
I have developed a web service and installed it on a server successfully; it's working fine there.
I tried to make it work on another server, but I had some error there on the new server.
I'm trying to access a network folder. It's accessible for the user which I have mentioned in the web config, but I'm having an error.
In the web config:
<identity impersonate="true" userName="UserName" password="password"/>
View 21 Replies
Feb 17, 2010
We have developed a system to allow users to access another one of our web applications by placing a token in the db and then, when they redirect, passing this token in the browser to the new app and using that as an authentication method. However I am thinking that it might be better to simply place this token in the browser cookie as then the user doesn't have to physically click a link; they can simply go straight to it because the token won't be in the query string anymore....
Will it add much of an overhead doing it via cookies? Are there any disadvantages?
View 4 Replies
Jul 2, 2010
I don't know if the following is possible or not but in brief, here is what I'm trying to achieve:
1. When a user requests to view a document, they click on a link (could be other) which contains an encrypted query string containing data required to retrieve the relevant document, i.e. [URL]
2. I want to ensure that if after x minutes the user goes back to their history and selects the link again or re-types the same url as above, it will not request the document and will redirect them to a page letting them know that the requested document "link" is no longer valid.
I don't want to rely on cookies or sessions, so thought that maybe there would be a way to add a datetime token at the end of the existing url but this needs to be done at run-time as the url is already predefined when the link is created, so I'm not sure how can I do this?
Ideally, I'd like something like this [URL] where the token would contain the date & time when the link was clicked.
Once re-requested, I would decrypt the token and validate it against the server time and if it was over the x minutes defined, it would redirect me to the "link is no longer valid" page.
View 2 Replies