• Post Reply Bookmark Topic Watch Topic
  • New Topic

Session not working on IE with high security  RSS feed

 
sandy Lapoule
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

I have got an application running based on struts.
It's using session to store different things.

It works fine on IE when the security level is intermediate. But when it's higher (like do not accept cookies), it does not create or store the session.

Do you have a solution or a workaround.

Should I pass a sessionId in all my URLs for instance ?

sandy
 
Ben Wood
Ranch Hand
Posts: 342
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Sandy,

This one probably belongs in the Servlet forum, but here goes. Yes, if the browser will not accept cookies you will have to fall back to URL rewriting, passing a jsessionid with each URL. Take a look at encodeURL() in HttpResponse
 
Jessica Sant
Sheriff
Posts: 4313
Android IntelliJ IDE Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
As Ben pointed out, this is a better fit in the Servlets forum. So I'm moving it. Please continue the conversation there.

Thanks!
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can tweak the cookie settings in MSIE to always allow session cookies.

See:
http://www.coderanch.com/t/288508/JSP/java/Session-IE
 
dema rogatkin
Ranch Hand
Posts: 294
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
URL overwriting session support supposes to work with any security settings. Check if struts and your servlet container are friendly for this feature, because it's a pain to add session id in every URL manually.
 
sandy Lapoule
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
thanks for your replies.

Changing IE feature can't work for me : then users of th website think it's buggy because they don't go to the FAQ to identify there technical problem...

> Check if struts and your servlet container are friendly for this feature
How do you check and change it ?
in conf files ?
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
By default, MSIE recognizes session cookies.
If your customer's are altering the settings to tighen up security, you may be able to sway them to explicitly allow session cookies.

Otherwise, you'll need to go with url rewriting.
Originally posted by sandy Lapoule:

> Check if struts and your servlet container are friendly for this feature
How do you check and change it ?
in conf files ?


No, it will involve more than just a configuration change.
Every hyperlink and form action will have to be urlEncoded to include the session id.

see:
http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpServletResponse.html#encodeURL(java.lang.String)

If Struts has tags for building URLs (it's been a while since I've worked with a Struts app) and all of your hyperlinks use them, it may be possible to turn on the feature. Check with the Struts documentation.
You will also have to check all of the form action attributes.
[ November 23, 2005: Message edited by: Ben Souther ]
 
sandy Lapoule
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
and that encodeURL(java.lang.String), where should I call it ?
In my struts action ( at the beginning or end of the action) or on the client side ?

For the client side, I am using velocity so I am not even sure to be able to call anything to rewrite the url...


I just disabled cookie on the context : directly on my first page it's not working since I can't already give it any sessionid in parameter since I don't have any yet. Should I redirect it at the beginning in my CustomRequestProcessor ?

I don't really understand how all that is working ..
[ November 23, 2005: Message edited by: sandy Lapoule ]
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I would dig into the struts documentation and see if there is a mechanism for handling this. Things like this, after all, are why we turn to frameworks in the first place.

If Struts doesn't handle this for you or if your hyperlinks and form action attributes weren't built with whatever Struts offers, then you will need to go through all of your pages and wrap the links with this call.

By the way, we have a Struts forum on this site.
 
sandy Lapoule
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
couls anyone provide me with some sample. I can't find any ...

thanks
 
sandy Lapoule
Greenhorn
Posts: 10
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
ok, for the hyperlink, I found the solution for velocity : I just added the response in the request so that velocity can use it.

> Every hyperlink and form action will have to be urlEncoded to include the session id.
Concerning the form action : what needs to be done exactly ?
 
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!