Sessions and Proxyserver problem

Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Hi,

I have made a web application which uses session values to store user and other kind of data.

I have experienced twice that a client had a proxy server on their network. The first time, I found that a user would sometimes take over the session values from another user, which was a terrible thing to happen. Imagine logging into your home banking account and seeing the transactions from the account of another person. That must never happen.

Then I made a servlet filter on my web application that will not allow the application to use caching:

Furthermore, the client's system administrator disabled caching in the browser settings.

Now another client has a proxy server too. The web application loses its session values from time to time.

What is best practice when you have some clients using proxy servers? Can you do anything in your code to avoid the session problems, or do you have to tell the client not to use caching or anything else?
[ October 27, 2006: Message edited by: Jeppe Fjord ]
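The kind of "no caching" filter Jeppe describes (his own code did not survive in the thread), written out as an added example. This is not his filter; the class name and the exact header set are my choices. It marks each response as private and non-storable for both HTTP/1.1 and HTTP/1.0 caches, which is the header-level answer to a shared proxy handing one user's page to another:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not the one posted in the thread): marks every response it
 * covers as non-cacheable. Map it to the dynamic pages only (e.g. *.jsp or the
 * servlet paths); images and stylesheets should keep caching.
 */
public class NoCacheFilter implements Filter {

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            setNoCacheHeaders((HttpServletResponse) res);
        }
        // Headers are set BEFORE the chain runs: once the JSP writes its first buffer
        // the response is committed and later setHeader() calls are silently ignored.
        chain.doFilter(req, res);
    }

    static void setNoCacheHeaders(HttpServletResponse res) {
        // HTTP/1.1 caches: "private" forbids shared proxies from storing the page at all,
        // "no-store" forbids keeping it on disk, "no-cache, must-revalidate" forces any
        // cache that stores it anyway to go back to the origin before reusing it.
        res.setHeader("Cache-Control", "private, no-store, no-cache, must-revalidate");
        // HTTP/1.0 proxies ignore Cache-Control; they honour Pragma and an already-expired Expires.
        res.setHeader("Pragma", "no-cache");
        res.setDateHeader("Expires", 0L);
    }
}
```

The caveat a practitioner should keep in mind is the one Scott raises later in this thread: some proxies simply ignore these headers, so the headers are necessary but not sufficient on their own.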
D Rog
Ranch Hand

Joined: Feb 07, 2004
Posts: 472

If a proxy server is caching content then you can try:
1. use URL rewriting based session management
2. add random value to every URL accessing servlet


Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Thanks for your answer.

Are there any security drawbacks using URL rewriting based session management?

I expect that it is possible to use a filter doing the URL rewriting based session management?
Scott Johnson
Ranch Hand

Joined: Aug 24, 2005
Posts: 518
I've run into this same issue.

I tried the same headers that you mention above and that worked for most users, but there were a few proxy/cache servers that still cached the content.

Our final solution was to append a timestamp parameter (using the output of System.currentTimeMillis()) to every url. You can do it with a servlet filter.

The timestamp parameter is never used by your application but it will cause each url to be different enough that the proxy will believe the page content is different and will not reuse any cached content.
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Okay I see.

Maybe you can help me with some of my questions to let me get a better understanding of the issue...

Why didn't you choose to use the URL rewriting session management?

Is it possible to generate a totally unique session ID using the following code:

String uid = new java.rmi.server.UID().toString();
return java.net.URLEncoder.encode( uid );

I am asking because I just ran into this issue and want a good solution.
Scott Johnson
Ranch Hand

Joined: Aug 24, 2005
Posts: 518

Why didn't you choose to use the URL rewriting session management?

Is it possible to generate a totally unique session ID using the following code:

String uid = new java.rmi.server.UID().toString();
return java.net.URLEncoder.encode( uid );


For my needs that would have been overkill. I simply needed a value that changed over time.

UID() returns a number guaranteed to be unique over time. A timestamp is not guaranteed to be unique. (Many pages could be generated within 1 millisecond and each would have the same timestamp in the urls.)

I haven't tried it, but I'm guessing that generating an id using UID().toString() would be slightly more CPU-intensive.
[ October 30, 2006: Message edited by: Scott Johnson ]
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Thanks for your answer.

Okay, can you help me, as you have already been through this... I have made the filter, but what do I need to do to ensure that the proxy server will cache the new URL where I have added the timestamp parameter...

Please take a look at my code below:



I hope you can help me finishing the last code?!

Thanks in advance.
[ October 30, 2006: Message edited by: Jeppe Fjord ]
Scott Johnson
Ranch Hand

Joined: Aug 24, 2005
Posts: 518
The code above grabs the URL of the request being processed. What you need to do is rewrite the URLs in the response.

To do this you need to get the response before it's written to the client, search for urls and modify them.

Here's an example of how to do that. The example does url encoding. You'd need to modify the code to append your timestamp instead.
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Thank you. I have tried to run the example at:
http://weblogs.java.net/blog/jfalkner/archive/2006/03/blarg_22_a_filt.html

- but unfortunately all images on the website are "crushed out". Something is wrong with the output stream. I have notified the author of the problem.
Scott Johnson
Ranch Hand

Joined: Aug 24, 2005
Posts: 518
all images on the website is "crushed out"


What do you mean exactly?

Are you applying the filter to images served by your site? You shouldn't do that. This filter should apply only to responses containing html -- content with urls.

Or is the problem that the filter is mangling the image urls?
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270

Are you applying the filter to images served by your site? You shouldn't do that. This filter should apply only to responses containing html -- content with urls.

Or is the problem that the filter is mangling the image urls?

Yes, the pictures have a low resolution (are blurry)...
Another guy from this forum had the same problem with the filter and wrote:


I noticed that when i have a JSP page with jsp:include calls and images, the filter gets called for every include and image! Why is this? How do I stop this and make it called once for the entire page?

See:
http://www.coderanch.com/t/363552/Servlets/java/Why-Filter-called-every-image


My question is then the same. Then how do I apply the filter only to responses containing html?
[ November 01, 2006: Message edited by: Jeppe Fjord ]
sven studde
Ranch Hand

Joined: Sep 26, 2006
Posts: 148
For my needs that would have been overkill. I simply needed a value that changed over time.

UID() returns a number guaranteed to be unique over time. A timestamp is not guaranteed to be unique. (Many pages could be generated within 1 millisecond and each would have the same timestamp in the urls.)

I haven't tried it, but I'm guessing that generating an id using UID().toString() would be slightly more CPU-intensive.

I read your post several times, and it seems to be an argument against using a timestamp, but you chose to use a timestamp. Why?
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Hi,

I read your post several times, and it seems to be an argument against using a timestamp, but you chose to use a timestamp. Why?

Actually, I will use the unique UID.

But my problem now is to make the URL rewriting filter that does rewrite the URL.

I guess it's simple to change the timestamp to a unique UID once the URL rewriting filter works.
[ November 01, 2006: Message edited by: Jeppe Fjord ]
Scott Johnson
Ranch Hand

Joined: Aug 24, 2005
Posts: 518
Another guy from this forum had the same problem with the filter


Yes, and Bear gave him the right answer: change the filter mapping.
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Hi,

My mistake. I already did that and the example code works well.


But honestly I am stuck now. I tried to carefully read through the example code and found out that the code runs through every single line, parsing all text and looking for links to encode (Pattern p = Pattern.compile(" href=\"[^\"]*|action=\"[^\"]*"), right?!

I don't see what to do now.
Scott Johnson
Ranch Hand

Joined: Aug 24, 2005
Posts: 518
You need to modify the EncodeSessionInURLResponseStream.close() method.

The example takes the html from the ByteArrayOutputStream and uses a regex to search for urls.

When URLs are found, everything up to the URL is appended to an output string. Then the next characters (the URL) are extracted, encoded and appended to the output string. Then the loop repeats for the next match.

You'll need to replace the url encoding with code to append the timestamp/uid.

If you intend to use this in a production system, I would also replace the newText String with a StringBuilder object. Appending to a StringBuilder object will be much more efficient than appending to a String.

You could be even more memory efficient if you eliminated the String/StringBuilder completely and wrote the bytes directly to the OutputStream. Unless you are going to set the content length header (which he isn't) there really isn't a need to buffer the output.
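Scott's description of the rewrite loop, carried through as a complete filter. This is an added example, not the thread's code and not the filter from the linked blog post: it buffers the HTML response, appends a fresh java.rmi.server.UID (the value Jeppe settled on) as a hypothetical `nocache` parameter to every href/action URL on this site, and writes the result with a StringBuilder as Scott recommends. The class names, the parameter name and the Servlet 2.x API are my assumptions:

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.rmi.server.UID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Illustrative cache-busting filter (not the thread's code). Buffers an HTML
 * response, appends a unique "nocache" parameter to each local href/action URL,
 * then writes the rewritten page. Servlet 2.x API: on Servlet 3.1+ the anonymous
 * ServletOutputStream below also needs isReady() and setWriteListener().
 */
public class CacheBustingFilter implements Filter {

    // Same attributes as the thread's regex; groups split path / ?query / #fragment.
    private static final Pattern URL_ATTR =
        Pattern.compile("\\b(href|action)=\"([^\"#?]*)(\\?[^\"#]*)?(#[^\"]*)?\"");
    static final String PARAM = "nocache";   // hypothetical name; the application never reads it

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        BufferingResponse buffered = new BufferingResponse(http);
        chain.doFilter(req, buffered);

        byte[] body = buffered.toBytes();
        String type = buffered.getContentType();
        // Only HTML carries URLs to rewrite; anything else (images, CSS) passes through
        // unchanged. The filter mapping should exclude those paths anyway, as Bear advised.
        if (type != null && type.toLowerCase().startsWith("text/html")) {
            String cs = buffered.getCharacterEncoding();
            body = rewrite(new String(body, cs), newToken()).getBytes(cs);
        }
        http.setContentLength(body.length);
        http.getOutputStream().write(body);
    }

    /** UID is unique over time and across JVMs; URL-encode it since it contains ':' and '-'. */
    static String newToken() throws IOException {
        return URLEncoder.encode(new UID().toString(), "UTF-8");
    }

    /** Appends PARAM=token to each local href/action URL, keeping any existing query and fragment. */
    static String rewrite(String html, String token) {
        Matcher m = URL_ATTR.matcher(html);
        StringBuilder out = new StringBuilder(html.length() + 512);
        int last = 0;
        while (m.find()) {
            out.append(html, last, m.start());            // text before the attribute, unchanged
            String path = m.group(2), query = m.group(3), frag = m.group(4);
            out.append(m.group(1)).append("=\"").append(path);
            if (isLocal(path)) {                          // "&amp;" is the correct separator in HTML attributes
                out.append(query == null ? "?" : query + "&amp;").append(PARAM).append('=').append(token);
            } else if (query != null) {
                out.append(query);
            }
            if (frag != null) out.append(frag);
            out.append('"');
            last = m.end();
        }
        out.append(html, last, html.length());            // tail after the last match
        return out.toString();
    }

    /** Off-site links and pseudo-URLs are not served through our pages; leave them alone. */
    private static boolean isLocal(String path) {
        String p = path.toLowerCase();
        return p.length() > 0 && !p.startsWith("http://") && !p.startsWith("https://")
            && !p.startsWith("//") && !p.startsWith("javascript:") && !p.startsWith("mailto:");
    }

    /** Captures whatever the JSP/servlet writes so it can be edited before reaching the client. */
    private static class BufferingResponse extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream(8192);
        private ServletOutputStream stream;
        private PrintWriter writer;

        BufferingResponse(HttpServletResponse r) { super(r); }

        public ServletOutputStream getOutputStream() {
            if (stream == null) {
                stream = new ServletOutputStream() { public void write(int b) { buf.write(b); } };
            }
            return stream;
        }

        public PrintWriter getWriter() throws IOException {
            if (writer == null) writer = new PrintWriter(new OutputStreamWriter(buf, getCharacterEncoding()));
            return writer;
        }

        public void setContentLength(int len) {}   // recomputed after rewriting
        public void flushBuffer() {}               // keep the real response uncommitted until we write

        byte[] toBytes() {
            if (writer != null) writer.flush();
            return buf.toByteArray();
        }
    }
}
```

Two points worth checking before deploying something like this: the filter mapping in web.xml should cover only the HTML-producing paths (for example `*.jsp` or the servlet paths, not `/*`), which is exactly the fix Bear gave in the thread Jeppe linked, and because the pattern also matches `<link href="...">`, stylesheet URLs get the parameter too and will be re-fetched on every page; narrow the regex if that is unwanted. The token is not a session identifier and carries no authority, so unlike URL-rewritten session IDs it is harmless if it ends up in a log or a Referer header.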
 