Thread: secure cookie
Created on: 07/17/09 06:01 AM Replies: 14
JanosGN


Joined: 07/17/09
Posts: 7
secure cookie
07/17/09 6:01 AM

Hi,

I am using ServletExec 4.1.
I would like to flag the session cookie as secure.
What is the proper way of doing it?

The ServletExec Administration setting 'Servlets/session tracking, Cookie Secure: true' has no effect on the JSESSIONID session cookie for the Web Application listed in 'Web Applications/manage': 'Configure Web Application for Virtual Server: default'

Thanks,

J
mattm


Joined: 10/10/07
Posts: 266
RE: secure cookie
07/17/09 10:53 AM

Well... SE 4.1 is no longer supported:
http://www.newatlanta.com/c/support/servletexec/self_help/faq/detail?faqId=222

However... please apply the most currently available SE 4.1.1 update to your SE 4.1 installation:

ftp://ftp.newatlanta.com/public/servletexec/4_1_1/hotfixes/

and then try again.

There were some bugs related to session tracking that were fixed way back then. It is possible you are running into one of those already-fixed bugs.

The hotfix ZIP File contains a ReleaseNotes.txt file that gives simple installation steps.


I hope that helps.

Matt McGinty
Software Engineer
NAC
Matt McGinty, New Atlanta Technical Support
JanosGN


Joined: 07/17/09
Posts: 7
RE: secure cookie
07/17/09 11:58 AM

The versions exactly are 4.1.1p23 and 4.1.1.29, Solaris 8/10, respectively, sorry for not writing it earlier. (The URL quoted does not refer to more recent patches).

Could it be that an extra parameter is to be set somewhere for the Web Application listed in 'Web Applications/manage': 'Configure Web Application for Virtual Server: default'?

Otherwise, this setting makes secure the session cookie sesessionid for path=/, it is working.
('Servlets/session tracking, Cookie Secure: true').

Could it be that the same effect should be achieved, maybe with a hidden web.xml option?
mattm


Joined: 10/10/07
Posts: 266
RE: secure cookie
07/17/09 2:12 PM

Janos,

I see that you have also sent this issue to support@servletexec.com.
Only there you provided a critical detail:

----
it makes secure only the sesessionid with path=/
----

I think I now understand what is going on...
You have set the cookie secure setting for the "Legacy" context.
That will have no bearing on the context of your specific webapplication(s).

If you wish to control this for a given webapp, then you must turn on the "ServletExec Extensions" setting for your given webapp.
After you do that, click on the "web.xml" link for your webapp (which opens the admin UI for your specific webapp in a new browser window).
On the admin UI for your app you'll see a "session tracking" page.

Normally that page only lets you change the session timeout setting. But when "ServletExec Extensions" is enabled for that app you will see many more settings that can be configured... one of which is the "cookie secure" setting.

Configure that and you'll be doing it for your own app (not for the Legacy context).
Matt McGinty, New Atlanta Technical Support
JanosGN


Joined: 07/17/09
Posts: 7
RE: secure cookie
07/20/09 11:08 AM

Hi Matt, and thank you for the detailed answers.

Unfortunately, when clicking on the web.xml, I get a 404 (not found) error.
http://dev-3:8777/ib/admin
Any idea? (No error is logged.)

Alternatively, what .properties and web.xml settings are equivalent to the admin UI of this specific webapp? Any 4.1.1 example?
(BTW, in the meantime I installed v5.0 on a Windows box to see how the settings are displayed and what web.xml is generated. Adding these extra lines to the old 4.11 web.xml did not result in any change.)

Thanks a lot.
mattm


Joined: 10/10/07
Posts: 266
RE: secure cookie
07/20/09 11:41 AM

Please use a plain text editor to view the contents of your StartServletExec.bat file.
Look at the very end of that file and tell me the number that comes after -port.

Matt
Matt McGinty, New Atlanta Technical Support
JanosGN


Joined: 07/17/09
Posts: 7
RE: secure cookie
07/29/09 8:00 AM

Hi Matt,

No, the reason for the 404 (not found) error was a missing line from obj.conf (SunONE!):
NameTrans fn="assign-name" from="/ib/*" name="XXX"

Now it is resolved: http://dev-3:8777/ib/admin comes up, Application/session tracking is there, but 'Cookie Secure' setting is still not there (it is shown only for legacy Servlets).

Only these are shown, when 'ServletExec Extensions' is Enabled:

Session Tracking:
URL Rewriting:
Protocol Switch Rewriting:
Cookies:
Persistence:
Maximum Residents:
Maximum Sessions:
Swap Directory:
Swap Interval:
Invalidation Interval:
Session Timeout:

(If 'ServletExec Extensions' is Disabled, only one option is shown:
Session Timeout:)

Why is the option 'Cookie Secure' still not there?
(Alternatively, is it possible to edit web.xml etc. directly?)

Thanks a lot for your help and support,

Janos
mattm


Joined: 10/10/07
Posts: 266
RE: secure cookie
07/29/09 10:48 AM

Excellent sleuthing!

I do recall (from years ago) that older versions of SE (must also include 4.1.x) did not offer the ability to set the following session cookie settings on a per-webapp basis:

Cookie Name   
Cookie Comment   
Cookie Domain   
Cookie Maximum Age   
Cookie Path    
Cookie Secure

But I also know that I added those in a later version of SE.
The trouble is I can't recall precisely which version and my searching in various patch, hotfix, and final release ReleaseNotes.txt turned up no mention of these being added.

As I recall no customers reported needing those settings... I simply noticed they were missing and added them at some point.

I just tested with SE 6.0 and I can confirm that it does support these additional settings.

I'm fairly certain that SE 5.0.0.13 does also.

I recommend that you apply the latest SE 4.2 hotfix (both native and JAR components) to your SE 4.1.x installations.
This will get them as updated as possible without having to reinstall anything or purchase new licenses (a good idea to do that regardless).

Hotfixes are cumulative.
It is possible that support for those additional session settings was back-ported to an SE 4.2 hotfix along the way.

You can get it from here:

ftp://ftp.newatlanta.com/public/servletexec/4_2/hotfixes/

specifically:
ftp://ftp.newatlanta.com/public/servletexec/4_2/hotfixes/ServletExec_AS_42_Windows_Hotfix_May_2006.zip

The ReleaseNotes.txt inside the ZIP file gives simple installation steps to follow.

I don't believe that editing web.xml directly would work since a version of SE that does not present those settings as choices on the webapp admin page would also see such entries in web.xml as being invalid and then choke on them... likely refusing to deploy the app due to web.xml errors.

Matt
Matt McGinty, New Atlanta Technical Support
JanosGN


Joined: 07/17/09
Posts: 7
RE: secure cookie
07/30/09 8:41 AM

Matt, thanks for the essentials!

I applied the 4.2 hotfix (Windows only) for my 4.1 Windows instance. It is working, "New Atlanta ServletExec 4.2.0.26" is displayed. However, sometimes it prompts this exception, and the whole settings/deployed webapps can disappear after it:
java.lang.AbstractMethodError: org.apache.crimson.tree.XmlDocument.getXmlStandalone()Z

Should the crimson.jar/jaxp.jar/other jar libraries be updated as well (they are not in this fixpack)?

As for the missing Cookie* section, it is still not there, indifferent to the state of the "Cookies:" flag.

Now I am checking the Unix version with Solaris 8 OS.

Thanks,
Janos
mattm


Joined: 10/10/07
Posts: 266
RE: secure cookie
07/30/09 10:26 AM

Oh I forgot about the XML changes made between SE 4.1 and SE 4.2.
Sorry about that.
The SE 4.2 installer installs different XML parsing JARs than does the SE 4.1 installer.

ServletExec 4.2 does not use crimson.jar and does not rely on any crimson-specific calls. So you might try simply renaming the crimson.jar that's in SE's main lib folder to something else such as crimson.jar_SE4.1.x_only, then cycling SE.

If that does not get you past that issue then I would *not* recommend further effort to manually turn your SE 4.1.x into SE 4.2.

In that case the best way to get past that XML parser issue would be to uninstall SE 4.1 and install SE 4.2.

However, as you've found SE 4.2 (even the latest update) does not give you the fine-grained session cookie settings that you want.

So for that I'd recommend that you either try SE 5.x AS, or use SE 6.x AS (SE 6 definitely gives you the per-webapp session settings that you are seeking).

Matt
Matt McGinty, New Atlanta Technical Support
JanosGN


Joined: 07/17/09
Posts: 7
RE: secure cookie
07/30/09 11:05 AM

Renaming crimson.jar made SE stable, no more exceptions.

However, enabling the "Cookies:" option still leaves the Cookie* section empty.

Questions:
1: If I try the Solaris version, will it behave the same?
2: If web.xml is changed, can the secure cookie option be achieved with 4.2?
3: Is it possible to get a new fixpack with this fix merged from SE5?
4: If a fixpack is not available, which Java class is responsible for it? (A patch might be made by myself with JAD).

Thanks for your help and support,
Janos
mattm


Joined: 10/10/07
Posts: 266
RE: secure cookie
07/30/09 11:18 AM

1. Yes. The OS does not matter.
2. No
3. Unfortunately no.
4. If by "JAD" you are describing some sort of Java Decompiler I must tell you that that would be completely illegal.

If you really need that feature, then I recommend you purchase a license for ServletExec 6.0 AS.

:-)

Matt
Matt McGinty, New Atlanta Technical Support
JanosGN


Joined: 07/17/09
Posts: 7
RE: secure cookie
07/31/09 3:38 AM

Hi Matt,

Please try to provide a workaround or a fixpack for the Secure Cookie issue, since it should not require SE6 to work. SE4.1.x should be enough for this option.

User Guide clearly and explicitly says/shows (ServletExec_41_User_Guide.pdf):
"
3.4.4.2 ServletExec Extensions
Enabling ServletExec Extensions provides several additional session tracking options.
See Figure 18 for a complete listing.
"

Figure 18 on page 27 shows the 'Cookie Secure:' option in the screenshot.

I am looking forward to your positive answer.

Best regards,
Janos
mattm


Joined: 10/10/07
Posts: 266
RE: secure cookie
07/31/09 9:12 AM

Janos,

There is no workaround or fixpack that I can give you. While you have indeed found a bug in ServletExec 4.x, please understand that we do have an EOL policy:

http://www.newatlanta.com/c/support/servletexec/self_help/faq/detail?faqId=222

You are correct that it should not require SE6 to work... as I believe that issue was fixed in SE 5.

:-)

Matt
Matt McGinty, New Atlanta Technical Support
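
The behaviour diagnosed in this thread (the admin setting secured only the Legacy context's `sesessionid` cookie with path=/, while the web application's `JSESSIONID` stayed unflagged) can be confirmed from the response headers rather than from the admin UI. The following is an added example, not part of the original thread and not New Atlanta code; the header values are constructed, and the `/ib` cookie path is an assumption based on the application URL quoted above.

```python
# Added example: audit Set-Cookie headers for session cookies lacking Secure.
# Cookie names come from the thread; all header values are constructed.
SESSION_COOKIE_NAMES = {"jsessionid", "sesessionid"}

SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sesessionid=CONSTRUCTED0001; Path=/; Secure
Set-Cookie: JSESSIONID=CONSTRUCTED0002; Path=/ib
Set-Cookie: theme=dark; Path=/
"""

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs) with lowercased attribute keys."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs

def audit_session_cookies(raw_headers):
    """Return one finding per session cookie: name, path, and whether Secure is set."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line and unrelated headers
        name, attrs = parse_set_cookie(value)
        if name.lower() in SESSION_COOKIE_NAMES:
            findings.append({
                "name": name,
                "path": attrs.get("path", ""),
                "secure": "secure" in attrs,
            })
    return findings

def insecure_session_cookies(raw_headers):
    """Names of session cookies the browser would also send over plain HTTP."""
    return [f["name"] for f in audit_session_cookies(raw_headers) if not f["secure"]]

if __name__ == "__main__":
    for f in audit_session_cookies(SAMPLE_HEADERS):
        print(f"{f['name']:12} path={f['path'] or '(default)':10} secure={f['secure']}")
```

Feeding it the headers of a login response captured over HTTPS shows, per cookie path, which context's session cookie actually received the flag.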