
General session questions...


  • Subject: General session questions...
  • From: Ramsey Gurley <email@hidden>
  • Date: Tue, 07 Oct 2008 17:12:17 -0400

Hi everyone,

Let me begin by saying, I've read this page:

http://wiki.objectstyle.org/confluence/display/WO/Web+Applications-Development-WO+Session

Although I found it quite informative, I still have several questions regarding the why/how/when about session creation. I store my sessions in cookies, so I would assume that whenever I load a page, WO would check for that cookie and attempt to resume activity with the proper session if one exists. That really does not seem to be the case... at least in development mode.

If I bookmark the URL for the app when it first loads,

http://host:port/cgi-bin/WebObjects/app.woa

I get a new session anytime I load the page using that bookmark. It seems that would leave me exposed to a very low tech DOS attack. I went up to about 330 sessions this way on my G4 laptop. I didn't notice any drastic changes in memory or CPU usage in activity monitor, so those orphaned sessions don't seem to be an alarming problem. But conceivably, someone could just sit there clicking a bookmark over and over and over until my server dragged to a halt with thousands of sessions in memory. If I load from browser history, then the session is not generated. Naturally, if I close the window, reload it with the bookmark and then go into browser history before that bookmark, I then get "backtracked too far" error pages. That doesn't seem very elegant... and it's a potentially huge waste of resources, no? I'm using component actions, but I've experienced similar behavior using direct actions as well. After checking the list archives, I've tried adding the following code to a project

// Lives in the WOApplication subclass (Application); Session is the app's WOSession subclass.
import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOSession;
import com.webobjects.foundation.NSLog;

public WOSession createSessionForRequest(WORequest aRequest) {
    NSLog.out.appendln("createSessionForRequest: aRequest=" + aRequest);
    WOSession aSession = null;
    WOContext aContext = new WOContext(aRequest);
    NSLog.out.appendln("createSessionForRequest: aContext=" + aContext);
    // Session ID carried by the session cookie, if the browser sent one
    String aSessionID = aRequest.cookieValueForKey("wosid");
    NSLog.out.appendln("createSessionForRequest: aSessionID=" + aSessionID);

    if ((aContext != null) && (aSessionID != null) && (!aSessionID.equals(""))) {
        NSLog.out.appendln("Attempting to restore session: " + aSessionID);
        aSession = (Session) restoreSessionWithID(aSessionID, aContext);
    }

    if (aSession == null) {
        NSLog.out.appendln("Session does not exist");
        // TODO auto-login from cookies
        aSession = (Session) super.createSessionForRequest(aRequest);
        // WeakReference aReference = new WeakReference(aSession);
    } else {
        NSLog.out.appendln("Session restored: " + aSession.sessionID());
    }

    return aSession;
}

And that does solve the initial problem, but I've noticed I also have numerous zombie sessions that *never* die. I have not tried the project without this bit of code to see if it is the cause of the zombie problem... Perhaps I should be posting a SessionDidRestoreNotification in the code above?

But I'm getting off track there... I'm really left wondering how everyone else addresses this problem, if at all? Are you guys implementing your own WOSessionStore? Is there some really cool instant fix in Project Wonder that I'm overlooking? (^_^)

Furthermore, since I'm storing sessions in cookies... sessions do not seem to fail to generate/automatically expire if the browser does not accept cookies. Loading a page with cookies disabled just gives me a session timeout page. I guess what I'm asking here is: Where would be a good place to check to see if cookies are disabled, warn the user that they need to change that, and terminate the currently useless session?

Finally, I also have questions about how sessions are handled from a security standpoint. How do you go about setting a secure session cookie? Is there an easy hook for that? I mean, there doesn't seem to be any point in having a secure login or secure anything else if the session cookie isn't secure to begin with.

Any and all insight to these questions is greatly appreciated :-)

Thanks everyone!

Ramsey
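The following is an added example, not the poster's code or anything from WebObjects itself: a defender's variant of the createSessionForRequest override from the post that logs a climb in active sessions (the bookmark-clicking case) and shortens the life of sessions nobody has logged into. It assumes the WebObjects 5.x public API; the threshold and timeout values are made up for illustration.

```java
import com.webobjects.appserver.WOApplication;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOSession;
import com.webobjects.foundation.NSLog;

public class Application extends WOApplication {
    // Both limits are assumed values for illustration, not WebObjects defaults.
    private static final int SESSION_WARN_THRESHOLD = 500;
    private static final double UNAUTHENTICATED_TIMEOUT_SECONDS = 120.0;

    public WOSession createSessionForRequest(WORequest aRequest) {
        // Adaptor-supplied client address; null when running without the adaptor.
        String remote = aRequest.headerForKey("x-webobjects-remote-addr");
        int active = activeSessionsCount();

        // Detection: a steady climb here from one remote address is the
        // "bookmark clicked over and over" pattern; log it before memory shows it.
        if (active >= SESSION_WARN_THRESHOLD) {
            NSLog.err.appendln("session count " + active + " at or above threshold; "
                    + "new session requested by " + remote);
        }

        WOSession aSession = super.createSessionForRequest(aRequest);
        // Mitigation: a session nobody has logged into only needs to survive long
        // enough to reach the login page. Give it a short timeout here and raise
        // it (setTimeOut on the session) once the user actually authenticates.
        aSession.setTimeOut(UNAUTHENTICATED_TIMEOUT_SECONDS);
        NSLog.debug.appendln("created session " + aSession.sessionID()
                + " for " + remote + " (active=" + active + ")");
        return aSession;
    }
}
```

Orphaned sessions from repeated bookmark loads then expire within the short timeout instead of lingering for the full default, and the log line gives something to alert on.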
