
  • Losing session value when login page is in another domain

    Hi

    I am using Spring 3 and Hibernate (without annotations), which works fine when I do not use the login authentication.
    For more privileges you have to log in first. The login is in another domain.
    After a successful login, the program redirects the page to the original page on the Spring web application.
    The problem is that after a successful login, the page loses the session value that it had before going to the other domain.

    Thanks.

    Mk

  • #2
    The session data is associated with the JSESSIONID cookie which, for security reasons, will not be shared across domains. If you want to learn more about why, search for web browser same-origin policy. To support something like this, you will need to use some sort of Single Sign On protocol like OpenID, CAS, SAML, etc.



    • #3
      No, I do not want the session value in another domain.
      I am losing the session value on the original page; I want to get the session value that the program had before.
      Last edited by mkohan; Mar 1st, 2012, 04:43 PM.



      • #4
        Please describe your scenario with a concrete example and include the URLs.



        • #5
          The URL runs on http://112.13.8.00/Spring/list.htm?Id=25
          I am using a preHandle interceptor for every request to check whether the person is logged in or not:

          public boolean preHandle(HttpServletRequest request,
                  HttpServletResponse response, Object handler) throws Exception {
              // Declarations are not shown in the post; assumed here so the method compiles
              HttpSession session = request.getSession(true);
              String ticket = request.getParameter("ticket");
              String Id;
              // Take Id from the request if present, otherwise fall back to the session
              if (request.getParameter("Id") == null) {
                  Id = (String) session.getAttribute("Id");
              } else {
                  Id = request.getParameter("Id");
              }

              System.err.println("Id=" + Id);

              // checking login ticket
              if (ticket != null && !ticket.equals("")) {
                  // for checking login ticket
              }
              return true;
          }

          and I have a MultiActionController:

          public ModelAndView list(HttpServletRequest request,
                  HttpServletResponse response) throws Exception {
              ModelMap modelMap = new ModelMap();
              HttpSession session = request.getSession(true);
              String Id; // declaration not shown in the post; assumed
              if (request.getParameter("Id") == null) {
                  Id = (String) session.getAttribute("Id");
              } else {
                  Id = request.getParameter("Id");
              }

              .....
          }

          The program works without problem except when using login.
          For login there is a link on each web page that sends the page to another domain http://23.10.56.00/login?service=myservice
          On that page the user enters a user name and password. After a successful login, that domain sends back (redirects) to the original page, but without the Id parameter value (I need to get the Id value from the session) and with a ticket:
          http://112.13.8.00/Spring/list.htm?ticket=hu43eYTRE
          So the new request calls preHandle:

          if (request.getParameter("Id") == null) {
              Id = (String) session.getAttribute("Id");
          }

          but session.getAttribute("Id") does not find Id.
          The session should have the Id value from previous requests.

          Thanks
          Mk



          • #6
            First, I would be very cautious about implementing your own protocol, as security is a complicated thing. I highly recommend using a standard. In fact, what you are describing sounds vaguely like CAS (you might check it out).

            I still don't think I understand exactly what you are trying to accomplish. Below is what I think I got...

            1) User logs into domainA
            2) After login, domainA redirects to domainB with a ticket
            3) domainB does not see id as a request parameter (since it was not passed to it) so it tries to get the id from its session? How did id get in domainB's session? What are you doing with the ticket?



            • #7
              That's correct.

              To authenticate the ticket value I use an XML-RPC call, which I do not have a problem with.
              My problem is: why does domainB not find the Id value from its previous requests' session?



              • #8
                You didn't answer my questions. The two different domains do not share sessions, so I do not know why you would expect domainB to have anything in session. What are you doing with the ticket?



                • #9
                  I don't want to get the session value from a different domain. I want to get the session value from DomainB, which had the id value when the first request took place. Here is the order of actions:

                  1) Web starts with DomainB
                  save to the session in preHandle: session.setAttribute("Id", request.getParameter("Id"));
                  on the web page there is a link which goes to the login page (domainA)
                  2) User logs into domainA
                  3) After login, domainA redirects to domainB with a ticket
                  4) domainB does not see id as a request parameter (since it was not passed to it) so it tries to get the id from its session,
                  and gets an error that it did not find Id.

                  As I mentioned, I do not have a problem with the ticket; I use many classes which use XML-RPC to check the ticket value.



                  • #10
                    Are you switching between http and https? A cookie marked as secure will not be submitted over http. So if domainB creates a JSESSIONID cookie over https and domainA redirects to domainB over http, the cookie will not be seen.

                    Have you validated that the JSESSIONID cookie is still present in the browser and matches the original session? What are the values and paths for the JSESSIONID cookie for domainB? You might try using Firefox with the Tamper Data plugin to capture your requests/responses. If this does not help, you can post your requests/responses to the forum with the code tag (to make it easier to read).

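
A diagnostic interceptor for the checks suggested in #10, added here as an example and not code from any poster in this thread: it logs, per request, whether the browser returned a JSESSIONID cookie, over which scheme and host, and whether the session still holds Id. The class name SessionTraceInterceptor is an assumption; the servlet and Spring calls are standard API.

```java
import java.util.logging.Logger;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical diagnostic interceptor (the name is an assumption, not from the thread).
// Register it ahead of the login interceptor so it sees every request first.
public class SessionTraceInterceptor extends HandlerInterceptorAdapter {
    private static final Logger LOG = Logger.getLogger(SessionTraceInterceptor.class.getName());

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // Count the JSESSIONID cookies the browser actually sent on this request.
        int cookiesSent = 0;
        Cookie[] cookies = request.getCookies(); // null when no Cookie header was sent
        if (cookies != null) {
            for (Cookie c : cookies) {
                if ("JSESSIONID".equals(c.getName())) cookiesSent++;
            }
        }
        // getSession(false) never creates a session, so tracing cannot mask the problem.
        HttpSession session = request.getSession(false);
        LOG.info(String.format(
            "uri=%s scheme=%s host=%s jsessionidCookies=%d requestedId=%s fromCookie=%b "
                + "fromUrl=%b valid=%b sessionId=%s isNew=%s hasId=%s",
            request.getRequestURI(), request.getScheme(), request.getServerName(), cookiesSent,
            abbreviate(request.getRequestedSessionId()),
            request.isRequestedSessionIdFromCookie(),
            request.isRequestedSessionIdFromURL(),
            request.isRequestedSessionIdValid(),
            session == null ? "none" : abbreviate(session.getId()),
            session == null ? "n/a" : String.valueOf(session.isNew()),
            session == null ? "n/a" : String.valueOf(session.getAttribute("Id") != null)));
        return true; // observe only; never block the request
    }

    // Log only a short prefix: a full session id in a log file is a usable credential.
    private static String abbreviate(String id) {
        if (id == null) return "none";
        return id.length() <= 6 ? "***" : id.substring(0, 6) + "...";
    }
}
```

Compare the line logged for list.htm?Id=25 with the one logged for the redirect carrying the ticket: jsessionidCookies=0 or a different sessionId prefix on the second means the browser did not return the original cookie (scheme, host or path mismatch), while the same prefix with hasId=false means the attribute was never stored in that session.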
