Any ideas till when the response variables that are sent through siteminder are present for use? Is it till the user session terminates? Or is it also present in any cache too?
All response attributes are cached on the web agent. There are two conditions:
The cache duration for each attribute is set on the WAM UI response attribute page. A value of 0 means that the attribute should not be cachec at all.
The response attribute cache is only valid until the user session is cached on the agent. If the agent has to remove the user's session cache entry the cached response attributes are also deleted.
Effectively for a user session that has not logged out, the web agent will keep the attributes cached until the two conditions are met.
On logout the web agent that processes the logout URL deletes the user session data from cache and informs the policy server. If you are not processing the logout through all the applications that the user logged onto the cache will remain on the agents that did not received the logout request for that user session. In this case, the attributes will continue to be in the web agent cache until the agent deletes the entry.
Please note that unless the SMSESSION is produced it is impossible for the agent to retrieve any data from the cache.
I hope this helps.
They are present as long as the SMSESSION is still valid. IIRC, the Web Agent will cache response values for a period of time but they will only be retrieved from cache and used if the SMSESSION is valid.
Related
I have a question about Sessions and Cookies on Node regarding where they are stored and how they work.
To begin with, I understand the following to be true:
With a cookie, it is possible to specify how long it will store your data;
A session saves data while the browser is open;
Cookies are on the client side;
Session is on server side;
Then the following questions arise:
How does the browser and/or the server know that the user has already
logged in and does not need to log in again?
If the Session stays inside a cookie what's the difference?
Where are cookies stored? In the web browser?
I use the (Blackberry?) passport (browser?) but it does everything by itself. I want to better understand how it works behind the scenes.
My affirmations can be wrong. You can correct me, but please explain to me.
Regarding what you understand to be true:
Yes, when setting a cookie, you can specify how long it will persist. In the article HTTP Cookies in Node.js, see the section entitled
"Adding Cookie with expiration Time".
Yes, data can be stored in a
session if it is explicitly placed there by application code. Your server software may also use it to store other information. Here
is a nice short YouTube video on node.js sessions.
Cookies are stored in a file on your computer which is managed by your web
browser, so again, correct. Here's a nice article that explains in more detail: Cookies - Information that websites store on your computer.
As to your other questions:
How does the browser and/or the server know that the user has already
logged in and does not need to log in again?
It generally knows this by storing a cookie in your browser whose value is some sort of session ID that acts as an authentication token. When you are successfully authenticated, it will store a cookie and send this cookie's value as an HTTP header or as part of the URL string, etc. each time you make a request to the server. This token is stored on the server with some sort of expiration time, usually something like 15-60 minutes. The expiration timer is reset to zero with each successful request. If session timeout is 30 minutes for example, the token will be invalid after no request is made within 30 minutes. Therefore, if you walk away from your computer for an hour and try to access another page, you will likely be told you need to log in again.
If the Session stays inside a cookie what's the difference?
As I stated in the answer to the previous question, an authentication token is generally stored as a cookie and sent with each request. It's good to use over and over until the session times out.
So, the difference is: A session is stored on the server. A cookie is stored as a file on your computer by your browser. A session cookie is stored on your computer which is used by the server to track individual user sessions.
Where are cookies stored? In the web browser?
Yes, as stated above, cookies are stored in a file on your computer which is managed by your web browser. See the article I linked to above for more detail.
First off, some general facts.
A cookie is stored in the browser and then sent back to the target server with every request to that server.
A cookie can either contain actual state data (such as backgroundColor=blue) or it can just contain a token that only means something to the server.
Whoever sets a cookie decides how long they want it to last before it "expires". If the server sets the cookie (as cookies can also be set from within Javascript in the web page), then the server decides how long they want the cookie to last.
A server session consists of the server creating a unique token and putting that in a cookie that it sets for that browser. In parallel, it also creates a session object that is stored on the server and it creates a means of associating the token with a particular session object such that when a request comes in and it has a particular token in it, the server can find the corresponding session object.
Note, sessions don't have to use cookies. They can also put a session id in the URL itself and that is occasionally used, but isn't very popular for a variety of reasons.
How does browse and / or server know that the user has already logged in and does not need to log in again?
A server can consider a browser to be already logged in if it finds an appropriate cookie in the incoming request and if it finds an associated session object in the server-side session store and if that session object is both logged in and not expired.
If the Session stays inside the cookie why is this difference?
Usually, when using server-side sessions, all that's in the cookie is a unique token - not any of the actual session data.
Where is the cookie stored? In our browser?
Yes, it's stored on your hard drive by the browser and then sent as an http header along with every request to the server that the cookie is associated with.
I have kind of a strange problem. I have build a web application in Lucee. You need to login to use web application. It has happened, at least twice, that a login session has been transferred to an other user. To clarify what happen:
User 1 is logged in the application, the session is active
User 2 goes to the web application and is automatically logged in and sees "welcome to the application user 1".
As mentioned above this has happened at least twice since the application is live, so it sounds like an incident. Security wise this is a big problem because user 1 is an administrator and user 2 has a basic access profile.
My question: does anyone recognize this issue and can someone give my some advice how to troubleshoot this problem.
Thanks
If you are using session variables, this could happen with data being assigned to the incorrect scope in a CFC or with objects being stored incorrectly in the application scope or even a mash-up of both.
Make sure that your CFC functions are using the function local scope:
var x = "" or local.x = ""
otherwise, x will be in the variables scope of the CFC, where it can be manipulated by any function inside the CFC. This leads to data bleeding from one call to another across sessions. Try using varscoper to scan your code for these issues.
Alternately, you could store an object that contains data for a user into the application scope or inside another object which is stored in the application scope. This could allow User A to access data meant for User B when they are logged in at the same time.
You need to do an audit of your code base for issues like this and go through your user session logic to verify where and how data is stored and accessed.
Like one of the comments suggested could be the users were on the same network and/or they used a proxy such as squid which would cache all incoming content. To check to see if it's a possibility take a look at the headers being sent out by your server and see if there are any headers related to caching (Cache-Control, Expires, Last-Modified, ETag).
if you want to prevent caching you could set the first example header in you application.cfc onRequestStart or to at least prevent user content being cached you could do some variation of the second example.
<cfscript>
//EX 1
header name="cache-control" value="no-cache"; //no caching by anything
//EX 2
if(loggedIn){
header name="cache-control" value="private, max-age=<time_in_seconds>"; //allow browser to cache content
}else{
header name="cache-control" value="public, max-age=<time_in_seconds>"; //allow anything to cache content
}
</cfscript>
Scenario:
We are using azure redis session provider. When page first loads, retrieves the data from external API and stores them in redish session.
The same session data is retrieved via different pages and components with in user session. The question is:
Does application gets the session data only once and stores locally http current context? Or everytime it goes to redis store?
What if we are encrypting the data on set and decrypt the data on Get operations?
Thanks.
Application gets the session-data from Redis everytime you ask for it... for the writing part, you'll have to wait until the dictionary key is unlocked. See https://msdn.microsoft.com/en-us/library/aa479041.aspx#aspnetsessionstate_topic3 assuming you are using asp.net for this
A page claims write access to the session state by setting the EnableSessionState attribute on the #Page directive to true. (This is the default setting.) A page, though, can also have read-only permissions on the session state, for example, when the EnableSessionState attribute is set to ReadOnly. In this case, the module will hold a reader lock on the session until the request for that page finishes. As a result, concurrent readings can occur.
If a page request sets a reader lock, other concurrently processed requests in the same session cannot update the session state but are at least allowed to read. This means that when a session read-only request is being served, awaiting read-only requests are given higher priority than requests needing a full access. If a page request sets a writer lock on the session state, all other pages are blocked, regardless of whether they have to read or write. For example, if two frames attempt to write to Session, one of them has to wait until the other finishes.
StackExchange.Redis is just a wrapper (or a abstraction) for the HttpSessionState Module
First, i know that there are to components of handling user access to restricted pages in web appliations.
Authentification is about identifying a user.
Authorization: is about determining what parts of the application an authenticated user has access to
I belive this is made with session id.
But does the client have to send the session id with every request he makes? If not how can he be authentified? Or is a cookie used for this?
Sessions exist on the server. They are sometimes (usually) identified by a cookie.
The session can contain a multitude of information that is relevant to the session. E.g. shopping basket.
Server gets the cookie. Looks up the session. Has it timed out? Is it from the same IP address? From the same browser perhaps? Then use the stored information for the generation of the web page
Session still among pages, but it would be destroyed when you close your browser
Cookies still sometime when the time expires
Really weird authentication problem going on - hope someone can help!
The Domino Web Server Log database shows all the requests a particular user is making for pages in an application I look after. The application is XPages-based and the user is regularly pressing Save on the document she is editing (every few minutes). The save does a full update.
The LTPA token is valid for 30 minutes - I assume however that every time the user performs a full update, the 30 minute token is renewed?
However, when looking at the logs, a save of the document at 09:05 shows the Remote User by name, another save at 09:07 still shows the user by name. The next save at 09:11 shows the remote user by IP address instead, and when you look at the log entry in more detail, the server has replied with 401 UNAUTHORIZED (The client is not authorized to access data). This has of course caused the user's browser to lose the work they had open at the time.
The Cookie on each log entry shows :
LtpaToken=AAECAzUwOUI2RjRCNTA5Qjc2NTNDTj1Bbm5lIExhdm91ZS9PVT1VSy9PPVJVSyvsCs5c4tITD9elgI0BCN5CnZ0O; SessionID=DBDFDKDGTI
The same LTPA Token and session ID for entries where the save document worked, as well as where it failed.
Unsurprisingly, they have then refreshed the session by closing the web page and going back in to it following the error and they get a new LTPA token and session ID.
The LTPA Token validity setting of 30 minutes I refer to is defined by our admins in a Web SSO Configuration document for the server, in the "Server\Internet Sites" view in the NAB. It's the Token Expirations (Minutes) setting. Am I completely misunderstanding this setting - should the timeout be renewed everytime the user does a full submit to the server? Or is something else going on here?
I don't think the token is renewed. It times out no matter if the user is active or not.
You could increase the expiration timeout to a reasonable high value and then add a lower minimum timeout to ensure that sessions doesn't timeout too soon.
Here's an example where expiration is set very high and timeout is set to 2 hours: