APEX security: several in a browser session cookies

Similar Questions

• How do I configure HTTPOnly and SECURE FLAG for session cookies

  Hi all

  To solve some problems of vulnerability (found in ethical hacking, penetration testing) I need to implement session cookies (CFID, CFTOKEN, JSESSIONID) with 'HTTPOnly' (so don't not to access any other HTTP APIs rather than Javascript). Also, I need to set up a 'secure flag' for these session cookies.

  I found the solutions below.

  To implement the HTTPOnly for session cookies.

  1] in application.cfc, we can do this using the code below. "Or we can do it in the side admin CF under the server settings ' memory Variables

  This.sessioncookie.HttpOnly = true;

  To set up the course indicator for session cookies.

  [2] in application.cfc, we can do this using the code below. "Or we can do it in the side admin CF under the server settings ' memory Variables

  This.sessioncookie.Secure = 'true '.

  Here's my question, how we can do the same thing in Application.cfm? (I use ColdFusion version 10). I know we can do using the code below, incase of HTTPOnly (for example).

  < cfapplication setclientcookies = "false" sessionmanagement = "true" name = "test" >

  < cfif NOT IsDefined ("cookie.cfid") or NOT IsDefined("cookie.cftoken") or cookie.cftoken IS NOT a meeting. CFToken >

  < name cfheader = "Set-Cookie" value = "CFID is #session. CFID #; path = /; HTTPOnly">

  < name cfheader = "Set-Cookie" value = "CFTOKEN is #session. CFTOKEN #; path = /; HTTPOnly">

  < / cfif >

  But in the code above "setclientcookies' has been set to"false ". In my application (it is an existing application) that has already been set to 'true '. If I change this to 'false' as mentioned in the above code then ColdFusion will not automatically send the CFID and CFTOKEN cookies to the client browser, and we need to manually code CFID and CFTOKEN on the URL for each page that uses the Session. Right?. And it's headaches. Right?. Or any other way to do it.

  Your timely help is well appreciated.

  Thanks in advance.

  As I said earlier, the file I modified was {CF_INSTALLATION}\cfusion\runtime\conf\web.xml. This translates on Windows as C:\ColdFusion11\cfusion\runtime\conf\web.xml.

  Apparently, there could be another difference between your system and mine. I have just one instance. If you have 2 or more instances, it could be that the file you have to change is \WEB-INF\web.xml in the particular instance directory. This is the servlet configuration settings which you can test safely (after backing up your files, of course).

• During the closure after a browsing session I find several windows behind the window of the main browser I have not opened and they must be closed individually. What is the cause and how can I stop it?

  During the closure after a browsing session I find several windows behind the window of the main browser I have not opened and they must be closed individually. What is the cause and how can I stop it? Edit

  These windows display ads? They could be 'pop-under' designed to show when you are finished with your main window. Orbitz has these, for example. Irritating. I'm not sure of the best solution, i.e., advertising blocker blocker vs.

  If they are not ads, can you think anyway that they are related to the sites you visit?

  In addition, to close a tab (or window, if there is only one tab), you can press Ctrl + w. could speed up the process of their release until you find a real solution.

• APEX 4.1 Login page kills the existing session cookie

  So far the session cookie enabled us to figure out if the user has already had a session and redirect them to the page they wanted using this session (thanks to a method on the page of connection). Just try APEX 4.1 and it seems that this quick hack will not work, because:
  a. the session cookie has been replaced by the time that the login page is loading
  b. the login page gives no clue as to the destination of the user actually wanted (used to be able to verify OWA_UTIL. GET_CGI_ENV('QUERY_STRING') to see what looked like the URL, but now the URL is simply the login page)
  
  The problem that I am trying to solve is a job of logging system where users get a lot of e-mail notifications. With the standard behavior of the APEX, they will have to identify each time they click on a link in an e-mail. Because it is a rather unusual behavior for another web application, I used, anyone has any ideas about how to get the APEX to stop killing sessions by substituting the cookie whenever it sees a URL he dislikes? Have tried to use the session 0, but still it beats my cookie.

  Hey Capt egg,

  Nice to see that you studied and found a solution. However, I think that things can be a bit improved. It seems that you already used a custom authentication scheme, it is good, because it allowed to use application session hooks join. However, I think that this does not exactly what you expect.

  During the installation of the session, at the beginning of the Summit "request for treatment, he runs about this code:"

  1 write the session id of the query (parameter to URL or POST) in a global variable
  2 load of metadata application authentication (cookie name, Sentry function, function of invalid session, etc.)

  3. If a global session exists, run "Builtin Cookie Sentry":
  3.1 query the table of the session by the value of the cookie.
  3.2 If the session of the query id matches the overall session id, session information matching.
  3.3. in the case, the session information is incomplete, reset the session variable.

  4. If this is not the login page, run application-specific Sentinel:
  4.1 run the result of the Sentinel session function if a function is defined
  4.2 If the Sentinel returned true function, run the validation function if it is set

  5. "create / reuse Session."
  5.1. If the session variable points to a valid session record, the user to read and other variables of the session save
  5.2 in the case, create a new session not authenticated

  6. write a new cookie in HTTP session if a new session was created

  7. If the sentinels (4) returned false, run 'Invalid Session Manipulation':
  7.1 save deep link in the current page
  7.2 run invalid session function if a function is defined
  7.3 redirect to url "Invalid Session" of authentication

  This is only an overview and implementation details may change. However, I think that it can show major problems with the help of the function of invalid session for Assembly of the session:

  -In (4.1), the engine creates a record of the session and the session id
  -In (6), the engine creates a session cookie
  -Invalid session feature modifies the session global variable id back to the old session, but there is still a newly created session
  -The function of session invalid re-inits the htp buffer and thus cancels (6) high. The connection of the session would create a new session for each request, otherwise.

  My suggestion is that you use a sentinel of session instead. Here is an example:

  function session_joining_sentry return boolean is
    l_cookie_session_id number;
    l_user              APEX_WORKSPACE_SESSIONS.USER_NAME%TYPE;
    l_result            boolean;
    procedure dbg(p_str in varchar2)
    is
    begin
      apex_application.debug('session_joining_sentry: '||p_str);
    end dbg;
  begin
    if APEX_CUSTOM_AUTH.GET_SESSION_ID is not null then
      dbg('apex could already determine session by URL session id and cookie value');
      l_result := true;
    else
      dbg('apex could not determine session by URL session id and cookie value');
      l_cookie_session_id := APEX_CUSTOM_AUTH.GET_SESSION_ID_FROM_COOKIE;
  
      if l_cookie_session_id is not null then
        dbg('apex found session via cookie. we try to re-use this as our current session id');
        begin
          select user_name
            into l_user
            from APEX_WORKSPACE_SESSIONS
           where apex_session_id = l_cookie_session_id;
          l_result := true;
        exception when NO_DATA_FOUND then
          dbg('session could not be found in session table - sentry fails');
          l_result := false;
        end;
  
        if l_result then
          dbg('re-using session for user '||l_user);
          APEX_CUSTOM_AUTH.DEFINE_USER_SESSION (
            p_user       => l_user,
            p_session_id => l_cookie_session_id);
        end if;
      else
        dbg('apex could not find the session cookie. sentry fails');
        l_result := false;
      end if;
    end if;
  
    return l_result;
  end session_joining_sentry;
  

  Also, it should be noted that the session join is precarious. If you plan to implement this, please make sure that you understand the dangers of the cross-site request forgery:

  http://en.Wikipedia.org/wiki/cross-site_request_forgery

  Kind regards
  Christian

  Published by: Christian Neumueller on March 2, 2012 04:24

• Apex 5 - several tabs of the browser

  Apex developers try to take over the behavior of the browser integrated with 5 Apex? With 5 Apex, I love how the manufacturer will have start/run applications to test in a new tab and switch to the new tab (the best possible) when you register/execute changes to a page. However, I noticed that Ctrl-click (on Chrome/Mac OSX) does the way he always did in previous versions.

  When I develop I usually 4-5 tablets of open browser (using Ctrl-click to get the installer and go), in order to optimize my time jump part of the manufacturer to another (object browser, commands SQL components shared, page generator templates, etc.). Apex would conscientiously label tab browser with a reasonable invites so I couldn't I wanted to with one click. With the release of 5 Apex by using Ctrl-click to open multiple tabs is no longer works for me. It still works for Apex 4.2.5 which I use regularly.

  I'm not whining on through right click and select open in a new tab (good, maybe a little). I'm really just curious to know why this has been done with 5 Apex? What is the reasoning, technical or other? Specifically, why Apex developers start interfering with the normal functioning of the browser?

  Earl

  Hi Earl,

  Earl Lewis wrote:

  Apex developers try to take over the behavior of the browser integrated with 5 Apex?

  N °

  Much of the effort went into making the menu items behave like native links (anchor elements) while right click, shift/ctrl click/Enter works as expected to open the link in a new window/tab. This also applies to the treeView and iconList widgets when used for navigation. These types of composite controls need to support some features of browser such as management development so that they are a single tab to the behavior of the keyboard correct stop, but when the menu item (or element node or the icon list tree) are an anchor element is used so that the normal browser functionality still works links. If we don't have the right click would even work. However, because of all the other features of these widgets event management is complex, and it is possible that there are bugs.

  I use a mixture of Firefox and Chrome but especially Firefox; at the same time on Windows. I remember hearing something one of the combinations work not on Chrome but I just tried it on Chrome on Windows and no problems with Ctrl click.

  Can you try Firefox on OSx and also try Shift-click and using the keyboard shift + enter and Ctrl + entry (assuming that those working on OSx as they do in Windows) on Chrome and Firefox and let me know.

  Thank you

  -John

• How to remove the session cookie when you click Logout

  I noticed that when I click on logout at the top of the page URL, the session cookie (name ORA_WWV_APP_xxx, where xxx = application ID) is not removed from the browser.  No idea how to fix?

  Thank you

  Rob

  Hari - I use Apex 4.2.2.00.11, and he leaves behind two cookies:

  LOGIN_USERNAME_COOKIE = user name

  ORA_WWV_APP_nnn = the session cookie

  Ricker, your idea works.  As I examined him, however, I noticed that the login page creates a new cookie ORA_WWV_APP_nnn, so I had not seen the cookie being deleted as part of the behavior of default disconnection from the Apex.  Looks like none of this is really necessary; apex_authentication.logout sets the content of that cookie-1, which is as good as remove it.

  Thank you all!

  Rob

• Just installed Firefox 9.0.1. When you open a new browser session, two tabs will open. One is my home page, and the other is a home page of Firefox. I want to just my home page to open. How do I get there? Thank you.

  Just installed Firefox 9.0.1. When you open a new browser session, two tabs will open. One is my home page, and the other is a home page of Firefox. I want to just my home page to open. How do I get there? Thank you.

  See the following for a few suggestions:

  • https://support.Mozilla.org/KB/Firefox+has+just+updated+tab+shows+each+time+you+start+Firefox
  • https://support.mozilla.org/kb/How+to+set+the+home+page - Firefox supports several home pages separated by ' |' symbol
  • http://KB.mozillazine.org/Preferences_not_saved

• Collection of information/comments browser session?

  I need to build basic functions for your comments and users bug report. I intend to use the built-in feature, but unfortunately it is not possible that the application runs on an APEX environment only execution. Instead I'll just implement a basic form of feedback that sends comments by e-mail. The problem is, I don't want to lose the information APEX collects automatically, such as the browser information and session state, which are visible in the tool development team.

  APEX provides a function/API for me to collect information from the browser session / so I can include it in the email?

  Thank you

  Andrew V wrote:

  I need to build basic functions for your comments and users bug report. I intend to use the built-in feature, but unfortunately it is not possible that the application runs on an APEX environment only execution. Instead I'll just implement a basic form of feedback that sends comments by e-mail.

  The problem is, I don't want to lose the information APEX collects automatically, such as the browser information and session state, which are visible in the tool development team.

  APEX provides a function/API for me to collect information from the browser session / so I can include it in the email?

  Use owa_util.get_cgi_env () to get the values of variable to CGI environment for some of this information. Part of the rest (for example page width/height) should be determined in the browser using JavaScript and presented in the comments page.

  The session state values seem to be captured internally by the apex_util.submit_feedback procedure such that it does not describe an equivalent setting.

  Always include all the details of your environment so that we can provide specific information about the versions of web server, database and APEX you are using.

• Error #2041: File that a single browsing session can be performed at the time

  Hello
  I posted this question before, but so far he went unanswered. I would appreciate any help on this:
  
  My application allows user to do two loads of single or multiple files. There are buttons for each type. Whether you tap on an instance of the FileReference or FileReference class is created.
  
  It works fine only would be - this one type of successive additions: only of files only single or multiple files. BUT every time that I go from one type to another (I start downloading single files and then press the button to download several ones) I get the following error:
  
  Error #2041: The file that a single browsing session can be performed at the time.
  
  How close or delete file browsing sessions? The complete event doesn't do much of anything on this topic.
  
  Thank you very much.

  Hi Temudzin,

  Thanks for your suggestion and thanks for looking into this... It works the way you suggested. However after some troubleshooting I discovered that you can do the single and multiple downloads without having to charge the flash.

  First of all, once you start download again (or several), you must create a new instance of the class appropriate download (FileReference or FileReferenceList respectively). You will need to make sure that when the downloaded files are complete do you this null instance. This command removes the browsing sessions open.

  With the class instance done upload null the next time that you want to download something, you're basically starting from scratch - and that's why you create a new instance of with any new attempt to download download.

  This is necessary only if you're allowing users to either single or multiple downloads at the same time. If you stick to a single type of downloads (single file or multiple files at any time) you can simply declare the instance of class once and do not need to make null at the end of the download process.

  OK, take care and thank you.

  m.

• How delete my favorites from the Firefox browser on a public computer, after you have synchronized my account to see during a browsing session?

  Here's what I'm trying to achieve:

  1. I use Firefox on another computer and synchronize my account to retrieve my favorites. (This works).
  2. After completing my browsing session, I sign my account of Firefox and my favorites are removed from the Firefox browser. (It does not).

  I tried the following options:

  (a) open the menu > Options > synchronization > uncheck the box "Bookmark" > OK. This doesn't erase my favorites from the browser, even if I close and open it again. They all appear.

  (b) open the menu > Options > synchronization > under Firefox account click on "Logout" > OK. This erases my favorites either, only necessecitates me connecting to synchronize again.

  I understand there was an option to 'untie this device', which can erase all data, including bookmarks, but I can't find it anywhere. I also read an article suggesting bookmarks etc. of the compensation is possible by removing your Firefox profile from a device, but I fear that this will remove the global options such as I will not be able to access it on my computer at home.

  Surely, there must be a means of siging in, then the Firefox account on different computers, as you can with the email without leaving all your bookmarks etc open for other users to see later? I am transfer to Firefox Chrome precisely because it doesn't have the ability to do (creepily) and to clear my favorites from the browser of a friends, I had to uninstall Chrome on his computer!

  Any help would be greatly appreciated.

  (A) that in the future, even when logged in, your bookmarks will be re - synchronizes the means of action.

  (B) action means that no synchronization of your account will occur in the future unless you disconnect.

  I hope this has helped you!
  Good navigation!

• Can tabs be disabled so that they do not appear on subsequent browsing sessions?

  When I went from IE9, Firefox, I opened and switch between a number of browser windows. These now appear as tabs at the top of the browser window whenever I open a new browser session.

  Y at - there an option to remove individual tabs so re-, they do not appear on subsequent browser sessions?

  I currently posted 3 tabs for my yellow, two for the preview of the Google account and one using Google, plus one to ask a Firefox issue. I can remove the tabs is displayed but they reappear if I close and reopen the browser Firefox.

  Any information would be appreciated.

  Make sure that the tabs are not defined as many home pages.

  • https://support.Mozilla.org/KB/how+to+set+the+home+page

  It is also possible that there is a problem with the sessionstore.js and sessionstore.bak files in the Firefox profile folder.

  Delete the sessionstore.js file [2] and files possible sessionstore-# .js [3] with a number and sessionstore.bak in the Firefox profile folder.

  • Help > troubleshooting information > profile directory: opens showing the file
  • http://KB.mozillazine.org/Profile_folder_-_Firefox

  Delete sessionstore.js will cause App Tabs and tab groups and opened and closed the tabs (back) to get lost, so you will need to create them again (take note or bookmarks).

  See also:

  • [1] http://kb.mozillazine.org/Session_Restore
  • [2] http://kb.mozillazine.org/sessionstore.js
  • [3] http://kb.mozillazine.org/Multiple_profile_files_created

• as an employer, I want to see browsing sessions private, made by a member of my staff. How can I do this?

  a member of staff has been using private browsing, this is not allowed in my company. How can I view these browsing sessions, or not at all.

  Private browsing history is not saved on the PC. That's the whole point.

  Your corporate (or proxy server, if you use one) firewall can generate and store logs of all employees browsing sessions. In some cases, the firewall only stores the General information and you need to set up a capture server log to store the details. You might need log analysis software extract that asks the employee (for example, using the employee of the IP address of the PC) based on detailed data.

  Before displaying the data, I suggest you check with your HR or the service manual and/or legal to avoid violating the terms of the privacy in your employment contract employees.

• Cannot be deactivated Simplepass for browser sessions

  Just recently purchased a HP Envy with Win7 and I try to disable the application Simplepass of arise so that in my browser sessions. I want to use Simplepass for Windows logins, but do not want to appear every time the browser sessions when I'm on a page that supports supported a login/password. I use RoboForm everywhere and I do not have the desire or need to use Simplepass for this function

  I disabled all of the checkboxes in the configuration of the Simplepass (unchecked the "sign in to my sites ', 'automatically remember all my sites 'Start to the top of my LaunchSite' but Simplepass always appears whenever I go to a site that allows to connect.)

  Installed in my system is SimplePass version 8.00.57 and I use Internet Explorer 11.0.9600.16521.

  Without uninstalling Simplepass altoghter, how can I disable Simplepass from popping up in my browser sessions?

  I found a solution.

  Log in with an administrator-level account.   In file Explorer, navigate to C:\Program Hewlett-Packard\SimplePass

  Find the "OPBHOBrokerDsktop" file and rename it to "xOPBHOBrokerDsktop".

  Restart your computer.

  On my laptop, I can now connect using my footprint digital, but once connected when I go to a website requires me to enter a user name and password, Simplepass dialog box above does NOT appear, and the newspaper in a normally produces.

  I hope this helps.

• Hot mail will not close because of browser and cookies must close how to do this

  Hot mail out not complete due to browser and cookies must close

  Try the Hotmail help center.

  http://explore.live.com/Hotmail-help-center

• cannot disconnect hotmail. We cannot sign as browser blocks cookies

  I can't log out at all, tried allowing all cookies and session cookies.  Even found refernce to re set Explorer internet without Add ons, does all this and still when I connect to hotmail cannot disconnect.

  It's really frustrating and microsoft do not seem to solve, all references are to the problems siging in.  or ask me to re create cookies that I made.

  Desperate for help, have deleted temporary cookies etc, still no joy

  Click the Hotmail link I gave you and post your question there.
  This link: http://windowslivehelp.com/forums.aspx?productid=1 for the benefits of others looking for answers, please mark as answer suggestion if it solves your problem.