B4J Question CCTV example - session changed

LucaMs

I have made some changes to the example CCTV SERVER.

I added an access control (simple and insecure, but it's just a test).

Only a password will be asked for.

I do not understand at what point the session changes.

I get this log:
B4X:
***  SigninHelper_HANDLE
req.FullRequestURI = http://localhost:51042/SigninHelper
req.GetSession.Id = 1irfz1n7mbzjmyx3mcko2zew1
SigningHelper: {"success":true}

***  Filter
req.FullRequestURI = http://localhost:51042/login/viewer/viewer.html
req.GetSession.Id = qfu3rk4qwwvwwi36ca5uqp7k
Registrato =

Registrato = registered (!)

viewer.html is the original Index.html, which gets the images.

the filter:
B4X:
srvr.AddFilter("/login/viewer/*", "ViewerFilter", False)


Should I post the project, or is this enough?

LucaMs

Session ids are stored as cookies in the client browser. The session data is stored in the server memory.

When a client navigates to a different host the session cookie is invalidated.


I logged session.id because in the filter class "registrato" comes out empty, but it is set in the SigninHelper class:

SigninHelper class
B4X:
    req.GetSession.SetAttribute("registered", success)

ViewerFilter class
B4X:
Log("Registrato = " & req.GetSession.GetAttribute2("registered", ""))

Session data changed somewhere.
 

Attachments

  • CCTV Access.zip
    5.6 KB · Views: 316

Erel

B4X founder
Staff member
Logs output when tested here:
Program started.
2014-08-01 11:23:35.837:INFO::main: Logging initialized @708ms
2014-08-01 11:23:35.932:INFO:oejs.Server:main: jetty-9.1.z-SNAPSHOT
2014-08-01 11:23:35.951:WARN:oejh.MimeTypes:main: java.util.MissingResourceException: Can't find bundle for base name org/eclipse/jetty/http/encoding, locale en_US
2014-08-01 11:23:35.972:INFO:oejsh.ContextHandler:main: Started o.e.j.s.ServletContextHandler@5ecddf8f{/,file:/C:/Users/H/Downloads/tbookDemo/CCTVServer/Objects/www/,AVAILABLE}
2014-08-01 11:23:35.976:INFO:oejs.AbstractNCSARequestLog:main: Opened C:\Users\H\Downloads\tbookDemo\CCTVServer\Objects\logs\b4j-2014_08_01.request.log
2014-08-01 11:23:35.998:INFO:oejs.ServerConnector:main: Started ServerConnector@270421f5{HTTP/1.1}{0.0.0.0:51042}
2014-08-01 11:23:35.998:INFO:oejs.Server:main: Started @897ms
Emulated network latency: 100ms
*** SigninHelper_HANDLE
req.FullRequestURI = http://127.0.0.1:51042/SigninHelper
req.GetSession.Id = zpb0xrao2twi1v2nbdy8o0qe0
SigningHelper: {"success":true}
*** Filter
req.FullRequestURI = http://127.0.0.1:51042/login/viewer/viewer.html
req.GetSession.Id = zpb0xrao2twi1v2nbdy8o0qe0
Registrato = true

Which browser are you using? It is possible that the browser security settings break the cookie handling when it runs locally.
 

LucaMs

Firefox.

I always have my cookies disabled!

I did not think of them, as I read one of your posts about the transition between pages without cookies, thanks to sessions.

(I read too much and too fast, as always, of course!)


Thanks, Erel, I'll try again.
 

LucaMs

Sorry, Erel, I would like to understand better.

The post that I had read ([Server] Login System & Filters Tutorial):
In this code we check whether the user session includes an attribute named 'registered' with the value of True. If not then the response is redirected to the login page.

This attribute is set when the user registers to the forum or signs in. Remember that user sessions are stored in the server memory. This means that they are safe to use (a cookie will not work here).


Have I misinterpreted these two sentences (most likely), or will I necessarily have to require that cookies be enabled?

Perhaps the meaning is that the cookies would not be sufficient, but in any case they are needed.
 

billzhan

This may help you understand cookies and sessions:

A cookie is stored in your browser. See http://www.w3schools.com/js/js_cookies.asp

A session is stored in server memory; it's a kind of hash map which you can access by session id.
When you connect to a B4J web/filter/websocket handler, a session will be created on the server. The session id (web handler: req.GetSession.Id / websocket handler: ws.Session.Id) is used to identify who is connecting.
Get session data: req.GetSession.GetAttribute(key) / ws.Session.GetAttribute(key)
Put session data: req.GetSession.SetAttribute(key, value) / ws.Session.SetAttribute(key, value)

The session id is written to your browser cookie (the cookie name is JSESSIONID). You may have several tabs/pages connected to the B4J server in one browser; they will share the same value of JSESSIONID.
When it connects to the server, the browser reads the JSESSIONID value and sends it to the server. Using the JSESSIONID value, server threads access the session id and data (if you have put any into the session before).
If multiple tabs/pages connect to the server with the same JSESSIONID (session id), they will share the same session data.

So if you have cookies disabled, every time you connect to a handler, a new session is created. You surely will not get the same session id and data (as in the sign-in page).

A cookie is stored in the browser; the user can read/change it. A session is safer.
 
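The behaviour discussed in this thread, as an added example that is not part of any post and is not B4J or Jetty code: a small Python model of a server-side session store keyed by the JSESSIONID cookie, with a filter that only serves the viewer page when the session carries `registered = True`. The `Server` and `Browser` classes, the `login_then_view` helper and the password value are constructed for illustration; the paths, cookie name and attribute name come from the thread.

```python
import secrets

COOKIE = "JSESSIONID"                      # cookie name mentioned in the thread
VIEWER = "/login/viewer/viewer.html"

class Server:
    """Toy model of a server-side session store (hypothetical, not B4J/Jetty)."""
    def __init__(self):
        self.sessions = {}                 # session id -> attributes, kept in server memory

    def _session(self, cookies):
        sid = cookies.get(COOKIE)
        if sid not in self.sessions:       # no cookie or unknown id: start a fresh session
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {}
        return sid, self.sessions[sid]

    def handle(self, path, cookies, password=None):
        sid, attrs = self._session(cookies)
        if path == "/SigninHelper":
            attrs["registered"] = (password == "test-password")  # constructed credential
            status = 200
        elif path.startswith("/login/viewer/"):
            # Filter: fail closed unless this session was marked as registered.
            status = 200 if attrs.get("registered") is True else 302
        else:
            status = 404
        return status, sid, {COOKIE: sid}  # last item models the Set-Cookie header

class Browser:
    def __init__(self, cookies_enabled=True):
        self.cookies_enabled = cookies_enabled
        self.jar = {}                      # host -> cookies; cookies are scoped per host

    def request(self, server, host, path, **kw):
        sent = dict(self.jar.get(host, {})) if self.cookies_enabled else {}
        status, sid, set_cookie = server.handle(path, sent, **kw)
        if self.cookies_enabled:           # a browser with cookies off discards Set-Cookie
            self.jar.setdefault(host, {}).update(set_cookie)
        return status, sid

def login_then_view(browser, login_host="localhost", view_host="localhost"):
    """Sign in, then request the viewer; returns (viewer status, same session id?)."""
    server = Server()
    _, sid_login = browser.request(server, login_host, "/SigninHelper", password="test-password")
    status, sid_view = browser.request(server, view_host, VIEWER)
    return status, sid_login == sid_view

if __name__ == "__main__":
    print(login_then_view(Browser(True)))                          # cookies enabled
    print(login_then_view(Browser(False)))                         # cookies disabled
    print(login_then_view(Browser(True), view_host="127.0.0.1"))   # different host
```

With cookies disabled, or when the viewer is requested under a different host name than the sign-in, the filter sees a new empty session and redirects, which matches the two different session ids in the first log.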