{"id":4701,"date":"2012-05-24T12:25:54","date_gmt":"2012-05-24T17:25:54","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=4701"},"modified":"2012-05-25T08:35:24","modified_gmt":"2012-05-25T13:35:24","slug":"weblogic-logging-out-a-session","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=4701","title":{"rendered":"WebLogic: Session Management"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tOverview<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tSession Configuration<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tExtendedSessionFormat<\/a>\n\t\t\t<\/li>\n\t\t\t
    3. \n\t\t\t\tSession Timeout<\/a>\n\t\t\t<\/li>\n\t\t\t
    4. \n\t\t\t\tSession Cookies<\/a>\n\t\t\t<\/li>\n\t\t\t
    5. \n\t\t\t\tSession Sharing<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
    6. \n\t\tSession Persistence<\/a>\n\t\t
        \n\t\t\t
      1. \n\t\t\t\tFive Implementations<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
      2. \n\t\tUsing URL Rewriting Instead of Cookies<\/a>\n\t\t
          \n\t\t\t
        1. \n\t\t\t\tCoding Guidelines for URL Rewriting <\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
        2. \n\t\tSession Logout<\/a>\n\t\t
            \n\t\t\t
          1. \n\t\t\t\tLog Out a Single Session<\/a>\n\t\t\t<\/li>\n\t\t\t
          2. \n\t\t\t\tLog Out Multiple Applications such as in SSO<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
          3. \n\t\tReferences<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
             <\/div>\n

            Overview<\/h2><\/span>\n

            * Session is a series of related requests that come from the same client
            \n* Session tracks requests from the same client during a certain period of time
            \n* Session can also be persisted<\/p>\n

            Session Configuration<\/h3><\/span>\n

            * Configured in weblogic.xml<\/em>
            \n* Configures:
            \n– How many users you expect to hit the servlet (max-in-memory-sessions<\/em>)
            \n– How long each session lasts, i.e. session timeout (timeout-secs<\/em>)
            \n– How much data you expect to store for each user
            \n– Heap size allocated to the WebLogic Server instance<\/p>\n

            ExtendedSessionFormat<\/h3><\/span>\n
            \r\n-Dweblogic.servlet.useExtendedSessionFormat=true\r\n<\/pre>\n
            * Retains the information that the load-balancing application needs for session stickiness.
            \n* The extended session ID format will be part of the URL if URL rewriting is activated, and the startup flag is set to true. <\/p>\n
            Session Timeout<\/h3><\/span>\n
            * Can be set in both web.xml<\/em> and weblogic.xml<\/em>
            \n* web.xml<\/em><\/p>\n
            \r\n  \r\n    120<\/session-timeout>\r\n  <\/session-config>\r\n<\/pre>\n
            * weblogic.xml<\/em><\/p>\n
            \r\n\r\n2400<\/timeout-secs>\r\n<\/session-descriptor> \r\n<\/pre>\n
            * If both are set, web.xml<\/em> take precedence.<\/p>\n
            Session Cookies<\/h3><\/span>\n
            * By default,
            \n– Cookies are used for session management
            \n– When browser quits, cookies are lost and session ends
            \n* Cookie parameters can be set in weblogic.xml<\/em>, e.g.
            \n– cookie-max-age-secs<\/em><\/p>\n
            Session Sharing<\/h3><\/span>\n
            * Sessions can be shared among multiple web applications
            \n* All web apps need to be packed in the same ear file
            \n* Enable session sharing in weblogic-application.xml<\/em>, e.g.<\/p>\n
            \r\n\r\n\r\n\r\n   ...\r\n \t\r\n     memory<\/persistent-store-type>\r\n     true<\/sharing-enabled>\r\n     ...\r\n <\/session-descriptor>\r\n...\r\n<\/weblogic-application>\r\n<\/pre>\n
            Session Persistence<\/h2><\/span>\n
            Five Implementations<\/h3><\/span>\n
            * Memory (single server, non-replicated)<\/p>\n
            \r\nmemory<\/persistent-store-type>\r\n<\/pre>\n
            * Cookies<\/p>\n
            \r\ncookie<\/persistent-store-type>\r\nWLCOOKIE<\/persistent-store-cookie-name>\r\n<\/pre>\n
            * File system<\/p>\n
            \r\nfile<\/persistent-store-type>\r\n\/opt\/sessions<\/persistent-store-dir>\r\n<\/pre>\n
            * JDBC<\/p>\n
            \r\njdbc<\/persistent-store-type>\r\njdbc\/SessionDS<\/persistent-store-pool>\r\n2048<\/cache-size>\r\nWL_SERVLET_SESSIONS<\/persistent-store-table>\r\njdbc<\/jdbc-column-name-max-inactive-interval>\r\n60<\/jdbc-connection-timeout-secs>\r\n<\/pre>\n
            * In-memory replication (across a cluster)<\/p>\n
            \r\nreplicated<\/persistent-store-type>\r\nor\r\nreplicated_if_clustered<\/persistent-store-type>\r\n<\/pre>\n
            Using URL Rewriting Instead of Cookies<\/h2><\/span>\n
            * By default, automatically enabled when accept cookie is disabled in client side.
            \n* Can be disabled by setting url-rewriting-enabled<\/em> to false
            \n* e.g.<\/p>\n
            \r\n\r\n3600<\/timeout-secs>\r\n60<\/invalidation-interval-secs>\r\nMyCookie<\/cookie-name>\r\n-1<\/cookie-max-age-secs>\r\nfalse<\/url-rewriting-enabled>\r\n<\/session-descriptor>\r\n<\/pre>\n
            Coding Guidelines for URL Rewriting <\/h3><\/span>\n
            * Encode URL before sending to an output stream:<\/p>\n
            \r\n  response.sendRedirect(\r\n    httpResponse.encodeRedirectURL(welcomeURL));\r\n<\/pre>\n
            * You can check if cookie is used:<\/p>\n
            \r\nHttpServletRequest.isRequestedSessionIdFromCookie();\r\n<\/pre>\n
            * You can check if an HttpSession is new:<\/p>\n
            \r\nHttpSession session = request.getSession(true);\r\nif (session.isNew()) {\r\n  response.sendRedirect(\r\n    httpResponse.encodeRedirectURL(welcomeURL));\r\n}\r\n<\/pre>\n
            Session Logout<\/h2><\/span>\n
            Log Out a Single Session<\/h3><\/span>\n
            \r\nsession.invalidate();\r\n<\/pre>\n
            Log Out Multiple Applications such as in SSO<\/h3><\/span>\n
            \r\n\/\/ Removes the authentication data from the users\u2019s session data, \r\n\/\/ which logs out a user but allows the session to remain alive.\r\nweblogic.servlet.security.ServletAuthentication.logout();\r\n\r\n\/\/ Invalidates all the sessions and removes the authentication data for the current user. \r\n\/\/ The cookie is also invalidated.\r\nweblogic.servlet.security.ServletAuthentication.invalidateAll();\r\n\r\n\/\/ Invalidates the current cookie by setting the cookie so that it expires immediately when the response is sent to the browser. \r\n\/\/ This method depends on a successful response reaching the user\u2019s browser. The session remains alive until it times out.\r\nweblogic.servlet.security.ServletAuthentication.killCookie();\r\n<\/pre>\n
            * For example:<\/p>\n
            \r\nString logout = httpRequest.getParameter(UIConstants.logout);\r\nif (logout != null && logout.equalsIgnoreCase(\"true\")){\r\n    ServletAuthentication.logout(httpRequest);\r\n    ServletAuthentication.invalidateAll(httpRequest);\r\n    ServletAuthentication.killCookie(httpRequest);\r\n    doRedirect(httpResponse, loggedOutPage);\r\n    return;\r\n}\r\n<\/pre>\n
            References<\/h2><\/span>\n
            * Using Sessions and Session Persistence<\/a>
            \n*             weblogic.xml Deployment Descriptor Elements<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"
            Overview * Session is a series of related requests that come from the same client * Session tracks requests from the same client during a certain period of time * Session can also be persisted Session Configuration * Configured in … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[91],"tags":[],"class_list":["post-4701","post","type-post","status-publish","format-standard","hentry","category-weblogic"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-1dP","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4701"}],"version-history":[{"count":9,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4701\/revisions"}],"predecessor-version":[{"id":4711,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4701\/revisions\/4711"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}