session-cookies

We are creating a web site with ASP.Net Framework 4.5. I know the way to generate a new sessionId using SessionManager for the current httpContext. I also believe that the sessionId field is readonly and cannot be modified. However, is it possible to create a new session having a sessionId of my choice? For example, if I want the current session Id to have a value "ASDFGHIJKLQWERTY", is it possible to create one? The client insists that it can be done. However, I strongly believe that this is not possible. I'm unable to find any reference justifying that it can or cannot be done. If there are

We're running grails 2.0 + jetty 7.6.6 and need to set JSESSIONID cookie to be httpOnly. All of the answers on stackoverflow seem to refer to either Servlet 3.0 (which requires jetty 8) or to tomcat. Can anyone provide me with a clear way of setting the JSESSIONID cookie be httpOnly for jetty 7.x? I have tried adding jetty-web.xml file with the following contents, but it still didn't work (i.e. the JSESSIONID wasn't marked as httpOnly): <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd"> <Configure class

My web application's authentication mechanism currently is quite simple. When a user logs in, the website sends back a session cookie which is stored (using localStorage ) on the user's browser. However, this cookie can too easily be stolen and used to replay the session from another machine. I notice that other sites, like Gmail for example, have much stronger mechanisms in place to ensure that just copying a cookie won't allow you access to that session. What are these mechanisms and are there ways for small companies or single developers to use them as well? We ran into a similar issue. How

I've been trying to get my sessions running across my subdomains, which I'm pretty sure I got working on Monday but after adding some code Tuesday its not working Wednesday! I've used the code ini_set("session.cookie_domain", $domain); where $domain = .example.com . My site's main page is currently located on test.example.com and I access the login page through test.example.com/login . When i enter this address, the url in the address bar is automatically changed to http://www.test.example.com/login , and this is where the problem lies. The session is created for www.test.example.com but most

I've built a cluster on Glassfish administred via SSH, where there are 2 instances. I deployed an application that shows the "Session id". This application has in the web.config: <distributable/> And in the sun-web.xml: <session-config> <cookie-properties> <property name="cookieDomain" value="compute.amazonaws.com"/> </cookie-properties> </session-config> I enabled "Availability" in Edit Application. But when I access the 2 web app versions I see different session ids. Can anyone help me? EDIT: As some users noticed, in EC2 is not supported multicast. A solution comes with Glassfish v3.1.2,

I have a example.com/login.php file on root domain with this code header('Access-Control-Allow-Origin: *'); session_set_cookie_params(0, '/', '.example.com'); session_name('lusession'); session_start(); $_SESSION['name'] = $_GET['name']; $_SESSION['useremail'] = $_GET['useremail']; $_SESSION['password'] = $_GET['password']; This file is provided with credentials and it then creates login session. It is called from main domain and subdomains by AJAX. The problem is it doesnot creat session when called through AJAX, but when opened directly in browser as querystring it creates cross domain