session-cookies

On server we have a set of JSON APIs. There's a login method that authenticates the user and creates user session. Subsequent calls to other methods on the API assume that the user is authenticated. On client side we have PhoneGap and jQuery mobile. We use ajax calls to communicate with server. On Android session management is OK, but on iOS after login it seems like the session cookie is not sent back on next call (or is not accepted at all) and the calls fail on server as if the user is not authenticated. When tested from Safari on the same device everything works fine. Same behaviour is on

Because of some security reasons I deceided to disable session tracking by jsessionid in URL. Before I changed my web.xml to the one below, I had on the first time I visited the page a jsessionid in the url, after clicking the first link, it never appeared again. My web.xml looks like <session-config> <session-timeout>10</session-timeout> <cookie-config> <secure>true</secure> </cookie-config> <tracking-mode>COOKIE</tracking-mode> </session-config> Now I have the jsessionid in the URL, if I click another link on the page it never disappears. It changes on every click. If I try to invoke a JSF

I have a site with mixed HTTP / HTTPS. When the user logs in, she gets two cookies: a regular cookie with her (signed) username, login expire time, and an "insecure" flag a secure cookie with her (signed) username, login expire time, and a "secure" flag note that if you don't have the secure/insecure flag within the signed content, an attacker can intercept the regular cookie and then send it as the secure one (my first implementation made this mistake) I use the regular cookie on HTTP pages (just for showing her name while she browses the marketing portion of the site). Then I use the secure

Is it possible to use mixed cookieless sessions with cookie sessions? I've an application that captured user details and then redirect for payment to an ssl page. I was wondering if this is possible? http://www.mydomain.com/confirm.aspx redirects to https://www.mydomain.com/(S(za1tw2l2k02jer4fiskzlovd))/payment.aspx Note: the session Id in the latter url. So in essence, we use the standard cookie session for the majority of the application but when we transfer to an ssl page we pass the SessionId to the https url to pick up the session. I've tried this locally but it starts a new session. Am I

I have a page (View), which sends AJAX queries in some intervals. User can work with this page very long time. But session expired in about 40-60 minutes. So AJAX-requests don't return usefull information. My Web.config <system.web> <sessionState timeout="259200" cookieName="SunTest.SessionId" regenerateExpiredSessionId="true" sqlCommandTimeout="200" stateNetworkTimeout="200"> </sessionState> <roleManager enabled="true" defaultProvider="SqlProvider" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="259200" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true"