Solved

How do I access a session variable (created by a java servlet) with perl or CGI?

Posted on 2001-09-12
21
319 Views
Last Modified: 2013-12-25
I have a website with many user utilities all of which are Java servlet based.  My sign on authentication is servlet based.  

However I still have a Perl/CGI based webmail system which I have to re-login into even if already logged in by my main login system.  The login facility of the Email system is simply a random number with a time and IP stored in a file in that users directory whereas the the java login is a true session variable as in ASP.

My problem is simple, I need to integrate the CGI mail system by getting it to just read the session variable for that particular user.... for the life of me I can't find out how!

Once I re-write the Email system in Java I won't have this problem but I need this interim solution.
0
Comment
Question by:chulland
  • 11
  • 10
21 Comments
 
LVL 8

Expert Comment

by:bebonham
ID: 6477953
check the cookie
asp style sessions is just a cookie

there is no real "session" as http is stateless
0
 

Author Comment

by:chulland
ID: 6478139
What cookie !!! I didn't realise creating a session variable made a cookie.  

In a Java servlet all I do to make a new session variable is the following :-

// Check for an active session, else make a new one
session = req.getSession(true);
// Set session variable user.id to username.
session.putValue("user.id",username);

This does not store any information on the client machine.  If it is a cookie then please show me how to do this in PERL.
0
 
LVL 8

Expert Comment

by:bebonham
ID: 6478192
how can it not store info (at least for the length of the session) on the client machine?

it has to...the data has to be somewhere...there has to be at least a session key on the client, otherwise the server cannot tell them apart.

I oversimplified when I said it's JUST a cookie, it is MAINLY a cookie...

It is a cookie + cookie control...in other words, ... they only last as long as you are on the site...they often incorporate ip address tracking, etc.

your biggest issue is this... you have to make your "session" last outside of jsp...which is going to be a problem....because the default behavior is to end the session (and erase the cookie) when you leave the jsp page.

since I don't know jsp, I can't tell you how to do that.

but, I can tell you that you can write the same info to a cookie explicitly and set no expiry, and then it will last until the browser is closed, and then you can pick up the login from the cookie using perl.


to manipulate cookies in perl, you

use CGI::Cookie;

%allCookies=fetch CGI::Cookie;

then you have a hash, %allCookies, with all the cookies in it, their names are the keys.

hope that clears it up a little.

keep in mind what you have available to you through http...

you have a post and get method, you have cookies and a few enviroment variables like ip address, referer and such.  Let you solution be based on these inevitables.

Bob
0
 

Author Comment

by:chulland
ID: 6478419
Thanks for your reply.

Ok I just read through an article on Sun's site about session variables on server side servlets.

"The session tracking provided by the servlet API is implemented by session cookies. These cookies are different than the normal cookies (which remain there even if you close the browser window) because they are there in the browser's memory and are not stored on the computer. As you close the instance of the browser the cookie dies."

So the cookie information is memory resident in the browser not stored.  Do you think this method you gave will still recover the information I require?

I'm going have a play myself and see, I have never seen any other questions regarding accessing Java servlet sessions through CGI so this thread may be usefull to others.  

PS I don't use JSP ... its all HTML/FLASH calling servlets direct.

Thanks
0
 

Author Comment

by:chulland
ID: 6478457
After playing with the following code :-

#!/usr/bin/perl

%cookies = &getCookies;

foreach $name (keys %cookies) {
     print "\n$name = $cookies{$name}";
}

sub getCookies {
     local(@rawCookies) = split (/; /,$ENV{'HTTP_COOKIE'});
     local(%cookies);

     foreach(@rawCookies){
     ($key, $val) = split (/=/,$_);
     $cookies{$key} = $val;
     }
     return %cookies;
}
---------------------------------------
This return all cookies current in the browser.  I went and logged in on my server through a servlet then called this perl script ... it returned the following:-

JServSessionIdwdacbco2 = bztzhkkd67

OK so I have a cookie !!! But how was I to know its name would be JServSessionIdwdacbco2 ?  My servlet does not need to set a name to activate a session because the Javaserver obviously only looks for this named cookie on the browser.

With this cookie name I should now ne able to pull back the user id associated with it.

Comments please?



0
 

Author Comment

by:chulland
ID: 6478484
OK stumped again.

How do I return the variable user.id which is associated with this session id?

JServSessionIdwdacbco2 = bztzhkkd67

0
 
LVL 8

Expert Comment

by:bebonham
ID: 6479374
yes, now you got it, that is not the data, but a key to the data resting on the server, and controlled by your jsp program.

so, you either need to find out where the session data is kept (and also make sure it doesn't get erased when the user leaves the jsp pages)

or if security is an issue, and you can't read the session data from the server for some reason, you can use some sort of one way encryption to encrypt the user name and password, and then test the encryped value with your perl script.

since this is just a temporary cookie, strong encryption isn't really necessary, so you could even use your own encryption routine...

anyway, you are on the right track now, see if you can find where the session data gets stored...or if there are ways you can maybe write it to a file in plain text for perl to read...you could write the session key and the uname and pw.

Bob
0
 

Author Comment

by:chulland
ID: 6479746
You keep mentioning JSP's and exiting my JSP pages.
I don't use JSP, only server side servlets.  My main pages are in Flash / HTML, my flash calls the servlets just as it would do a CGI script.

I can go browse the internet elsewhere and come back to my site and I will still be classed as logged on.  The session ends when the browser is closed.

I still do not know how to get the variable user.id which is associated with this session id with Perl.

JServSessionIdwdacbco2 = bztzhkkd67
0
 
LVL 8

Expert Comment

by:bebonham
ID: 6479784
because it is kept somewhere on the server in a file for that purpose... you either have to find it or explictly pass it through another cookie, or write it to yet another file that perl can then read.
0
 

Author Comment

by:chulland
ID: 6480021
So let me get this right,

You are telling me that I've found the cookie that is resident on my browser, however, it only contains the session ID NOT all of its associated data.  This is just what I said in the beginning, its the Webserver that is holding the variables associated with this session ID.  

All I need to do is find out the variable called user.id which is associated with that session ID ....

The question remains HOW in CGI/Perl.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 8

Expert Comment

by:bebonham
ID: 6480067
no,

your problem is that you do not understand how to handle the session in java...and I don't think you are understanding what a session really is.

there is no question about how to do it in perl...

I already told you how get the session key from the cookie using perl...that is all you should need..
from there, you have many options as to how to get the session data using the session key, which I have already described to you...


if you need help with java sessions, try asking in the java ta.


of course, you should know as much that none of the variables you make in java are available to your perl program...

they have to be from COOKIE or from FILE THAT IS IT!!
0
 

Author Comment

by:chulland
ID: 6480141
WHAT !

I FULLY understand session handling in Java.  My whole site works on session handling in Java,  All my session variables are maintained that way.

All I am saying is that I am NOT a CGI/Programming expert and do not fully understand how to cross between the two.
That is why I am asking the question in the CGI programming section.

In a java servlet all I have to do to generate a session is:-

HttpSession session = req.getSession(false);
session = req.getSession(true);  // Get new session
session.putValue("user.id",username); // Set user.id

All I have to do to check if a users session is valid in a java servlet is:-

session = req.getSession(false);
if (session==null)
{
   // No session ... kick them off.
}
else
{
   // They have a session.
   session.getValue("user.id") // And here's their ID
}

As you see its simple in Java and I DO fully understand and use them.  All I need is help to the same as above but in a CGI file rather than a Java servlet.  We have already established that the Java server stores a memory resident cookie with the session ID on the browser, I just need help with the CGI part of retrieving data attached to it.
0
 
LVL 8

Expert Comment

by:bebonham
ID: 6480164
no you don't fully understand them if you don't know how they work!!

that is the problem...

if you fully understood them, then you would know where the session data is kept on the disk...

if you don't know where that data is, then you have to make it avaiable manually...


in other words, you open a file output stream and print the variables usename, password, and the value of the cookie to the file.

Then, your perlscript reads the cookie, opens the same file, and checks to see if there is a valid login...


if you do not know how to write to a file in java, then you are stuck, and need to ask in java

0
 

Author Comment

by:chulland
ID: 6480176
WHAT !

I FULLY understand session handling in Java.  My whole site works on session handling in Java,  All my session variables are maintained that way.

All I am saying is that I am NOT a CGI/Programming expert and do not fully understand how to cross between the two.
That is why I am asking the question in the CGI programming section.

In a java servlet all I have to do to generate a session is:-

HttpSession session = req.getSession(false);
session = req.getSession(true);  // Get new session
session.putValue("user.id",username); // Set user.id

All I have to do to check if a users session is valid in a java servlet is:-

session = req.getSession(false);
if (session==null)
{
   // No session ... kick them off.
}
else
{
   // They have a session.
   session.getValue("user.id") // And here's their ID
}

As you see its simple in Java and I DO fully understand and use them.  All I need is help to the same as above but in a CGI file rather than a Java servlet.  We have already established that the Java server stores a memory resident cookie with the session ID on the browser, I just need help with the CGI part of retrieving data attached to it.
0
 

Author Comment

by:chulland
ID: 6480208
Bloody thing entered the last one twice... anyway.

In java I have no need to write session variables to file, the java server handles all connections, sessions and session variables.  It is only now I've come into the realms of CGI that it looks like I have to store the information on my webspace just so the CGI script can check against it.  

So is that the only way?
0
 
LVL 8

Expert Comment

by:bebonham
ID: 6480246
well, no, you can put the whole thing in a cookie like I mentioned earlier...

use some sort of encryption (a basic idea would be to convert each charcter into its character code ...very basic)

then write the values of username and password to a cookie as well, (FROM Java servelet)

then you can easily read and decrypt them in perl

if you can't do that, then yes, you are stuck having to write to files, which is the easiest, safest method.



but other than that...there is no other way..because that is the only way every one uses.

Good Luck,

Bob
0
 

Author Comment

by:chulland
ID: 6480314
I think I have found an easy and secure solution.

If I store the present session ID in the SQL database with his other information when logging in then I can do a search for a matching ID in the cookie the CGI program gets.

my $dsn = 'DBI:mysql:mydomain:localhost';
my $db_username = 'username';
my $db_password = 'password';
my $dbh = DBI->connect($dsn, $db_username, $db_password);
my $statement = "SELECT id FROM login_table WHERE session = \'$session\'";
my $sth = $dbh->prepare($statement);
$sth->execute;
my $stored_id = $sth->fetchrow_array();
$sth->finish();
$dbh->disconnect();

This should return the user.id for that session, if not there is no session active.

Make sense?
 
0
 
LVL 8

Accepted Solution

by:
bebonham earned 300 total points
ID: 6480350
sure,
that will work just fine


just like I said...

you either use cookie or file.

a db is just a glorified file.

Bob

ps, if you need any other help, just say so.
0
 

Author Comment

by:chulland
ID: 6481179
Alas !!! After much hard graft I now have my CGI based webmail running on the same authentication as my Java servlet code.

I did in the end store the session ID in my SQL database and pulled the browser one back in the CGI webmail.  All I had to do is then do a SQL query for that ID in the database and if it was there then return the user.id back to the webmail.

Thanks for your time Bob, even though we were getting a little heated at one point :)  If you want the code to look at then just say so.

Cheers
0
 
LVL 8

Expert Comment

by:bebonham
ID: 6481263
thanks,

I am glad you got your answer...

I was simply frustrated, because I knew you wanted more,...but there really isn't more to sessions :)

glad you have it working, that's no small feat...

Regards,

Bob
0
 
LVL 8

Expert Comment

by:bebonham
ID: 6481264
hey, this q put me up over 100k pts!

thanks man!

:)))))))))))))))))))))))))))))))))))))))))))!!!
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

In this tutorial I will focus on how to use WhizBase as a tool for sending ICQ messages to ICQ. Here I will use a new technology in WhizBase, published in WhizBase 5.1 version. In this tutorial I will use 3 files, pager.wbsp for the processing, e…
It is becoming increasingly popular to have a front-page slider on a web site. Nearly every TV website,  magazine or online news has one on their site, and even some e-commerce sites have one. Today you can use sliders with Joomla, WordPress or …
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…
The viewer will learn how to count occurrences of each item in an array.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now