Re: Session Tracking based on the Client's IP

2002-11-21 Thread vivek baliga
Hi,
request.getRemoteAddr() will give you the IP.
Put the time with the session and compare when there is a new request.
jabs



- Original Message -
From: Power-Netz (Schwarz) [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, November 21, 2002 3:33 PM
Subject: AW: Session Tracking based on the Client's IP


  would have to punch in the code for verification, that would definitely
  defeat any script but is less convenient for the user. I would prefer to
  dynamically identify any individual user who uses my service more
  than say 10-15 times in a minute and ban him for an hour or so.

 Set a cookie and ask for it :-)




--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




Re: Session Tracking based on the Client's IP

2002-11-21 Thread Jose Miguel Guzman Cassanello
But how can I change the SessionID, to use the Client IP as the index?
The getSession() method retrieves the Session for the client, based on the
SessionID (which normally is based on cookies or rewritten URLs).
What I need is a way to force the SessionID to a different value, for
example, the Client IP.

Probably the best way is simply to define a Hashtable as a Context Attribute,
in order to store client status information indexed by the Client IP, and
not use the Session Tracking API.

-JM





RE: Session Tracking based on the Client's IP

2002-11-21 Thread Cox, Charlie
What difference does it make what the session id is? The session will still
expire, so if you need to keep track of data by IP address instead of
sessions, store it in a database. You can always store the IP address in the
session and retrieve it just as you would retrieve the session id.

The use of jsessionid is part of the spec and isn't likely to change.
Session ids are also made to be unique so that multiple people can use
different sessions through the same proxy.

Charlie





Re: Session Tracking based on the Client's IP

2002-11-20 Thread Norbert Kuhnert

Jose,

Unfortunately, this approach would be somewhat unreliable, depending
on the sites accessing Tomcat. Most corporate networks are protected
by a firewall and many of them do Dynamic Network Address Translation.
Dynamic NAT is used to hide the real IP address of clients connected
from the internal corporate network.

So, all traffic passing out of the firewall to your site will appear 
to come from the same IP address. 

If your needs are to support known customers that don't have dynamic
NAT, then a session management scheme based on IP address should
be possible.

I know that's probably not helpful, but maybe it will save you the
time of working on a scheme that won't suit your requirements.

Best regards,

Norb



Jose Miguel Guzman wrote:

 Hi Guys

 I need to track sessions based on the Client's IP, instead of using Cookies
 or URL re-writing.. (My clients don't support Cookies, and I cannot re-write
 the URL). I know this sounds useless, but believe me... this is what I
 need ;-)

 I found that in the Catalina internal API there is a Manager class
 (org.apache.catalina.Manager) that provides some methods to manipulate the
 Sessions base:

 Manager.findSession(java.lang.String id)
 Manager.add(Session session)
 etc..

 The problem is that I couldn't find a way to get a reference for the Manager,
 from the servlet...
 I was trying to do something like:

 Context context = request.getContext();   // <== No such method available
 Manager manager = context.getManager();
 String id = request.getRemoteAddr().toString();
 Session sesion = manager.findSession(id);
 if (sesion == null) {
     sesion = manager.createSession();
     sesion.setId(id);
 }

 but the getContext() method is not available from the
 javax.servlet.http.HttpServletRequest interface.. (It's only accessible from
 the internal org.apache.catalina.connector.RequestBase class).

 Is there a way to access some Manager class implementation (ManagerBase,
 StandardManager) within the servlet?
 Does someone have some idea for facing this problem?

 Basically, I require to use the client IP address, as the only ID in the
 Session base.
 I would appreciate any help, from more experienced users...

 Thanks, very much...

 Jose Miguel Guzman
 Santiago, Chile.

 PS: Sorry for my English..
 




Re: Session Tracking based on the Client's IP

2002-11-20 Thread Kristján Rúnarsson
Is there any way of keeping track of people that contact a site? I have
had problems with people writing automated scripts to abuse a JSP based
service. What they basically do is to write a script that fakes an HTTP
request sequence, pretending it is a browser like IExplorer or Netscape. I
realise that IP identification is not possible, I cannot see a way to
uniquely identify a user reliably. So banning users by IP could end up
shutting a lot of innocent users out. Forcing users to create a user
account would not be an option. The only other option would be to follow
Yahoo's example and generate a JPEG with an alphanumeric code; the user
would have to punch in the code for verification, that would definitely
defeat any script but is less convenient for the user. I would prefer to
dynamically identify any individual user who uses my service more than say
10-15 times in a minute and ban him for an hour or so.

Mvh

KR
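
[Added example, not part of the original post: a sliding-window throttle implementing the "more than 10-15 times in a minute, ban for an hour" policy described above. The class name and the choice of key are assumptions; in a servlet the key could be request.getRemoteAddr() or a cookie value, and with an IP key everyone behind one NAT address shares a single counter.]

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Added example (hypothetical class): sliding-window throttle with a temporary ban. */
public class RequestThrottle {
    private static final int MAX_PER_WINDOW = 15;     // "10-15 times in a minute"
    private static final long WINDOW_MS = 60_000L;    // one minute
    private static final long BAN_MS = 60 * 60_000L;  // "ban him for an hour or so"

    private final Map<String, Deque<Long>> hits = new HashMap<>();
    private final Map<String, Long> bannedUntil = new HashMap<>();

    /** Returns true if the request may proceed, false if the client is throttled. */
    public synchronized boolean allow(String clientKey, long nowMs) {
        Long until = bannedUntil.get(clientKey);
        if (until != null) {
            if (nowMs < until) return false;          // still banned
            bannedUntil.remove(clientKey);            // ban has expired
        }
        Deque<Long> window = hits.computeIfAbsent(clientKey, k -> new ArrayDeque<>());
        while (!window.isEmpty() && nowMs - window.peekFirst() >= WINDOW_MS) {
            window.pollFirst();                       // drop hits older than the window
        }
        window.addLast(nowMs);
        if (window.size() > MAX_PER_WINDOW) {
            bannedUntil.put(clientKey, nowMs + BAN_MS);
            hits.remove(clientKey);                   // no need to count while banned
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        RequestThrottle throttle = new RequestThrottle();
        String key = "192.0.2.10";                    // constructed sample key
        int allowed = 0;
        for (int i = 0; i < 20; i++) {                // 20 requests, one per second
            if (throttle.allow(key, i * 1000L)) allowed++;
        }
        System.out.println("allowed in burst: " + allowed);
        System.out.println("30 min later: " + throttle.allow(key, 30 * 60_000L));
        System.out.println("61 min later: " + throttle.allow(key, 61 * 60_000L));
    }
}
```

Passing the clock in as a parameter keeps the policy testable; a servlet filter would call allow(key, System.currentTimeMillis()) and reject the request when it returns false.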





Re: Session Tracking based on the Client's IP

2002-11-20 Thread Jose Miguel Guzman Cassanello
Thanks Norbert

In my environment, all clients are well-known stations in a well-known network.
There isn't any NAT or FW, and the clients are not going to spoof their IP
addresses.

Basically, I need to have a Session Status Table in memory, with some very
basic status info for each client, indexed by the client IP address.
This info should be shared among all the servlets in the application
(context).

Is there some way to customize the Session Tracking API, for using other
indexes (as the Client IP) instead of JSESSIONs?

Thanks
Jose Miguel Guzman
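
[Added example, not part of the original posts: one way to build the in-memory status table described above, and the "Hashtable as a Context Attribute" idea from the 2002-11-21 message, using only the public Servlet API rather than Catalina's Manager. The class name, attribute name, record fields and 30-minute idle limit are assumptions, and a ConcurrentHashMap stands in for the Hashtable.]

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.http.HttpServletRequest;

/** Added example (hypothetical class): per-IP status table held as a context attribute. */
public class ClientStatusTable implements ServletContextListener {
    public static final String ATTR = "example.clientStatusTable"; // assumed attribute name
    private static final long IDLE_LIMIT_MS = 30 * 60_000L;        // assumed idle expiry: 30 min

    /** Minimal status record; the fields are placeholders for application data. */
    public static final class Status {
        public volatile long lastSeenMs;
        public volatile String state = "NEW";
        Status(long nowMs) { lastSeenMs = nowMs; }
    }

    private final Map<String, Status> byIp = new ConcurrentHashMap<>();

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // One table per web application, visible to every servlet in the context.
        sce.getServletContext().setAttribute(ATTR, this);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        byIp.clear();
    }

    /** Fetches the table from any servlet: ClientStatusTable.from(getServletContext()). */
    public static ClientStatusTable from(ServletContext ctx) {
        return (ClientStatusTable) ctx.getAttribute(ATTR);
    }

    /** Returns the record for the caller's address, creating it if needed. */
    public Status touch(HttpServletRequest request) {
        long now = System.currentTimeMillis();
        // Unlike HttpSession, nothing expires these entries for us, so do it here.
        byIp.values().removeIf(s -> now - s.lastSeenMs > IDLE_LIMIT_MS);
        Status s = byIp.computeIfAbsent(request.getRemoteAddr(), ip -> new Status(now));
        s.lastSeenMs = now;
        return s;
    }
}
```

The listener has to be declared in a `<listener>` element in web.xml so the container creates the table at startup. Because the key is only the source address, the table is suitable for status data on a network like the one described here and should not carry authentication state where addresses can be shared.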




