Wednesday, June 27, 2012

The right cookie

Your browser makes two types of HTTP requests to Orbeon Forms:

  • Page requests, done to load your form, as an HTML page.
  • Ajax requests, done after the form is loaded, in the background, to dynamically update the form as users interact with it.

Since version 3.8, released in May 2010, Orbeon Forms checks that a valid session is present before processing Ajax requests. This is done as a security measure. Consider this scenario:

  1. Alice is logged into your application. She loads a form in a first tab of her browser and another form in a second tab.
  2. Now in the second tab, she clicks on a link to log out, and forgets to close the first tab before leaving the computer unattended.
  3. An intruder, Mallory, comes in and gets access to the computer. he won’t be able to load a new form without logging back in, but what about the form in the first tab?
    • Pre–3.8, Mallory would have been able to interact with the form, as long as no new page was loaded, possibly accessing data or performing changes he is not authorized to do.
    • With 3.8 onward, Orbeon Forms checks that a valid session is present with Ajax requests, so Mallory won’t be able to do anything with that form in the first tab, .

The session is maintained by the servlet container or application server (e.g. Tomcat) using a cookie, typically JSESSIONID. That cookie is set the first time the browser requests a form, and then sent in subsequent requests, including Ajax requests.

JSESSIONID cookie received in form request and sent in Ajax requests
JSESSIONID cookie received in form request and sent in Ajax requests

If you have some kind of proxy between the browser and Orbeon Forms, you need to make sure that the session is properly kept, and if you’re investigating a cookie issue, tools like Firebug or the Chrome Dev Tools will help you, allowing you to see the cookies received and sent by your browser. Assuming Orbeon Forms is deployed on, the first time your browser requests the page, the server will set the cookie with the following header in the response:

Set-Cookie: JSESSIONID=1122315805F64E5505CC048C1CCBE00E; Path=/orbeon

Make sure the path in that cookie (here /orbeon) corresponds to the the beginning of the path to your form, as you see it in the URL. If it doesn’t, the browser will ignore that cookie. Then as you interact with the form, you will see requests made to Those are the Ajax requests mentioned earlier. Check that the same cookie initially set when the first form was loaded is also sent in those Ajax requests:

Cookie: JSESSIONID=1122315805F64E5505CC048C1CCBE00E

If it isn’t, this is maybe because the Ajax request is sent to a different host than the one from which the form was loaded, or that the path in the Ajax request, here /orbeon/xforms-server doesn’t start with the Path for that cookie, here /orbeon.

And for some background information on how cookies work in browsers, you might want to check the Implementation section, on the Wikipedia page about HTTP cookies.

No comments:

Post a Comment