WebLogic 10.0 Server - Configure New Domain

April 3rd, 2008

Hello and welcome everyone, this is episode 5, I’m Nawaf.  In this episode we are going to show you how to configure a new domain on WebLogic 10.0 Server.

 

HTTP Session Id Shared/Duplicate Problem

February 14th, 2008

Hello and welcome everyone, this is episode 4, I’m Nawaf Al Badia.

In this podcast I will talk about a problem I had a few days ago with the HTTP session ID. The HTTP session ID is used by the web server and the browser as a tracking mechanism. Web applications usually use HttpSession to store user-related data such as name, purchased items, etc. The HttpSession object is stored and accessible only within the web server. The link between the session object and the web browser (the user) is the session ID. This ID is generated by the web server, which guarantees that no duplicates occur among active sessions. Generally a session ID is about 32 characters long, but sometimes web servers append more characters for other purposes such as server session replication.

The Problem:
I was called in to analyze a problem of possible HTTP session duplicates. The support team had received a complaint from a client who was accessing the system to process a registration procedure for his establishment's employees. While interacting with the system, all of a sudden he noticed that his establishment name had changed to someone else's name, and he started to see employee details that didn't belong to his establishment. He reported that to the support team. After investigating and comparing DB records, we found out that the user had performed some transactions that were filed under someone else's establishment. As you can see, this problem causes severe damage to the system. Just to give a clear idea of how big the system is: it's a custom J2EE ERP + Social Insurance system with workflow and DMS engines. It's about 6,000,000 lines of code; it is equal to the Linux kernel in size. It's deployed on three web servers for intranet users and another three web servers for internet users, one dedicated server for web services and four application servers for handling business logic (EJBs). There are of course a load balancer, an SSL accelerator, etc. Before I continue I should tell you that this system has been in production for more than four years and uses a very well-known and stable J2EE-compliant application server. Since it was causing very serious problems, we were asked to solve it in no time, and the system would be down until we mended the problem.

To make the situation much worse, the system administrators could not replicate the problem, so we didn't know why, where or even when the problem happened. So we started with a very simple and fast method: creating an HTTP listener servlet that all requests must go through, and putting a debug message in it. In the debug message we simply print the user details, such as name and ID, and the session ID. At that time we found some cases where two users were both logged in and active, and both of them had the same session ID.

There are many parties involved: the web server, the load balancer, the application system and any component that sits between the browser and the web servers. So we needed to use tools to analyze and monitor all of these components. The system also has the failover feature turned on, in which every session has a primary and a secondary server, so if the primary goes down the user is automatically transferred to the secondary server without noticing, which made our debugging very complex.
 
Workaround:  
We figured it would take a very long time for us to find the root cause, so we shifted our effort to finding a rapid workaround to prevent this problem until the network and system teams performed full monitoring and diagnostics.

The workaround works mainly by keeping records of all active user sessions in a repository. Every time we authenticate a user we check this repository for a possible duplicate. If the session doesn't exist in the repository, we validate the user and then store his session. Otherwise we invalidate the session, causing the web server to generate another session ID, and ask the user to log in again. We remove the session ID from the store upon session invalidation. However, during our investigation we found that sessions get mixed not necessarily at the login/authentication level but sometimes in the middle of a normal transaction, where initially the two users have their unique session IDs and all of a sudden they get mixed. To detect this last case we had to store the session ID (hashed using SHA-1) in the user's cookie whenever the user gets a new session ID. So every time a request hits the system, our security filter (the listener/main point that all requests go through) reads the hashed HTTP session ID from the cookie and compares it to the current (hashed) HTTP session ID; if they differ, a duplicate has occurred. With this method, whenever we encounter a duplicate we log it, invalidate the user session and ask him to log in again.
 
So the idea was to hash the session ID and then store it in the user's cookie. Obviously, we had to use a timestamp along with the session ID and hash them together to ensure it can't be used again. Using this method we were able to run the system again and ensure the problem never occurs, and then start diagnosing the system without any pressure while preserving the availability of the system.
I hope you benefit from this workaround in case you face a similar problem. Goodbye
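
The two checks described above (the active-session repository at login and the cookie comparison on every request) can be sketched as follows. This is an added example, not code from the system in the post: class and method names are hypothetical, the timestamp is assumed to be kept server-side with the repository entry, and a keyed HMAC-SHA-256 is used in place of the plain SHA-1 hash so that a client cannot compute a valid cookie value itself.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: all names here are hypothetical.
public class SessionBindingDemo {
    // Constructed sample key. Assumption: HMAC-SHA-256 stands in for the plain SHA-1 hash.
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    static final class Entry { final String user; final long issuedAt;
        Entry(String u, long t) { user = u; issuedAt = t; } }
    // Repository of active sessions: session ID -> owner and issue time.
    static final Map<String, Entry> ACTIVE = new ConcurrentHashMap<>();

    static String tag(String sessionId, long issuedAt) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] raw = mac.doFinal((sessionId + "|" + issuedAt).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Login: returns the cookie value, or null when the session ID is already in the
    // repository (the caller then invalidates the session and asks for a new login).
    static String login(String sessionId, String user, long now) throws Exception {
        Entry prior = ACTIVE.putIfAbsent(sessionId, new Entry(user, now));
        return prior != null ? null : tag(sessionId, now);
    }

    // Every request: recompute the tag for the session the server resolved and compare.
    static boolean cookieMatchesSession(String cookie, String currentSessionId) throws Exception {
        Entry e = ACTIVE.get(currentSessionId);
        if (cookie == null || e == null) return false;
        byte[] expected = tag(currentSessionId, e.issuedAt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, cookie.getBytes(StandardCharsets.UTF_8));
    }

    // Session invalidation removes the ID from the repository.
    static void invalidate(String sessionId) { ACTIVE.remove(sessionId); }

    public static void main(String[] args) throws Exception {
        String alice = login("SID-AAAA", "alice", 1000L);   // constructed IDs, users, times
        login("SID-BBBB", "bob", 1001L);
        System.out.println("same session:     " + cookieMatchesSession(alice, "SID-AAAA"));
        System.out.println("mixed session:    " + cookieMatchesSession(alice, "SID-BBBB"));
        System.out.println("duplicate login:  " + (login("SID-AAAA", "carol", 1002L) == null));
        invalidate("SID-AAAA");
        login("SID-AAAA", "dave", 2000L);                   // same ID issued again later
        System.out.println("old cookie reuse: " + cookieMatchesSession(alice, "SID-AAAA"));
    }
}
```

Because the issue time is part of the tag, a cookie minted for an earlier session no longer matches when the same session ID is handed out again.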

 

Feb 14th - IT News

February 14th, 2008

Hello and welcome, this is episode 3, I’m Nawaf.

Before I start with the news I must apologize for not making any podcast last week. I had some technical problems with the sound card: whenever I record I get a noisy sound like shoo. Anyway, in today's IT news:

[Summary]

• Yahoo rejects Microsoft offer.
• Yahoo seeks an alliance with News inc.
• Yesterday Sun announced the JavaOne Conference schedule and Java University. http://java.sun.com/javaone/sf/schedule.jsp
• Firefox 3 Beta 3 released. http://www.mozilla.com/en-US/firefox/3.0b3/releasenotes/
• Microsoft acquires Danger Inc. http://www.microsoft.com/presspass/press/2008/feb08/02-11Acquisition.mspx

That’s all for today, good bye

 

Feb 7th - IT News

February 7th, 2008

Hello and welcome. Here is some of the major IT industry news:

[Summary]

  • Microsoft bids 44.6 billion dollars for Yahoo, or $31 a share.
  • Microsoft releases Vista SP1 RTM (released to manufacturing) and Windows Server 2008.
  • Grails 1.0 Release (http://grails.org/1.0+Release+Notes).
  • SpringSource acquires Covalent.

That’s all there is for today, goodbye

 

Welcome to Tech-Podcasts.net

February 5th, 2008

Hello and welcome to tech-podcasts. My name is Nawaf, I’m Saudi and I live in Riyadh. This is the first podcast episode I do, in which I’m delighted to introduce the tech-podcasts.net website. Tech-podcasts.net brings a technology focus to the area of podcasts. Mainly, it is geared towards developers and emerging technologies. We are going to cover multifarious technology topics in Java EE 5, .NET, Web 2.0 development and interoperability. In addition, we are going to do talks and shows about enterprise systems and design, and conduct interviews with some of the key people in the community.

I have been inspired by a couple of friends who do podcasts. So I thought to create a podcast website to somehow communicate with others and try to contribute. Personally I like to do a talk or presentation rather than writing an article or essay. Also these activities will ameliorate my technical background and urge me to learn more. Tech-podcasts.net is neither a personal site nor geared towards a particular technology. So I welcome anyone who wants to help and contribute either by recording podcasts or doing interviews. There is huge potential in podcasts. Nowadays, many people possess iPods or mobile devices that are equipped with the necessary means to run mp3, mp4 and other formats. Thousands more join every week. The question is how do we use this change to our advantage. We can leverage the power of these devices and build communities with it. I believe this technology gives us the opportunity to share our thoughts and ideas with others.

Before I conclude this short podcast, I would like to thank a very nice and intelligent person, who always supported me and helped start this site. Thanks Jihad Al Amaar, I truly value our friendship and I’m looking forward to recording a podcast with you sometime soon.

You can email me at nawaf@tech-podcasts.net

 