Dot or Slash Separator On AS400 JDBC Resource

Recently I had to debug a Java web application, and being new to the platform, there were quite a few things I was unfamiliar with. One of those things was how to tell an AS400 resource whether its libraries and procedures were going to be separated by a slash or a dot. The application I was working on used slashes and apparently my connection’s default was dots. At first I changed all the calls, but I always knew there had to be another way.

Here is how I specified what kind of naming the application should use in the server.xml file.

<Resource
  name="MyDataSource"
  auth="Container"
  type="javax.sql.DataSource"
  password="mypass"
  driverClassName="com.ibm.as400.access.AS400JDBCDriver"
  maxIdle="5"
  maxWait="5000"
  username="myuser" 
  url="jdbc:as400://AS400URL.COM; libraries= mylib, yourlib, theirlib; naming=system; prompt=false"
  maxActive="10"/>

Note the naming on the URL property.
“System” causes the connection to interpret the slash character as a separator.

naming=system

“Sql” causes the connection to interpret the dot character as a separator.

naming=sql

Secure Session ID Cookies on IIS6 Using Metabase And Classic ASP

I have been looking for a solution to this problem for weeks! How do you mark a cookie as secure so that it will only be transmitted via an SSL connection in IIS6? The first (and best) solution is so simple that I am annoyed by the amount of time I wasted on workarounds (solution 2).

Please keep in mind these are two different solutions. I suggest using the first one or the second one (if you have to) but not both together.

Solution 1

  1. Enable Direct Metabase Editing. As its name says, this allows you to edit the Metabase.xml file while IIS is running.
  2. Navigate to and open the Metabase.xml file.
  3. Change the value of the property ASPKeepSessionIDSecure to “1” instead of “0”. Note that the number must be in quotes.

More Metabase Properties: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0d49cbc8-10e1-4fa8-ba61-c34e524a3ae6.mspx?mfr=true

Solution 2

I do not suggest this approach as it seems to require an extra trip to the server for the cookie to be marked secure. That, if you think about it, still leaves you vulnerable to being packet sniffed. The attacker can get your session cookie prior to you logging in, and since the same cookie gets marked secure, he could then use the insecure cookie with your same session ID to hijack your session. This can be mitigated, however, by requiring SSL for the directory the user is browsing.

Nonetheless here is the code that marks your cookie secure. It must be included on every page through a sort of server side include.

<%
'///////////////////////////////////////////////
' secureAspSessionCookie
''''''''''''''''''''''''''''''''''''''''''''''''
' Notes:
'   If on SSL, takes the ASP session cookie and marks it secure. If the user
'   changes to non-SSL, a new cookie is issued.
'////////////////////////////////////////////////
Function secureAspSessionCookie()
    If Request.ServerVariables("HTTPS") = "on" Then
        Dim AspSessionCookie
        AspSessionCookie = Request.ServerVariables("HTTP_COOKIE")
        ' Only split when the session cookie is actually present; otherwise
        ' Split(...)(1) raises "Subscript out of range" when other cookies exist.
        If InStr(1, AspSessionCookie, "ASPSESSIONID") > 0 Then
            AspSessionCookie = "ASPSESSIONID" & Split(AspSessionCookie, "ASPSESSIONID")(1)
            If InStr(1, AspSessionCookie, ";") Then
                AspSessionCookie = Split(AspSessionCookie, ";")(0)
            End If
            ' Re-issue the same session cookie with the Secure attribute
            Response.AddHeader "Set-Cookie", AspSessionCookie & "; Secure; Path=/"
        Else
            ' No session cookie on this request yet: reload so the next request carries it
            Response.Redirect(Request.ServerVariables("URL"))
        End If
    End If
End Function
secureAspSessionCookie()
%>

Source: http://stackoverflow.com/questions/2099777/classic-asp-how-to-check-if-aspsessionid-cookie-has-been-marked-as-secure
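
To check which of the two behaviours a server actually shows, the sketch below audits recorded Set-Cookie headers for the ASP session cookie. It is an added example, not code from the original post or the Stack Overflow answer; the function names and the sample headers are constructed for illustration.

```python
import re

# Classic ASP session cookie: "ASPSESSIONID" followed by a per-site suffix.
ASP_SESSION = re.compile(r"^(ASPSESSIONID[A-Z]*)=([^;]*)", re.I)

def parse_set_cookie(header):
    """Return (name, value, is_secure) for an ASP session cookie, else None."""
    m = ASP_SESSION.match(header.strip())
    if not m:
        return None
    attrs = [a.strip().lower() for a in header.split(";")[1:]]
    return m.group(1), m.group(2), "secure" in attrs

def audit(responses):
    """responses: ordered list of (scheme, [Set-Cookie header values]).

    Flags session IDs issued without Secure, and IDs that only gained the
    Secure attribute after already being issued without it (the weakness
    described for Solution 2).
    """
    exposed = set()      # (name, value) pairs ever issued without Secure
    findings = []
    for _scheme, headers in responses:
        for header in headers:
            parsed = parse_set_cookie(header)
            if parsed is None:
                continue                 # not the ASP session cookie
            name, value, secure = parsed
            if not secure:
                exposed.add((name, value))
                findings.append(("issued-without-secure", name, value))
            elif (name, value) in exposed:
                findings.append(("secure-flag-added-to-exposed-id", name, value))
    return findings

# Constructed sample: the first ID is issued in the clear and later re-marked
# Secure; the second ID carries Secure from its first appearance.
SAMPLE = [
    ("http",  ["ASPSESSIONIDQQGGGPLC=AAAAEXAMPLE0001; path=/"]),
    ("https", ["ASPSESSIONIDQQGGGPLC=AAAAEXAMPLE0001; Secure; Path=/"]),
    ("https", ["ASPSESSIONIDQQGGGPLC=BBBBEXAMPLE0002; path=/; secure",
               "theme=dark; path=/"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result from `audit` means every session ID seen carried Secure from the first response that set it.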

How to Check if ‘mod_rewrite’ is On Using PHP

I needed to rewrite my menus based on whether mod_rewrite was turned on in the htaccess file and not necessarily if the module existed. This is how I did it in two parts.

Part 1- In the .htaccess file

#Turn on rewrite 
RewriteEngine On

#Notify PHP that rewrite is on
SetEnv HTTP_MOD_REWRITE on

#Continue with your rewrite rules below

Part 2- In the PHP file

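function modRewriteIsEnabled() {
    // isset() avoids an undefined-index notice when the SetEnv line is absent.
    // HTTP_-prefixed $_SERVER entries are also where request headers appear,
    // so use this value as a display hint only.
    return isset($_SERVER['HTTP_MOD_REWRITE'])
        && strtolower($_SERVER['HTTP_MOD_REWRITE']) == 'on';
}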

Remove Trailing Slash From URL In Htaccess

This is a simple one, and it’s relative to the user’s current location. This is important because you don’t want to hard-code your website’s URL into the htaccess file. The main reason is that you don’t want to switch the user over to an HTTP connection when they are on an HTTPS connection.

RewriteEngine On
RewriteRule ^([a-zA-Z0-9]+)/$ /$1 [R=301,L]

ETag Removal

The main purpose of ETags is for servers to validate whether there is a new version of the file they are requesting. The problem is that sites served on multiple servers are likely to have ETags that do not match. This problem exists for both IIS and Apache served sites. This mismatch is not important in a small site served by a single server. However, it is suggested that ETags be removed on larger websites with multiple servers; this decreases header data and thus allows for a faster load. Leaving the mismatching ETags in place, however, is said to bog down busier sites. Below is a simple piece of code that shows you how to remove ETags; just add it to your .htaccess file.

FileETag None