About the Application:
My prospect has a multi-tiered Web application consisting of Web Browser -> Portal Application Server (HTTP) -> Report Server (HTTP) -> Database. The Portal (Application Server) makes both GET and POST calls to ReportServer depending on the type of End User's action.
The App Server passes on the Portal Username to Report Server in the GET Request as a URL parameter and in the POST Body as a parameter. I have set up username extraction for both GET and POST to extract the User name from the Portal to ReportServer traffic with an objective of following a User's actions from Browser to Portal and further to ReportServer (expected to work with some approximations and not at individual user transaction level).
The traffic from Portal to ReportServer doesn't have any User session, so the user name needs to be extracted from each HTTP request, and there is no Session identifier (like JSESSIONID).
My Issue: I set the property - Method of truncating URLs = 'NO CUT' in the Software Service and found the full GET URL is seen in the Operations report as shown below; but username extraction was not working.
Then I set property - Method of truncating URLs = 'CUT AFTER FIRST SEPARATOR' and found that user name extraction works; however the GET URLs are shown as 'http://10.250.10.110/reports/rwservlet' which is not very appealing.
Username extraction from the POST calls from Portal to ReportServer works in both settings of Method of truncating URLs = 'NO CUT' and 'CUT AFTER FIRST SEPARATOR'.
My Objective: I want the best of both - i.e. the full GET URL needs to be displayed and username extraction should work as well. Does anyone have any suggestions?
Below are examples of GET requests. The username is in parameter 'p_user'.
I would say it's rather expected that the "NOCUT" method "holds" username recognition, since we no longer divide the URL into params and so we don't know where the username and session identifier are.
If you're disappointed with how the URL looks after the default cut method, you should take a look at monitoring parameters. Just get to know which of these parameters are business sensitive and include them in monitoring so you would get URLs, for example, like: http://10.250.10.110/reports/rwservlet?server=uat&desformat=htmlcss&destype=cache&report=sa_daly_ret... ...
When using the "HTTP POST param....." or the "HTTP GET para...." it's always required to have a cookie in the definition - why?
Cookies are not always required, so why do we require them to identify a user?
As in Praveen's example, there can be scenarios where, for example, Oracle only uses the URL and the parameters for user identification.
As GET/POST usernames are seen in the traffic only at the moment of the login process, there is no other way to pin it to other URLs (for a given user session) than to associate it with a particular cookie name that identifies the logical user session ...
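
The behaviour described in the replies above, modelled as an added example that is not part of the thread and is not the monitoring product's own code: with 'NO CUT' the URL stays one opaque string so no user name can be read from it, while with 'CUT AFTER FIRST SEPARATOR' the parameters are separated, the user name is found, and only the monitored parameters are put back on the displayed URL. The function name `report_url`, the `monitored` argument and the sample report and user values are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample request: the report name and user are placeholders.
SAMPLE_URL = (
    "http://10.250.10.110/reports/rwservlet?server=uat&desformat=htmlcss"
    "&destype=cache&report=example_report&p_user=jdoe"
)


def report_url(url, cut_method, monitored=(), user_param="p_user"):
    """Return (displayed_url, username) for one GET request.

    Hypothetical model of the two truncation settings named in the thread.
    """
    if cut_method == "NO CUT":
        # The URL is never divided into parameters, so there is no
        # p_user value to extract: full URL shown, no user name.
        return url, None
    if cut_method != "CUT AFTER FIRST SEPARATOR":
        raise ValueError(f"unknown cut method: {cut_method!r}")

    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"

    # Parameters are now separated, so the user name can be located.
    username = next((v for k, v in params if k == user_param), None)

    # Only parameters chosen for monitoring are re-attached, in request order.
    kept = [(k, v) for k, v in params if k in monitored]
    shown = base + ("?" + urlencode(kept) if kept else "")
    return shown, username


if __name__ == "__main__":
    for method, keep in (
        ("NO CUT", ()),
        ("CUT AFTER FIRST SEPARATOR", ()),
        ("CUT AFTER FIRST SEPARATOR", ("server", "destype", "report")),
    ):
        print(method, keep, "->", report_url(SAMPLE_URL, method, keep))
```

Leaving `p_user` out of the monitored set keeps the user name out of the displayed URL while it is still extracted as the user identity.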