sessions in Skylark [message #38375] Wed, 12 December 2012 23:26
Peter

Hello.

I wrote a very simple authorization system using sessions. The general idea is as follows. I have two pages: main page and the other one with a login form. If the user tries to enter the main page without logging in, he/she will be redirected to login page. When the correct login ("john") and password ("doe") are given, a new session is established, the user gets redirected to the main page and a success message is displayed. This part works fine, here's the code:

main cpp:

#include <Skylark/Skylark.h>

using namespace Upp;

SKYLARK(Login, "login")
{
	http.RenderResult("Sessions/login");
}

SKYLARK(HomePage, "")
{
	if(IsNull(http[".SESSID"]))
		http.Redirect(Login);
	else
		http << "<html><body>You are logged in.</body></html>";
}

SKYLARK(HomePagePost, "post:POST") 
{
	if((String)http["login"] == "john" && (String)http["password"] == "doe")
	{
		http.SessionSet(".SESSID", (int)Random());
		http.Redirect(HomePage);
	}
	else
		http.Redirect(Login);
}

SKYLARK(CatchAll, "**")
{
	http.Redirect(Login);
}

struct MyApp : SkylarkApp {

    MyApp() {
    #ifdef _DEBUG
	prefork = 0;
	use_caching = false;
	#endif
    }
};

CONSOLE_APP_MAIN
{
	#ifdef _DEBUG
	StdLogSetup(LOG_FILE|LOG_COUT);
	Ini::skylark_log = true;
	#endif
    MyApp().Run();    
}


login.witz:

<html>
<body>
<form action=$HomePagePost method="post" accept-charset="utf-8" enctype="multipart/form-data">
   <P>
   	$post_identity()
    Login:<INPUT type="text" name="login" id=""><br>
    Password:<INPUT type="password" name="password" id=""><br>
    <INPUT type="submit" value="Log in">
   </P>
</form>
</body>
</html>


Now I'd like to be able to decide how long a session should last before it expires. Unfortunately I don't know how to do it. The way it works now is as follows: in IE and Chrome the session doesn't expire until I close the browser window. In Firefox I remain logged in even after closing the browser window and opening a new one.

Let's say I want session to expire one minute after logging in. I thought setting SkylarkSessionConfig::expire to 60 would do the trick, but it didn't. I also tried to use Http::ClearSession, but it didn't work the way I expected. Can you please give me some tips?

Re: sessions in Skylark [message #38381 is a reply to message #38375] Thu, 13 December 2012 08:07
dolik.rce

Hi Peter,

I'm not exactly sure what the problem is, but there are a couple of things you might or might not know:

The session storage is cleaned only once every 10 minutes. So setting session_expire in config file or SkylarkSessionConfig::expire to anything less than 600 doesn't make much sense.

The session variables are stored in cookies. The fact that Firefox behaves differently is probably caused by different cookie cleaning settings.

The expiration time for session is counted since last write (any call to SetSession(), NewSessionId(), NewIdentity() or SetLanguage()).

Http::ClearSession() seems to currently only delete the session variables "temporarily" - if you don't write anything new into the session, it will not be reset. I'm not sure if it is a bug or intended behavior. I think that if you want to get rid of the current session variables it is safer to call NewSessionId().

If none of the hints above helps you, let me know. I'll try to make an example application demonstrating how to use the session functionality for user logins.

Best regards,
Honza

Re: sessions in Skylark [message #38444 is a reply to message #38375] Sun, 16 December 2012 00:32
Peter

Thank you for your reply, Honza. My general knowledge about sessions and cookies is very limited - I know what they are and what they're used for, but I've never used them before (from a developer's point of view). Here's what I want to know:

1. Suppose I have a web portal that requires users to log in in order to gain access. Now, when a user is logged in, I would like him/her to get logged out after some fixed period of time during which he/she is inactive (doesn't toggle between pages). To be more precise, let's assume my web portal consists of 3 pages: a.html, b.html and c.html. Now, if a user is on one of those pages and refreshes it or moves to another one before 15 minutes have passed, then the current session is sustained for 15 more minutes (or another one is set - will it make any real difference?). If a user stays idle for 15 minutes or more, the current session expires and he/she gets logged out. Additionally, if the user clicks on a "log out" button, current session expires/gets cleared immediately. How can I do that in Skylark?

2. I seem to confuse session, session id and session variables.
I always thought session was just some file stored on server.
When session is created, two things happen: a session file is created on server and a cookie with some unique id session identifier (set automatically, not by me) is created on client.
Cookie needs to contain only the id while session usually contains some more information about client, such as his password etc. When session expires, session file is removed from server and corresponding cookie is removed from client. Is that how it works (more or less)? Now, using Skylark terminology:

- "session" = file stored on server
- "session id" = unique identifier corresponding to a given session, stored in cookie on client
- "session variable" - a variable defined in Skylark application, its value is stored in session file on server

Is my reasoning right?

Now let's assume I need to keep track of two things for any given user:

- is the user logged (is his/her session active)
- the user privileges (is he/she a portal admin and/or subadmin)

Of course this information must be passed between different pages of my website. I thought I should set 3 variables with SessionSet(): .SESSION (is the current user logged in), .ADMIN (is the current user an admin), .SUBADMIN (is the current user a subadmin), but now I don't think it's right - this sets three different sessions, doesn't it? Or does it just set one session and three variables storing values associated with that session?

3. Is there any way to read session id for currently logged users from within Skylark application?


Best regards,
Peter

[Updated on: Sun, 16 December 2012 00:33]


Re: sessions in Skylark [message #38445 is a reply to message #38444] Sun, 16 December 2012 17:30
dolik.rce

Peter wrote on Sun, 16 December 2012 00:32

1. Suppose I have a web portal that requires users to log in in order to gain access. Now, when a user is logged in, I would like him/her to get logged out after some fixed period of time during which he/she is inactive (doesn't toggle between pages). To be more precise, let's assume my web portal consists of 3 pages: a.html, b.html and c.html. Now, if a user is on one of those pages and refreshes it or moves to another one before 15 minutes have passed, then the current session is sustained for 15 more minutes (or another one is set - will it make any real difference?). If a user stays idle for 15 minutes or more, the current session expires and he/she gets logged out. Additionally, if the user clicks on a "log out" button, current session expires/gets cleared immediately. How can I do that in Skylark?

See attached package, it should demonstrate everything necessary. You can probably use most of the code as is, just remember to call CheckSession() in each handler, it updates the latest activity time.

Peter wrote on Sun, 16 December 2012 00:32

2. I seem to confuse session, session id and session variables.
I always thought session was just some file stored on server.
When session is created, two things happen: a session file is created on server and a cookie with some unique id session identifier (set automatically, not by me) is created on client.
Cookie needs to contain only the id while session usually contains some more information about client, such as his password etc. When session expires, session file is removed from server and corresponding cookie is removed from client. Is that how it works (more or less)? Now, using Skylark terminology:

- "session" = file stored on server
- "session id" = unique identifier corresponding to a given session, stored in cookie on client
- "session variable" - a variable defined in Skylark application, its value is stored in session file on server

Is my reasoning right?

Yes, you're mostly right. It is a bit complex since some of the terms might have multiple meanings :) A session is one record in the file stored on the server (or one row in a database, if you configure it). The session id is a unique identifier that is stored in a cookie in the user's browser and is used as a key to find the correct session record on the server. Session variables are variables that are stored on the server and provide a way to store data across multiple requests as long as the user sends a cookie with a constant session id.

Peter wrote on Sun, 16 December 2012 00:32

Now let's assume I need to keep track of two things for any given user:

- is the user logged (is his/her session active)
- the user privileges (is he/she a portal admin and/or subadmin)

Tracking if the user is logged in can be done as demonstrated in the attached code. User privileges are IMHO best stored in some globally accessible object that can translate some form of user id to his privileges. The user id can be set as a separate session variable on successful log in (http.SessionSet("userid", ...) or something like that). It is easier to manage this way when the application starts to grow and you add more and more roles and privileges. There are of course other ways too; for a simple website, what you described should work too.

Peter wrote on Sun, 16 December 2012 00:32

Of course this information must be passed between different pages of my website. I thought I should set 3 variables with SessionSet(): .SESSION (is the current user logged in), .ADMIN (is the current user an admin), .SUBADMIN (is the current user a subadmin), but now I don't think it's right - this sets three different sessions, doesn't it? Or does it just set one session and three variables storing values associated with that session?

Each session can store many variables; it is stored as a map with variable names as keys. So what you propose is OK and should work. But as I said above, I think there are better ways, but of course it is just my opinion ;)

Peter wrote on Sun, 16 December 2012 00:32

3. Is there any way to read session id for currently logged users from within Skylark application?

Yes, as any other cookie, it can be read with the '@' prefix: http["@__skylark_session_cookie__"] in code or $@__skylark_session_cookie__ in witz (note that the cookie name can be changed in configuration). However, you should not rely on this for anything, it is just a random string. All the info you need to have available about the user should be stored in session variables.

Honza
  • Attachment: Login.zip
    (Size: 2.67KB, Downloaded 185 times)
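
The idle-timeout behaviour discussed in this thread, as an added example in standard C++ (it is not Skylark code and not the contents of the attached Login.zip): the store compares the last-activity time on every request, so expiry does not depend on the 10-minute storage cleanup, and login always issues a fresh id. SessionStore, Login, Check and Logout are hypothetical names, and std::random_device is assumed to be backed by the operating system's random source.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <random>
#include <string>

// One server-side record; the client only ever holds the id that keys it.
struct Session {
    std::map<std::string, std::string> vars; // session variables, e.g. "userid"
    long last_activity = 0;                  // seconds; refreshed on each valid request
};

class SessionStore {
    std::map<std::string, Session> sessions_;
    long idle_limit_; // seconds of inactivity after which a session is dead

    static std::string NewId() {             // 256-bit id as 64 hex characters
        static const char hex[] = "0123456789abcdef";
        std::random_device rd;               // assumption: OS-backed randomness
        std::string id;
        for (int i = 0; i < 8; i++) {
            std::uint32_t r = rd();
            for (int j = 0; j < 8; j++) { id += hex[r & 15]; r >>= 4; }
        }
        return id;
    }
public:
    explicit SessionStore(long idle_limit) : idle_limit_(idle_limit) {}

    // Successful login: issue a new id, never adopt one supplied by the client.
    std::string Login(const std::string& userid, long now) {
        std::string id = NewId();
        Session& s = sessions_[id];
        s.vars["userid"] = userid;
        s.last_activity = now;
        return id;
    }
    // Call first in every handler. Returns nullptr for an unknown id or one
    // idle for idle_limit_ seconds or more; otherwise slides the window forward.
    Session* Check(const std::string& id, long now) {
        auto it = sessions_.find(id);
        if (it == sessions_.end()) return nullptr;
        if (now - it->second.last_activity >= idle_limit_) {
            sessions_.erase(it);             // expire now, not at the next sweep
            return nullptr;
        }
        it->second.last_activity = now;
        return &it->second;
    }
    void Logout(const std::string& id) { sessions_.erase(id); } // immediate
    std::size_t Size() const { return sessions_.size(); }
};
```

A handler that gets nullptr back from Check redirects to the login page; privileges are then looked up from the stored userid rather than kept in the cookie.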