WebSpeed Session Handling
- Thread starter israelm
- Start date
RealHeavyDude
Well-Known Member
You don't give any basic information like the Progress/OpenEdge version you're running ...
What do you mean by "is WebSpeed able to handle session" ?.
If you want to maintain context between successive request you need to implement your context management. WebSpeed and the AppServer provide all features you need to do so.
HTH, RealHeavyDude.
What do you mean by "is WebSpeed able to handle session" ?.
If you want to maintain context between successive request you need to implement your context management. WebSpeed and the AppServer provide all features you need to do so.
HTH, RealHeavyDude.
israelm
New Member
Hi,
Im using Progress/Open Edge
Version: 10.2.0.00
OpenEdge Release: 10.2A
My question is if it can handle Session Vars, i have never worked with OPenEdge before and i am not sure how to create session vars.
PHP i use something like:
session_start();
$_SESSION['MyVar'];
session_destroy();
That way the server create a unique session id (SID) and allow me to distinguish different users.
What i am trying to do is to validate users after they logged and know if they have had more than 15m of inactivity and things like that.
I think this could be fixed by the context management you mentioned, but how can i implement it ?
Thank's in advance.
Best Regards!
Israel M.
Im using Progress/Open Edge
Version: 10.2.0.00
OpenEdge Release: 10.2A
My question is if it can handle Session Vars, i have never worked with OPenEdge before and i am not sure how to create session vars.
PHP i use something like:
session_start();
$_SESSION['MyVar'];
session_destroy();
That way the server create a unique session id (SID) and allow me to distinguish different users.
What i am trying to do is to validate users after they logged and know if they have had more than 15m of inactivity and things like that.
I think this could be fixed by the context management you mentioned, but how can i implement it ?
Thank's in advance.
Best Regards!
Israel M.
Hi.
Although most people prefer to make there own session management, WebSpeed also comes with a build in session management.
on the messenger you need to set in $DLC/properties/ubroker.porperties: useConnID=1
in the environment section of the webspeed agent you need to set SESSION_PATH. This should point to a directory where you woud like to store the session variables.
If you have done this then you can use setSession("VarName","VarValue") to set variables and getSession("Varname") to retrieve values.
The sessionvariables are stored in a file name ENCODE(SESSION:SERVER-CONNECTION-ID).tmp.
This method of has its flaws like: Values are always stored as character and maximum size of file is 32K (well at least it used to be) and so on.
But if the stuff youy are going to do isn't too complicated then its a good starting point. One can always expand this by starting to implement there own sessionManager.
HTH,
Casper.
Although most people prefer to make there own session management, WebSpeed also comes with a build in session management.
on the messenger you need to set in $DLC/properties/ubroker.porperties: useConnID=1
in the environment section of the webspeed agent you need to set SESSION_PATH. This should point to a directory where you woud like to store the session variables.
If you have done this then you can use setSession("VarName","VarValue") to set variables and getSession("Varname") to retrieve values.
The sessionvariables are stored in a file name ENCODE(SESSION:SERVER-CONNECTION-ID).tmp.
This method of has its flaws like: Values are always stored as character and maximum size of file is 32K (well at least it used to be) and so on.
But if the stuff youy are going to do isn't too complicated then its a good starting point. One can always expand this by starting to implement there own sessionManager.
HTH,
Casper.
We have messenger installed at separate machine and we use apache:
to edit the properties file go on machine where messenger is installed to $DLC/properties/ubroker.properties and add useConnID=1 in Webspeed.Messenger.CGIIP section.
Or if you can use progress explorer on that machine: messenger --> CGIIP --> properties --> Advanced features --> check Session Connection ID
HTH,
Casper.
to edit the properties file go on machine where messenger is installed to $DLC/properties/ubroker.properties and add useConnID=1 in Webspeed.Messenger.CGIIP section.
Or if you can use progress explorer on that machine: messenger --> CGIIP --> properties --> Advanced features --> check Session Connection ID
HTH,
Casper.
israelm
New Member
I got it, now session vars are available.
The first times i ran the program it worked properly.
After couple of runs this code is printing "?" instead print "user"
setSession("user", "user").
{&out} getSession("user").
Do you know why is occurring this situation?
*I already restarted my broker and apache server.
Regards!.
The first times i ran the program it worked properly.
After couple of runs this code is printing "?" instead print "user"
setSession("user", "user").
{&out} getSession("user").
Do you know why is occurring this situation?
*I already restarted my broker and apache server.
Regards!.
Apart from a book by Geoff Crawford (WebSpeed complete: http://www.innov8cs.com/publications_books.html), I don't know of any documentatfion but the code itself.
There are more FW available for WebSpeed.
One was from FFW (FreeFrameWork) But the side appears to be down for some time now (ah found a place where they still have it): http://es.sourceforge.jp/projects/sfnet_freeframework/releases/).
Furthermore there is the more sophisticated FW called PS-eScript (see: http://www.progresstalk.com//showthread.php?98013-ps-eScript) it is now hosted by Proaxima (http://www.proaxima.com/escript.shtml). Very nice but not for free I believe. (Although I am not sure).
Coming at that I think it is also usefull to take a look at jQuery: http://www.progresstalk.com//showth...th-webspeed-and-external-javascript-functions WebGuy gave some good examples on usage. (but ok that has nothing to do with sessionmanagement
.
Regards,
Casper.
There are more FW available for WebSpeed.
One was from FFW (FreeFrameWork) But the side appears to be down for some time now (ah found a place where they still have it): http://es.sourceforge.jp/projects/sfnet_freeframework/releases/).
Furthermore there is the more sophisticated FW called PS-eScript (see: http://www.progresstalk.com//showthread.php?98013-ps-eScript) it is now hosted by Proaxima (http://www.proaxima.com/escript.shtml). Very nice but not for free I believe. (Although I am not sure).
Coming at that I think it is also usefull to take a look at jQuery: http://www.progresstalk.com//showth...th-webspeed-and-external-javascript-functions WebGuy gave some good examples on usage. (but ok that has nothing to do with sessionmanagement
.Regards,
Casper.
israelm
New Member
Thank you, i found many interesting things like the FW usage for WebSpeed.
There's no documentation about Session Handling.
I have one more question:
Let's say im validating user inactivity, limit is 10 minutes. Once the program detects that user haven't had activity on the last 10 minutes i need to destroy the session and take the user to the log in page.
So far i drop the user, but im not sure whats happening whit the session and it's vars.
Is there some kind of "session_destroy" command or something to unset the session vars?
Thanks again.
Regards!
There's no documentation about Session Handling.
I have one more question:
Let's say im validating user inactivity, limit is 10 minutes. Once the program detects that user haven't had activity on the last 10 minutes i need to destroy the session and take the user to the log in page.
So far i drop the user, but im not sure whats happening whit the session and it's vars.
Is there some kind of "session_destroy" command or something to unset the session vars?
Thanks again.
Regards!
I believe you have to run:
This deletes the file where the session information is stored. One disadvantage of this is that you need to close the webbrowser in order to get a new session. And to make things even worse with IE 8 and tabbed pages you have to close all open Explorer session to get a new session.
I myself tend to manual reset the values of each entry which need to be reset.
Casper.
Code:
run endSession in web-utilities-hdl.I myself tend to manual reset the values of each entry which need to be reset.
Casper.
israelm
New Member
Yes, you're right. That's why i hate IE.
So following your advise i set to blank all my session vars and end the session. That way doesn't matter what happens the user will lose the access to the system.
Let me share my last code ->
If the user have had more than "n" minutes of inactivity then i call this funx.
Next time the user try to access the system i verify the sessionTime var,
If blank then the user have no access and take it out again to log-in page.
Thank's for your help Casper.
Best Regards!
Israel M.|
So following your advise i set to blank all my session vars and end the session. That way doesn't matter what happens the user will lose the access to the system.
Let me share my last code ->
If the user have had more than "n" minutes of inactivity then i call this funx.
Code:
FUNCTION dropUser RETURNS CHAR (INPUT dropMessage AS CHAR):
SETSESSION("sessionTime","").
RUN endSession IN web-utilities-hdl.
RETURN "<a href='login.html' target='_parent'>" + dropMessage + "</a>".
LEAVE.
END FUNCTION.If blank then the user have no access and take it out again to log-in page.
Thank's for your help Casper.
Best Regards!
Israel M.|
I read the post with much interest and managed to get this to work on my own webspeed server. Problem is that
criticals informations maybe stored in plain text in that .tmp file like the "user" information.
That means that if someone for any reasons has access to that file he may access to that information which can be a security problem.
Is there a way to encrypt that information and to reverse that encryption in order to use it into the application after ?
criticals informations maybe stored in plain text in that .tmp file like the "user" information.
That means that if someone for any reasons has access to that file he may access to that information which can be a security problem.
Is there a way to encrypt that information and to reverse that encryption in order to use it into the application after ?
israelm
New Member
Hi there,
Yes, you're right, there could be a security issue.
Im sure that WebSpeed must have some kind of encryption system, but so far i have not found it..
But we have more options.
You can use JavaScript to encrypt your data even before to be sent from the client to the server. This practice is very secure since there's no opportunity other persons can catch them before encryption.
There are at least two diferent methods: md5 and sha1.
To learn more about JS Encryption go to:
http://membres-liglab.imag.fr/donsez/cours/exemplescourstechnoweb/js_securehash/
hope this can be useful.
Best Regards!
Yes, you're right, there could be a security issue.
Im sure that WebSpeed must have some kind of encryption system, but so far i have not found it.
.But we have more options.
You can use JavaScript to encrypt your data even before to be sent from the client to the server. This practice is very secure since there's no opportunity other persons can catch them before encryption.
There are at least two diferent methods: md5 and sha1.
To learn more about JS Encryption go to:
http://membres-liglab.imag.fr/donsez/cours/exemplescourstechnoweb/js_securehash/
hope this can be useful.
Best Regards!
You must realize that the information is stored on the server where the database runs and not on the webserver. Normally the webserver would be in hte dmz so the database server is behind the firewall. If security on the database machine is an issue then you also have to realize that connection from the messenger to the appserver is also not encrypted. Only in recent releases of OpenEdge you can make a secure (SSL) connection to the Appserver.
This method has more disadvantages like the limit of information to store is 32K (If I'm correct). If one is planning to make a more sofisticated website then the best thing is to build your own session manangement and use tables in the database to store the session information.
Nonetheless this is an easy out of the box way to get started making a web application.
It is however possible to store the information using the build in security features progress has (like encrypt/decrypt).
Regards,
Casper.
Here is what i did
My websession is used as a key to encrypt and to decrypt the user.
The base64 methods are used to avoid any special cars (0x00...) that could truncate the xmemuser variable and make the decrypt method to fail.
Code:
DEFINE VARIABLE encryptedUser AS CHAR NO-UNDO.
encryptedUser = BASE64-ENCODE(ENCRYPT(exu,GENERATE-PBE-KEY(SESSION:SERVER-CONNECTION-ID)) ).
setSession("exuser",encryptedUser).
Code:
DEFINE VARIABLE xmemUser AS MEMPTR NO-UNDO.
ASSIGN SET-SIZE(xmemUser) = LENGTH(getSession("exuser"))
xmemUser = BASE64-DECODE(getSession("exuser"))
exu = STRING(DECRYPT(xmemUser,GENERATE-PBE-KEY(SESSION:SERVER-CONNECTION-ID))).The base64 methods are used to avoid any special cars (0x00...) that could truncate the xmemuser variable and make the decrypt method to fail.