NetTalk Central

Author Topic: Forcing a new session - something is not right  (Read 5754 times)

peterH

Forcing a new session - something is not right
« on: February 11, 2011, 04:17:42 AM »
Hi Bruce,

You've stated earlier that you can force a new session by adding:
p_web.DeleteSession()
p_web.NewSession()
in the loginform procedure, top of generate form routine.

That used to be right (up to 5.09 I think). I had problems in 5.12 where all my login forms stopped working so I rolled back. Now, after you were bugging me the other day about being a dinosaur <g> I decided to update to 5.15 - but I'm having the same problem here and I've finally found out what's wrong (but not how to fix it).

Something has definitely changed somewhere. You can easily try it yourself: just add the above lines to the web3 example and it'll immediately stop working.

Peter

Bruce

Re: Forcing a new session - something is not right
« Reply #1 on: February 14, 2011, 12:08:16 AM »
Ok, thanks Peter, I'll check into it.

cheers
Bruce

Bruce

Re: Forcing a new session - something is not right
« Reply #2 on: February 16, 2011, 07:18:17 AM »
yeah, ok, you can't do it there.

Understanding why may be helpful.

The form runs through many "stages", which are broadly categorized into 3 phases:

a) initialization before the form displays
b) generating the form
c) handling the "Ok" button of the form.

Now you're killing the session smack-bang in the middle of the 3 phases. Meaning that anything set up during phase (a) is lost. And this is a bad thing. (It prevents (c) from working).

So, a better place for the two lines of code, is at the top of the InitForm routine, which runs towards the beginning of phase 1.

peterH

Re: Forcing a new session - something is not right
« Reply #3 on: February 16, 2011, 07:41:40 AM »
Thanks, Bruce.

I take it that you did make some internal changes after 5.09 that affect session management since it did work before - but who cares, as long as we can make it work again  ;)

Peter

Bruce

Re: Forcing a new session - something is not right
« Reply #4 on: February 16, 2011, 09:13:49 PM »
Hi Peter,

yes, internally, it is storing the "Settings" for the form earlier than before.

Cheers
Bruce


Robert Iliuta

Re: Forcing a new session - something is not right
« Reply #5 on: March 08, 2011, 05:39:56 AM »
Hallo,

This is not working for me.... I need to reset the sessionID every time a user logs in.

I put this Form in InitForm embed:

p_web.DeleteSession()
p_web.NewSession()

nothing happens...

Can someone help me on this?

Thank you,
Robert

Bruce

Re: Forcing a new session - something is not right
« Reply #6 on: March 08, 2011, 06:59:30 AM »
>> I need to reset the sessionID every time a user logs in.

Can you explain a bit what you're really trying to do? I think you're attacking a solution here which may not be the best solution to your real problem. I'm pretty sure you don't want to delete the session when the user logs in - that makes no sense. Perhaps you are needing to delete when they log out?

Cheers
Bruce

Robert Iliuta

Re: Forcing a new session - something is not right
« Reply #7 on: March 08, 2011, 12:56:02 PM »
I posted here because of the subject. I need to force a new session every time the login form is called. Also when the user logs out I want to delete the session. This is what I'm trying to do.

Robert

Bruce

Re: Forcing a new session - something is not right
« Reply #8 on: March 08, 2011, 10:26:25 PM »
>> I need to force a new session every time the login form is called.

There's a property of the WebServer (not the WebHandler) called:
.ChangeSessionOnLogInOut
You can set this in the webServer procedure in the Init method of the window.

If this is set then the session number is changed when a user logs in or out. The session itself remains, i.e. the values in the session remain, but the number itself is changed. This prevents a specific session-hijacking attack where a user supplies you with a pre-determined session number, and gets you to log in on that session number.

>> Also when the user logout I want to delete the session. This is what I'm trying to do.

Add the .DeleteSession call to the .SetSessionLoggedIn method in the WebHandler; you can test the parameter to see if the user is logging in or out.

I suspect deleting a session when a user logs in will make your system not work very well, but I guess that's up to you.

cheers
Bruce
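
Added example, not part of the thread and not NetTalk code: a small Python model of the two behaviours discussed in Replies #2 and #8, namely deleting the session mid-form (the phase (a) settings are lost, so the Ok handler fails) versus changing only the session number at login (values survive, and a pre-determined session number stops working). SessionStore, login, fixation_demo and the strategy names are hypothetical; the planted id is constructed sample data.

```python
import secrets


class SessionStore:
    """Toy in-memory session store (hypothetical; not the NetTalk API)."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session values

    def new_session(self, requested_id=None):
        # Accepting a client-supplied id is the precondition for the attack.
        sid = requested_id or secrets.token_hex(16)
        self._sessions.setdefault(sid, {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def delete_session(self, sid):
        self._sessions.pop(sid, None)

    def rotate_id(self, sid):
        # Change the number, keep the values: move the dict to a fresh id.
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = self._sessions.pop(sid)
        return new_sid


def login(store, sid, user, strategy):
    """Run the three form phases; return (session id, Ok handler succeeded)."""
    store.get(sid)["form_settings"] = {"form": "LoginForm"}  # phase (a)
    if strategy == "delete_and_new":                         # middle of phase (b)
        store.delete_session(sid)
        sid = store.new_session()
    ok = "form_settings" in store.get(sid)                   # phase (c)
    if ok:
        store.get(sid)["user"] = user
        if strategy == "rotate":                             # number changes at login
            sid = store.rotate_id(sid)
    return sid, ok


def fixation_demo(strategy):
    store = SessionStore()
    planted = store.new_session("constructed-fixed-id")  # id chosen by a third party
    sid, ok = login(store, planted, "alice", strategy)
    planted_is_logged_in = (store.get(planted) or {}).get("user") == "alice"
    return ok, planted_is_logged_in, store.get(sid)
```

With strategy "none" the planted id ends up logged in; with "rotate" the login succeeds and the planted id no longer maps to any session; with "delete_and_new" the Ok handler cannot find its form settings.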

Robert Iliuta

Re: Forcing a new session - something is not right
« Reply #9 on: March 11, 2011, 02:42:47 AM »
Hallo Bruce,

It works ok now.
Thank you,
Robert