Forcing a new session - something is not right

[peterH]

Hi Bruce,

You've stated earlier that you can force a new session by adding:
p_web.DeleteSession()
p_web.NewSession()
in the loginform procedure, top of generate form routine.

That used to be right (up to 5.09 I think). I had problems in 5.12 where all my login forms stopped working so I rolled back. Now, after you were bugging me the other day about being a dinosaur <g> I decided to update to 5.15 - but I'm having the same problem here and I've finally found out what's wrong (but not how to fix it).

Something has definately changed somewhere. You can easily try it yourself: just add the above lines to the web3 example and it'll immediately stop working.

Peter

[Bruce]

Ok, thanks Peter, I'll check into it.

cheers
Bruce

[Bruce]

yeah, ok, you can't do it there.

To understand why, may be helpful.

The form runs through many "stages" - which are broadly categorized into 3 phases;

a) initialization before the form displays
b) generating the form
c) handling the "Ok" button of the form.

Now you're killing the session smack-bang in the middle of the 3 phases. Meaning that anything set up during phase (a) is lost. And this is a bad thing. (It prevent's (c) from working).

So, a better place for the two lines of code, is at the top of the InitForm routine, which runs towards the beginning of phase 1.

[peterH]

Thanks, Bruce.

I take it that you did make some internal changes after 5.09 that affects session management since it did work before - but who cares, as long as we can make it work again 

Peter

[Bruce]

Hi Peter,

yes, internally, it is storing the "Settings" for the form earlier than before.

Cheers
Bruce

[Robert Iliuta]

Hallo,

This is not working for me.... I need to reset the seesionID everytime a user login.

I put this Form in InitForm embed:

p_web.DeleteSession()
p_web.NewSession()

nothing happens...

Can someone help me on this?

Thank you,
Robert

[Bruce]

>> I need to reset the sessionID everytime a user login.

Can you explain a bit what you're really trying to do? I think you're attacking a solution here which may not be the best solution to your real problem. I'm pretty sure you don't want to delete the session when the user logs in - that makes no sense. Perhaps you are needing to delete when they log out?

Cheers
Bruce

[Robert Iliuta]

I posted here because of the subject. I need to force a new session every time the login form is called. Also when the user logout I want to delete the session. This is what I'm trying to do.

Robert

[Bruce]

>> I need to force a new session every time the login form is called.

there's a property of the WebServer (not the WebHandler) called;
.ChangeSessionOnLogInOut
You can set this in the webServer procedure in the Init method of the window.

If this is set then the session number is changed when a user logs in or out. The session itself remains,
ie the values in the session remains, but the number itself is changed. This prevents a specific session-hijacking attack where a user supplies you with a pre-determined session number, and gets you to log in on that session number.

>> Also when the user logout I want to delete the session. This is what I'm trying to do.

Add the .DeleteSession call to the .SetSessionLoggedIn method in the WebHandler, you can test the
parameter to see if the user is logging in or out.

I suspect deleting a session when a user logs in will make your system not work very well, but I guess that's up to you.

cheers
Bruce

[Robert Iliuta]

Hallo Bruce,

It works ok now.
Thank you,
Robert