SessionID dont change - NT and SW

[walter.dasilva]

Hi,

If i login with a user it get a sessionID that fill my in-memory tables right.
after that i loggou and make login with Admin(default first user) and the p_web.SessionID it´s the same as previous login with different user

is it correct? using NT and SW how to p_web.DeleteSession if User/Logout is calling secwinwebloginform directly?

thanks

[Bruce]

a session is bound to the browser - and is independent of whether the user is logged in or not. ie login <> session.

you can delete a session when the user logs out if you like.
ie in the web handler
SetSessionLoggedIn method
test the parameter, and do a self.DeleteSession if the user is logging out.
(I'd do it after the parent call.)

cheers
Bruce

[walter.dasilva]

Hi Bruce,

i´m not sure about testing p_Value. i´m doing this:
   if p_Value=0
     self.DeleteSession()
   END
   
and i can´t login in. and more, this method is called 3 times.

[Bruce]

Hi Walter,

If you are deleting the session, when the user is on the login screen, then obviously you will not be able to login. The login screen, like any form, relies on session values to work - if you delete the session half-way though, you're gonna make it fail.

Perhaps you should reconsider your need to "delete the session" in the first place. Perhaps what you should be doing is clearing specific session values which you feel should not exist between users.

If you wish to delete the session you will
a) need to remove the implicit "logout" usually in the Login Form and
b) provide an alternate logout to the user.

Of course when a user changes from one to another, _without_ an intermediate logout, then you may also need to do extra management there.

I think simply re-assigning the session values that you feel are an issue is really what you want to do here- not delete the session.

cheers
Bruce

[walter.dasilva]

Hi Bruce,

The problem is. when a user make a login the browse give a session and all information from this login are stamped with this sessionid. so if this user make logoff and next it another user make a login and the browse give for this one the same sessionid, all information from the first users will be avalible for the second one. the problem are:

. the way sw make logout is calling login. you are testing if has a session loggin on and then decide for logoff; i think (as you suggest) sw could be a separate logoff;

. stamp data with sessionid is not enough, i must stamp with specific user identification. in this case the use .deletesession to cleanning up session id is not resolve the case for all situation.

the main here is, this solution will be running in a public terminal for a company and could be a queue of people to use it. since browse not close, i think session could be the same. is it right?

thanks

[Bruce]

>> all information from the first users will be available for the second one.

I don't see why. This is the point where I think we're diverging.
Obviously you can clear specific sessiondata when the new person logs in.

I guess you might need to make an example to show the problem, because I'm not seeing it.

cheers
Bruce