Solved

WebBroker question

Posted on 2003-03-10
Last Modified: 2010-04-04
Hi,

I am creating a CGI using WebBroker technology.

Anyone know how to create/save/access a 'session' information?

I need to save some info about a session, for example username and password.

Please if you know the simplest solution for this ...

PS: Don't suggest me to use WebSnap :)

Thanks in advance,
Question by:muis2002
10 Comments
 
LVL 21

Expert Comment

by:ziolko
ID: 8102555
I'll suggest you use ISAPI :-)
ziolko.
0
 
LVL 17

Expert Comment

by:geobul
ID: 8103066
Hi,

Use cookies. Set them on login (user name, password and/or session number) and read them after that on every request you are processing. Check if it's a valid session for that user/password and if 'yes' then continue with the real work.

Another way is to set a parameter in the URL query part of every response. This way, when you receive a request there is a session number in the CGIRequest.QueryFields property. Example:

http://www.domain.com/scripts/yourApp.exe?sess=1045

Regards, Geo
0
 
LVL 7

Accepted Solution

by:
Motaz earned 105 total points
ID: 8103093
CGI does not support sessions; instead it supports cookies (client-side storing of information).

Read this article; I copied it from my EBook (Delphi Programming Guide):

-------------

Cookies are used by CGI/ISAPI applications to store data on client computers.
For example, if someone enters a login name and password and sends this information to the server (CGI/ISAPI application), the server can send it again to the client (browser) after authentication, and store it in a temporary location called cookies. After logging in, if the user browses pages and requests any information which cannot be displayed without authentication (for example, the user wants to see his e-mail messages), the user's cookies will be sent automatically within the request, and the CGI/ISAPI application can understand that this user is already authenticated, and of course the CGI can know the user's login name and password.
Suppose that there are no cookies: how can the CGI/ISAPI authenticate each request?
The answer is very simple: in each request the user must send the login name and password. For example, when the user clicks on the Inbox folder he must type his login name and password, and when he wants to read a message he must also type his login name and password again and again to let the CGI know who this user is in each request, because there is no relation between each request and the next one on the server side. Actually this also happens with cookies: when the user clicks on any CGI link, he will send his login name and password each time, but the difference is that the cookies will be sent automatically with every request until they expire.


Setting cookies:

Cookies must always be set after logging in. For example, suppose that the user enters his name and password in a login form and then submits it to this CGI application:

var
  Login, Password: string;
begin

  // Read Login name and Password from Login form
  Login:=
    Request.ContentFields.Values['Login'];
  Password:=
    Request.ContentFields.Values['Password'];

  //....
  // After checking Login name and password in users Database
  // send Login name and Password to user's cookies

  Response.Cookies.Add;
  Response.Cookies.Items[0].Name:= 'Login';
  Response.Cookies.Items[0].Value:= Login;
  Response.Cookies.Items[0].Expires:= Now + 1;
 
  Response.Cookies.Add;
  Response.Cookies.Items[1].Name:= 'Password';
  Response.Cookies.Items[1].Value:= Password;
  Response.Cookies.Items[1].Expires:= Now + 1;

  Response.SendResponse;
end;

This code in the OnAction event will save the current user's Login and Password in his cookies to be used later in other requests.
The Expires property sets the expiration date of the cookie. For example, if we set it to Now + 1, that means this cookie will not be sent with requests after a day since the last setting of that cookie (logging in). You can also set the expiration date to an hour later (Now + 1/24); see Date and time routines.


Reading cookies:


Now, after logging in, the user wants to send requests such as asking a question or seeing his messages, etc.
The user will click on a CGI link, but this time he would not send the Login name and Password again, because they are already stored in his cookies. The authentication in the CGI will be like the code below:

var
  Login, Password: string;
begin

  // Read cookies to check whether the user is already logged in

  Login:=
    Request.CookieFields.Values['Login'];
  Password:=
    Request.CookieFields.Values['Password'];

  //...
  // Check the user login and password. If the fields are empty, that
  // means the user is not logged in. In this case you can
  // display the login form:

  if Login = '' then
    Response.SendRedirect('Login.htm')
  else
  begin
    // Respond to his request
    // ...
  end;
end;


Notes:

For security purposes there are separate cookies for each CGI application, so in your CGI application you can't read other sites' cookies which are stored on your client computer. For example, there are two different cookie storage places for the URLs below:

http://www.yourserver.com/cgi-bin/users.exe
and
http://www.otherserver.com/cgi-bin/users.exe

And it seems that the URL is case sensitive, so that the addresses below even have different cookies:

http://www.yourserver.com/cgi-bin/users.exe
and
http://www.YourServer.com/CGI-BIN/Users.exe

Another important thing is that you have to set and read cookies using the same CGI application.

-------------
Motaz
0
 
LVL 5

Expert Comment

by:msa2003
ID: 8103871
ziolko: ISAPI is good... for IIS. Just imagine that you use Apache ;o)

muis2002: If you care about sessions, use HTTP authorization. To give the user an opportunity to store passwords, use cookies. The following sample is taken from Delphi on-line help. It uses cookies as well as HTTP authorization:

This example shows an OnAction event handler that adds a cookie to the response message. The cookie stores the current authorization information. This allows the current client to revisit the URL without resupplying a password for a limited period (1 day). Because a password is sensitive information, the cookie can only be sent on a secure connection.

procedure TWebModule1.PasswordCookieActionAction(Sender: TObject; Request: TWebRequest; Response: TWebResponse; var Handled: Boolean);

begin
  Handled := False; { adding a cookie does not handle the request }
  with Response.Cookies.Add do
  begin
    Name := 'LastPassword';
    { Set the LastPassword cookie to the current authorization }
    { Or, if no authorization was supplied this time, carry over }
    { the authorization from the LastPassword cookie of the request }
    Value := Request.Authorization;
    if Value = '' then
      Value := Request.CookieFields.Values['LastPassword'];

    Secure := True; { be sure to use a secure connection!!!!}
    Expires := Now + 1; { this cookie expires in one day }
  end;
end;

To add some security, use a secure connection (SSL, etc.). It can be set up in the Web server configuration (CGI/ISAPI scripts just generate an HTTP response and do not care about the transport protocol).
0
 
LVL 9

Expert Comment

by:mocarts
ID: 8104375
With Delphi you can create CGI/ISAPI/APACHE(DSO) modules with ease.
It's not a good idea to send cookies with usernames and passwords over the net. If you have access to some DB, you can use a table to store sessions (example of structure: SessID, UserName, Expires, maybe some session-dependent data, etc.) and in the cookie (or in the URL as a param) send to the client only the SessID. Before each request to the DB, delete expired sessions (or, to keep previous data, select the non-expired ones and, if authorized, restore data from the last session data) and check against authorization.
If you don't expect big user activity, then in place of a DB you can use a flat file with synchronized access to it from your CGI app (with a mutex and WaitForSingleObject(), I think).

wbr, mo.
0
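
The session-table design from the comment above, as an added example that is not code from any poster in this thread. It is written in Python so it runs stand-alone; the SessID/UserName/Expires columns follow the comment, while the function names, the sqlite3 store and the cookie name are assumptions.

```python
import secrets
import sqlite3
import time
from http.cookies import SimpleCookie

SESSION_TTL = 24 * 60 * 60  # one day, same lifetime as the "Now + 1" cookies in the thread

def open_store(path=":memory:"):
    """Open the session table. A CGI starts a new process per request,
    so a real deployment passes a file path; :memory: is for the demo only."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions ("
               "SessID TEXT PRIMARY KEY, UserName TEXT NOT NULL, Expires REAL NOT NULL)")
    return db

def create_session(db, user_name, now=None):
    """Call only after the password check succeeded.
    Returns (sess_id, value for the Set-Cookie response header)."""
    now = time.time() if now is None else now
    sess_id = secrets.token_urlsafe(32)  # 256 random bits from the OS, not a counter
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (sess_id, user_name, now + SESSION_TTL))
    db.commit()
    cookie = SimpleCookie()
    cookie["SessID"] = sess_id           # the password never goes into a cookie
    cookie["SessID"]["max-age"] = SESSION_TTL
    cookie["SessID"]["secure"] = True    # browser sends it over HTTPS only
    cookie["SessID"]["httponly"] = True  # hidden from page scripts
    cookie["SessID"]["path"] = "/"
    return sess_id, cookie["SessID"].OutputString()

def lookup_session(db, cookie_header, now=None):
    """Map the request's Cookie header to a user name, or None if not logged in."""
    now = time.time() if now is None else now
    db.execute("DELETE FROM sessions WHERE Expires <= ?", (now,))  # purge expired first
    db.commit()
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "SessID" not in jar:
        return None
    row = db.execute("SELECT UserName FROM sessions WHERE SessID = ?",
                     (jar["SessID"].value,)).fetchone()
    return row[0] if row else None

def destroy_session(db, sess_id):
    """Logout: delete the row so a copied cookie value stops working."""
    db.execute("DELETE FROM sessions WHERE SessID = ?", (sess_id,))
    db.commit()
```

In a WebBroker handler the same two steps map onto the properties already shown in this thread: write the ID through Response.Cookies after login and read it back from Request.CookieFields on every later request.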
 
LVL 5

Expert Comment

by:msa2003
ID: 8104593
mocarts: if passwords are never transmitted over the network, how will the server be assured that the client knows the password? With pure spirit? Just imagine it ;-)
0
 
LVL 14

Expert Comment

by:DragonSlayer
ID: 8125251
Well, I agree that you should not transmit the correct username/pwd over the network... perhaps the server can transmit an MD5 hash of both the username and pwd, then at the client side, when the user keys in the username/pwd, the client software will get the MD5 hash of what the user keyed in and compare it with the hash received from the server?
0
 
LVL 5

Expert Comment

by:msa2003
ID: 8128764
DragonSlayer: there is one thing I don't understand: why use a hash? Hash with one element - original solution ;).

P. S. Passwords are usually transmitted over a secure connection (SSL and so on).
0
 
LVL 14

Expert Comment

by:DragonSlayer
ID: 8134121
because you cannot "unhash" it to obtain the original password.
0
 

Expert Comment

by:CleanupPing
ID: 9316861
muis2002:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
