
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 625

WebBroker question


I am creating a CGI using WebBroker technology.

Does anyone know how to create/save/access 'session' information?

I need to save some info about a session, for example username and password.

Please if you know the simplest solution for this ...

PS: Don't suggest that I use WebSnap :)

Thanks in advance,
1 Solution
I'll suggest you use ISAPI :-)

Use cookies. Set them on login (user name, password and/or session number) and read them after that on every request you are processing. Check if it's a valid session for that user/password and if 'yes' then continue with the real work.

Another way is to set a parameter in the URL query part of every response. This way, when you receive a request there is a session number in the CGIRequest.QueryFields property. Example:


Regards, Geo
CGI does not support sessions; instead it supports cookies (client-side storage of information).

Read this article, I copied it from my EBook (Delphi programming Guide):


Cookies are used by CGI/ISAPI applications to store data on client computers.
For example, if someone enters a login name and password and sends this information to the server (CGI/ISAPI application), the server can send it back to the client (browser) after authentication and store it in a temporary location called cookies. After logging in, if the user browses pages and requests any information which cannot be displayed without authentication (for example, the user wants to see his e-mail messages), the user's cookies will be sent automatically within the request, and the CGI/ISAPI application can understand that this user is already authenticated, and of course the CGI can know the user's login name and password.
Suppose that there are no cookies; how can the CGI/ISAPI authenticate each request?
The answer is very simple: in each request the user must send the login name and password. For example, when the user clicks on the Inbox folder he must type his login name and password, and when he wants to read a message he must also type his login name and password again and again to let the CGI know who this user is in each request, because there is no relation between each request and the next one on the server side. Actually this also happens with cookies: when the user clicks on any CGI link, he will send his login name and password each time, but the difference is that the cookies will be sent automatically with every request until they expire.

Setting cookies:

Cookies must always be set after logging in. For example, suppose that the user enters his name and password in a login form and then submits it to this CGI application:

  // Body of the OnAction event handler
  var
    Login, Password: string;
  begin
    // Read Login name and Password from Login form
    // (the form field names 'Login' and 'Password' are assumed)
    Login := Request.ContentFields.Values['Login'];
    Password := Request.ContentFields.Values['Password'];

    // After checking Login name and password in users Database
    // send Login name and Password to user's cookies
    // (Cookies.Add creates each cookie before its fields are set)
    with Response.Cookies.Add do
    begin
      Name := 'Login';
      Value := Login;
      Expires := Now + 1;
    end;
    with Response.Cookies.Add do
    begin
      Name := 'Password';
      Value := Password;
      Expires := Now + 1;
    end;
  end;


This OnAction event code will save the current user's Login and Password in his cookies to be used later in other requests.
The Expires property sets the expiration date of the cookie; for example, if we set it to Now + 1, that means this cookie will not be sent with requests a day after it was last set (logging in). You can also set the expiration date to an hour later (Now + 1/24); see Date and time routines.

Reading cookies:

Now, after logging in, the user wants to send requests such as asking a question or seeing his messages, etc.
The user will click on a CGI link, but this time he will not send the Login name and Password again, because they are already stored in his cookies. The authentication in the CGI will be like the code below:

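  var
    Login, Password: string;
  begin
    // Read cookies to check whether the user is already logged on
    Login := Request.CookieFields.Values['Login'];
    Password := Request.CookieFields.Values['Password'];

    // Check user login and password, if the fields are empty that
    // means the user is not logged in. In this case you can
    // display login form:

    if Login = '' then
    begin
      // Display the login form here
    end
    else
    begin
      // Response to his request
      // ...
    end;
  end;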


For security purposes there are separate cookies for each CGI application, so in your CGI application you can't read other sites' cookies which are stored on your client computer. For example, there are two different cookie storage places for the URLs below:


And it seems that the URL is case sensitive, so that the addresses below even have different cookies:


Another important thing is that you have to set and read cookies using the same CGI application.

ziolko: ISAPI is good... for IIS. Just imagine that you use Apache ;o)

muis2002: If you care about sessions, use HTTP authorization. To give the user an opportunity to store passwords, use cookies. The following sample is taken from Delphi on-line help. It uses cookies as well as HTTP authorization:

This example shows an OnAction event handler that adds a cookie to the response message. The cookie stores the current authorization information. This allows the current client to revisit the URL without resupplying a password for a limited period (1 day). Because a password is sensitive information, the cookie can only be sent on a secure connection.

procedure TWebModule1.PasswordCookieActionAction(Sender: TObject; Request: TWebRequest; Response: TWebResponse; var Handled: Boolean);
begin
  Handled := False; { adding a cookie does not handle the request }
  with Response.Cookies.Add do
  begin
    Name := 'LastPassword';
    { Set the LastPassword cookie to the current authorization }
    { Or, if no authorization was supplied this time, carry over }
    { the authorization from the LastPassword cookie of the request }
    Value := Request.Authorization;
    if Value = '' then
      Value := Request.CookieFields.Values['LastPassword'];

    Secure := True; { be sure to use a secure connection!!!!}
    Expires := Now + 1; { this cookie expires in one day }
  end;
end;

To add some security, use a secure connection (SSL, etc.). It can be set up in the Web server configuration (CGI/ISAPI scripts just generate an HTTP response and do not care about the transport protocol).
With Delphi you can create CGI/ISAPI/APACHE(DSO) modules with ease.
It's not a good idea to send cookies with usernames and passwords over the net. If you have access to some DB you can use a table to store sessions (example structure: SessID, UserName, Expires, maybe some session-dependent data, etc.) and send only the SessID to the client in a cookie (or in the URL as a param). Before each request to the DB, delete expired sessions (or, to keep previous data, select the non-expired ones and, if authorized, restore data from the last session data) and check against authorization.
If you don't expect big user activity then in place of a DB you can use a flat file with synchronized access to it from your CGI app (with a mutex and waitForSingleObject(), I think).

wbr, mo.
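The session-table approach described in the post above, as an added example that is not part of the original thread; it is written in Python with SQLite rather than Delphi so the table logic can be run on its own. The columns follow the post (SessID, UserName, Expires); the function names, the one-day lifetime and the in-memory database are assumptions.

```python
import secrets
import sqlite3
import time

SESSION_TTL = 24 * 60 * 60  # assumed lifetime: one day, like "Now + 1" in the thread


def open_store(path=":memory:"):
    """Create the session table from the post: SessID, UserName, Expires."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sessions ("
        " sess_id TEXT PRIMARY KEY,"
        " user_name TEXT NOT NULL,"
        " expires REAL NOT NULL)"
    )
    return db


def create_session(db, user_name, now=None):
    """Call only after the password check succeeds; returns the cookie value."""
    now = time.time() if now is None else now
    sess_id = secrets.token_urlsafe(32)  # random and unguessable, holds no credentials
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (sess_id, user_name, now + SESSION_TTL))
    db.commit()
    return sess_id


def lookup_session(db, sess_id, now=None):
    """Delete expired rows first, then map sess_id to a user name (or None)."""
    now = time.time() if now is None else now
    db.execute("DELETE FROM sessions WHERE expires <= ?", (now,))
    db.commit()
    row = db.execute("SELECT user_name FROM sessions WHERE sess_id = ?",
                     (sess_id or "",)).fetchone()
    return row[0] if row else None


def end_session(db, sess_id):
    """Logout: the cookie value stops working at once, whatever its expiry."""
    db.execute("DELETE FROM sessions WHERE sess_id = ?", (sess_id,))
    db.commit()
```

On every request the handler passes the cookie value to `lookup_session` and shows the login form when it returns `None`; the password itself never leaves the login request.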
mocarts: if passwords will never be transmitted over the network, how will the server be assured that the client knows the password? With pure spirit? Just imagine it ;-)
Well, I agree that you should not transmit the correct username/pwd over the network... perhaps the server can transmit an MD5 hash of both the username and pwd, then at the client side, when the user keys in username/pwd, the client software will get the MD5 hash of what the user keyed in and compare it with the hash received from the server?
DragonSlayer: there is one thing I don't understand: why to use hash? Hash with a one element - original solution ;).

P. S. Passwords are usually transmitted over secure connection (SSL, so on).
Because you cannot "unhash" it to obtain the original password.
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.
