Session Implementation

Last Updated: 9/21/2008
Sessions are managed automatically by IntraWeb. Sessions are stored in memory on the server and are therefore secure from users who may attempt to modify the session data. Each session is assigned a unique session ID that is used to identify the session. The session ID is constructed in a secure manner so that session IDs are not predictable and thus not prone to hacking. In addition, each session is tied to the user's browser, and if another browser is detected attempting to use the same session, an error is returned.

For further security, use the ServerController's RestrictIPs property. This checks the user's IP address against the session and returns an error if the IP address changes. This option is false by default and should only be set to true in intranets or extranets with controlled clients. This is because some proxy servers, such as Microsoft's ISA proxy server, change IP addresses between HTTP requests for a given user, which causes the IntraWeb server to see multiple IP addresses for that user.

You can also authenticate users before a session is created (see the TIWServerControllerBase.AuthList property in the IntraWeb component reference help file). Setting the ServerController's AuthBeforeNewSession property to TRUE prevents session creation until authentication succeeds. The creation order is as follows:

AuthBeforeNewSession=false:

AuthBeforeNewSession=true:
By default, the session ID is embedded in each HTML page and tracked with each HTTP request. This allows a single user to have multiple sessions per application. The disadvantage is that once the user is inside the application, they cannot leave the application and return to it. Because of this, when using this method of session ID tracking, any non-application web pages must be opened in new windows unless they are opened in response to the application terminating.

Session tracking can be set to use cookies instead of embedding the ID in the HTML page by setting the ServerController's SessionTrackingMethod property to tmCookie. This instructs IntraWeb to use cookies to track the user's session. The advantage is that the user can move in and out of the application to other web pages with ease. The disadvantages are that many users disable cookies and that the user can have only one session per application.
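The session checks described above (server-side storage, an unpredictable ID, browser binding, and the optional IP restriction), modeled as an added Python example; this is not IntraWeb's own code. The SessionStore class, its method names, the restrict_ips flag and the use of the User-Agent string as the browser fingerprint are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """In-memory, server-side session table (a model, not IntraWeb's code)."""

    def __init__(self, restrict_ips=False):
        # Models the RestrictIPs option described above: off by default.
        self.restrict_ips = restrict_ips
        self._sessions = {}

    def create(self, user_agent, ip):
        # 128 bits from the OS CSPRNG, so IDs cannot be predicted or enumerated.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user_agent": user_agent, "ip": ip, "data": {}}
        return sid

    def check(self, sid, user_agent, ip):
        """Return 'ok' or the reason the request is rejected."""
        session = self._sessions.get(sid)
        if session is None:
            return "unknown session"
        if session["user_agent"] != user_agent:
            return "browser mismatch"
        if self.restrict_ips and session["ip"] != ip:
            return "IP address changed"
        return "ok"


def demo():
    # Constructed sample values: documentation-range IPs, made-up User-Agents.
    ua, other_ua = "Mozilla/5.0 (constructed A)", "Mozilla/5.0 (constructed B)"
    results = {}
    for restrict in (False, True):
        store = SessionStore(restrict_ips=restrict)
        sid = store.create(ua, "192.0.2.10")
        results[restrict] = {
            "same client": store.check(sid, ua, "192.0.2.10"),
            "other browser": store.check(sid, other_ua, "192.0.2.10"),
            # Same user, but a proxy switched the outbound address mid-session.
            "proxy changed IP": store.check(sid, ua, "192.0.2.77"),
            "guessed ID": store.check("A" * 22, ua, "192.0.2.10"),
        }
    return results


if __name__ == "__main__":
    for restrict, outcome in demo().items():
        print("restrict_ips =", restrict, outcome)
```

With the IP restriction on, the legitimate user behind an address-rotating proxy is rejected exactly like a stolen session would be, which is why the option suits only networks with controlled clients.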
(C) 2002-2009 - Atozed Software Ltd.