Last Updated: 9/21/2008
Sessions are managed automatically by IntraWeb. Sessions are stored in memory on the server and therefore are secure from users who may attempt to modify the session data.
Each session is assigned a unique session ID that is used to identify the session. The session ID is constructed in a secure manner so that session IDs are not predictable and thus are not prone to hacking. In addition, each session is tied to the user's browser, and if another browser is detected attempting to use the same session, an error will be returned.
For further security, use the ServerController's RestrictIPs property. This will check the user's IP address against the session and return an error if the IP address changes. This option is false by default and should only be set to true in intranets or extranets with controlled clients. This is because some proxy servers, such as Microsoft's ISA proxy server, change IP addresses between HTTP requests for a given user and will cause multiple IP addresses to be seen by the IntraWeb server.
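The session checks described above, modelled as an added Python example; it is not IntraWeb's code, and the class, method and field names and the sample requests are assumptions made for illustration. It shows why pinning a session to an IP address also rejects a legitimate user whose proxy changes addresses between requests.

```python
import secrets

class SessionError(Exception):
    """Raised when a request fails a session check."""

class SessionStore:
    """In-memory session table; session data never leaves the server."""

    def __init__(self, restrict_ips=False):
        self.restrict_ips = restrict_ips  # mirrors the default of False
        self._sessions = {}

    def create(self, user_agent, ip):
        # 256 bits from the OS CSPRNG, so IDs cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_agent": user_agent, "ip": ip, "data": {}}
        return sid

    def lookup(self, sid, user_agent, ip):
        session = self._sessions.get(sid)
        if session is None:
            raise SessionError("unknown session")
        # A different browser presenting the same ID is rejected.
        if session["user_agent"] != user_agent:
            raise SessionError("browser mismatch")
        # Optional IP pinning: only safe where client addresses are stable.
        if self.restrict_ips and session["ip"] != ip:
            raise SessionError("IP address changed")
        return session["data"]

def replay(store, sid, requests):
    """Return the outcome of each (user_agent, ip) request for one session."""
    results = []
    for user_agent, ip in requests:
        try:
            store.lookup(sid, user_agent, ip)
            results.append("ok")
        except SessionError as exc:
            results.append(str(exc))
    return results

# Constructed traffic: same browser, then a proxy hop, then another browser.
SAMPLE = [("Firefox/3.0", "10.0.0.5"), ("Firefox/3.0", "10.0.0.9"),
          ("Opera/9.5", "10.0.0.5")]

if __name__ == "__main__":
    for flag in (False, True):
        store = SessionStore(restrict_ips=flag)
        sid = store.create("Firefox/3.0", "10.0.0.5")
        print("restrict_ips =", flag, replay(store, sid, SAMPLE))
```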
You can also authenticate users before a session is created (see the TIWServerControllerBase.AuthList property in the IntraWeb component reference help file). Setting the ServerController's AuthBeforeNewSession property to True prevents a session from being created until authentication succeeds. The creation order is as follows:
By default, the session ID is embedded in each HTML page and tracked with each HTTP request. This allows a single user to have multiple sessions per application. The disadvantage is that once the user is inside the application, they cannot leave the application and return to it. Because of this, when using this method of session ID tracking, any non-application web pages must be opened in new windows unless they are opened in response to the application terminating.
(C) 2002-2009 - Atozed Software Ltd.