JegasAPI - Jegas, LLC - Copyright(c)2016

Unit uj_sessions


Description

JAS Specific Functions

Overview

Functions and Procedures

function bJAS_CreateSession(p_Context: TCONTEXT):boolean;
function bJAS_ValidateSession(p_Context: TCONTEXT): boolean;
Function bJAS_RemoveSession(p_Context: TCONTEXT):Boolean;
function saJAS_GetSessionKey: ansistring;
function bJAS_GenerateSecKeys(p_Context: TCONTEXT): boolean;
function bJAS_PurgeConnections(p_Context: TCONTEXT; p_iMinutesOld: integer):boolean;
function bJAS_PurgeOrphanedSessionData(p_Context: TCONTEXT): boolean;
function bJAS_LoadSessionData(p_Context: TCONTEXT): boolean;
function bJAS_SaveSessionData(p_Context: TCONTEXT): boolean;
function bJAS_ValidateSessionPeek(p_Context: TCONTEXT; p_JSess_JSession_UID: ansistring; var p_JUser_Name_ReturnedHere: ansistring): boolean;
function saJAS_DecryptSingleKey(p_Context: TCONTEXT; p_saData: ansistring; p_saSecKey: ansistring): ansistring;

Constants

cnMaxLoginAttempts=10;

Description

Functions and Procedures

function bJAS_CreateSession(p_Context: TCONTEXT):boolean;

JASAPI function. This function uses the following values from p_Context to decide whether creating a session for a particular user will be attempted:

Required: p_Context.CGIENV.DataIn.FoundItem_saName('USERNAME',False)
Required: p_Context.CGIENV.DataIn.FoundItem_saName('PASSWORD',False)
Required: p_Context.CGIENV.ENVVAR.FoundItem_saName('REMOTE_ADDR',False)
Optional: p_Context.CGIENV.DataIn.FoundItem_saName('CHANGEPASSWORD',False)
Optional: p_Context.CGIENV.DataIn.FoundItem_saName('NEWPASSWORD1',False)
Optional: p_Context.CGIENV.DataIn.FoundItem_saName('NEWPASSWORD2',False)

Additionally, the user's AllowedSessions field in the juser table is taken into account. If the user's AllowedSessions field is set to 1, any existing session for that user is removed and the user is granted a new session.

If a user is allowed several sessions, a new session will be created unless they have exceeded their allowed number of logins. If they do exceed their AllowedSessions, they will not be granted any more.

We'd like to add a user interface so this scenario can be resolved by the user themselves, but this is still on our to-do list. Systems such as VICI do not generally allow users multiple logins, and for telemarketing scenarios where VICI is used it is easier to tie VICI logins to JAS users by limiting their AllowedSessions to one.

Above you may have noticed the REMOTE_ADDR requirement that this function analyzes. If a request comes in from an IP address other than that of the session's originator, access to the system is denied.

If the function returns true you are good to go. If it returns false (for instance because an error occurred), you can find out what happened by reading the result code from p_Context.rSession.i4ResultCode.

Upon successful session creation, a cookie named JSID holding the SESSION ID (jdconnection.JDCon_JDConnection_UID) is stored on the client. Note that form variables override the COOKIE, so it is cleaner not to send JSID yourself in form posts etc. unless you have a good reason. If you ignore this advice, have a web page up and your session times out, you cannot log in on another page and then refresh the page you were on, because you have essentially hard-coded the session ID into the web page.

Result code values are defined in uxxj_definitions.pp, for example cnSession_PasswordsDoNotMatch.

function bJAS_ValidateSession(p_Context: TCONTEXT): boolean;

Validate session does what its name implies, but it also removes old sessions from the database; in effect, as the system is used, it takes care of itself. Validate Session gathers the Session ID from either the request itself or from the cookie and verifies that the Session ID (jdconnection.JDCon_JDConnection_UID) exists.

If the remote IP address doesn't match the session creator's, access is denied. If the session has gone beyond its configured timeout period, it is removed BY this function before the lookup is attempted, so timeout periods are enforced.
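The following Python model is an added example, not part of the Jegas source or of the uj_sessions unit. It walks through the policy documented above for bJAS_CreateSession and bJAS_ValidateSession: login with per-user AllowedSessions handling, the session ID taken from the form before the JSID cookie, IP binding to the originating REMOTE_ADDR, and the purge of timed-out sessions before lookup. An in-memory dictionary stands in for the juser and jdconnection tables; the result-code names, the reading of cnMaxLoginAttempts as a cap on consecutive failed logins, and the 30-minute timeout are assumptions of this example, not values from uxxj_definitions.pp.

```python
"""Model of the session lifecycle described for uj_sessions.

Added example, not Jegas code. An in-memory dict stands in for the
jdconnection/juser tables; result codes are constructed placeholders
and NOT the values defined in uxxj_definitions.pp."""
import secrets
from dataclasses import dataclass

OK, BAD_CREDENTIALS, LOCKED_OUT, TOO_MANY_SESSIONS, NO_SESSION, IP_MISMATCH = range(6)
MAX_LOGIN_ATTEMPTS = 10  # mirrors cnMaxLoginAttempts; its exact use is assumed here


@dataclass
class User:
    name: str
    password: str            # plaintext only for the sake of this model
    allowed_sessions: int = 1
    failed_attempts: int = 0


@dataclass
class Session:
    uid: str
    user: str
    remote_addr: str         # REMOTE_ADDR of the request that created the session
    last_seen: int           # epoch seconds of the last validated request


class SessionStore:
    def __init__(self, timeout_minutes=30):
        self.users = {}          # username -> User      (juser stand-in)
        self.sessions = {}       # uid -> Session        (jdconnection stand-in)
        self.timeout_minutes = timeout_minutes

    def purge_connections(self, now, minutes_old):
        """bJAS_PurgeConnections analogue: drop sessions idle for longer than minutes_old."""
        cutoff = now - minutes_old * 60
        stale = [uid for uid, s in self.sessions.items() if s.last_seen < cutoff]
        for uid in stale:
            del self.sessions[uid]
        return len(stale)

    def create_session(self, username, password, remote_addr, now):
        """bJAS_CreateSession analogue. Returns (ok, result_code, session_uid)."""
        user = self.users.get(username)
        if user is None:
            return False, BAD_CREDENTIALS, None
        if user.failed_attempts >= MAX_LOGIN_ATTEMPTS:
            return False, LOCKED_OUT, None
        if not secrets.compare_digest(user.password, password):
            user.failed_attempts += 1
            return False, BAD_CREDENTIALS, None
        user.failed_attempts = 0
        own = [uid for uid, s in self.sessions.items() if s.user == username]
        if user.allowed_sessions == 1:
            for uid in own:                 # single-session user: the old session is replaced
                del self.sessions[uid]
        elif len(own) >= user.allowed_sessions:
            return False, TOO_MANY_SESSIONS, None   # cap reached, no new session granted
        uid = secrets.token_hex(16)         # stands in for saJAS_GetSessionKey
        self.sessions[uid] = Session(uid, username, remote_addr, now)
        return True, OK, uid

    def validate_session(self, form_jsid, cookie_jsid, remote_addr, now):
        """bJAS_ValidateSession analogue: purge, then look up, then check the address."""
        self.purge_connections(now, self.timeout_minutes)   # timeouts enforced before lookup
        jsid = form_jsid if form_jsid else cookie_jsid      # form variable overrides cookie
        s = self.sessions.get(jsid)
        if s is None:
            return False, NO_SESSION
        if s.remote_addr != remote_addr:    # session is bound to the originating address
            return False, IP_MISMATCH
        s.last_seen = now
        return True, OK

    def remove_session(self, jsid):
        """bJAS_RemoveSession analogue: log the session out."""
        return self.sessions.pop(jsid, None) is not None
```

The validate path shows why the advice about JSID matters: because a form value wins over the cookie, a page that carries a stale session ID in its form keeps presenting that ID even after a fresh login has set a new cookie, so the lookup fails with NO_SESSION until the page is reloaded without it.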

Function bJAS_RemoveSession(p_Context: TCONTEXT):Boolean;

Removes the current user's session, essentially logging them out.

function saJAS_GetSessionKey: ansistring;

This is just a random number generator.

function bJAS_GenerateSecKeys(p_Context: TCONTEXT): boolean;

This loads the jseckey table with BOTH public and private keys: 512 bytes saved as contiguous hex pairs per key (1024 characters, or 1K, per key). One row holds two keys.

function bJAS_PurgeConnections(p_Context: TCONTEXT; p_iMinutesOld: integer):boolean;

This function does the old-session clean-up; it is called internally by bJAS_ValidateSession.

function bJAS_PurgeOrphanedSessionData(p_Context: TCONTEXT): boolean;

This function purges orphaned session data. Currently session data is database driven; a likely faster file-based session data mechanism is slated for development.

function bJAS_LoadSessionData(p_Context: TCONTEXT): boolean;

This function loads session data. Currently session data is database driven; a likely faster file-based session data mechanism is slated for development.

function bJAS_SaveSessionData(p_Context: TCONTEXT): boolean;

This function saves session data. Currently session data is database driven; a likely faster file-based session data mechanism is slated for development.

function bJAS_ValidateSessionPeek(p_Context: TCONTEXT; p_JSess_JSession_UID: ansistring; var p_JUser_Name_ReturnedHere: ansistring): boolean;

This function allows "peeking" to see whether a passed session ID (JSession UID) is valid and returns the name of the user owning the session.

function saJAS_DecryptSingleKey(p_Context: TCONTEXT; p_saData: ansistring; p_saSecKey: ansistring): ansistring;

This function takes the encrypted data and the UID passed as p_saSecKey, loads the record from the jseckey table, and uses the public key to call uxxg_jcrypt.saJegasEncryptSingleKey to decrypt the passed data.

Constants

cnMaxLoginAttempts=10;


http://www.jegas.com
Generated by PasDoc 0.14.0.