Thread: Hide session ID from URL


This question is answered.


Replies: 7 - Last Post: Dec 18, 2017 9:09 AM - Last Post By: Dan Barclay
Gerrit Schurer

Posts: 20
Registered: 3/19/04
Hide session ID from URL  
Posted: Dec 12, 2017 5:38 AM
Hi,

Is there a way to hide the session ID from the URL or make it differ from the name of the cookie ?

I'm using Intraweb 4.5.1 / Delphi Tokyo
Eitan Arbel

Posts: 508
Registered: 2/24/13
Re: Hide session ID from URL
Helpful
Posted: Dec 12, 2017 6:55 AM   in response to: Gerrit Schurer
> Is there a way to hide the session ID from the URL or make it differ from the name of the cookie ?
>
> I'm using Intraweb 4.5.1 / Delphi Tokyo

you use iw 4.5.1 ...??
are you sure that's the version of iw you use...? and with Tokyo...? :D

if it's a "normal" version of iw, then in the ServerController you can set :
  AllowMultipleSessionsPerUser:=False;
Gerrit Schurer

Posts: 20
Registered: 3/19/04
Re: Hide session ID from URL  
Posted: Dec 13, 2017 6:17 AM   in response to: Eitan Arbel
Hi Eitan,

Thanks for your answer. How is a 'user' defined ? I am not familiar with that concept. Is a user recognised by IP address or some other way, maybe by some sort of browser ID ? Most of my users will come from the same IP and yet they are really different users.

And you are right, the version I mentioned is a bit awkward ;-) I was wrong; in fact it is 14.2.4 and yes, in Delphi 10.2.
Eitan Arbel

Posts: 508
Registered: 2/24/13
Re: Hide session ID from URL
Correct
Posted: Dec 13, 2017 7:52 AM   in response to: Gerrit Schurer
let's think about intraweb as a system that has 2 cores :
the ServerController - which is where the app\server manages things that concern the whole system, like the app behavior, security\SSL, port, session timeout, concurrent users etc.
and the UserSessionUnit is responsible for everything that concerns the user (or session).

you can see it like, every user that is connected is actually a session.

every user\session gets an ID (that's the SessionID you saw in the address bar of the browser) and that's how iw differentiates between the users.
(you will get 2 different SessionID's even if you are on the same computer, but with different browsers)

as for the "same IP" - if you are talking about an intrAnet system, then every user has his\her own internal IP.
but if you're talking about an iw app that is located "somewhere on the internet" and you are wondering about 2 users that come from the same router, then they both have different port (and SessionID).
Gerrit Schurer

Posts: 20
Registered: 3/19/04
Re: Hide session ID from URL  
Posted: Dec 18, 2017 12:07 AM   in response to: Eitan Arbel
Hi Eitan,

Thanks again. I think this might be the answer I was waiting for. Until now, my applications start every time with a blank slate, each time a user connects (even if it was the same user in several windows of the same browser). They might be working on two cases simultaneously. For this application (where my question popped up) it is better to have one workflow at a time for every user, so I think I can use this setting very well. Thanks ! In case of a user having multiple sessions simultaneously, there is no way of hiding the session ID, I suppose ?

Thanks, Best regards.

Eitan Arbel wrote:
> let's think about intraweb as a system that has 2 cores :
> the ServerController - which is where the app\server manages things that concern the whole system, like the app behavior, security\SSL, port, session timeout, concurrent users etc.
> and the UserSessionUnit is responsible for everything that concerns the user (or session).
>
> you can see it like, every user that is connected is actually a session.
>
> every user\session gets an ID (that's the SessionID you saw in the address bar of the browser) and that's how iw differentiates between the users.
> (you will get 2 different SessionID's even if you are on the same computer, but with different browsers)
>
> as for the "same IP" - if you are talking about an intrAnet system, then every user has his\her own internal IP.
> but if you're talking about an iw app that is located "somewhere on the internet" and you are wondering about 2 users that come from the same router, then they both have different port (and SessionID).
Eitan Arbel

Posts: 508
Registered: 2/24/13
Re: Hide session ID from URL  
Posted: Dec 18, 2017 3:28 AM   in response to: Gerrit Schurer
> In case of a user having multiple sessions simultaneously, there is no way of hiding the session ID, I suppose ?

a user can not have multiple sessions simultaneously.
for the system, a session is a user, and a user is a session (so even bots that start a session are "users").
you can have different sessions and AppID's if you work with different browsers, but not on the same browser.
same browser = same user = same session.
(unless there was a session timeout, and now you see the "historical" session in one Tab, but work with the current session in the same browser in a different Tab)

here is an example of how you can really see it :
when you start a Stand Alone app, press F9 twice - that will show you the first page of your app twice, right? (in 2 different Tabs)
now, get into some page of your app in "user1", and in "user2" (the one you didn't move from the first page) - press F5 to refresh.
the "refreshed" page you will see in "user2", is the last page that "user1" used = same session.

i really hope i didn't confuse you even more, and that my english was good enough to explain... :D

Edited by: Eitan Arbel on Dec 18, 2017 2:12 PM
Chad Hower

Posts: 613
Registered: 3/2/07
Re: Hide session ID from URL  
Posted: Dec 18, 2017 7:59 AM   in response to: Gerrit Schurer
On 12/18/2017 4:07 AM, Gerrit Schurer wrote:
> Thanks again. I think this might be the answer I was waiting for.
> Until now, my applications start every time with a blank slate, each
> time a user connects (even if it was the same user in several windows
> of the same browser). They might be working on two cases
> simultaneously. For this application (where my question popped up) it
> is better to have one workflow at a time for every user, so I think I
> can use this setting very well. Thanks ! In case of a user having
> multiple sessions simultaneously, there is no way of hiding the
> session ID, I suppose ?

There used to be a way using post params as well to do multiple sessions
without a cookie. There were some changes though a while back and I'm
not sure if it's still an option.

Alexandre would know without having to look. I've CCed him.
Dan Barclay

Posts: 889
Registered: 11/9/03
Re: Hide session ID from URL  
Posted: Dec 18, 2017 8:59 AM   in response to: Chad Hower
Chad Hower wrote:
> On 12/18/2017 4:07 AM, Gerrit Schurer wrote:
> > Thanks again. I think this might be the answer I was waiting for.
> > Until now, my applications start every time with a blank slate, each
> > time a user connects (even if it was the same user in several windows
> > of the same browser). They might be working on two cases
> > simultaneously. For this application (where my question popped up) it
> > is better to have one workflow at a time for every user, so I think I
> > can use this setting very well. Thanks ! In case of a user having
> > multiple sessions simultaneously, there is no way of hiding the
> > session ID, I suppose ?
>
> There used to be a way using post params as well to do multiple sessions
> without a cookie. There were some changes though a while back and I'm
> not sure if it's still an option.
>
> Alexandre would know without having to look. I've CCed him.

There is a ServerController property AllowMultipleSessions. When set to true, the session identification is managed through the URL parameters rather than cookie. Each separate browser session (say, three IE windows) will have its own session.

In order to enforce a single session (using cookie for ID) the AllowMultipleSessions must be set to False. [edit]As Eitan pointed out above, you can still get multiple sessions if using different browsers (one in FF one in IE) since their cookies are different.

Dan

Edited by: Dan Barclay on Dec 18, 2017 11:07 AM
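
A way to verify the behaviour described in the last reply, added here as an example (it is not from the thread or from IntraWeb): when the session is tracked by cookie, no cookie name or value should reappear in the request URL, where it would end up in logs, history and Referer headers. The cookie names, paths and ID values are constructed and do not reflect IntraWeb's actual URL format; the minimum token length is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl

MIN_TOKEN_LEN = 12  # assumption: shorter strings are not session identifiers

# Constructed sample requests as (URL, Cookie header) pairs. Names, paths and
# ID values are invented for illustration, not IntraWeb's real format.
SAMPLE_REQUESTS = [
    ("/app/Ab3dE5fG7hJ9kL1mN2pQ/form1", "Ab3dE5fG7hJ9kL1mN2pQ=1"),  # ID in path, equals cookie name
    ("/app/form1?sid=Zx8cV6bN4mQ2wE0rT1yU", "SESSION=Zx8cV6bN4mQ2wE0rT1yU"),  # ID in query
    ("/app/form1", "SESSION=Kp4sD7fG1hJ3lM5nB8vC"),  # cookie only: nothing exposed
    ("/app/form1?lang=en", ""),  # no cookie at all
]


def cookie_tokens(cookie_header):
    """Return cookie names and values long enough to be a session identifier."""
    tokens = set()
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        for tok in (name, value):
            if len(tok) >= MIN_TOKEN_LEN:
                tokens.add(tok)
    return tokens


def url_tokens(url):
    """Return the path segments and query values of a request URL."""
    parts = urlsplit(url)
    tokens = {seg for seg in parts.path.split("/") if seg}
    tokens.update(value for _, value in parse_qsl(parts.query))
    return tokens


def exposed_ids(url, cookie_header):
    """Cookie names or values that are also visible in the URL."""
    return cookie_tokens(cookie_header) & url_tokens(url)


def audit(requests):
    """Map each URL that exposes a cookie token to the sorted exposed tokens."""
    findings = {}
    for url, cookie in requests:
        hits = exposed_ids(url, cookie)
        if hits:
            findings[url] = sorted(hits)
    return findings


if __name__ == "__main__":
    for url, hits in audit(SAMPLE_REQUESTS).items():
        print(f"session identifier visible in URL: {url} -> {hits}")
```
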