cObject
---cBaseWebComponent
------cWebComponent
---------cWebSessionManager
------------cWebSessionManagerStandard
The DataFlex Web Framework is designed to perform session management via a pre-defined interface. The cWebSessionManager class provides this interface as a skeleton. You would use this class as a foundation for implementing your own customized session management services.
The DataFlex Web Framework also provides a subclass of cWebSessionManager that performs standard session management services, user login and basic rights management. When you create a new web application via the WebApp Project Wizard the Studio will create a session manager object based on the cWebSessionManagerStandard class. See cWebSessionManagerStandard for more information.
Your application's session manager object is available via the ghoWebSessionManager global object handle.
Use cWebSessionManager.pkg

Object oSessionManager is a cWebSessionManager
End_Object
Normally you do not need to declare a cWebSessionManager object. The New Web App Wizard will generate a session manager based on the cWebSessionManagerStandard class and include it in your application. See cWebSessionManagerStandard for more information.
When a WebApp is first loaded to the client, the session manager will create a unique session key that is returned and stored at the client. Each subsequent server call from this client will be accompanied by this session key.
Session keys are stored on the client using a session cookie and will accompany each call to your WebApp from the client's browser until the browser is closed.
The cWebSessionManager class does not store the generated session keys at the server and thus is not capable of verifying session keys that are sent by the client.
Augment the CreateSession method to save the generated session key and any other relevant information you wish to record about the new session. The cWebSessionManagerStandard class is already designed to save session information about each new session.
In order to create a secure web application your application should verify the session key for each server call received from a client.
Augment the ValidateSession method to validate the client session key. The cWebSessionManagerStandard class is already designed to validate session keys.
Get psSessionKey to retrieve the session key of the currently connected client. This property is set each time a server call is validated. You should not set this property.
Your application should augment and use the EndSession method to mark the connected client's session key as invalid. You would use this message to implement a Log Out operation in your web application. This is intended to prevent further access from the client using this session key.
Since the cWebSessionManager does not store or validate session keys, it also has no implementation for EndSession. It is up to you to mark the session key as inactive. The cWebSessionManagerStandard class fully implements EndSession.
User login support is activated in your web application by setting peLoginMode to lmLoginRequired in the cWebApp object. Typically, your application will also define a modal dialog that will handle the user interface for logging in a certified user. In this case, you should set the phoLoginView property of your cWebApp object to the object handle of this modal dialog object. See cWebApp for more information.
The session manager class provides the following interface to support user login services:
Send RequestLogin to activate your application's login dialog. If login services are activated, this is performed automatically when the web application is first loaded to a client.
Send RequestLogout to end the current session (via EndSession), create a new session key, and reload the web application at the client.
Augment UserLogin to perform the necessary action to verify the user credentials and connect the current session key with this user. This should be sent by your login dialog to verify the entered user credentials. The cWebSessionManager does not store any session or user information and has no implementation of UserLogin. The cWebSessionManagerStandard class fully implements UserLogin.
Augment IsLoggedIn to test if the client making the current server call is logged in. The cWebSessionManager does not store any session or user information and has no implementation of IsLoggedIn. The cWebSessionManagerStandard class fully implements IsLoggedIn.
Your application should send NotifyChangeRights to the session manager object whenever the current user's rights level changes. This will ensure that your application's menu system and cWebApp object will receive the OnChangeRights event. The cWebSessionManagerStandard class is already designed to send NotifyChangeRights when the current user's rights level is changed.
OnChangeRights can be augmented in your cWebApp object, menu objects, etc., to perform special rights management tasks. See OnChangeRights for more information.
Augment AllowViewAccess to control whether the currently logged in user has rights to a particular view or modal dialog. The allow access logic can be implemented globally in the session manager object or augmented in each appropriate view, or both. See cWebView for more information.
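The session key lifecycle described above (CreateSession, ValidateSession, EndSession, UserLogin, IsLoggedIn, RequestLogout) is modelled below in Python as an added example; it is not DataFlex code and not part of the framework. The method names mirror the ones on this page, while the class name SessionStoreModel, the in-memory dictionary, the check_credentials callback and the sample user are assumptions made for illustration.

```python
import secrets

class SessionStoreModel:
    """Server-side state a cWebSessionManager subclass has to add (model only)."""

    def __init__(self, check_credentials):
        self.check_credentials = check_credentials  # hypothetical credential check
        self.sessions = {}  # session key -> {"active": bool, "user": str or None}

    def create_session(self):
        # CreateSession: generate the key AND record it, or it can never be verified.
        key = secrets.token_urlsafe(32)
        self.sessions[key] = {"active": True, "user": None}
        return key

    def validate_session(self, key):
        # ValidateSession: run on every server call; unknown or ended keys fail.
        rec = self.sessions.get(key)
        return rec is not None and rec["active"]

    def end_session(self, key):
        # EndSession: mark the key inactive so it is rejected after log out.
        if key in self.sessions:
            self.sessions[key].update(active=False, user=None)

    def user_login(self, key, user, password):
        # UserLogin: verify credentials, then bind the user to this session key.
        if not self.validate_session(key) or not self.check_credentials(user, password):
            return False
        self.sessions[key]["user"] = user
        return True

    def is_logged_in(self, key):
        # IsLoggedIn: the key is valid and has a user bound to it.
        return self.validate_session(key) and self.sessions[key]["user"] is not None

    def request_logout(self, key):
        # RequestLogout: end the current session, then issue a fresh key.
        self.end_session(key)
        return self.create_session()

def demo():
    # Constructed sample user and password, for illustration only.
    store = SessionStoreModel(lambda u, p: (u, p) == ("alice", "constructed-pw"))
    old = store.create_session()
    forged = store.validate_session("key-never-issued-by-server")
    logged_in = store.user_login(old, "alice", "constructed-pw") and store.is_logged_in(old)
    new = store.request_logout(old)
    return forged, logged_in, store.validate_session(old), store.is_logged_in(new)
```

demo() returns, in order: whether a key the server never issued validates, whether the login succeeded, whether the old key still validates after logout, and whether the replacement key is logged in.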