FoxPro Programming
Session change after user login successfully
  KOO WEOI HORNG
  All
  Mar 12, 2019 @ 06:51pm

I have a main page with login authentication. What I know is that when the end user opens the browser the system has already created a session ID, and after login it is still the same session ID. I would like to generate a new session ID after a successful login. May I know where I should change it?

re: Session change after user login successfully
  Rick Strahl
  KOO WEOI HORNG
  Mar 13, 2019 @ 01:17pm

This is not supported by the default Session/Authentication mechanism, but you can do this on your own.

Basically you have to override the OnAuthenticateUser() method (you can copy the wwProcess code and then modify it in your process class), and inside of there you can call Session.DeleteSession() followed by Session.NewSession(), then make the session assignments after that:

FUNCTION OnAuthenticateUser(lcUserName,lcPassword,lcErrorMsg)
LOCAL loUser

*** THIS IS THE DEFAULT IMPLEMENTATION 
*** To override behavior override this method
IF EMPTY(lcUserName)
   lcUserName = ""
ENDIF 
IF EMPTY(lcPassword)
   lcPassword = ""
ENDIF

this.oUserSecurity = CREATEOBJECT(this.cAuthenticationUserSecurityClass)

*** Default implementation is not case sensitive
IF !this.oUserSecurity.Authenticate(LOWER(lcUserName),LOWER(lcPassword))
   *** Set lcErrorMsg to pass back via REF parm
   lcErrorMsg = this.oUserSecurity.cErrorMsg

   this.Authenticate("LOGOUT")  && explicitly log out if previously logged in
   RETURN .F.
ENDIF

*** Assign the user
loUser = this.oUserSecurity.oUser
this.cAuthenticatedUser = loUser.UserName
this.cAuthenticatedName = loUser.FullName

Session.DeleteSession()
this.InitSession(... same settings as for call in OnProcessInit ...)

Session.SetSessionVar(this.cAuthenticationUserSecurityKey,lcUsername)
Session.SetSessionVar(this.cAuthenticationUserSecurityKey + "Name",this.cAuthenticatedName)

RETURN .T.
ENDFUNC

I haven't tried this but it should work without too much trouble.

Generally you do not want to kill the existing session before login because it may have things in it that you want to keep tracking. For example, in a shopping cart app you might allow people to add things to their shopping cart - if you kill the session and the session ID you would lose those things when the user logs in.

Generally I don't see the benefit of deleting and creating a new session - it just adds a bunch of overhead.

+++ Rick ---
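
An added example, not part of either post and not Web Connection code: a framework-independent Python sketch of rotating the session ID at login so that an ID issued before authentication never identifies the authenticated session, while pre-login data such as a cart is carried over. The `SessionStore` class, `login` function and sample values are hypothetical and constructed for illustration.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (hypothetical, for illustration)."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session variables

    def new_session(self):
        # 32 random bytes from the OS CSPRNG, URL-safe encoded
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # Unknown or deleted ids return None; no session is created for them
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        """Issue a fresh id, move the existing variables to it, delete the old id."""
        data = self._sessions.pop(old_sid, None)
        new_sid = self.new_session()
        if data is not None:
            self._sessions[new_sid].update(data)
        return new_sid


def login(store, sid, username, password, check_credentials):
    """Return (ok, sid). On success the caller must send the new sid as the cookie."""
    if not check_credentials(username, password):
        session = store.get(sid)
        if session is not None:
            session.pop("user", None)  # a failed login also logs out
        return False, sid
    new_sid = store.rotate(sid)
    store.get(new_sid)["user"] = username  # identity is set only on the new id
    return True, new_sid


def demo():
    store = SessionStore()
    pre_login_sid = store.new_session()
    store.get(pre_login_sid)["cart"] = ["sku-1001"]  # constructed sample data
    ok, post_login_sid = login(store, pre_login_sid, "alice", "s3cret",
                               lambda u, p: (u, p) == ("alice", "s3cret"))
    return store, pre_login_sid, ok, post_login_sid
```
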
