I have a main page with login authentication. What I know is that when the end user opens the browser the system has already created a session ID, and after login it is still the same session ID. I would like to generate a new session ID after a successful login. May I know where I should change it?
This is not supported by the default Session/Authentication mechanism, but you can do this on your own.
Basically you have to override the OnAuthenticateUser() method (you can copy the wwProcess code and then modify it in your process class) and inside of there you can call Session.DeleteSession() followed by Session.NewSession(), then make the session assignments after that:
FUNCTION OnAuthenticateUser(lcUserName,lcPassword,lcErrorMsg)
    LOCAL loUser

    *** THIS IS THE DEFAULT IMPLEMENTATION
    *** To override behavior override this method
    IF EMPTY(lcUserName)
        lcUserName = ""
    ENDIF
    IF EMPTY(lcPassword)
        lcPassword = ""
    ENDIF

    this.oUserSecurity = CREATEOBJECT(this.cAuthenticationUserSecurityClass)

    *** Default implementation is not case sensitive
    IF !this.oUserSecurity.Authenticate(LOWER(lcUserName),LOWER(lcPassword))
        *** Set lcErrorMsg to pass back via REF parm
        lcErrorMsg = this.oUserSecurity.cErrorMsg
        this.Authenticate("LOGOUT") && explicitly log out if previously logged in
        RETURN .F.
    ENDIF

    *** Assign the user
    loUser = this.oUserSecurity.oUser
    this.cAuthenticatedUser = loUser.UserName
    this.cAuthenticatedName = loUser.FullName

    *** Drop the pre-login session and start a new one so the session id changes
    Session.DeleteSession()
    this.InitSession(... same settings as for call in OnProcessInit ...)

    *** Make the session assignments on the new session
    Session.SetSessionVar(this.cAuthenticationUserSecurityKey,lcUsername)
    Session.SetSessionVar(this.cAuthenticationUserSecurityKey + "Name",this.cAuthenticatedName)

    RETURN .T.
ENDFUNC
I haven't tried this but it should work without too much trouble.
Generally you do not want to kill the existing session before login because it may have things in it that you want to keep tracking. For example, in a shopping cart app you might allow people to add things to their shopping cart - if you kill the session and the session ID you would lose those things when the user logs in.
Generally I don't see the benefit of deleting and creating a new session - it just adds a bunch of overhead.
+++ Rick ---
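The sequence described in the answer above (drop the pre-login session, start a new one, then make the session assignments), modelled in Python as an added example that is not part of the original thread and does not use Web Connection's API. `SessionStore`, `CARRY_OVER`, `login` and the sample values are hypothetical, and the store is an in-memory stand-in; the example also copies an allow-listed cart variable into the new session so that cart contents survive the ID change.

```python
import secrets


class SessionStore:
    """Constructed in-memory stand-in for a server-side session table."""

    def __init__(self):
        self._sessions = {}  # session id -> dict of session variables

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unpredictable id from the OS CSPRNG
        self._sessions[sid] = {}
        return sid

    def delete_session(self, sid):
        self._sessions.pop(sid, None)

    def is_valid(self, sid):
        return sid in self._sessions

    def get_vars(self, sid):
        return self._sessions[sid]


# Hypothetical allow-list of pre-login variables that may follow the user.
CARRY_OVER = ("cart",)


def login(store, old_sid, username, password, check_credentials):
    """Return a new session id on success; on failure return None and keep old_sid."""
    if not check_credentials(username, password):
        return None
    old_vars = store.get_vars(old_sid) if store.is_valid(old_sid) else {}
    kept = {k: old_vars[k] for k in CARRY_OVER if k in old_vars}
    store.delete_session(old_sid)   # the pre-login id stops working here
    new_sid = store.new_session()   # fresh id exists only after authentication
    store.get_vars(new_sid).update(kept)
    store.get_vars(new_sid)["user"] = username
    return new_sid


def demo():
    store = SessionStore()
    check = lambda u, p: (u, p) == ("alice", "correct horse")  # constructed credentials
    anon = store.new_session()
    store.get_vars(anon).update(cart=["sku-1"], referrer="landing-page")
    failed = login(store, anon, "alice", "wrong", check)
    valid_after_failure = store.is_valid(anon)
    authed = login(store, anon, "alice", "correct horse", check)
    return store, anon, failed, valid_after_failure, authed
```

Only the variables named in `CARRY_OVER` are copied, so anything else written to the pre-login session is discarded along with the old ID.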