I'm writing an ISAPI extension in Delphi and looking for a way to overcome the HTTP stateless problem. I would like to use sessions for such tasks but can't find a way to start a session from my ISAPI module. Since sessions are very web server specific, I guess there is a different way for each one and also guess that such functionality is accessed through a server specific DLL. I'm currently interested in Apache but information for IIS will be very much appreciated.
I downloaded the source code for PHP and examined session.c which holds the code of the PHPAPI void php_session_start(void) although not much came from it.
How can I start a session from an ISAPI Delphi web module (and therefore use session variables)?
How to use sessions in ISAPI modules written in Delphi
2.1k views Asked by alvaroc At
There are 1 answers
I had some experience on ISAPI modules over IIS. An ISAPI extension is no more than a DLL that implements a protocol to exchange data with the web server that received a request.
When IIS receives a request to a certain URL and you have registered an ISAPI extension to handle that URL, the corresponding DLL will be loaded (if not already in memory) by what is called the IIS worker process. The DLL will be kept in memory while the worker process considers it as not idle. You can't control when the DLL will be unloaded, so do design your solution with that in mind.
TWebModule abstracts a lot of ISAPI details in the form of events that are fired when requests are received and passed to it. However, there is no session infrastructure present, you will have to do it by yourself.
The best way, in my opinion, is to use session cookies (that's what everybody does). So, after your logon process, what you need is to generate a string that is able to identify the current user as a valid one. Of course you have to keep that string encrypted and translated to Base64, but in your initial tests, you can simply fill the cookie with the user name.
So, after processing the logon, you should use the Response property (TWebResponse) in TWebModule to add a new cookie (property TWebResponse.Cookies) named, for instance, MY_APP_SESSION. This cookie will carry your session data, in this example, just the user name.
After that, you will start to receive that cookie in any other requests (represented by the Request property, class TWebRequest) originated from the browser used to perform the logon, so in all requests you will have to validate the session data in the cookie (found in CookieFields) and when you detect an expired session or a fake one, just refuse to process the request.
When the user logs out, just remove the cookie.
I usually create my session cookies containing something to identify the user (not the name, but some kind of Id), the date and time until when the session will be valid and some security data (sometimes, a set of claims). All this must be encrypted and converted to Base64. Notice that the cookie can be added with some security attributes too, read about them. Also, notice that security here must include HTTPS to be really trustworthy. This is the critical moment where you will make your web application more or less secure!
So, in each request, the first thing is to check the URL requested for security. If it's concluded that the URL requires a session, check the session cookie, reverting the Base64, decrypting it and evaluating the cookie content. If everything seems to be ok, then the request follows to be processed. So, it's clear that preventing the cookie from being faked is the key to avoid frauds.
As you can see, it's all about writing the good Delphi code.
I hope this helps!
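As an added example (not part of the answer above and not Delphi library code), here is one way to build and check a session cookie value that cannot be faked or extended by the client. It swaps the encryption step for an HMAC-SHA256 signature, so the user id and expiry are readable by the browser but cannot be changed without the server-side key; the unit name, function names, token layout and Key parameter are assumptions, and a Delphi version shipping System.Hash and System.NetEncoding is assumed.

```delphi
unit SessionCookie; // added example; unit and function names are hypothetical
interface
// Assumed layout: Base64(UserId|ExpiresUnix) + '.' + hex HMAC-SHA256 of the Base64 part.
// Key is a secret kept only on the server (assumption).
function MakeSessionToken(const UserId: string; ExpiresUnix: Int64; const Key: string): string;
function CheckSessionToken(const Token, Key: string; NowUnix: Int64; out UserId: string): Boolean;
implementation
uses System.SysUtils, System.Hash, System.NetEncoding;

function B64(const S: string; Decode: Boolean): string;
var Enc: TBase64Encoding;
begin
  Enc := TBase64Encoding.Create(0); // 0 = no line breaks inside the cookie value
  try
    if Decode then Result := Enc.Decode(S) else Result := Enc.Encode(S);
  finally
    Enc.Free;
  end;
end;

function SameMac(const A, B: string): Boolean; // compares without early exit
var I, Diff: Integer;
begin
  Diff := Length(A) xor Length(B);
  for I := 1 to Length(A) do
    if I <= Length(B) then Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

function MakeSessionToken(const UserId: string; ExpiresUnix: Int64; const Key: string): string;
begin
  Result := B64(UserId + '|' + IntToStr(ExpiresUnix), False);
  Result := Result + '.' + THashSHA2.GetHMAC(Result, Key);
end;

function CheckSessionToken(const Token, Key: string; NowUnix: Int64; out UserId: string): Boolean;
var Dot, Bar: Integer; Body, Plain: string; Expires: Int64;
begin
  UserId := ''; Result := False;
  Dot := Pos('.', Token);
  Body := Copy(Token, 1, Dot - 1);
  // Verify the signature before decoding or trusting any field
  if not SameMac(Copy(Token, Dot + 1, MaxInt), THashSHA2.GetHMAC(Body, Key)) then Exit;
  Plain := B64(Body, True);
  Bar := LastDelimiter('|', Plain);
  if (Bar = 0) or not TryStrToInt64(Copy(Plain, Bar + 1, MaxInt), Expires) then Exit;
  if Expires <= NowUnix then Exit; // expired session: refuse the request
  UserId := Copy(Plain, 1, Bar - 1); Result := True;
end;

end.
```

After logon, store the result of MakeSessionToken as the value of the MY_APP_SESSION cookie; on later requests pass the value read from Request.CookieFields to CheckSessionToken and refuse the request when it returns False.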