 Centralized session enforcement
Total posts: 8
Jerry Hayes

13.09.2006 17:41:59
Registered user
Danijel,

What's the most centralized place to enforce an active session at the server?

I'm looking for one place where I can say, either:
1.  "This is a login request, it can go through without an active session"
2.  "This request has an active session, let it go"
3.  "No session, reject & goodbye".

Thanks,

Jerry
Danijel Tkalcec [RTC]

13.09.2006 19:15:16
Registered user
I guess you are asking this because you want to keep your code "compact". My recommendation would be to write a class or a global object to implement all functions you need for user authentication with session handling, so you have all your code in one place. Then, it's simply a question of using the authentication methods from your RtcFunction/RtcDataProvider events.

If you were looking for a place where you could "plug-in" something to have central user management for all connections going through the Server, this would only be possible if you got all the information required to authenticate the user in HTTP headers and you were only using TRtcDataProvider components, since they give you access to raw HTTP data. Well ... since I know how much work that would be, just to avoid writing a few lines of code in each event to check Session data, I highly recommend against doing it.

Please keep in mind that RTC SDK is a plug-in framework and each plug-in (whether it is a TRtcDataProvider, TRtcServerModule or TRtcFunction) has to be able to work in any Server, regardless of the functionality implemented in other plug-ins. For this to work correctly, you are not allowed to read data from a connection inside the OnCheckRequest event, unless you have Accepted the request and will be processing it. But, after you have accepted a request, no other components will get access to the request, so you would need to implement all your functionality in that one component.

But, by following those simple rules, you can simply plug a complete Forum or Messenger implementation into any RTC Server, without having to worry much about the rest of your app. And *THAT* works only because plug-ins are not messing up each other's request data.

Well ... I thought about going a bit deeper with this discussion, but after having written a full page of possible scenarios, each with more complications than your possible gains, I just want to say that I highly recommend against anything else but my first recommendation ;)

Write a class or a global object and pack all user authentication code there, then use that class/object from any event that requires user authentication.

Best Regards,
Danijel Tkalcec
Jerry Hayes

13.09.2006 19:17:33
Registered user
Thanks, Danijel.

BTW, I'm not worried about compact -- I'm worried about missing a session verification for security.
Danijel Tkalcec [RTC]

13.09.2006 19:54:58
Registered user
I guess you should then separate your code in pre-authentication and post-authentication, then make sure that all post-authentication code is calling your "AuthorizeUser" method before it starts doing anything else. Btw ... you have given me an idea what I could add to the next RTC SDK update ;-)

Best Regards,
Danijel Tkalcec
Jerry Hayes

13.09.2006 19:56:29
Registered user
>> Btw ... you have given me an idea what I could add to the next RTC SDK update ;-)
yeah!

Maybe in the module, by the OpenSession, CloseSession...ValidateSession?
Danijel Tkalcec [RTC]

13.09.2006 20:02:13
Registered user
Will have to think about the best way to implement this, without compromising existing functionality.
Jerry Hayes

19.09.2006 23:25:18
Registered user
Danijel, been thinking here...

Role based security may be different based on each individual function or provider. Are you an admin? Then you can do 'x'. Not? Even if you're logged in, you can't...

So, you really need to get to the 'executable' object.

Since I have my own stream/file providers anyway, I'm going to play around in the 'accept request' area of these functions and see what makes sense. Will post back anything interesting.

HTH.
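A central gate of the kind discussed in this thread (Danijel's single authentication object that every event calls first, Jerry's three outcomes, plus a per-function role check), as an added Delphi example that is not RTC SDK code nor anything posted by either participant; the TStringList session store, the 'Login' function name and the 'DeleteUser' admin-only function are assumptions, and a real server would hand the framework's own session IDs to OpenSession.

```delphi
unit AuthGate;
{ Added example, not RTC SDK code; the session store is a stand-in TStringList. }
interface
uses SysUtils, Classes;
type TAuthResult = (arLoginRequest, arAllowed, arNoSession, arForbidden);
  TAuthGate = class
  private
    FSessions: TStringList;   // SessionID=Role (assumption: one role per session)
    FAdminOnly: TStringList;  // function names reserved for the 'admin' role
  public
    constructor Create;
    destructor Destroy; override;
    procedure OpenSession(const ASessionID, ARole: string);
    procedure CloseSession(const ASessionID: string);
    function Authorize(const AFunc, ASessionID: string): TAuthResult;
  end;
implementation
constructor TAuthGate.Create;
begin
  inherited Create;
  FSessions := TStringList.Create;  FAdminOnly := TStringList.Create;
  FAdminOnly.Add('DeleteUser');  // constructed example of an admin-only function
end;
destructor TAuthGate.Destroy;
begin
  FSessions.Free;  FAdminOnly.Free;
  inherited Destroy;
end;
procedure TAuthGate.OpenSession(const ASessionID, ARole: string);
begin
  FSessions.Values[ASessionID] := ARole;  // only the Login handler calls this
end;
procedure TAuthGate.CloseSession(const ASessionID: string);
begin
  FSessions.Values[ASessionID] := '';  // an empty value removes the entry
end;
function TAuthGate.Authorize(const AFunc, ASessionID: string): TAuthResult;
var Role: string;
begin
  Role := FSessions.Values[ASessionID];
  if SameText(AFunc, 'Login') then
    Result := arLoginRequest  // 1. login request: may pass without a session
  else if (ASessionID = '') or (Role = '') then
    Result := arNoSession     // 3. no active session: reject and goodbye
  else if (FAdminOnly.IndexOf(AFunc) >= 0) and not SameText(Role, 'admin') then
    Result := arForbidden     // logged in, but this role may not call AFunc
  else
    Result := arAllowed;      // 2. active session with sufficient role
end;
end.
```

Every post-authentication event handler calls Authorize first and returns on anything but arAllowed, so a forgotten check is a missing call in one place rather than missing logic spread over many handlers.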
Danijel Tkalcec [RTC]

20.09.2006 00:11:35
Registered user
Ok, thanks. Looking forward to your ideas :)

Best Regards,
Danijel Tkalcec