APIs: Session Management
The session management API provides an interface to the Web Request Dispatcher (WRD) that enables you to change and control the HTTP session. You can invalidate the current session, or create a new session with (or without) the same state information and session attributes.
Session Commands
Using the API
Use the API to invalidate the current session and request a new session, optionally setting or deleting session attributes when doing so. This should only be required at critical points in the web application transaction, for example, after login and logoff, or before committing sensitive data.
You can call the API commands by putting them into
the $webinfoSESSIONCOMMANDS
channel before submitting an HTTP
request from the browser to the server.
When the HTTP request is received, the WRD looks for and executes the commands in this channel in the following order:
-
ChangeSession
-
DeleteAttributes
-
SetAttributes
-
WrdActivate
The WRD then forwards the request to the Uniface Server, which instantiates the DSP and activates the requested operation. The WrdActivate command can be used to activate callback operations on the DSP that get or set request context information that is stored by the WRD. This makes it possible for multiple DSPs, triggers, or operations that are activated during the course of s single HTTP request to share information.
Within a single session, it is possible to have many HTTP requests. To avoid the complexity caused by concurrent requests, you are advised to follow these guidelines when using the session management API:
-
Use a single DSP instance in your application architecture to centralize the session management.
-
Specify the scope of each public weboperation, weboperation, or trigger to avoid concurrent requests to this DSP.
For an example of how to use the API to change the session ID, see Session Fixation.