I´m writing a ISAPI extension in Delphi and looking for a way to overcome the http stateless problem. I would like to use sessions for such tasks but can´t find a way to start a session from my ISAPI module. Since sessions are very web server specific, I guess there is different way for each one and also guess that such functionality is accessed through a server specific DLL. I´m currently interested in Apache but information for IIS will be very much appreciated.
I downloaded the source code por PHP and examined session.c which holds the code of the PHPAPI void php_session_start(void) although not much came from it.
How can I start a session from a ISAPI Delphi web module (and therefore use session variables)?
How to use sessions in ISAPI modules written in Delphi
2.1k Views Asked by alvaroc At
1
I had some experience on ISAPI modules over IIS. An ISAPI extension is no more than a DLL that implements a protocol to exchange data with the web server that received a request.
When IIS receives a request to a certain URL and you have registered a ISAPI extenstion to handle that URL, the corresponding DLL will be loaded (if not already in memory) by what is called IIS worker process. The DLL will be kept in memory while the worker process considers it as not idle. You can't control when the DLL will be unloaded, so do design your solution with that in mind.
TWebModuleabstracts a lot of ISAPI details in the form of events that are fired when requests are received and passed to it. However, there is no session infraestructure present, you will have to do it by yourself.The best way, in my opinion, is to use session cookies (that's what everybody does). So, after your logon process, what you need is to generate a string that is able to identify that the current user as a valid one. Of course you have to keep that string encripted and translated to Base64, but in your initial tests, your can simply fill the cookie with the user name.
So, after processing the logon, you should use the Response property (TWebResponse) in
TWebModuleto add a new cookie (property TWebResponse.Cookies) named, for instance,MY_APP_SESSION. This cookie will carry your session data, in this example, just the user name.After that, you will start to receive that cookie in any other requests (represented by
Requestproperty, classTWebRequest) originated from the browser used to perform the logon, so in all requests you will have to validate the session data in the cookie (found inCookieFields) and when you detect an expired session or a fake one, just refuse to process the request.When the user logs out, just remove the cookie.
I use to create my session cookies containing something to identify the user (not the name, but some kind of Id), the date and time until when the session will be valid and some security data (sometimes, a set of claims). All this must be encripted and converted to Base64. Notice that the cookie can be added with some security attributes too, read about them. Also, notice that security here must include HTTPS to be really trustwhorty. This is the critical moment where you will make your web application more or less secure!
So, in each request, the first thing is to check the URL requested for security. If it's concluded that the URL requires a session, check the session cookie, reverting the Base64, decripting it and evaluating the cookie content. If everything seems to be ok, then the request follows to be processed. So, it's clear that preventing the cookie to be faked is the key to avoid frauds.
As you can see, it's all about writing the good delphi code.
I hope this helps!