Using user_name as session Var

René Stout
11-09-2004, 08:25 AM
Hello,
I use the login system that is shipped with the demo database.
Now I would like to use the user_name in grids. I guess I need to declare a session.variable that contains the value of User_Name, but I can't figure out how and where to do that.

Once it is declared, I want to filter in a grid using session.User_Name

Help.... please....

René

Lenny Forziati
11-09-2004, 08:46 AM
Rene,

If you are using a dialog component for the login prompt, you can create your session variable in the AfterValidate event.

The sample app login mechanism is not particularly secure, it is intended to give a simple example of how a login system could be implemented. If you are trying to protect sensitive data, you should consider a stronger login system. To bypass the demo system, all a user or hacker would need to do is append "?session.FlagIsLoggedIn=.t." to the URL they are requesting. For example, http://was.alphasoftware.com/web_applications_demo/default/sendEmail.a5w?session.FlagIsLoggedIn=.t. will bring you to the "send an email" sample and bypass the login screen.

René Stout
11-09-2004, 10:39 AM
Thanks,

now I know what not to do. Now I would like to know how to do it better.

I am an Xbasic no-no, so even the declaration of a session variable doesn't work, let alone developing a safe, hacker-free environment...

Help...?

René

Lenny Forziati
11-09-2004, 10:54 AM
We are adding advanced security to the components. This will allow you to enable security for your web project and then define which pages and components require a valid login. But this will not be released as part of V6.

For a secure solution, what you should do is give each site visitor a unique id. You can use the automatically generated session.session_id for this. Then use a table to track the visitor's ID and their corresponding login status. However, given your level of Xbasic experience, this may be difficult for you to build.

You could improve the security offered by the demo login system by changing the name of the variable used. Bypassing the login as I showed above depends on the hacker knowing that your app looks for a variable named "FlagIsLoggedIn". This task is made easy when you use a published example such as the demo app.

If you were to change this variable to something unknown to anyone but you and difficult to guess, your app would be more secure than it is now. Now for a hacker to get in, they would need to determine the correct variable that you are using.

To try to get past this changed login procedure, one would need to randomly guess at the variable name you used. There are automated tools to do this for hackers (or you could easily write one in about 5 lines of Xbasic), most of which are based on using dictionary words. So using a variable name that is not an actual word you would find in a dictionary and is long would make your app a bit more difficult to get in to.

This still is not an ideal level of security, but it is a step in the right direction with a minimal amount of work on your part.

-Lenny

René Stout
11-09-2004, 11:11 AM
Thanks Lenny,

That I can do.

Now for the session variable: I work on a developing computer. When I want to filter on var->User_Id in a grid, I get an error message because that variable does not exist, which is logical because it is generated in a session. How do I cope with that?

René

Lenny Forziati
11-09-2004, 11:42 AM
You should have your filter use session.user_id, it needs the "session." prefix if you are working with a session variable.

Also if you use the expression builder, it will tell you the variable does not exist. You will see the same result when previewing the component. However when you run the A5W page with the grid, it will force you to login first which is where you will be creating the session.user_id variable. So once published, the app will work properly.

-Lenny

René Stout
11-09-2004, 12:07 PM
I'm sorry, Lenny, no go.

People log in with their Surname.

in Logindialog, "After validate" says:

    ' redirect to the page the visitor originally asked for, if one was stored
    if eval_valid("session.targetUrl") then
        if session.targetURL <> "" then
            Currentform.RedirectTarget = session.targetURL
        else
            currentform.redirectTarget = "_Menu.a5w"
        end if
    else
        currentform.redirectTarget = "_Menu.a5w"
    end if
    ' store the validated login name and the logged-in flag in the session
    session.User_Name = User_Name
    session.sa3dwrd = .t.

So I think I declared a session variable with the Surname as value.

Situation: I built a grid where every menu line (record) has one or more users. So there is a field called "owner" that contains one or more surnames, because menu lines may be accessible to more people.

Now I want to filter: I want to show every record where {owner} contains session.User_Name.

That should be simple, but I don't get it.

I seem to go wrong on syntax, because A5 keeps telling me that I use an invalid or incomplete expression...

René Stout
11-13-2004, 11:51 PM
Still not working.

I'll try to explain again.

I have a grid called Menu that contains the field Eigenaar. In that field there may be one or more names, separated by ",".

I want to filter that grid on one of those names.
So, if I would filter on my name, I enter in the Filter line:
"Rene" $ Eigenaar.
This is nice, but static.

Now I want to filter on the user name, which I get from the LoginDialog I sort of copied from the demo database.

To do that I declared a session variable that I call session.UserName:
in the After Validate I added on the bottom:
session.UserName=user_name

So, in the grid Menu I have to adjust the filter. But how?

I tried:
session.UserName $ Eigenaar
but that gives an error

Quote(session.UserName,") $ Eigenaar
but that gives me all records (why?).

Can you help? And please, give me the exact lines I should use, because I have no knowledge of xbasic.

Greetings, René

Pat Bremkamp
11-14-2004, 08:00 AM
Rene,

As you have discovered, you can't use a session variable in a grid filter. Instead, you have to manipulate the grid component filter in the source for the web page.

Look at the following link.
http://msgboard.alphasoftware.com/alphaphorum/read.php3?num=16&id=200&loc=0&offset=120&sortby=lastreply&direction=desc&thread=200

This technique works well.

Pat
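To put Lenny's session-table design (a random per-visitor id, login status kept server-side) and the owner filter from the later posts into one runnable model, here is an added Python sketch; it is neither Alpha Five nor Xbasic code, and the MENU_ROWS sample, the credentials and the function names are constructed for illustration. It shows why the demo flag is bypassable beside the corrected approach, and builds the `"Rene" $ Eigenaar` filter from the authenticated name instead of a literal.

```python
import secrets
from urllib.parse import parse_qs

# Constructed sample data: each menu row's "Eigenaar" (owner) field holds one
# or more comma-separated surnames, as described in the thread.
MENU_ROWS = [
    {"id": 1, "Eigenaar": "Rene,Lenny"},
    {"id": 2, "Eigenaar": "Pat"},
    {"id": 3, "Eigenaar": "Lenny, Rene"},
]
USERS = {"Rene": "hunter2"}  # constructed credentials; a real app stores password hashes

# Server-side login table keyed by session id (the design Lenny suggests).
LOGIN_TABLE = {}

def demo_style_is_logged_in(query):
    """Model of the demo app: the logged-in flag is a session variable that the
    request's own query string can populate, so the check is under client control."""
    session = {"FlagIsLoggedIn": ".f."}
    for key, vals in parse_qs(query).items():
        if key.startswith("session."):
            session[key[len("session."):]] = vals[0]
    return session["FlagIsLoggedIn"] == ".t."

def login(user_name, password):
    """Issues a fresh random session id only after the credentials check succeeds."""
    if USERS.get(user_name) != password:
        return None
    sid = secrets.token_urlsafe(32)
    LOGIN_TABLE[sid] = user_name
    return sid

def current_user(session_id):
    """Login status is read from the server-side table only; nothing in the
    request other than the session id influences it."""
    return LOGIN_TABLE.get(session_id)

def owner_filter(rows, user_name):
    """Equivalent of the grid filter '"Rene" $ Eigenaar', but with an exact
    token match after splitting on commas, so 'Rene' does not match 'Renee'."""
    def owns(row):
        return user_name in [o.strip() for o in row["Eigenaar"].split(",")]
    return [r for r in rows if owns(r)]

def menu_for_request(session_id):
    """What the Menu page would render: None means 'send the visitor to login'."""
    user = current_user(session_id)
    if user is None:
        return None
    return owner_filter(MENU_ROWS, user)
```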

René Stout
11-14-2004, 08:36 AM
Pat,

Thank you,

I'm afraid I still don't get it.

I am typically a Monkey See, Monkey Do type.

I tried something like
dbf.filter = "\"session.UserName\" $ Eigenaar"+chr(34)
and
dbf.filter = "session.UserName $ Eigenaar"+chr(34)

but no go. I've got no clue, sorry.