Thank you for your input, as always! :) I am studying all possible scenarios at the moment and I am trying to avoid a session management database, but it sounds like I am not left with many choices either. However, I am going to test the possibilities of running ghost apps; i.e. Tango app processing the main login and then calling up a php login app via @url and go from there to session time out etc.
thanks, Ezra
On Thursday, March 20, 2003, at 04:29 PM, Scott Cadillac wrote:
Hi Ezra,
Inherently, Session variables are not normally available across Application
environments, i.e., PHP, Witango, ColdFusion, ASP, etc....
But....It can be done, with some custom coding based on the following principles:
~~ Outside of the Server, nearly all modern Web-application environments
employ the same Session Management methodology, in that they all utilize
"session-cookies" to match and track individual Users to Session Variables
stored on the Server.
~~ Most of these modern Web-application environments have a work-around solution for when "session-cookies" are disabled. For example:
................................
The Witango <@USERREFERENCE> value is captured either from the HTTP Request
header containing a "session-cookie" value or from the alternate
<@USERREFERENCEARGUMENT> Metatag which creates a URL Search argument value
pair, which is the same value as the "session-cookie". Example:
&<@USERREFERENCEARGUMENT> ...creates... &UserReference=06130935C6A382663E7A2840
................................
PHP has similar functionality, where the session_id() function returns
either the HTTP "session-cookie" value or the PHPSESSID= search argument
value.
................................
Likewise, ASP.NET is similar, but they embed the SessionID as part of the
URL for "cookieless" session management. Example:
http://localhost/(lit3py55t21z5v55vlm25s55)/Application/SessionState.aspx
The difference here is that the <@USERREFERENCEARGUMENT> Metatag doesn't
have to be added to all your <A HREF=""></A> values or FORM ACTION
attributes.
Then, simply calling SessionID returns the value regardless of how it is
managed with the browser.
---------------------------------
So, with all that said, in basic terms you need to do the following:
~ After validating a User's logon session, capture the User's Session ID AND
Application type (Witango, PHP, etc..) and store in a database table, along
with the current timestamp.
~ Update the Session record periodically (once every 5 minutes for example)
with new page requests.
Then, when the user hits a page that is a different type (e.g., PHP) from
where they started (e.g. Witango), AND no user$user_id equivalent is
found -- then you check the database table to see if another validated
session is currently active (based on the recent timestamp).
If another validated session is found, and has not expired yet - then "auto-logon" the user to the PHP page.
(remember, the above is some of the basic logic required)
---------------------------------
Some things to keep in mind are that you examine the timing you want to
employ to make your process as secure as possible, such as how often to
update the session record versus your environment's default expiry timeout
and such.
Another point to note is the actual Session / User variables. The above
process just "validates" the allowed user, and the actual variables are not
automatically available to each environment. You'll need to implement a
"auto-logon" function of some kind (in each environment) that assigns your
required variables. Once this is done, then variables can be shared through
either another database table or dynamically written text (or XML) files.
It is a lot of work, but can be done if you understand the principles of
Session management, and are strict about what you assign to your User scope.
Another "simpler" solution would be to just use POST or Search arguments -
but this is not considered secure because "session" variables are then
exposed to the web outside of your Server, and of course can add performance
overhead.
................
By the way, I have successfully implemented this process myself where Sessions are being automatically validated between Witango and ASP.NET pages.
Hope this helps. Cheers............
Scott Cadillac, Witango.org - http://witango.org 403-281-6090 - [EMAIL PROTECTED] -- Information for the Witango Developer Community ---------------------
XML-Extranet - http://xml-extra.net 403-281-6090 - [EMAIL PROTECTED] -- Well-formed Development (for hire) ---------------------
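The validation table described in the message above (record the session at logon, refresh its timestamp, let the other environment "auto-logon" only while the record is recent), as an added example that is not code from this thread or from Witango or PHP. It is written in Python with SQLite to keep the logic language-neutral; the table and function names, the 20-minute idle timeout, storing a SHA-256 digest instead of the raw session ID, and the assumption that the first application's session ID reaches the second application (cookie or UserReference argument) are all assumptions of the example.

```python
import hashlib
import sqlite3

IDLE_TIMEOUT = 20 * 60    # assumed idle expiry in seconds (not from the thread)
TOUCH_INTERVAL = 5 * 60   # "once every 5 minutes", as suggested in the message

def _key(session_id):
    # Added hardening: keep only a digest, so a leaked table holds no live session IDs.
    return hashlib.sha256(session_id.encode()).hexdigest()

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS shared_session ("
               "sid_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL, "
               "app_type TEXT NOT NULL, last_seen INTEGER NOT NULL)")
    return db

def register_login(db, session_id, user_id, app_type, now):
    """Called by the application that validated the logon (e.g. 'witango')."""
    db.execute("INSERT OR REPLACE INTO shared_session VALUES (?, ?, ?, ?)",
               (_key(session_id), user_id, app_type, now))
    db.commit()

def touch(db, session_id, now):
    """Refresh the timestamp on a page request, at most once per TOUCH_INTERVAL.
    An already expired record is never revived. Returns True if it was refreshed."""
    cur = db.execute("UPDATE shared_session SET last_seen = ? WHERE sid_hash = ? "
                     "AND ? - last_seen >= ? AND ? - last_seen < ?",
                     (now, _key(session_id), now, TOUCH_INTERVAL, now, IDLE_TIMEOUT))
    db.commit()
    return cur.rowcount == 1

def auto_logon(db, session_id, now):
    """Called by the other application when it has no local user for this request.
    Returns the validated user_id, or None if there is no record or it has expired."""
    row = db.execute("SELECT user_id, last_seen FROM shared_session "
                     "WHERE sid_hash = ?", (_key(session_id),)).fetchone()
    if row is None:
        return None
    if now - row[1] >= IDLE_TIMEOUT:
        # Expired: delete the record so it cannot be matched again later.
        db.execute("DELETE FROM shared_session WHERE sid_hash = ?", (_key(session_id),))
        db.commit()
        return None
    return row[0]
```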
----- Original Message -----
From: "Ezra" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 20, 2003 11:52 AM
Subject: Witango-Talk: Sharing vars between witango & php
What is the best way to share variables between a php app and a witango
app? I need to share a few vars (userid/pass/status/sessionID, etc..)
between two apps so there is no need for users to login again when
calling apps of different types. I think setting up cookies and have
both wi and php apps look for it might be one but not good if cookies
are turned off. Any ideas?
Don't tell me to convert those php apps to witango! :)
thanks, Ezra
On Tuesday, March 18, 2003, at 01:58 PM, Troy Sosamon wrote:
How about this clock - ha ha.
http://www.yugop.com/ver3/stuff/03/fla.html
Troy Sosamon
-----Original Message----- From: Aseem Mal [mailto:[EMAIL PROTECTED] Sent: Friday, March 14, 2003 1:45 PM To: [EMAIL PROTECTED] Subject: Witango-Talk: RE: Client-Side Clock
Hi, I need to use the client-side system-time to build my taf. Is there a Tango function I can use, or do I have to resort to good old JavaScript?
Aseem Mal Web Applications Engineer Execpro Information Services Inc., 1250, 4th Street Santa Monica, CA 90401 E-mail: [EMAIL PROTECTED]
-----Original Message----- From: Chris Millet [mailto:[EMAIL PROTECTED] Sent: Friday, March 14, 2003 11:34 AM To: [EMAIL PROTECTED] Subject: Witango-Talk: Sending email with authentication
Does anyone know how to have Witango send an email using an SMTP server
that requires authentication?
Chris
_____________________________________________________________________ __
_
TO UNSUBSCRIBE: send a plain text/US ASCII email to
[EMAIL PROTECTED]
with unsubscribe witango-talk in the message body
