irigsoft

uniGUI Subscriber
  • Posts

    1375
  • Days Won

    22

Everything posted by irigsoft

  1. Just add this check for User1's sessionId.

     1. Create a directory for User1, /files/sessionID, when User1's session starts.
     2. Generate User1's PDF files and save them in /files/sessionID.
     3. Add a check by sessionID in the function, like this:

            if (Pos(ARequestInfo.Host + '/files/' + uniSession.SessionId + '/', ARequestInfo.Host + ARequestInfo.URI) = 0) then .....

     When User2 tries to get files of User1, the function will check the sessionID and block User2 from getting files of User1.
  2. URL: https://youdmain.com:8077/files/user1file.pdf

     This blocks URLs that try to get files from other directories. If You try to open something like https://youdmain.com:8077/systemdir1/user1file.pdf, You will get error 405.

         procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
           ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
           var Handled: Boolean);
         begin
           // check if this is a new session
           if (ARequestInfo.URI <> '/') and (ARequestInfo.Referer = '') then
           begin
             // refuse every request whose URL does not contain <host>/files/
             if (Pos(ARequestInfo.Host + '/files/', ARequestInfo.Host + ARequestInfo.URI) = 0) then
             begin
               AResponseInfo.ResponseNo := 405;
               //AResponseInfo.ContentText := '<h1>Access denied</h1>';
               Handled := True;
               // save log
               SaveHTMLLog('NONE ACCEPTABLE COMMAND'
                 + #9 + 'IP: ' + ARequestInfo.RemoteIP
                 + #9 + 'URI: ' + ARequestInfo.URI
                 + #9 + 'COMMAND: ' + ARequestInfo.Command
                 + #9 + 'ROW COMMAND: ' + ARequestInfo.RawHTTPCommand
                 + #9 + ARequestInfo.RawHeaders.Text
                 + #9 + ARequestInfo.Document);
               AResponseInfo.CloseConnection := True;
               AResponseInfo.CloseSession;
               Exit;
             end;
           end;
         end;
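
The per-session check from posts 1 and 2 above, written as a stand-alone function (an added example, not code from the posts or from uniGUI). It goes beyond the posts by anchoring the match at the start of the path and by refusing encoded, backslash and parent-directory segments. IsOwnSessionFile, the session ID and the sample paths are constructed for illustration, and the code assumes the server generates file names that need no URL encoding.

```pascal
program SessionFileCheck;
{$IFDEF FPC}{$MODE DELPHI}{$ENDIF}
{$APPTYPE CONSOLE}

const
  FilesRoot = '/files/';  // URL prefix used in the posts above

// True only when URI has the form /files/<SessionId>/<file name>.
// SessionId must be the value the server holds for the requester's session
// (assumption: it is never read from the URL itself).
function IsOwnSessionFile(const URI, SessionId: string): Boolean;
var
  Prefix, Rest: string;
begin
  Result := False;
  if SessionId = '' then Exit;  // no session, no per-session files
  // Refuse anything that could change meaning after decoding or path
  // normalisation: encoded bytes, backslashes, parent references.
  if (Pos('%', URI) > 0) or (Pos('\', URI) > 0) or (Pos('..', URI) > 0) then Exit;
  Prefix := FilesRoot + SessionId + '/';
  // The prefix must start the path; finding it elsewhere does not count.
  if Copy(URI, 1, Length(Prefix)) <> Prefix then Exit;
  Rest := Copy(URI, Length(Prefix) + 1, MaxInt);
  // Exactly one file name below the session directory.
  Result := (Rest <> '') and (Pos('/', Rest) = 0) and (Pos('?', Rest) = 0);
end;

const
  // Constructed sample data, not taken from a real server.
  Sid1 = 'AAAA1111';
  Samples: array[0..4] of string = (
    '/files/AAAA1111/invoice.pdf',                   // own directory
    '/files/BBBB2222/invoice.pdf',                   // another session's directory
    '/files/BBBB2222/x/files/AAAA1111/invoice.pdf',  // own prefix appears later in the path
    '/files/AAAA1111/../BBBB2222/invoice.pdf',       // parent reference
    '/systemdir1/user1file.pdf');                    // outside /files/

var
  I: Integer;
begin
  // Print the status the handler would answer with for each sample path.
  for I := Low(Samples) to High(Samples) do
    if IsOwnSessionFile(Samples[I], Sid1) then
      WriteLn('200  ', Samples[I])
    else
      WriteLn('405  ', Samples[I]);
end.
```
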
  3. David, You can use TUniServerModule.UniGUIServerModuleHTTPCommand to catch the request before the file is opened.
  4. david_navigator, there is a problem: all directories are available, even the system directories! With some instruments on the web you will get all files and download them.
  5. david_navigator, You can apply something simple: when user1 starts to create (or open) a pdf, You need to add an own code to the url, like "/?F=UjSdR100O". This code is generated for the user when opening the session, so when user2 is trying to access the file by url, he must use the same code to get to user1's files. The url will be: https://www.mydomain.com/files/user1_invoice.pdf&F=UjSdR100O , and the download file procedure will check the F code.
  6. I will also add this to the list of security problems: If anybody knows some solution, please help.
  7. Sherzod, What is the best practice if I have different users and they all need to receive only their own files? A simple example: I have a Stand Alone application. My app allows users to watch video files. All of these videos are paid. I have 3 users: user1 has paid for video1, user2 has paid for video2 and user3 has paid for video3. If everyone can download video1 (2 or 3) from one directory (\files) by url, that means that all users can download all these 3 video files without paying, right?
  8. I'm not sure. If user2 tries to access the pdf file, the session must be opened and the access verification procedure must be performed when the session is opened. I'm using a different folder and trying to get a file from this directory and I can't. Maybe that's the solution.
  9. I am using a temporary folder for my application and in this folder I have different files from different users. If all the links can get these files by url, for me this is a security issue. If user2 can read from this directory, I need to do a server procedure (or mainmodule) that checks if this user has the right to download / open this file; one of my solutions will be my suggestion. When user2 tries to download a file created by user1 in the \files\ directory, the session manager (or server) must check and block it. How to do it? "It is better for the user to create a unique folder that is stored in the DB." How to create a directory in the DB? These pdf files may be temporary.
  10. Hello, if I can offer you: Connect a user to a user session so that only the user who opened that session can see the pdf. Something like:

      1. Create a pdf named usersession_pdfName.pdf
      2. When viewing the url, make sure the user session is the same as in the pdf name

      Or even a cookie for the user pdf creation procedure:

      1. The user starts to create a pdf; before starting the procedure, create a temporary cookie
      2. The user opens the pdf, but before opening the pdf check the cookie
  11. I can't help on this point, sorry. If You make Your solution and have too many connections and too many errors, then I think the production of the server will slow down. I think it's a better solution to send log files one or more times a day.
  12. If I can propose to You, make a function that reports the log files to You every day. Just at 0:00 send a mail with all log files generated on the Server.
  13. There is only send mail, no get error message. You can use this to log messages to a local file on the server:

          UniServerModule.Logger.AddLog('SysLog', FormatDateTime('dd.MM.yyyy HH:mm:ss', Now, UniServerModule.MySettings) + ' : ' + SomeMessage, 'HtmlLog');

      So at every moment in a Try Except You can use that to save the error message.
  14. I try to help with part of the main code, but You must work on it:

          var
            AttachedFile: TIdAttachmentFile; // attachment
            mCount, I, J, iCodePage: Integer;
            SMTPClient: TSMTPSend;
            Msg: TMimeMess;
            MimePart: TMimePart;
          begin
            // Settings used below (placeholders):
            //   #Mail=YouMail
            //   #Host=YouMailHost
            //   #Port=587            port to connect
            //   #User=YouMail
            //   #Pass=YouPassToMail
            //   #UseSSL=False
            //   #Recepient=recepientMail
            //   #SubjectText=YourSubjectofMail
            //   #MessageText=YourErrorMessage
            Result := '';

            // use SMTP to send the message
            SMTPClient := TSMTPSend.Create;
            SMTPClient.TargetHost := YouHost;
            SMTPClient.TargetPort := YouMailPort;
            SMTPClient.UserName := MailUserName;
            SMTPClient.Password := MailPass;
            //SMTPClient.AutoTLS := True;
            //if sParameters.Values['UseSSL'] <> '' then
            //  SMTPClient.AutoTLS := StrToBool(sParameters.Values['UseSSL']);
            //if sParameters.Values['FullSSL'] <> '' then
            //  SMTPClient.FullSSL := StrToBool(sParameters.Values['FullSSL']);

            //if SMTPClient.Login then begin
            //  for mCount := 0 to EmailsList.Count - 1 do begin
            Msg := TMimeMess.Create;
            try
              Msg.Header.Date := Now;
              Msg.Header.Priority := mp_Normal;
              //Msg.Header.CharsetCode := ISO_8859_1;
              Msg.Header.From := MailYouser;
              Msg.Header.ToList.Add(RecepientMail);
              Msg.Header.Subject := SubjectofMail;
              Msg.Header.XMailer {CustomHeaders.Values['X-mailer']} := 'Sender Information'; // trade mark or something
              // the body parts are added here and the message encoded, so that
              // Msg.Lines holds the text that is sent (not shown in this part)

              // connect to host
              if (SMTPClient.Login) and (SMTPClient.AuthDone) then
              begin
                if SMTPClient.MailFrom(GetEmailAddr(Msg.Header.From), Length(Msg.Lines.Text)) then
                begin
                  if not SMTPClient.MailTo(RecepientMail) then
                    Result := 'Error' + #13#10 + RecepientMail;
                  // if there is no error message, send the message
                  if Result = '' then
                    SMTPClient.MailData(Msg.Lines);
                end;
              end; // if (SMTPClient.Login)
            finally
              Msg.Free;
              //MimePart.Free;
              AttFileList.Clear;
              AttFileList.Free;
            end;
            //  end; // for mCount
            SMTPClient.Logout;
            SMTPClient.Free;
            //end; // if SMTPClient.Login then begin
          end;

      I wish You good luck.
  15. This is it (I think): http://forums.unigui.com/index.php?/topic/11573-unidbgrid-current-page/&tab=comments#comment-61419

      "To do this, you would need to capture the current page number of the UniDBGrid. Does anyone know how to do this?"

      Calculate current page:

          CurrPage = UniDBGrid1.DataSource.DataSet.RecNo div UniDBGrid1.WebOptions.PageSize + 1

      "In short, I need to do the paging manually."

      Go to page ID: "In JS I've seen that UniSession.AddJS(UniDBGrid1.JSName+'.store.loadPage(1);'); is working, ..."

      To do paging manually, You can hide the page panel (custom css) and add own buttons for next / prev page.
  16. I don't know if this will help, but see here: Or this: Or this: I think the latter is the most useful. It has everything to navigate the pages.
  17.

          // uses DateUtils;
          SaveTokenQuery.ParamByName('dateexpire').AsDateTime := IncMinute(Now, 30); // Now + 30 minutes
  18. Hi, I have a function in a timer that sends a message to the client 2 minutes before the session timeout expires. If You think You can use it:

          procedure TUniForm1.DlgMsgCallBack1(Sender: TComponent; Res: Integer);
          begin
            UniMainModule.StillThereAsked := False;
          end;

          procedure TUniForm1.UniTimer1Timer(Sender: TObject);
          var
            I, WaitStill: Integer;
            U: TUniGUISession;
          begin
            // This sends a MessageDlg to the client and waits for an answer
            // every "AskStillThereEveryMin" minutes:
            Inc(UniMainModule.WaitForStillThere);
            if not TryStrToInt(UniServerModule.SistemSettingsList.Values['AskStillThereEveryMin'], WaitStill) then
              WaitStill := 0;
            if (WaitStill > 0)
              and (UniMainModule.WaitForStillThere >= WaitStill * 60)
              and (not UniMainModule.StillThereAsked) then
            begin
              UniMainModule.WaitForStillThere := 0;
              UniMainModule.StillThereAsked := True;
              uniGUIDialogs.MessageDlg('Are You still there ?', mtConfirmation, [mbOK], DlgMsgCallBack1);
            end;

            // This closes the session at the exact time of the day (office closed),
            // if a closing time is enabled
            if (AnsiUpperCase(UniServerModule.SistemSettingsList.Values['CloseOnTime']) <> '') then
            begin
              if FormatDateTime('HH:mm:ss', Now, UniServerModule.MySettings) = UniServerModule.SistemSettingsList.Values['CloseOnTime'] then
              begin
                // close all sessions
                //UniServerModule.SessionManager.Sessions.Lock;
                for I := UniServerModule.SessionManager.Sessions.SessionList.Count - 1 downto 0 do
                begin
                  U := UniServerModule.SessionManager.Sessions.SessionList[I];
                  //U.LockSession;
                  // Check mainModule availability. Some sessions may not have a MainModule instance
                  if U.UniMainModule <> nil then
                  begin
                    // Do not close my OWN session
                    //if (UniApplication.UniSession.SessionID <> U.SessionId)
                    //  AND ((U.UniMainModule as TUniMainModule).sUserName = sesionUser)
                    //then begin
                    //  LogOutUser((U.UniMainModule as TUniMainModule).sTermID, (U.UniMainModule as TUniMainModule).sUsername);
                    UniTimer1.Enabled := False;
                    try
                      U.LockSession;
                      U.ReleaseSession;
                      U.Terminate('End of Work' + '</br>' + 'Your Credit is over.');
                    finally
                      U.UnBusy;
                    end;
                    //end;
                    // UniMainModule(U.UniMainModule as TUniMainModule).logout((U.UniMainModule as TUniMainModule).sUsername);
                    // Access custom MainModule props
                  end;
                end;
                //UniServerModule.SessionManager.Sessions.Unlock;
              end;
            end;
          end;
  19. No need to kill the thread, the session is closing after the redirect. I use TerminateafterSec (20), but someone in the forum wrote that the session is closed when redirected and its attributes cannot be used. From the topic in the forum: "Oops my bad! yes redirect would destroy the previous session so my answer is wrong." When testing after redirection, I always get a message: "Session terminated" (I catch session destroy). Maybe this will help:
  20. @andyhill, And so, I think I succeeded to redirect:

      1. Strange, but it works: add to MainModule.Servermessages.TerminateTemplate

             '<meta http-equiv="refresh" content="0; URL='http://www.google.com'"/>'

         from here:
      2. Make Your code this way, from 'http://127.0.0.1:8077/?Form=POS_N' to 'http://127.0.0.1:8077/?Form=AddN':

             unit MainModule;

             procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
             var
               s: String;
               //REQ: TIdHTTPRequestInfo; // uIdCustomHTTPServer
               RedirectURL: String;
             begin
               RedirectURL := 'http://127.0.0.1:8077/?Form=AddN';
               // only if some request arrives
               if (UniSession.ARequest.URI = '/HandleEvent')
                 // and not redirected yet
                 and (RedirectURL <> UniSession.ARequest.Referer) then
               begin
                 Handled := True;
                 s := UniSession.ARequest.Referer; // if this is not used, redirects forever!!!!
                 UniSession.AResponse.ResponseNo := 308;
                 UniSession.AResponse.ResponseText := 'redirected';
                 UniSession.UrlRedirect(RedirectURL);
               end;
             end;

      3. Run the project
      4. Delete the meta tag from MainModule.Servermessages.TerminateTemplate
      5. Run the project

      And no more errors: it loads the first url and after some seconds redirects to the second url, that is it. I think the changes in MainModule.ServerMessages.TerminateTemplate make some change!
  21. I try in a new Project to redirect from http://127.0.0.1:8077/?Form=PosN to http://127.0.0.1:8077/?Form=AddN

      1. Your code
      2. Try to redirect via javascript in Custom meta from here:
      3. Try to reconnect with Custom meta:

             <meta http-equiv="refresh" content="2; url=http://127.0.0.1:8077/?Form=AddN" />

      If I redirect to another URL it's OK, but if I try to redirect to the same location the error is always the same. Like on the picture.
  22. I get Your results when I try to redirect to me, from http://127.0.0.1:8055/form=name1 to http://127.0.0.1:8055/form=name125
  23.

          procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
            ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
            var Handled: Boolean);
          begin
            // send the HSTS header with every response
            AResponseInfo.CustomHeaders.AddValue('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
          end;