How to get SessionID ?

[david_navigator]

How do I get the user's SessionID within the TUniServerModule.UniGUIServerModuleHTTPCommand procedure ?

Everything I try either gives me an AV or a Invalid Class Typecast

 

[irigsoft]

Hi, can You post here Your procedure, maybe is problem there ?

I am not of uniGui team , but every problem is important for me.

In my examples (ver 1524 prof), everything works, the compilation goes through and returns values.

uniSession.sessionID returns an error until the session is created, but the unigui cookie always returns a value before the session is created empty, then there is a sessionID.

[Farshad Mohajeri]

Hi,

You can get the sessionID from HTTP parameters, but the actual session is not available at that stage.

[Farshad Mohajeri]

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
var
  SessionId : string;
begin
  SessionId := ExtractSessionId(ARequestInfo.UnParsedParams);

end;

uses
  UniGUIVars, uniGUIJSUtils;

 

[irigsoft]

super

[irigsoft]

33 minutes ago, Farshad Mohajeri said:

Hi,

You can get the sessionID from HTTP parameters, but the actual session is not available at that stage.

Hello

Is there a way to disable User2 from receiving files for User1?

If we have a directory for temporary files that the application works with.

User1 creates and downloads (views) pdf files such as an invoice, and if User2 knows the url to User1's pdf, it could download / view the file created by User1.

How to block User2 ?

[Farshad Mohajeri]

1 hour ago, irigsoft said:

Hello

Is there a way to disable User2 from receiving files for User1?

If we have a directory for temporary files that the application works with.

User1 creates and downloads (views) pdf files such as an invoice, and if User2 knows the url to User1's pdf, it could download / view the file created by User1.

How to block User2 ?

"files" folder is only for custom JS/Css files and other shared resources.

For private files you need to put them under session local folder.

[irigsoft]

9 minutes ago, Farshad Mohajeri said:

"files" folder is only for custom JS/Css files and other shared resources.

For private files you need to put them under session local folder.

thanks,

how to block User2 to get files of User1, I use temp folder for created pdf files like invoices.

I make function and check if User1 sessionId is the same with temp folder/user1 sessionid folder/.

If is the same, then view file, if is not then block session.

This I can reach in UniGUIServerModuleHTTPCommand, but the problem is get sessionId befor session creation.

So Is there is a standart function in uniGui application for this restriction for files from one session to other ?

[Farshad Mohajeri]

Just now, irigsoft said:

thanks,

how to block User2 to get files of User1, I use temp folder for created pdf files like invoices.

I make function and check if User1 sessionId is the same with temp folder/user1 sessionid folder/ if is the same , then view file, if is not then block session

This I can reach in UniGUIServerModuleHTTPCommand, but the problem is get sessionId befor session creation.

So Is there is a standart function in uniGui application for this restriction for files from one session to other ?

You can create sub folders with random file names, so no one else can access that folder.

You can use ServerModule's function below:

 

    function NewCacheFileUrl(const Global:Boolean; const Ext, FileName, SubDir: string; var AUrl: string; AvoidBrowserCache: Boolean = False):string;

 

There is no way for uniGUI to disable access to a file. As long as that file exists a valid URL will load it.

[irigsoft]

Real example is this:

I also added my own example. Is there a solution?

[irigsoft]

8 minutes ago, Farshad Mohajeri said:

You can create sub folders with random file names, so no one else can access that folder.

You can use ServerModule's function below:

 

    function NewCacheFileUrl(const Global:Boolean; const Ext, FileName, SubDir: string; var AUrl: string; AvoidBrowserCache: Boolean = False):string;

 

There is no way for uniGUI to disable access to a file. As long as that file exists a valid URL will load it.

and I think by this way, but I create folder under tempfolder with name of User1's SessionID, when User2 get url of User1, befor to open file is application must check sessionID of User2.

If User2's sessionID is not the same like folder from where geting file, then application will block session creation.

 

[Farshad Mohajeri]

There's no way for user2 to know the session id of user1.

[irigsoft]

11 minutes ago, Farshad Mohajeri said:

There's no way for user2 to know the session id of user1.

there is a way: injecting javascript and an infected computer.

But, another possible example:

User1, User2, User3, pay to receive Video files, if all these users are friends, they can exchange url and pay for one file instead of 3 * 3.

And my solution to this problem is to block users from receiving files through the user session.

Another possible solution is to create my own Dir name and keep that name in the unimainmodule as a variable. So each session will have its own directories and do this check through this variable.

[irigsoft]

In this theme: 

i test some problems and javascript injection will work .

so every try can get session cookie with sessionID. Is not serious vulnerability but is possible to know session ID of other user

the other problem is that if I know under the temp folder what the files are, then I can get them without opening a session, etc. I tried this with an app like StandAlone and all the directories and files under the root directory and everything was available

 

So I added my own procedure to block other directories except uniServerModule Tempfolder, but the file problem still exists.