david_navigator Posted March 24, 2021
How do I get the user's SessionID within the TUniServerModule.UniGUIServerModuleHTTPCommand procedure? Everything I try gives me either an AV or an Invalid Class Typecast.
irigsoft Posted March 24, 2021
Hi, can you post your procedure here? Maybe the problem is there. I am not on the uniGUI team, but every problem is important to me. In my examples (ver 1524 prof) everything works: the compilation goes through and values are returned. uniSession.sessionID returns an error until the session is created, but the uniGUI cookie always returns a value: empty before the session is created, then the sessionID.
Farshad Mohajeri (Administrators) Posted March 24, 2021
Hi, You can get the sessionID from HTTP parameters, but the actual session is not available at that stage.
Farshad Mohajeri Posted March 24, 2021

    // add these units to the uses clause of the server module
    uses
      UniGUIVars, uniGUIJSUtils;

    procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
      var Handled: Boolean);
    var
      SessionId: string;
    begin
      // the session id is taken from the raw request parameters;
      // the session object itself does not exist yet at this stage
      SessionId := ExtractSessionId(ARequestInfo.UnParsedParams);
    end;
irigsoft Posted March 24, 2021
super
irigsoft Posted March 24, 2021
33 minutes ago, Farshad Mohajeri said: Hi, You can get the sessionID from HTTP parameters, but the actual session is not available at that stage.
Hello. Is there a way to stop User2 from receiving User1's files? Say we have a directory for temporary files that the application works with. User1 creates and downloads (views) PDF files such as an invoice, and if User2 knows the URL of User1's PDF, they could download/view the file created by User1. How do I block User2?
Farshad Mohajeri Posted March 24, 2021
1 hour ago, irigsoft said: Hello. Is there a way to stop User2 from receiving User1's files? Say we have a directory for temporary files that the application works with. User1 creates and downloads (views) PDF files such as an invoice, and if User2 knows the URL of User1's PDF, they could download/view the file created by User1. How do I block User2?
"files" folder is only for custom JS/Css files and other shared resources. For private files you need to put them under session local folder.
irigsoft Posted March 24, 2021
9 minutes ago, Farshad Mohajeri said: "files" folder is only for custom JS/Css files and other shared resources. For private files you need to put them under session local folder.
Thanks. How do I block User2 from getting User1's files? I use the temp folder for created PDF files like invoices. I wrote a function that checks whether User1's sessionId is the same as the temp folder/user1 sessionId folder/. If it is the same, the file is shown; if not, the session is blocked. I can do this in UniGUIServerModuleHTTPCommand, but the problem is getting the sessionId before session creation. So is there a standard function in a uniGUI application for restricting files from one session to another?
Farshad Mohajeri Posted March 24, 2021
Just now, irigsoft said: Thanks. How do I block User2 from getting User1's files? I use the temp folder for created PDF files like invoices. I wrote a function that checks whether User1's sessionId is the same as the temp folder/user1 sessionId folder/. If it is the same, the file is shown; if not, the session is blocked. I can do this in UniGUIServerModuleHTTPCommand, but the problem is getting the sessionId before session creation. So is there a standard function in a uniGUI application for restricting files from one session to another?
You can create sub folders with random file names, so no one else can access that folder. You can use ServerModule's function below:

    function NewCacheFileUrl(const Global: Boolean; const Ext, FileName, SubDir: string;
      var AUrl: string; AvoidBrowserCache: Boolean = False): string;

There is no way for uniGUI to disable access to a file. As long as that file exists a valid URL will load it.
irigsoft Posted March 24, 2021
Real example is this: I also added my own example. Is there a solution?
irigsoft Posted March 24, 2021
8 minutes ago, Farshad Mohajeri said: You can create sub folders with random file names, so no one else can access that folder. You can use ServerModule's function NewCacheFileUrl. There is no way for uniGUI to disable access to a file. As long as that file exists a valid URL will load it.
I was thinking of it this way too, but I create a folder under the temp folder with the name of User1's SessionID. When User2 gets User1's URL, before opening the file the application must check User2's sessionID. If User2's sessionID is not the same as the folder the file is being fetched from, the application will block session creation.
Farshad Mohajeri Posted March 24, 2021
There's no way for user2 to know the session id of user1.
irigsoft Posted March 24, 2021
11 minutes ago, Farshad Mohajeri said: There's no way for user2 to know the session id of user1.
There is a way: injecting JavaScript, and an infected computer. But another possible example: User1, User2 and User3 pay to receive video files; if all these users are friends, they can exchange the URL and pay for one file instead of 3 * 3. My solution to this problem is to block users from receiving files through the user session. Another possible solution is to create my own directory name and keep that name in the UniMainModule as a variable, so each session will have its own directories and the check is done through this variable.
irigsoft Posted March 24, 2021
In this thread I tested some problems, and JavaScript injection will work, so every attempt can get the session cookie with the sessionID. It is not a serious vulnerability, but it is possible to know the session ID of another user. The other problem is that if I know what the files under the temp folder are, then I can get them without opening a session, etc. I tried this with a StandAlone app, and all the directories and files under the root directory, everything, were available. So I added my own procedure to block other directories except the uniServerModule TempFolder, but the file problem still exists.
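The two mechanisms discussed in this thread, an unguessable random subfolder per session (the idea behind NewCacheFileUrl) and an explicit owner check on the session id extracted from the request before any session object exists, together with the path-traversal check the last post found missing, as an added example in Python. This is not uniGUI code and calls no uniGUI API; the query parameter name _S_ID, the <temp root>/<session id>/<random token>/ folder layout and the sample PDF are assumptions made for the example.

```python
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import parse_qs


def extract_session_id(query: str, param: str = "_S_ID") -> Optional[str]:
    """Pull the session id out of a raw query string, the equivalent of the
    thread's ExtractSessionId(ARequestInfo.UnParsedParams) step.
    The parameter name '_S_ID' is an assumption for this example."""
    values = parse_qs(query).get(param)
    return values[0] if values else None


def new_private_file_dir(temp_root: Path, session_id: str) -> Path:
    """Create <temp_root>/<session_id>/<random token>/ for one session's files.
    The token is 128 bits from the OS CSPRNG, so the resulting URL cannot be
    guessed or enumerated: this is the 'random sub folder' approach."""
    private_dir = temp_root / session_id / secrets.token_urlsafe(16)
    private_dir.mkdir(parents=True, exist_ok=False)
    return private_dir


def resolve_private_file(temp_root: Path, request_path: str,
                         requester_sid: Optional[str]) -> Optional[Path]:
    """Map a requested URL path to a file under temp_root. Returns None
    (caller answers 403/404) unless all of the following hold:
      * the resolved path is strictly inside temp_root (blocks ../ escapes,
        the 'everything under the root was available' problem),
      * the first path component is the owning session's folder, and
      * the requester presented that same session id (constant-time compare)."""
    root = temp_root.resolve()
    candidate = (root / request_path.lstrip("/")).resolve()
    if root not in candidate.parents:
        return None  # traversal outside the temp root, or the root itself
    owner = candidate.relative_to(root).parts[0]
    if requester_sid is None:
        return None  # no session id in the request: never serve private files
    if not hmac.compare_digest(owner.encode(), requester_sid.encode()):
        return None  # another session's folder
    if not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Exercise the checks on a constructed temp tree; every value should be True."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        owner_dir = new_private_file_dir(root, "sessA")
        pdf = owner_dir / "invoice.pdf"
        # constructed sample content, not a real invoice
        pdf.write_bytes(b"%PDF-1.4\n% constructed sample\n")
        url_path = "/" + pdf.relative_to(root).as_posix()
        return {
            "owner_can_read": resolve_private_file(root, url_path, "sessA") == pdf.resolve(),
            "other_session_blocked": resolve_private_file(root, url_path, "sessB") is None,
            "no_session_blocked": resolve_private_file(root, url_path, None) is None,
            "traversal_blocked": resolve_private_file(root, "/sessA/../../etc/passwd", "sessA") is None,
            "token_is_unguessable_length": len(owner_dir.name) >= 22,
        }


if __name__ == "__main__":
    print(demo())
```

The random token alone already defeats guessing (Farshad's point that nobody else can find the folder), while the owner check additionally stops a URL that has been shared or leaked from working in another session (irigsoft's friends-sharing-a-link case). Neither helps when the session id itself is stolen, as in the JavaScript-injection scenario raised above; that requires binding the file to something the attacker cannot also take, such as the authenticated user identity held server-side.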