irigsoft - Posted March 17

My case is this:

1. The user is connected to public Wi-Fi.
2. A new session is created and the server knows from which remoteIp.
3. After 15 minutes, as the user works with the open session, the Wi-Fi signal is lost and his phone automatically connects to a mobile network.
4. The session has not timed out and has not been terminated, but the user's IP address has already changed.

I need to know when point 4 happens. Is this possible?

I tried to get it via TUniMainModule.UniGUIMainModuleHandleRequest from TUniGUISession(ASession).RemoteIP, but the IP doesn't change; the RemoteIP is always equal to what we started the session with!

Is there some global variable that collects this information?

Sherzod - Posted March 17

> 1 hour ago, irigsoft said:
> I need to know when point 4 happens, is this possible?

This post may help you:

irigsoft (Author) - Posted March 17

> 28 minutes ago, Sherzod said:
> This post may help you:

Thanks, but this does not work. RemoteIP is always the same!

My code (uniGUI_runtime_1.90.0.1551 - Professional):

1.

    procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
    begin
      // Remember the IP the session was created from
      mInnerSessionID := UniSession.RemoteIP;
    end;

2.

    procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
    begin
      // Terminate the session when the request's IP differs from the stored one
      if (mInnerSessionID <> TUniGUISession(ASession).ARequest.RemoteIP) then
      begin
        Handled := True;
        TUniGUISession(ASession).Terminate('Session is closed');
      end;
    end;

Sherzod - Posted March 17

So, were you able to achieve success?

irigsoft (Author) - Posted March 17

> 11 minutes ago, Sherzod said:
> So, were you able to achieve success?

No. I don't know why, but when creating the new session the RemoteIP is, for example, 123.123.123.123.

After I change the network (from Wi-Fi to mobile; they are from different operators) and try to keep working with my StandAloneApp, I check in TUniMainModule.UniGUIMainModuleHandleRequest what TUniGUISession(ASession).ARequest.RemoteIP is, and it is always the same (123.123.123.123) as when opening the session.

I think the RemoteIP should change, but even after 5 minutes it still hasn't, and the session is still alive!?!

@Sherzod, I must say that I change the network on the user's mobile device, not on the server!

Sherzod - Posted March 18

> 5 hours ago, irigsoft said:
> No

Have you checked the solution from the link above?

Sherzod - Posted March 18

Are you using a mobile device? If so, which device, browser? And what application do you use: mobile or desktop?

irigsoft (Author) - Posted March 18

> 43 minutes ago, Sherzod said:
> Are you using a mobile device? If so, which device, browser? And what application do you use: mobile or desktop?

I tried it with mobile devices: Samsung (Android 10, Chrome + WebView), RedMi (Android 10, Chrome), Lenovo Tab 3 (Android 5.0, Chrome).

I use uniGUI Professional 1551 and a desktop StandAlone application for the server.

Sherzod - Posted March 18

So you open the desktop application on mobile devices? Can you check the above solution on desktop (PC, notebook)?

irigsoft (Author) - Posted March 18

> 12 minutes ago, Sherzod said:
> So you open the desktop application on mobile devices? Can you check the above solution on desktop (PC, notebook)?

Yes, I will try.

irigsoft (Author) - Posted March 18

> 37 minutes ago, Sherzod said:
> Can you check the above solution on desktop (PC, notebook)?

I tried on a laptop (Win 7, Chrome); it does not work again. In my code (that I wrote above) RemoteIP (using TUniGUISession(ASession).ARequest.RemoteIP) does not change when I change the network.

Sherzod - Posted March 18

> 1 minute ago, irigsoft said:
> ARequest.RemoteIP

Strange, in principle this should always return the actual "IP".

irigsoft (Author) - Posted March 18

> 1 minute ago, Sherzod said:
> Strange, in principle this should always return the actual "IP".

Yes, I know.

1.

    procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
    begin
      // Remember the IP the session was created from
      mInnerSessionID := UniSession.RemoteIP;
    end;

2. When I use this in TUniServerModule.UniGUIServerModuleHTTPCommand:

    begin
      sSessionID := ExtractSessionId(ARequestInfo.UnParsedParams);
      SessionManager.Sessions.Lock;
      try
        for I := SessionManager.Sessions.SessionList.Count - 1 downto 0 do
        begin
          try
            U := SessionManager.Sessions.SessionList[I];
            // Check MainModule availability. Some sessions may not have a MainModule instance
            if (U.UniMainModule <> nil) then
            begin
              // Access custom MainModule variable
              if (U.SessionId = sSessionID) then
              begin
                TUniMainModule(U.UniMainModule).sInnerSessionID := ARequestInfo.RemoteIP;
              end;
            end;
          except
            // Errors for a single session are ignored
          end;
        end;
      finally
        // Release the session list lock even if the loop raises
        SessionManager.Sessions.Unlock;
      end;
    end;

3.

    procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
    begin
      // Creation-time IP versus the IP recorded by the HTTP command handler
      if (mInnerSessionID <> sInnerSessionID) then
      begin
        Handled := True;
        TUniGUISession(ASession).Terminate('Session is closed');
      end;
    end;

then this works!

This slows down the server when I have more than 50 active sessions, so I am searching for a solution without using TUniServerModule.UniGUIServerModuleHTTPCommand.

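The workaround in the post above takes the session-list lock and walks every session on each HTTP command. As an added example (not the poster's code and not part of uniGUI), the same creation-IP versus request-IP comparison can be kept in a dictionary keyed by session ID, so each request costs one lookup; BindSession, CheckRequest, BoundIp and the sample session IDs and addresses are hypothetical names and constructed values, and wiring them into uniGUI's events is not shown.

```delphi
program SessionIpBinding;
{$APPTYPE CONSOLE}
uses System.Generics.Collections;
type
  TIpCheck = (icUnknownSession, icMatch, icChanged);

var
  // Hypothetical registry, not a uniGUI object: session ID -> IP seen at session creation.
  BoundIp: TDictionary<string, string>;

// Call once when a session is created.
procedure BindSession(const ASessionId, ARemoteIp: string);
begin
  TMonitor.Enter(BoundIp);
  try
    BoundIp.AddOrSetValue(ASessionId, ARemoteIp);
  finally
    TMonitor.Exit(BoundIp);
  end;
end;

// Call per request: one hash lookup, with the lock held only for that lookup,
// not for a walk over the whole session list.
function CheckRequest(const ASessionId, ARequestIp: string): TIpCheck;
var
  Expected: string;
begin
  TMonitor.Enter(BoundIp);
  try
    if not BoundIp.TryGetValue(ASessionId, Expected) then Result := icUnknownSession
    else if Expected = ARequestIp then Result := icMatch
    else Result := icChanged;
  finally
    TMonitor.Exit(BoundIp);
  end;
end;

const
  Names: array[TIpCheck] of string = ('unknown session', 'match', 'IP changed');
begin
  BoundIp := TDictionary<string, string>.Create;
  try
    BindSession('sess-A', '203.0.113.10');                   // constructed sample values
    Writeln(Names[CheckRequest('sess-A', '203.0.113.10')]);  // same network as at creation
    Writeln(Names[CheckRequest('sess-A', '198.51.100.7')]);  // after a Wi-Fi to mobile switch
    Writeln(Names[CheckRequest('sess-B', '203.0.113.10')]);  // session was never bound
  finally
    BoundIp.Free;
  end;
end.
```

If the server sits behind a reverse proxy or load balancer, the address to bind and compare is the one the deployment trusts as the client address, not the proxy's socket address.
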
irigsoft (Author) - Posted March 18

@Sherzod, can you tell me whether it is possible to protect (somehow) my StandAlone application from session hijacking?

I know methods like using a VPN, not using open Wi-Fi, not opening suspicious emails, but all of these are on the user side and I don't have control over it.

I need some methods that I can apply in the server app.

1. I have protection from XSS
2. I already use session restriction like srOnePerIP/srOnePerPC
3. I already use a short SessionTimeout
4. I have HTTPS

Now I need:

https://www.linkedin.com/advice/1/what-best-ways-prevent-session-hijacking#monitor-and-audit-sessions

1. To check the user's data when the session is opened and work with it!
2. To set the SessionID cookie to Secure and HttpOnly

Or you can just tell me: "We have session hijacking protections, you need to do this ......"
