Darth Florus Posted September 1, 2020
Hi! My security department requested me to change the session ID (the _S_ID value from AJAX requests) after a successful login. I find no way to do this in UniGUI. I realize that it is possible to change the session ID via the UniSession.SessionID property, but if I make the change, I lose my session and it breaks with an invalid session. Is there a way to do that? Thanks, pals, and best regards
Mehmet Emin Posted September 5, 2020
You can try the following: After a successful login, save the current unigui session id to a log table with a timestamp and a one-time-use flag. Terminate the current unigui session and redirect the user to a special URL like /refreshsid?_S_ID=<your old session id>. As the browser redirects to the new URL, unigui will generate a new session id. Check the old session id received from params[] against the log table; if it exists, then flag this user's mainmodule (it is recreated since you terminated the previous session) as logged in. So you have changed the session id after login without asking for the password again.
It is easier if you handle your login procedure manually instead of using the unigui built-in login form logic, for the above case and many other cases.
Why do the security guys ask to change the session id after login? Aren't you using SSL always, before and after login?
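The log table from the post above (timestamp plus one-time-use flag), as an added example that is not part of the original thread and is not UniGUI code: framework-neutral Python with SQLite. The table and function names, the 30-second lifetime, and storing a SHA-256 of the old session id instead of the raw value are assumptions made for this sketch.

```python
import hashlib
import sqlite3
import time

HANDOFF_TTL_SECONDS = 30  # assumed lifetime; the post only says "timestamp"


def open_log(path=":memory:"):
    """Create the handoff log table (hypothetical schema)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sid_handoff ("
        " old_sid_hash TEXT PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " created_at REAL NOT NULL,"
        " used INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def _digest(sid):
    # Assumption: keep only a hash so the log never holds a usable session id.
    return hashlib.sha256(sid.encode("utf-8")).hexdigest()


def record_login(db, old_sid, username, now=None):
    """After the password check: log the pre-login session id, unused."""
    now = time.time() if now is None else now
    with db:
        db.execute(
            "INSERT OR REPLACE INTO sid_handoff VALUES (?, ?, ?, 0)",
            (_digest(old_sid), username, now),
        )


def redeem(db, old_sid, now=None):
    """From the new session: return the username once, else None."""
    now = time.time() if now is None else now
    with db:
        # Single UPDATE makes the check-and-flag atomic: a replayed or
        # expired id matches zero rows and is rejected.
        cur = db.execute(
            "UPDATE sid_handoff SET used = 1"
            " WHERE old_sid_hash = ? AND used = 0 AND created_at >= ?",
            (_digest(old_sid), now - HANDOFF_TTL_SECONDS),
        )
        if cur.rowcount != 1:
            return None
        row = db.execute(
            "SELECT username FROM sid_handoff WHERE old_sid_hash = ?",
            (_digest(old_sid),),
        ).fetchone()
    return row[0]
```

In the flow from the post, `record_login` runs just before the old session is terminated and `redeem` runs when /refreshsid is requested under the new session id; only a non-None result marks the new session as logged in.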
Darth Florus (Author) Posted July 22, 2021
Yes I do, but security guys are annoying people. Best regards
rhennink Posted December 9, 2024
Hi! How did you fix this in the end? Richard