= Lifecycle of an OX Session =

The content on this page has moved to https://documentation.open-xchange.com/7.10.3/middleware/login_and_sessions/session_lifecycle.html

This page describes in detail how a session is created, what the components of a session are and how they work together, and which stages a session goes through during its lifetime.

Note: Open-Xchange is in the process of migrating all its technical documentation to a new and improved documentation system (documentation.open-xchange.com). Please note that as the migration takes place, more information will be available on the new system and less on this system. Thank you for your understanding during this period of transition.
== Creating a session ==

Creating a session is a straightforward process. Let's fire up a network sniffer and see what's exchanged between client and server during login (redacted for brevity; some of what is sent back and forth is not really relevant to this discussion):
<pre>
POST /ajax/login?action=login&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev7&authId=eedc7ddf-8c4b-4ba4-b00d-88250574eee1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=username%40contextname&password=somePassword
</pre>
Let's go through this one thing at a time. Look at the first line:

<pre>
POST /ajax/login?action=login&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev7&authId=eedc7ddf-8c4b-4ba4-b00d-88250574eee1 HTTP/1.1
</pre>

It's an HTTP POST that wants to perform a login ( /ajax/login?action=login ).
<pre>
POST /ajax/login?action=login&modules=true&'''client=com.openexchange.ox.gui.dhtml'''&version=6.20.0%20Rev7&authId=eedc7ddf-8c4b-4ba4-b00d-88250574eee1 HTTP/1.1
</pre>

The first thing to look at is the client identifier (&client=...). Here the client identifier is '''com.openexchange.ox.gui.dhtml'''. The client identifier is used to differentiate between different client programs that share the same cookie store; for example, one session in your browser is opened by the OX frontend and another one by a browser plugin. So that the cookies used in session handling do not overwrite each other, each client program provides its own client identifier, which is later used to construct the cookie names by way of the '''Cookie Hash'''.
<pre>
POST /ajax/login?action=login&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev7&'''authId=eedc7ddf-8c4b-4ba4-b00d-88250574eee1''' HTTP/1.1
</pre>

The second thing that jumps out is the Auth-ID; the Auth-ID that will show up in log files is '''eedc7ddf-8c4b-4ba4-b00d-88250574eee1'''. Whenever you have to track a login or logout request across the different systems of your Apache / OX server cluster, for example, the Auth-ID comes in handy: it's a unique string that shows up along the request's way through the systems.
<pre>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
</pre>

The User-Agent header is also used in constructing the cookie names, or more precisely the '''Cookie Hash'''.
<pre>
name=username%40contextname&password=somePassword
</pre>

This line contains the parameters sent in the POST request: "name" is set to username@contextname, and the password is set to "somePassword". This information is used by the authentication system to authenticate the user or deny the login request. Let's say everything goes right with our login attempt and look at the server's answer, again redacted for brevity and relevance to our discussion:
<pre>
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Set-Cookie: open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6; expires=Tue, 24-May-2011 13:28:59 GMT; path=/
Transfer-Encoding: chunked

90e
{"session":"4bb7202edae54094855b5a545d7123c3","random":"fd367d5c15ca4914b280982422008c4d","modules": '''/* SOME STUFF */''' }
0
</pre>

The answer provides the client with the two parts it later needs to construct valid requests: the '''Session Secret''' and the '''Session ID'''. As you can see in this line, the session secret is transferred as a cookie:
<pre>
Set-Cookie: open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6; expires=Tue, 24-May-2011 13:28:59 GMT; path=/
</pre>

Notice the name of the cookie, which always starts with '''open-xchange-secret-''' followed by the '''cookie hash''', which is normally calculated from the User-Agent header of the login request and the value of the client parameter. The expiry time of the cookie is governed by the cookie lifetime configuration parameter and by whether '''autologin''' is permitted or not. As I tried this request on Tue, 17-May-2011, the cookie will live one week.
The '''Session ID''' is transmitted to the client in the response body:

<pre>
{'''"session":"4bb7202edae54094855b5a545d7123c3"''',"random":"fd367d5c15ca4914b280982422008c4d","modules": /* SOME STUFF */ }
</pre>

This '''session ID''' will later be sent to the server in all requests as the '''session''' parameter.
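To make the two halves concrete, here is an added Python example (not Open-Xchange code): it parses the login response shown above (reconstructed from the values on this page, with the modules list omitted), pulls the cookie hash and secret out of the Set-Cookie header and the session ID out of the chunked JSON body, and then checks whether a follow-up request (a constructed, hypothetical module call) presents both the secret cookie under the same hashed name and the matching session parameter. The cookie-hash computation itself is not reproduced, since the exact algorithm is not given on this page.

```python
import json
from urllib.parse import urlsplit, parse_qs

SECRET_PREFIX = "open-xchange-secret-"  # fixed prefix, followed by the cookie hash
# Constructed login response using the values shown on this page; the body is
# built at runtime so the chunk size line is always correct.
_BODY = json.dumps({"session": "4bb7202edae54094855b5a545d7123c3",
                    "random": "fd367d5c15ca4914b280982422008c4d"})
LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/javascript; charset=UTF-8\r\n"
    "Set-Cookie: open-xchange-secret-2H65ETpH7sX1kOWi6eyw=d4da87aaddf04ae8a1194715b08eede6"
    "; expires=Tue, 24-May-2011 13:28:59 GMT; path=/\r\nTransfer-Encoding: chunked\r\n\r\n"
    f"{len(_BODY):x}\r\n{_BODY}\r\n0\r\n\r\n")  # one data chunk, then the final 0 chunk
# Constructed follow-up request (hypothetical module call, extra unrelated cookie).
GOOD_TARGET = "/ajax/mail?action=all&session=4bb7202edae54094855b5a545d7123c3"
GOOD_COOKIE = ("JSESSIONID=abc123; open-xchange-secret-2H65ETpH7sX1kOWi6eyw="
               "d4da87aaddf04ae8a1194715b08eede6")

def decode_chunked(raw):
    """Reassemble a chunked body: hex size line, data, CRLF, ... until a 0 chunk."""
    out, pos = [], 0
    while True:
        end = raw.index("\r\n", pos)
        size = int(raw[pos:end].split(";")[0], 16)
        if size == 0:
            return "".join(out)
        out.append(raw[end + 2:end + 2 + size])
        pos = end + 2 + size + 2

def parse_login_response(raw):
    """Extract the cookie hash and secret (Set-Cookie) and the session ID (JSON body)."""
    head, body = raw.split("\r\n\r\n", 1)
    login = {"cookie_hash": None, "secret": None}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        cname, _, rest = value.strip().partition("=")
        if name.lower() == "set-cookie" and cname.startswith(SECRET_PREFIX):
            login["cookie_hash"] = cname[len(SECRET_PREFIX):]
            login["secret"] = rest.split(";")[0]   # drop expires/path attributes
    login["session"] = json.loads(decode_chunked(body))["session"]
    return login

def request_matches_login(login, cookie_header, target):
    """True only if the request carries BOTH the secret cookie under the same hashed
    name AND the matching session parameter; either half alone is not enough."""
    cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    sent_session = parse_qs(urlsplit(target).query).get("session", [None])[0]
    return (cookies.get(SECRET_PREFIX + login["cookie_hash"]) == login["secret"]
            and sent_session == login["session"])
```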
== Using a session ==

== Storing a session for autologin ==

== Retrieving a session with autologin ==

== Session hibernation for long running sessions ==