#1 2014-09-02 11:55:36

emaxx
Member
Registered: 2014-07-03
Posts: 18

Async session handling

Signed sessions are sequential by design. Every new signed session signature can't be older in time than the last one, see

function TSQLRestServerAuthenticationSignedURI.RetrieveSession
	…
	(aTimeStamp>=result.fLastTimeStamp) and // check time stamp coherency

Unfortunately this is an issue for us and prevents us from doing simple async AJAX calls within one main session. We are using libraries like jQuery and source based on RangerX's auth-schema. In fact, it isn't possible to predict which signed AJAX call in a sequence will arrive at the mORMot server first. Especially with large BLOB uploads there are sometimes issues with 403 Forbidden :(

Surely, the problem can be solved with additional sessions for parallel tasks, but for our purposes it's good enough to comment out the aTimeStamp-Line, so that there is no more need of session-handling-overhead.

@ab, is there a way to allow this "weaker security" by the framework within a property or is there something that we have overlooked?

Offline

#2 2014-09-02 12:42:42

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: Async session handling

Good idea.

We have just added the TSQLRestServerAuthenticationSignedURI.NoTimeStampCoherencyCheck to optionally disable the session timestamp check during URI signature authentication.
Now AuthenticationRegister() will be a function returning the existing authentication instance, to customize it.

You should be able to write now:

  (aServer.AuthenticationRegister(TSQLRestServerAuthenticationDefault) as TSQLRestServerAuthenticationSignedURI).NoTimeStampCoherencyCheck := true;

Thanks for the feedback.

Offline

#3 2014-09-02 14:41:20

emaxx
Member
Registered: 2014-07-03
Posts: 18

Re: Async session handling

Hi Arnaud, thank you for the adoption and quick implementation. Works very well, as expected.

BTW, one note to consider: shorthand overloaded function

AuthenticationRegister(const aMethods: array of TSQLRestServerAuthenticationClass)

falls into disuse for this new feature. But this has no impact, mORMot rocks :) Thank you very much!

Offline

#4 2014-09-02 15:35:02

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,655
Website

Re: Async session handling

Yes, AuthenticationRegister([aClass1,aClass2]) can not return an array of instances.
But you can just call AuthenticationRegister(aClass1) later: since aClass1 is already there, it will return the existing instance, so that you can set its options.

Thanks for the idea!
8)

Offline
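
A simplified model of the trade-off discussed in this thread, added here as an example; it is not mORMot source and not code from either poster. It compares the timestamp rule quoted in post #1, the same session with the check disabled, and a hypothetical windowed variant that tolerates out-of-order arrival but rejects a re-sent request. All function names and timestamps are constructed, and signature verification is assumed to have passed already.

```javascript
// Simplified per-session timestamp models (assumption: not mORMot's code).
// Each factory returns accept(ts) -> true (served) or false (403 Forbidden).

// Rule quoted in post #1: timestamp must be >= the last accepted one.
function makeStrictSession() {
  let last = 0;
  return (ts) => {
    if (ts < last) return false; // older than the last accepted request
    last = ts;
    return true;
  };
}

// Coherency check disabled: any correctly signed timestamp is accepted.
function makeUncheckedSession() {
  return (_ts) => true;
}

// Hypothetical middle ground: accept out-of-order timestamps inside a
// window, but each value only once, so a captured request cannot be re-sent.
function makeWindowedSession(windowSize) {
  let highest = 0;
  const seen = new Set();
  return (ts) => {
    if (ts <= highest - windowSize) return false; // fell out of the window
    if (seen.has(ts)) return false;               // already used: replay
    seen.add(ts);
    if (ts > highest) {
      highest = ts;
      // Forget values that can no longer be accepted anyway.
      for (const old of seen) if (old <= highest - windowSize) seen.delete(old);
    }
    return true;
  };
}

// Constructed arrival order: parallel calls signed at 101, 102, 103 arrive
// as 101, 103, 102 (102 is a slow upload); then 101 is sent a second time.
const ARRIVALS = [101, 103, 102, 101];

function run(session) {
  return ARRIVALS.map((ts) => session(ts));
}

console.log("strict   ", run(makeStrictSession()));
console.log("unchecked", run(makeUncheckedSession()));
console.log("windowed ", run(makeWindowedSession(16)));
```

The strict session rejects the late upload, the unchecked session accepts everything including the repeated request, and the windowed session accepts the late upload while rejecting the repeat.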
