#1 2025-11-27 13:47:59

anouri
Member
Registered: 2024-02-11
Posts: 160

Can't change SessionTimeOut

Hello,

I am having trouble with session timeouts in my REST server. I have set the SessionTimeout to 100, but the session still expires after 10 minutes.

Here is my OnAuthenticationUserRetrieve event handler:

fPassakServer.OnAuthenticationUserRetrieve := AuthenticationUserRetrieve;

function TfrmMain.AuthenticationUserRetrieve(Sender: TRestServerAuthentication;
  Ctxt: TRestServerUriContext; aUserID: TID; const aUserName: RawUtf8): TAuthUser;
begin
  Result := nil; // unknown user: returning nil lets the framework reject the login
  if ThreadSafeUsers.Exist(aUserName) then
  begin
    var User := ThreadSafeUsers.FindByLogonName(aUserName);
    Result := TAuthUser.Create;
    Result.LogonName := User.LogonName;
    Result.PasswordPlain := User.PasswordPlain;
    Result.IDValue := User.IDValue;
    Result.GroupRights := User.GroupRights;
    Result.GroupRights.SessionTimeout := 100;
  end;
end;

I create TUser objects and store them in a thread-safe array named ThreadSafeUsers.FUsers.

A separate issue I have is with initializing the TAuthGroup. When I try to create it with AuthGroup := TAuthGroup.Create, I get an Access Violation (AV) error. However, using AuthGroup := TAuthGroup.CreateWithID(1) works fine.

I am struggling to understand how to properly create users and groups dynamically in this framework.

My auth service:
https://gist.github.com/a-nouri/46f6b58 … 694b30616d

Last edited by anouri (2025-11-27 14:16:13)

#2 2025-11-27 16:23:30

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,305

Re: Can't change SessionTimeOut

Thanks for posting a gist with some code. It is easier to find out what you did and what you expect.

If you debug a little bit, you would probably find that SessionTimeout is used by ComputeProtectedValues(), from TAuthSession.Create.

Then, in TAuthSession.Create, the TAuthGroup instance is created and read from the ORM.
Filling aUser.GroupRights with your own instance does not make any sense. It just won't work.

This is as documented: TAuthUser.GroupRights is not a TAuthGroup instance here, it is a TAuthGroup ID (see comments like "retrieve pseudo TAuthGroup = ID").

So you need to create proper groups and store them in the ORM, not make your own fake in-memory pure TAuthGroup instances.

#3 2025-11-28 13:52:56

anouri
Member
Registered: 2024-02-11
Posts: 160

Re: Can't change SessionTimeOut

If I don't create a TAuthGroup, this works:

Result.GroupRights := TAuthGroup(1);

but when I call
Result.GroupRights.SessionTimeout := 100;
I get an AV.

mormot.rest.server.pas:

  TOnAuthenticationUserRetrieve = function(Sender: TRestServerAuthentication;
    Ctxt: TRestServerUriContext; aUserID: TID;
    const aUserName: RawUtf8): TAuthUser of object;

TAuthUser is defined in mormot.rest.core.pas:
  TAuthUser = class(TOrm)
  protected
    fLogonName: RawUtf8;
    fPasswordHashHexa: RawUtf8;
    fDisplayName: RawUtf8;
    fGroupRights: TAuthGroup;
    fData: RawBlob;
    procedure SetPasswordPlain(const Value: RawUtf8);
  public
...
    property GroupRights: TAuthGroup
      read fGroupRights write fGroupRights;

So GroupRights is a TAuthGroup class, not an ID.

Last edited by anouri (2025-11-28 13:55:36)

#4 2025-11-28 14:22:02

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,305

Re: Can't change SessionTimeOut

Of course.

But you don't understand what I meant with TAuthGroup ID (see comments like "retrieve pseudo TAuthGroup = ID"):
https://synopse.info/files/html/Synopse … ml#TITL_26

I know this is very confusing, but it is how it was defined and used in this case.
New code should better use a TID field, but we could not change the TAuthUser definition after so many years.

#5 2025-11-28 15:21:55

anouri
Member
Registered: 2024-02-11
Posts: 160

Re: Can't change SessionTimeOut

I understand what you mean. I can create users (or groups) and add them to the ORM:

var bb := TAuthUser.Create;
bb.PasswordPlain := '2';
bb.IDValue := 10;
bb.LogonName := 'admin1';
bb.GroupRights := TAuthGroup(1);
Self.Server.Add(bb, True);

Let me explain my real problem.
I have an existing database that my customers use. Passwords are hashed with my own method and stored in the database. I don't know what the passwords are because they are hashed and saved in my existing users table in my MySQL database.

How can I use my own hashing method to verify that a user's password is correct?

Last edited by anouri (2025-11-28 15:29:47)

#6 2025-11-28 17:55:26

anouri
Member
Registered: 2024-02-11
Posts: 160

Re: Can't change SessionTimeOut

I found it.

I override TRestServerAuthenticationHttpBasic.CheckPassword.

Now it works as expected.

Thank you so much

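Putting ab's two points and anouri's fix together, as an added example that is not code from this thread or from mORMot itself: the group is a real ORM record that carries the SessionTimeout, and a subclass of TRestServerAuthenticationHttpBasic overrides CheckPassword to verify the password against the hash stored in the legacy database. The class name TLegacyHashAuthentication, the group name 'LegacyUsers' and the use of Sha256() in place of the customer's own hashing scheme are assumptions; the OnAuthenticationUserRetrieve handler is assumed to copy the stored hash into Result.PasswordHashHexa rather than setting PasswordPlain.

```pascal
uses
  mormot.core.base, mormot.crypt.core, mormot.orm.base, mormot.orm.core,
  mormot.rest.core, mormot.rest.server;
type
  /// HTTP Basic authentication checking the password against a legacy hash
  // - expects the stored hash in User.PasswordHashHexa, filled from the
  // customer database by the OnAuthenticationUserRetrieve handler
  TLegacyHashAuthentication = class(TRestServerAuthenticationHttpBasic)
  protected
    function CheckPassword(Ctxt: TRestServerUriContext; User: TAuthUser;
      const aPassWord: RawUtf8): boolean; override;
  end;

/// compare two digests without stopping at the first mismatching byte,
// so the time taken does not reveal how many leading bytes were right
function ConstantTimeEquals(const a, b: RawUtf8): boolean;
var
  i, diff: integer;
begin
  result := false;
  if length(a) <> length(b) then
    exit; // digests have a fixed length, so nothing useful leaks here
  diff := 0;
  for i := 1 to length(a) do
    diff := diff or (ord(a[i]) xor ord(b[i]));
  result := diff = 0;
end;
function TLegacyHashAuthentication.CheckPassword(Ctxt: TRestServerUriContext;
  User: TAuthUser; const aPassWord: RawUtf8): boolean;
begin
  // Sha256() stands in for the customer's own (hypothetical) hashing scheme
  result := ConstantTimeEquals(Sha256(aPassWord), User.PasswordHashHexa);
end;
/// store a real TAuthGroup in the ORM: its SessionTimeout is what
// TAuthSession.Create reads; TAuthUser.GroupRights only carries its ID
function SetupLegacyAuthentication(Server: TRestServer): TID;
var
  grp: TAuthGroup;
begin
  grp := TAuthGroup.Create;
  try
    grp.Ident := 'LegacyUsers';
    grp.SessionTimeout := 100; // minutes
    grp.AccessRights := FULL_ACCESS_RIGHTS;
    result := Server.Orm.Add(grp, true); // users then use GroupRights := TAuthGroup(result)
  finally
    grp.Free;
  end;
  Server.AuthenticationRegister(TLegacyHashAuthentication);
end;
```

The returned group ID is what each TAuthUser record stores in GroupRights, exactly as the `TAuthGroup(1)` cast in the posts above does for the default group.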