Dredging SAM-Consult: User Management

Read how sessions are handled

The class CUser is called every time the class CFullXMLEngine is initialized. Then the initialization (function Init) of CUser is done and the class checks the permissions of the current user (function CheckUser).

Class_Initialize()

Initialize class CUser.

At first we need a object for accessing the file system to handle the file session.xml and a XML object to handle the file member.xml.
Dim objFSO : Set objFSO = server.CreateObject("scripting.Filesystemobject")
...
set m_oXMLSession = server.CreateObject(MSXML_PROGID)
m_oXMLSession.async = false

FullXML use the file session.xml to store the information about all current visitors (anonym and logged on). Every entry has an id, generated by FullXML.
<sessions>
   ...
   <session id="4nXidu-4fYRlv-uJH9E5" username="" password="" groupname="anonymous" userid="0" groupid="0" date="" localip="127.0.0.2" remoteip="127.0.0.2"/>
   <session id="QpjyCD-CyGYGs-D1Hxgu" username="JeS" password="xxx" groupname="administrator" userid="4" groupid="0" date="200306032027" localip="127.0.0.1" remoteip="127.0.0.1"/>
   ...
</sessions>

Now we know the user on the server side. On client side FullXML uses a cookie. In this file we find the session id. So the first thing is to check, if the file session.xml exists. If the file exists, FullXML loads the file into memory, in other case FullXML has to create the file.
If objFSO.FileExists(SESSIONS_PATH) Then
      if not m_oXMLSession.load(SESSIONS_PATH) then
         ...
         Exit sub
      end if
   Else
      m_oXMLSession.loadxml("<sessions/>")
end if

The initializing phase is finished with giving standard values to global variables. If the cookie doesn't exist, m_sSessionID is NULL.
m_sSessionID = Request.Cookies(COOKIE_NAME)(COOKIE_VALUE_SESSION)
m_sUserName  = ""
m_sPassword  = ""
m_sGroupName = "anonymous"
m_iUserID  = 0
m_iGroupID  = 0
m_sLocalIP  = Request.ServerVariables("LOCAL_ADDR")
m_sRemoteIP  = Request.ServerVariables("REMOTE_ADDR")
m_sDate   = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & right("0" & datepart("h",Now),2) & right("0" & datepart("n",Now),2)

Property Count

The property returns the number of active sessions.

All sessions with actions within the last 20 minutes are current sessions.
thedate = dateadd("n", -20, Now)
thedate = Year(thedate) & Right("0" & Month(thedate), 2) & Right("0" & Day(thedate), 2) & right("0" & datepart("h",thedate),2) & right("0" & datepart("n",thedate),2)

Now FullXML looks for these sessions in file session.xml and returns the number of founded sessions.
set oNodeList = m_oXMLSession.selectNodes("/sessions/session[@date >= number(" & thedate & ")]")
...
Count = oNodeList.length

Property CountMembers

The property returns the number of identified sessions.

All sessions of logged on members with actions within the last 20 minutes are counted.
thedate = dateadd("n", -20, Now)
thedate = Year(thedate) & Right("0" & Month(thedate), 2) & Right("0" & Day(thedate), 2) & right("0" & datepart("h",thedate),2) & right("0" & datepart("n",thedate),2)

Now FullXML looks for these sessions in file session.xml and returns the number of founded sessions.
set oNodeList = m_oXMLSession.selectNodes("/sessions/session[@date >= number(" & thedate & ") and string-length(@username)>0]")
...
Count = oNodeList.length

Function Init()

At first FullXML checks, if a session exists and will create one if it doesn't.
if len(m_sSessionID)=20 then
Call Load()
else
Call Create()
end if

The next step is to get the login name and password from login form. The class CUser try to get this value every time the class is initialized. If the user already loged on the values of these variables are filled with NULL.
l_sFrmLogin = URLDecode(m_oFO.Form("lgn"))
l_sFrmPassword = URLDecode(m_oFO.Form("pwd"))

If the user tries to log on, FullXML checks if the combination of username and password is correct. FullXML saves the information into a cookie if this check is successfull. The class oRc4 is used to encrypt the username and password.
if lenb(l_sFrmLogin)>0 and lenb(l_sFrmPassword)>0 then
   if CheckUser(l_sFrmLogin, l_sFrmPassword) then
      If lenB(m_oFO.Form("rememberme"))>0 then
         Response.Cookies(COOKIE_RMB_NAME)(COOKIE_VALUE_USR) = oRc4(l_sFrmLogin, CRYPT_RC4_KEY)
         Response.Cookies(COOKIE_RMB_NAME)(COOKIE_VALUE_PWD) = oRc4(l_sFrmPassword, CRYPT_RC4_KEY)
         Response.Cookies(COOKIE_RMB_NAME).Expires = DateAdd("M", 1, Date)
      End If
      ...
      call Save()
   else
      Init = ERR_LOGIN_PWD
   end if
end if

Now we should save the file session.xml .
call purge()
call Save()

Sub LogOff()

Log off the user, so it returns to a anonymous state.

The global variables gets standard values and the information in cookie are set to default values, too. The session id is kept.
m_sUserName  = ""
m_sGroupName = "anonymous"
m_iUserID  = 0
m_iGroupID  = 0
m_sDate   = ""

Response.Cookies(COOKIE_RMB_NAME)(COOKIE_VALUE_USR) = ""
Response.Cookies(COOKIE_RMB_NAME)(COOKIE_VALUE_PWD) = ""

And now it's time to save the file session.xml.
call Save()

Sub Load()

Load the session corresponding to the sessionID.

In session.xml FullXML looks for the session id found in cookie. If a node is found, the information are loaded into global variables. After loading the data, the combination of username and password is checked.
set oNodeList = m_oXMLSession.selectNodes("/sessions/session[@id='" & m_sSessionID & "']")
if oNodeList.length>0 then
   m_sUserName  = oNodeList.item(0).attributes.getnameditem("username").text
   m_sGroupName = oNodeList.item(0).attributes.getnameditem("groupname").text
   m_sPassword  = oNodeList.item(0).attributes.getnameditem("password").text
   m_iUserID  = oNodeList.item(0).attributes.getnameditem("userid").text
   m_iGroupID  = oNodeList.item(0).attributes.getnameditem("groupid").text
   m_sDate   = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & right("0" & datepart("h",Now),2) & right("0" & datepart("n",Now),2)

   Call CheckUser(m_sUserName, m_sPassword)
end if

Sub Create()

The function creates an anonymous new session.

A unique session id is created by this function.
m_sSessionID = GetGuid(6) & "-" & GetGuid(6) & "-" & GetGuid(6)

Function CheckUser()

This function checks the combination of username and password.

At first we have to replace any additional and unneeded character.
p_sLogin = replace(p_sLogin, "'", "")
p_sPassword = replace(p_sPassword, "'", "")

After loading the file member.xml, FullXML looks for the given username and password. This is done by using the funxtions of the xml parser. XML is case sensitive, that's why username and password have to have right case.
if m_oXML.load(MEMBER_PATH) then
Set oMemberNode = m_oXML.SelectNodes("/members/member[(pseudo='" & p_sLogin & "' or email='" & p_sLogin & "') and password='" & p_sPassword & "' and visible='on']")

If a user is found, global variables get the values stored in member.xml by using function GetXPathValue(). If no node is found, the global variables are filled with standard values to identify a anonymous session.
If oMemberNode.length>0 then
   ...
   call GetXPathValue(m_sUserName, "/members/member[(pseudo='" & p_sLogin & "' or email='" & p_sLogin & "') and password='" & p_sPassword & "' and visible='on']/pseudo")
   call GetXPathValue(m_sGroupName, "/members/member[(pseudo='" & p_sLogin & "' or email='" & p_sLogin & "') and password='" & p_sPassword & "' and visible='on']/type")
   call GetXPathValue(m_iUserID, "/members/member[(pseudo='" & p_sLogin & "' or email='" & p_sLogin & "') and password='" & p_sPassword & "' and visible='on']/id")
   CheckUser = true
else
   m_sUserName  = ""
   m_sGroupName = "anonymous"
   m_iGroupID  = 0
   m_iUserID  = 0
   CheckUser = false
End if

Sub Save()

Save the session file.

If the user has an active session in session file with another session id than stored in cookie. This session node is deleted.
if len(m_sUserName)>0 then
   set oNodeList = m_oXMLSession.SelectNodes("/sessions/session[@username='" & m_sUserName & "' and @id!='" & m_sSessionID & "']")
   if oNodeList.length>0 then
      for each Item in oNodeList
         Item.parentNode.removeChild(Item)
      next
   end if
end if

Now we look for the session belonging to the session id. If no session is found, a new node is created. In other case the existing session node is updated.
set oNodeList = m_oXMLSession.SelectNodes("/sessions/session[@id='" & m_sSessionID & "']")
if oNodeList.length=0 then
   set oNewNode = m_oXMLSession.documentelement.appendChild(m_oXMLSession.createElement("session"))
   call addAttribute("id", m_sSessionID, oNewNode)
   call addAttribute("username", m_sUserName, oNewNode)
   ...
   call addAttribute("remoteip", m_sRemoteIP, oNewNode)
else
   m_oXMLSession.SelectSingleNode("/sessions/session[@id='" & m_sSessionID & "']/@username").value = cstr(m_sUserName)
   m_oXMLSession.SelectSingleNode("/sessions/session[@id='" & m_sSessionID & "']/@password").value = cstr(m_sPassword)
   ...
   m_oXMLSession.SelectSingleNode("/sessions/session[@id='" & m_sSessionID & "']/@date").value = cstr(m_sDate)
end if

After that saving session file is needed.
call SaveXMLFile(SESSIONS_PATH, m_oXMLSession.xml)

Sub addAttribute()

The function creates attribute to a xml node.

Set newAtt = m_oXML.createAttribute(sName)
newAtt.value = cstr(sValue)
oNode.Attributes.setNamedItem newAtt

Sub Purge()

Removes old sessions from session file.

Every session older than 20 minutes is removed from session file by this function.
thedate = dateadd("n", -20, Now)
thedate = Year(thedate) & Right("0" & Month(thedate), 2) & Right("0" & Day(thedate), 2) & right("0" & datepart("h",thedate),2) & right("0" & datepart("n",thedate),2)
set oNodeList = m_oXMLSession.selectNodes("/sessions/session[@date < number(" & thedate & ")]")
for each item in oNodeList
item.parentNode.removeChild(item)
next

Sub GetXPathValue()

The function gets node value from the xpath.

The function gets the value of the node and returns the value if the node exists.
set oNodeList = m_oXML.selectNodes(sXPath)
if oNodeList.length>0 then
sVariable = oNodeList.item(0).text
end if