Re: Create new Session & Login as User from Admin Session
- Subject: Re: Create new Session & Login as User from Admin Session
- From: Mike Schrag <email@hidden>
- Date: Tue, 6 Feb 2007 09:23:25 -0500
You are treading in some weird waters here. You have the potential
to cause very strange things from the user's perspective. For
instance, if you hijack their session, you'll be using the same
context ids they are. This means you can blow out their page cache
and cause strange state transitions. A much better way would be to
steal the USER of the session and create a new session with the same
user ...
While I haven't done the "hijack a session" option, I did recently
just write an active session browser/terminator (which might roll
into Project Wonder ... it's just kind of bound up in our auth APIs
at the moment).
You would need to enumerate the currently open sessions and identify
which one is the one you're looking for. The first API you want is:
    WOServerSessionStore sessionStore =
        (WOServerSessionStore) WOApplication.application().sessionStore();
    NSArray sessions = sessionStore._sessions().allValues();
This will give you an array of WOSessions.
** You want to probably be kind of careful with how you do things and
make sure you don't hold on to references to the sessions (like in
your page cache, etc). ** So any ivar that touches the session, you
need to be very careful about cleaning up at the end of your RR loop. **
The easiest way to hijack their session is to generate a direct action
URL and manually set wosid=oneofthesessions.sessionID(). Note that
if you generate direct action urls they, by default, will have your
existing wosid in them. So you might have to munge the URL some. But
that should basically get you in.
I still recommend "becoming the same user" vs "becoming the same
session" though. Far less shoot-self-in-foot potential.
ms
On Feb 6, 2007, at 7:33 AM, email@hidden wrote:
Hi,
I would like to login as a user from an admin's session. I don't want
to do this by a DA for security reasons. It would be great if the
admin clicks on "Login as whoever" and gets a new session with the
user data in a new browser window. The admin session should not be
terminated in between.
How can this be done? I know how to create a new session but I
don't know how to send the user to the correct component and set
the component values.
Cheers Dave
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
40mdimension.com
This email sent to email@hidden
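
A framework-neutral Java sketch of the "becoming the same user" approach recommended in the reply above, added here as an illustration; it is not code from the thread, from WebObjects or from Project Wonder. The Session record, the in-memory store, the admins set and the loginAs helper are all hypothetical names, and the sample users are constructed.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical model of a session store; none of these types are WebObjects classes. */
public class ImpersonationDemo {
    // actingAdmin is null for a normal login and names the admin for an impersonated one.
    record Session(String id, String user, String actingAdmin) {}

    static final Map<String, Session> store = new ConcurrentHashMap<>();
    static final List<String> audit = new ArrayList<>();
    static final SecureRandom rng = new SecureRandom();

    static String newId() {
        byte[] b = new byte[16];
        rng.nextBytes(b);
        return HexFormat.of().formatHex(b);
    }

    static Session login(String user) {
        Session s = new Session(newId(), user, null);
        store.put(s.id(), s);
        return s;
    }

    /** Opens a fresh session for targetUser; the user's own session id is never read or reused. */
    static Session loginAs(Session admin, Set<String> admins, String targetUser) {
        boolean live = store.containsKey(admin.id());
        // An impersonated session may not be used to impersonate someone else.
        if (!live || !admins.contains(admin.user()) || admin.actingAdmin() != null)
            throw new SecurityException("caller is not a live admin session");
        Session s = new Session(newId(), targetUser, admin.user());
        store.put(s.id(), s);
        audit.add(Instant.now() + " " + admin.user() + " opened a session as " + targetUser);
        return s;
    }

    public static void main(String[] args) {
        Set<String> admins = Set.of("admin");            // constructed sample data
        Session dave = login("dave");
        Session admin = login("admin");
        Session shadow = loginAs(admin, admins, "dave");
        System.out.println("separate session ids: " + !shadow.id().equals(dave.id()));
        System.out.println("user session untouched: " + store.containsKey(dave.id()));
        System.out.println("admin session still live: " + store.containsKey(admin.id()));
        audit.forEach(System.out::println);
    }
}
```

Because the impersonated session has its own id and its own state, nothing in the user's page cache is touched, and the actingAdmin field lets every later action in that session be attributed to the admin.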