So, I created a new Role, called TaskAdmin.  To this role, I added 3 privs:

%Admin_Task

%DB_CACHESYS

%Development (so user could login to terminal)

I included the only tables I could find in %SYS that are relevant: 

%SYS_Task.Config

%SYS_Task.History

I added my own tables and views that use these tables.

To this role, I added a new user called task_admin, to test a query from the terminal.  i.e. I created a new user, task_admin, and added this single role.

This test user, task_admin, can run the SQL shell in the terminal and select * from %SYS_Task.History. (%SYS.Task is a different story!).  So, success.

In order for a real user to see my table, which is a mix of %SYS.Task, %SYS_Task.Histoy, and my own tables, and my own view based on those same tables, I had to add my own tables and views to the role TaskAdmin as well; but it did work finally work.

I also remembered seeing somewhere that embedded SQL  does not check SQL privs, which is maybe why I could see all this table data in the <tablePane> without adding tables. (?) I admit that the user looking at my table data did have %Admin_Task and %DB_CACHESYS privs already (from some role). But the user could not call a query/view that queried %SYS_Task.History directly until I added my own tables.

Yes, I really l mean that about the <tablePane>.  My user had the privs, but not the tables, and yet could see the data in a <tablePane>.  Is this included in embedded SQL?

So, basically I think I got it, and the real user needed my tables/view added to a role; the test user needed the %SYS tables added since he (it) was querying just the %SYS tables.

Thank you for your help!

Laura

OK, thank you; We'll have to take a look.  

I need some kind of Authenticated flag to check, and if false, use OnPreHTTP to call %response.Redirect... 

But the login page is already the Login page, which forces the user to authenticate first; it also go to the login page upon logout.

I tried this on some random web application; clicking on a bookmark brought me immediately to their login page; I didn't even have to login to get redirected.

Ooh, fun, thanks.  Can I use it with %ListOfDataTypes too?  I have both returned from methods, and I need to use them in the %session array.  

That's a good idea. For future reference, here's an example:

http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=...

(see the Example section).  I'll probably try it after consulting with some other programmers. I'm not sure it's critical to know, at this point.  But it would be interesting to know.

Thanks,

Laura

AH.  IF we use cookies, they will be stored in the Session Cookie Path.  We don't, but the Application must use at least the one login cookie to pass authentication between applications.  I can see it in my browser, and it's called CSPSESSIONID +other stuff.  

I'm thinking that this login cookie would be used somehow if the Login Cookie is selected? Or not used?  We don't want that either-- we like the continuity between applications. But, what does happen if the Login Cookie is selected in the web application?

What could we store in a cookie?  Can we possibly find out if a second tab has been opened by using a cookie?

nope.  i'm talking about Cache web applications. There are two properties onthe web application page: Loging Cookie, and Session Cookie Path.  The Session cookie path is a path.  We set all of our applications to use the same session cookie path. We do not have the Login Cookie option set.  So, presumably all of our applications use the same (cache) authentication because of the session cookie path.

Jsut wondering what would happed if I check that little Login COokie Path box.

I also see cookies in my browser, with the same session ID as some of my CSP sessions. Wondering what that cookie is.  Not a login cookie?

Thanks,

Laura

Thanks Sean.  Jonathan at IS did call me today, and we discussed sessions.  I found that I had been timeing users out incorrectly, but that i'm doing it correctly now.

We decided that I would set the Events Class to my session events class for all the web applications that we're using.

The problem is that I did that, but the sessions still dont' seem to be timing out. I began to play with the session object at a terminal window (for future reference, it's the %CSP.Session class, and it's persisten).  I was not able to edit a session object with ID = SessionId, because of an error.  I think this may be causing a lot of problems on our end.  

Yes, IS will have to help with this.

Thanks!

Laura

We set the SessionEvents class programmatically.  When I end a session via management portal, it does not end.  Sometime it sets the Timeout to NOW (UTC time) but it's still in the list of CSP Sessions in mgmt portal.

I can see the application it's using, so I set the SessionEvent class in the web application to our SessionEvent class, (sounds redundant but it's not), then tried to end it again.  It's still there. 

There are some sessions using the web application /isc/studio/usertemplates/ with a timeout of 2016-08-30 17:30:41.

Does the CSP.Daemon try to run our own SessionEvents class? Are there settings for this somewhere?

Thanks,

Laura

Yes, we have had a SessionEvents class, since before I took over logouts and sessions.  

I have since had the user logout with ?CacheLogout=end, which calls OnEndSession in the sessionevents class,  which then calls  Do ##class(%ZEN.Controller).OnEndSession() per the documentation.  I do a little cleanup in OnEnsSession, too, but nothing worth noting ( a little temp global cleanup ) (ok, so I just noted it).

Yes, before I took over this, the OnEndSession actually set EndSession = 0; I don't think we knew what to do.

But NOW, wouldn't the Daemon just clean stuff up? 

Say, am I logging out correctly now and ending everything? That is, as log as the user logs out.  If he just closes the browser (you can never really stop them from doing this), what happens to the session and to the license? 

Thanks

Laura

Hi Sean,

Yes, there are 241 csp sessions, and all but 9 have timeouts in the past.  I have been working on logouts and sessions, and have changed things in the code, but the default timeout was always 3600 at most (set in the web application), and now it's 45*60 (45 minutes), set in the code.

How do I clean these up?  If I can at least clean them up, I can see if the current logout code will reclaim sessions/licenses.

I was playing around with that... actually I was looking at the ZEN version "onunloadHandler".  From  the documentation: "This client-side page method, if defined, is called when the client page is about to unload. It is triggered by the page’s HTML onbeforeunload event."

But it was causing a popup to appear when the user is simple navigating around the application -- of dozens of pages.  I assume each page is unloading before the next one appears.

I wonder if I have access to the URL of the next page.

I'm really surprised HTML5 doesn't have something like this yet, to capture a tab/browser close event rather than just an unload.

Anyway, thanks -- I'll see what I can do.

Laura

I'll look into the AJAX thing, thanks.  

We do set an AppTimeout, and upon timeout we ask the user first if he really wants to timeout.  If so, then the session is logged out, not timed out, and the license is released.  But, this is only if the user is good and either accepts the timeout or logs out with the logout link.

If he closes the browser (bad user) then the license is not released.  We have some that have been active for 11 days, and I know they're not being used.

I'll see if I can catch a 'close' just before the tab or browser closes.

Is there a way to tell cache to remove the license if nothing has been done with it in, say, 24 hours?

And for the future record, it's the %response object, which actually references onPreHTTP() in the Context property.  So yeah, I'll be looking at all that.

Thanks all.

Well, I'm not a web programmer, and I don't know anything about web sockets.  So let's go with "not using".

We do store the namespace in the %session.Data variable.  howver, it's possible to chnage the namespace while on a second tab, and then when you come back and file data, oops, you're filing it into the wrong namespace.  

We'll just have to implement checks with the %session variable, perhaps a URL parameter, and what namespace the user thinks he's in based on a field on the screen.  

In the meantime, I'm going to have to say "no second tabs, even though it can make you feel more productive to work on separate clients/applications at one time".

Sigh.  Thanks.

Ok, it's really easy to mess up MgmtPortal; however, I do see the $NAMESPACE=namespace in the URL (at times).  Although not completely consistent (try it - so easy to confuse it), at least it gives you a starting point of where the user thinks  you should be.

Is that the only way mgmt portal knows?  Is it switching namespaces on the other tabs every time you change one tab?  Or is it keeping the tabs' namespaces separate?