IntraWeb and Session Timeout

This week I had to maintain an IntraWeb application. For those who are not familiar with IntraWeb it allows you to create a web application with Delphi. This means that you can design your web application with components and their properties in the same way as a Delphi desktop application. At runtime the controls render themselves, they create html code so that they look and feel in the same way as in the designer preview. That’s why the IntraWeb version that ships with Delphi is called the VCL for the Web.

I have to mention that there are huge differences between the various IntraWeb versions. In this case I used IntraWeb 12 in Delphi XE2 with full source code. In the version that ships with Delphi there are some limitations so that maybe the code I will show will not work. Currently Atozed is shipping a new IntraWeb version, the version 14.

If you create a new IntraWeb application you normally create two different apps: A stand-alone webserver for debugging purpose and a ISAPI dll that will be used in the real world.

The IntraWeb project wizard creates amongst others two important units: A server controller and a user session unit. Its is not surprising, the server controller controls your IntraWeb server app. Since web apps are stateless the user session gives you the possibility to save data that can be exchanged between your forms.

Let’s go back to the original problem: If your web apps shows some confidential data the app should get into a timeout after several minutes of inactivity. Therefore you can simply set the SessionTimeout property of the ServerController to a value in minutes after which your session gets into a timeout. In order to show the user a webesite after a timeout you can put a TIWURLResponderRedirect onto the ServerController and set the TimeoutResponse property to the TIWURLResponderRedirect. The TIWURLResponderRedirect has a property URL that will be shown in the case of a timeout.

This approach has two disadvantages: On the one hand the URL property points to a static website and on the other hand the client shows the timeout website not till then the client sends the next request to the server. The first point could be a deployment problem, the second point could be a problem since confidential data will rest on the screen.

That’s why I prefer a strategy in which the client polls the server, the server checks the inactivity time and if necessary redirects the client to a dynamic timeout website. Therefore I would like to place a timer on every form. The time polls the server, the server differs between the special timer request and a normal request, saves the last access in the session and redirects to the timeout form in the case the session has expired.

First I added the property LastAccess to the UserSession.

Since Delphi supports visual inheritance I derived every form from a base form and placed a timer on it. In the timer event I checked if the session has expired.

In the ServerController there is after every request an event fired in which I can decide if it was a normal request or a timer request.

In the timeout form I added a TIWURL component so that the user can navigate back to the login dialog. I set the URL property dynamically so that there is no problem concerning deployment.

Last bust not least I terminate the session manually (Please guys from Atozed don’t look at this code).

This entry was posted in Tips and Tricks and tagged , . Bookmark the permalink.

8 Responses to IntraWeb and Session Timeout

  1. Jorgen Lanesskog says:

    Great stuff ! 🙂

    Thank you 🙂

  2. Kevin G. McCoy says:

    Roman,

    Thanks for posting this!

    I am trying your technique (slightly modified) in my project, but have run across a couple problems.

    What does the urlWebWorkflowHTMLTag code do, and how do you hook it to the app?  It appears to be some sort of event handler, but which event?  I am using IW12, BTW.

    In my initial tests, I got the timeout to work… Once.  I have a TIWURL that relaunches the app using /$/start/ as the end of the URL.  The user can click on this URL if his session expires.  The problem is that the fresh restart of the app no longer fires the timer event.  Do you have any ideas?

    Best regards,

    Kevin

  3. Kevin G. McCoy says:

    Oops!  My bad!  The failure to restart the timer was due to a URL error. I was pointing to a different web site.  I’d still like to know what the event handler does though 🙂

    • roman says:

      I put a TIWURL on the form. It is a link component. The event is fired when the component creates its HTML tag. With this event handler I can set the content of the tag dynamically.


      Thanks,

      Roman

  4. Ricardo Alves says:

    Roman,

    Thanks for post.

    BTW, do you have a better tutorial for Intraweb other than that provided in Atozed’ site?

    I’m currently working in a project using Intraweb and I should confess: I’m hating because everything in Intraweb sounds too much confused and error prone.

    Best regards,

    Ricardo.

     

    • roman says:

      Dear Ricardo,

      I’m sorry I do not have a better tutorial. The best place to get some information is the EMBT intraweb forum.


      Thanks,

      Roman

  5. Hello,

    How can i create timer countdown per usersession? But its not session time out

    I’m sorry for my bad english,

    Thank’s

    • roman says:

      With client side JavaScript. Google for it, there are many examples for JavaScript, timer and current date and time.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.