Include a session specific url parameter in the session timeout page
#1
We have a web application with a static session timeout page looking like this:

Code:
<html>

<head>
<meta http-equiv="Content-Language" content="en">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>RapidReach logout</title>
</head>

<body>

<table border="0" width="100%">
  <tr>
    <td width="100%" bgcolor="#FFFFFF"><img border="0" src="/img/TopImage_RR.png" width="594" height="48"></td>
  </tr>
  <tr>
    <td width="100%"><b>Your session is no longer valid. You have been logged out due to inactivity or too many simultaneous sessions.</b></td>
  </tr>
  <tr>
    <td width="100%"><a href="/">Click here to login again.</a></td>
  </tr>
</table>
&nbsp;
</body>

</html>

A user in the web application is associated to an account. Some accounts have a url-parameter in their login-url. For a session that belongs to such an account, I would like to include that url parameter in the "Click here to login again." link, e.g. href="/?sso=MyAccount". Always including the sso url parameter but having it empty for some (most) accounts would also work. How would I do this in the best way?

Also, I would like to do the same thing in the default logout page (with very similar HTML code as above) (although I suspect that most customers in question would override the logout url). So same question on this (I suspect it might be easier than the session timeout case?).

Best regards

Magnus Oskarsson
#2
Hi Magnus,

The best way to accomplish that is subclassing the TIWExceptionRenderer and overriding the RenderHTML() method.

I wrote a very basic first version of this demo that I intend to enhance, but the basic thing that you need is already there:

https://github.com/Atozed/IntraWeb/tree/...imeoutPage

Check the unit CustomExceptionRenderer.pas. The code is simple and straightforward.

You basically need some tags in your HTML file (in that example it is {%URLPARAMS%}) that will be replaced by the custom exception renderer class with the data that you want. Basically anything can be done using this technique.

Please let me know if you need any other information
#3
Thanks Alexandre for looking at this!

I am trying to run your demo, but I must be missing something. The main web form is just empty, and if I try to refresh it after the session should have timed out I just get an HTTP Error 400 in the browser. When I check the code for TCustomExceptionRenderer, I wonder how it can get information from the UserSession object? Wouldn't that be nil in the EExpiredSession case (and the same if you also included the EInvalidSession and EInvalidAppID cases)? Is there any information of interest in these exception objects (like the (no longer valid) AppID) that you could make use of?

Best regards

Magnus Oskarsson
#4
Yes, in the specific case of EExpiredSession you won't have a valid session to retrieve the session data. You will need to use some other data structure to keep this data around. I have some ideas, but I'll need at least 1 day to be able to go back to that demo and move it forward.

I'll keep you posted.
#5
Hi Alexandre! An update on this topic. A colleague gave me a nice idea for a totally different solution to the source issue. Instead of trying to get dynamic information into the static timeout and logout pages, I now store this dynamic information in a cookie field. I added a "return=true" url parameter in all versions of the static timeout and logout pages so that I can know that we want to repeat the last login (which possibly included the above mentioned "sso" url parameter) (Note: I need to distinguish this re-login from the case where you deliberately try to access the login page without the "sso" parameter (e.g. if SSO login did not work as intended in the last attempt)).

So, from my point of view I am satisfied with this workaround and I am no longer waiting for a solution to my question above.

Best regards

Magnus Oskarsson
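
The workaround described in post #5, as an added Delphi example (not code from the thread or from IntraWeb): the login page takes the `sso` value from the URL, or from the cookie only when `return=true` is present, and checks it before putting it into a URL because a cookie is browser-supplied input. The names `LoginTarget` and `IsPlausibleAccount`, the 64-character limit and the allowed character set are assumptions; reading the query string and the cookie from the request is left out.

```delphi
program ReloginTargetDemo;

{$APPTYPE CONSOLE}

uses
  System.SysUtils, System.NetEncoding;

const
  MaxAccountLen = 64; // assumed upper bound for an account name

// Accept only short names made of letters, digits, '-', '_' and '.'.
// The cookie is sent by the browser, so its content is untrusted input.
function IsPlausibleAccount(const AValue: string): Boolean;
var
  C: Char;
begin
  Result := (AValue <> '') and (Length(AValue) <= MaxAccountLen);
  if not Result then
    Exit;
  for C in AValue do
    if not CharInSet(C, ['A'..'Z', 'a'..'z', '0'..'9', '-', '_', '.']) then
      Exit(False);
end;

// Hypothetical helper: the login URL that a request resolves to.
//   ASso       value of the "sso" query parameter ('' when absent)
//   AReturn    value of the "return" query parameter ('' when absent)
//   ACookieSso "sso" value remembered in the cookie at the last login
function LoginTarget(const ASso, AReturn, ACookieSso: string): string;
var
  Account: string;
begin
  Account := '';
  if ASso <> '' then
    Account := ASso              // explicit SSO login link
  else if SameText(AReturn, 'true') then
    Account := ACookieSso;       // re-login from the timeout/logout page
  // No "sso" and no "return=true": deliberate plain login, cookie ignored.
  if IsPlausibleAccount(Account) then
    Result := '/?sso=' + TNetEncoding.URL.Encode(Account)
  else
    Result := '/';
end;

begin // constructed sample inputs
  Writeln(LoginTarget('', 'true', 'MyAccount'));   // re-login, cookie used
  Writeln(LoginTarget('', '', 'MyAccount'));       // plain login requested
  Writeln(LoginTarget('', 'true', '"><script>'));  // tampered cookie value
end.
```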