User Session Management
This article describes the session and session id management in QPR ProcessAnalyzer.
Authentication and Session id
Access to QPR ProcessAnalyzer is granted only after successful authentication. On successful authentication the user receives a session id, a 128-bit number called a Globally Unique Identifier (GUID). The 128-bit length makes collisions across space and time practically impossible, but uniqueness alone does not protect a session: the id must also be unpredictable, so that an attacker cannot guess or enumerate the ids of other users' sessions. New GUIDs are created with the NEWID() function provided by SQL Server (https://docs.microsoft.com/en-us/sql/t-sql/functions/newid-transact-sql?view=sql-server-2017), which generates random (version 4) GUIDs; the sequential NEWSEQUENTIALID() function is not suitable for this purpose, because consecutive values are predictable. The generated GUID is compliant with RFC 4122 (https://tools.ietf.org/html/rfc4122).
The operation log and the server log record every username that attempted to authenticate against QPR ProcessAnalyzer, whether the attempt succeeded or not, together with the client IP address.
Session Management and Transport
Once the user is authenticated, subsequent requests are authenticated by the session rather than by credentials: the client proves it owns a session by sending the session id as a parameter with each request, and QPR ProcessAnalyzer validates the session id on every request it receives. The session id is also submitted with the log-off request, so that the server can invalidate exactly that session.
A session id is a bearer credential: anyone who obtains it can act as the user until the session expires or is logged off. Cryptographically secure network communications are therefore required for secure session management, and it is recommended to use the HTTPS protocol; over plain HTTP the session id travels in the clear and can be captured by anyone on the network path.
Log off and Session Expiration
When the user logs off, the session id is marked invalid in the session table of the QPR ProcessAnalyzer database, so it can no longer be used even if neither timeout has been reached. Two additional settings govern session lifetime, SessionIdleTimeout and SessionMaximumDuration (configured in the Web.config file of QPR ProcessAnalyzer). A session expires if it has not been used for the period defined by SessionIdleTimeout (one hour by default); each validated request restarts this idle period. SessionMaximumDuration defines the maximum lifetime of an active session: even a session in continuous use expires once this period has elapsed (one day by default), which bounds how long a stolen session id remains usable.
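To make the lifecycle described above concrete (issuing a random GUID, validating it on every request, the idle timeout, the maximum duration and log-off), here is an added example written for this article; it is not QPR ProcessAnalyzer code. It assumes an in-memory dictionary in place of the SQL Server session table, Python's uuid.uuid4() in place of NEWID(), and that expiry is checked with a "has elapsed or more" (>=) comparison; the real implementation may differ in these details. It also rejects any id that is not a well-formed RFC 4122 version 4 GUID before touching the store, since such an id cannot have been issued.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Defaults quoted in the article; in the product they live in Web.config.
SESSION_IDLE_TIMEOUT = timedelta(hours=1)
SESSION_MAXIMUM_DURATION = timedelta(days=1)

# Fixed clock for the walkthrough so the outcomes are reproducible.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)


def is_random_guid(sid):
    """True only for a well-formed RFC 4122 version 4 (random) GUID.
    Malformed strings and time-based/sequential GUIDs (version 1) are rejected."""
    try:
        u = uuid.UUID(str(sid))
    except ValueError:
        return False
    return u.variant == uuid.RFC_4122 and u.version == 4


@dataclass
class Session:
    user: str
    created: datetime    # start of the absolute SessionMaximumDuration window
    last_used: datetime  # start of the sliding SessionIdleTimeout window
    valid: bool = True   # cleared on log-off or on expiry


class SessionStore:
    """Stand-in for the session table (assumption: a dict instead of SQL Server)."""

    def __init__(self, idle_timeout=SESSION_IDLE_TIMEOUT,
                 max_duration=SESSION_MAXIMUM_DURATION):
        self.idle_timeout = idle_timeout
        self.max_duration = max_duration
        self._sessions = {}

    def create(self, user, now):
        # uuid.uuid4() stands in for SQL Server NEWID(): 122 random bits.
        sid = str(uuid.uuid4())
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid, now):
        """Return the username if sid is a live session, otherwise None.
        Format check first (no store access for junk input), then the absolute
        cap, then the idle window. Success slides the idle window forward;
        any failure invalidates the session for good."""
        if not is_random_guid(sid):
            return None
        s = self._sessions.get(sid)
        if s is None or not s.valid:
            return None
        if now - s.created >= self.max_duration:
            s.valid = False
            return None
        if now - s.last_used >= self.idle_timeout:
            s.valid = False
            return None
        s.last_used = now
        return s.user

    def logoff(self, sid):
        """Mark the session invalid; the id is never reused."""
        s = self._sessions.get(sid)
        if s is not None:
            s.valid = False


def demo():
    """Walk the lifecycle once with the fixed clock; returns the observed outcomes."""
    store, out = SessionStore(), {}

    sid = store.create("alice", T0)
    out["within_idle"] = store.validate(sid, T0 + timedelta(minutes=30))
    out["idle_window_slides"] = store.validate(sid, T0 + timedelta(minutes=89))   # 59 min since last use
    out["idle_expired"] = store.validate(sid, T0 + timedelta(minutes=150))        # 61 min idle
    out["stays_dead"] = store.validate(sid, T0 + timedelta(minutes=151))          # expiry is sticky

    sid = store.create("bob", T0)
    for k in range(1, 48):  # a request every 30 minutes keeps the idle timer reset
        store.validate(sid, T0 + timedelta(minutes=30 * k))
    out["active_before_max"] = store.validate(sid, T0 + timedelta(hours=23, minutes=59))
    out["max_duration_hit"] = store.validate(sid, T0 + timedelta(hours=24))      # despite activity

    sid = store.create("carol", T0)
    store.logoff(sid)
    out["after_logoff"] = store.validate(sid, T0 + timedelta(seconds=1))

    out["unknown_id"] = store.validate(str(uuid.uuid4()), T0)   # well-formed, never issued
    out["malformed_id"] = store.validate("not-a-guid", T0)
    out["time_based_id"] = store.validate(str(uuid.uuid1()), T0)  # version 1, not random
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ordering inside validate is deliberate: the maximum-duration check comes before the idle check so that a session kept alive by constant polling still dies at the absolute cap, and every failure path clears the valid flag so a later request that happens to fall inside a window cannot revive the session.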