User Session Management

From QPR ProcessAnalyzer Wiki

This page describes how user sessions are managed in QPR ProcessAnalyzer.

Authentication and Session id

Access to QPR ProcessAnalyzer is granted after successful authentication. On successful authentication, the user receives a session id. The session id is a 128-bit number called a Globally Unique Identifier (GUID). The length of the GUID (128 bits) can guarantee uniqueness across space and time. New GUIDs are created with the NEWID() function provided by SQL Server (https://docs.microsoft.com/en-us/sql/t-sql/functions/newid-transact-sql?view=sql-server-2017). The generated GUID is compliant with RFC 4122 (https://tools.ietf.org/html/rfc4122).

The server log keeps track of all the usernames that try to authenticate to QPR ProcessAnalyzer. The client IP address is also logged.

Session Management and Transport

Once the user is authenticated, subsequent requests authenticate the session. Users prove they own a session by submitting the session id as a parameter with each request. The session is then validated for every request sent to QPR ProcessAnalyzer. The session id is also included when logging off.

Cryptographically secure network communications are required to implement secure session management. As such, using the HTTPS protocol is recommended.

Log off and Session Expiration

When a user logs off, the session id is marked as invalid in the session table in the QPR ProcessAnalyzer database. There are two additional settings in the database related to session management: SessionIdleTimeout and SessionMaximumDuration (Web.config file in QPR ProcessAnalyzer). A user session expires if it has not been used within the time defined by SessionIdleTimeout (one hour by default). SessionMaximumDuration defines the maximum duration of an active session: even if a session is actively used, it expires after the configured amount of time (one day by default).
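The following sketch shows how the idle timeout, the maximum duration and log-off invalidation interact on each request. It is an added example, not QPR ProcessAnalyzer code: the class, field and method names are hypothetical, `uuid.uuid4()` stands in for SQL Server's NEWID(), and the strict `>` comparison at the boundary is an assumption.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Defaults stated on this page: one hour idle, one day maximum.
SESSION_IDLE_TIMEOUT = timedelta(hours=1)
SESSION_MAXIMUM_DURATION = timedelta(days=1)


@dataclass
class SessionRow:
    """Hypothetical row of the session table."""
    user: str
    created: datetime
    last_used: datetime
    valid: bool = True


class SessionTable:
    def __init__(self) -> None:
        self._rows: Dict[str, SessionRow] = {}

    def create(self, user: str, now: datetime) -> str:
        """Issue a session id after successful authentication."""
        sid = str(uuid.uuid4())  # stand-in for NEWID() (assumption)
        self._rows[sid] = SessionRow(user, now, now)
        return sid

    def validate(self, sid: str, now: datetime) -> Optional[str]:
        """Return the user name for a live session, otherwise None."""
        row = self._rows.get(sid)
        if row is None or not row.valid:
            return None
        idle_expired = now - row.last_used > SESSION_IDLE_TIMEOUT
        too_old = now - row.created > SESSION_MAXIMUM_DURATION
        if idle_expired or too_old:
            row.valid = False  # an expired session never becomes valid again
            return None
        row.last_used = now  # activity resets the idle timer, not the age
        return row.user

    def log_off(self, sid: str) -> None:
        """Mark the session id invalid, as done at log-off."""
        row = self._rows.get(sid)
        if row is not None:
            row.valid = False
```

Passing `now` explicitly keeps the expiry rules testable without waiting for real time to pass.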

Authentication

The user accounts are stored on the QPR ProcessAnalyzer service, and their passwords are stored as one-way hash values calculated with the SHA-256 algorithm. A salt is used in the hashing to protect against the use of rainbow tables.

Failed login attempts result in a login timeout, which protects against brute-force attacks. Failed login attempts are also logged.

QPR ProcessAnalyzer can load data from external systems, such as SAP or Salesforce.com. When a session is created, credentials are entered by the user and are stored in the Windows profile with additional encryption. Users loading data from Salesforce.com enter their Salesforce credentials in the Integration Service for Salesforce web UI when launching the transfer. Credentials are not stored on QPR ProcessAnalyzer.

Authorization

Authorization is based on role-based access control. All access rights are associated with projects.

All requests to QPR ProcessAnalyzer include an ID, and the service authorizes requests systematically based on the users and groups allowed to access the project associated with the ID. The QPR ProcessAnalyzer application uses a single account which has owner privileges to the database, granting full access to the database objects belonging to the application.