User Session Management: Difference between revisions

From QPR ProcessAnalyzer Wiki
Revision as of 07:41, 3 October 2019

This article describes the session and session id management in QPR ProcessAnalyzer.

Authentication and session id

Access to QPR ProcessAnalyzer is granted only after successful authentication. On successful authentication the user receives a session id. The session id is a 128-bit number called a Globally Unique Identifier (GUID); the length of the GUID (128 bits) can guarantee uniqueness across space and time. New GUIDs are created with the NEWID() function provided by SQL Server (https://docs.microsoft.com/en-us/sql/t-sql/functions/newid-transact-sql?view=sql-server-2017). The generated GUID is compliant with RFC 4122 (https://tools.ietf.org/html/rfc4122). Note that uniqueness and unpredictability are distinct properties: a session id must also be infeasible to guess, and that depends on the randomness of the generator rather than on the identifier's length alone.

The operation log and the server log record every username that attempted to authenticate against QPR ProcessAnalyzer, together with the client IP address.
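Because both logs record the username and the client IP address of every authentication attempt, they can be reviewed for bursts of failed logins from one address. The following is an added example that is not part of the original article or of QPR ProcessAnalyzer; the log line format, the field names and the sample lines are constructed for the example, since the real log layout is not documented here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "AUTH user= ip= result=" layout.
SAMPLE_LOG = """\
2019-10-03 07:40:01 AUTH user=alice ip=10.0.0.5 result=success
2019-10-03 07:40:11 AUTH user=bob ip=10.0.0.9 result=failure
2019-10-03 07:40:12 AUTH user=bob ip=10.0.0.9 result=failure
2019-10-03 07:40:13 AUTH user=carol ip=10.0.0.9 result=failure
2019-10-03 07:40:14 AUTH user=dave ip=10.0.0.9 result=failure
2019-10-03 07:40:15 AUTH user=erin ip=10.0.0.9 result=failure
2019-10-03 07:55:00 AUTH user=bob ip=10.0.0.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) AUTH user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Parse the hypothetical log layout into a list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "user": m.group("user"),
            "ip": m.group("ip"),
            "result": m.group("result"),
        })
    return events


def find_failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames} for client IPs that produced at least
    `threshold` failed authentications inside any sliding `window`.
    Several distinct usernames from one IP is the signal worth reviewing."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({e["user"] for e in evs[start:end + 1]})
                break
    return flagged


def successes_after_burst(events, flagged):
    """List (ip, user) pairs where a flagged IP later authenticated successfully."""
    hits = []
    for e in events:
        if e["result"] == "success" and e["ip"] in flagged:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    bursts = find_failure_bursts(evs)
    print("failure bursts:", bursts)
    print("later successes from flagged IPs:", successes_after_burst(evs, bursts))
```

The sliding window is applied per IP, so a single address cycling through many usernames is reported even when each username fails only once; a later success from the same address is listed separately because that is the event an analyst would want to verify first.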

Session management and transport

Once the user is authenticated, subsequent requests are authenticated by the session. Users prove they own a session by submitting the session id as a parameter with each request, and the session is validated for every request sent to QPR ProcessAnalyzer. The session id is also included in the log off request.

Cryptographically secure network communication is required for secure session management, because the session id travels with every request. HTTPS is therefore recommended.

Log off and session expiry

When the user logs off, the session id is marked as invalid in the session table in the QPR ProcessAnalyzer database. Two additional settings in the database control session lifetime: SessionIdleTimeout and SessionMaximumDuration (see Web.config file in QPR ProcessAnalyzer). A session expires if it has not been used for the time defined by SessionIdleTimeout (one hour by default). SessionMaximumDuration defines the maximum lifetime of an active session: even a session in active use expires after the configured time (one day by default).
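The session life cycle described across the three sections above (a GUID issued at login, validated on every request, invalidated at log off, and expired by either the idle timeout or the maximum duration) is shown below as an added example. It is not code from the article or from QPR ProcessAnalyzer: the in-memory table, the class and function names and the use of uuid4() as a stand-in for SQL Server's NEWID() are assumptions; only the two default values come from the article.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defaults stated in the article: one hour idle timeout, one day maximum duration.
SESSION_IDLE_TIMEOUT = timedelta(hours=1)
SESSION_MAXIMUM_DURATION = timedelta(days=1)


@dataclass
class Session:
    session_id: uuid.UUID
    username: str
    created: datetime
    last_used: datetime
    valid: bool = True


def parse_session_id(param):
    """Parse the session id submitted as a request parameter.
    Returns a UUID, or None when the value is not a well-formed GUID."""
    try:
        return uuid.UUID(str(param))
    except (ValueError, AttributeError, TypeError):
        return None


class SessionTable:
    """In-memory stand-in for the session table in the database (assumption:
    the real schema is not described in the article)."""

    def __init__(self, idle_timeout=SESSION_IDLE_TIMEOUT,
                 max_duration=SESSION_MAXIMUM_DURATION):
        self.idle_timeout = idle_timeout
        self.max_duration = max_duration
        self._sessions = {}

    def create(self, username, now):
        # uuid4() is an RFC 4122 version-4 UUID from the OS randomness source;
        # it stands in here for SQL Server NEWID().
        sid = uuid.uuid4()
        self._sessions[sid] = Session(sid, username, now, now)
        return sid

    def validate(self, session_id, now):
        """Return the username if the session is valid for a request at `now`,
        otherwise None. Sessions found expired are marked invalid on the spot."""
        s = self._sessions.get(session_id)
        if s is None or not s.valid:
            return None
        idle_expired = now - s.last_used > self.idle_timeout
        max_expired = now - s.created > self.max_duration
        if idle_expired or max_expired:
            s.valid = False
            return None
        # Activity resets the idle timer; it never extends the maximum duration.
        s.last_used = now
        return s.username

    def log_off(self, session_id, now):
        """Log off also requires a valid session id. Returns True if a live
        session was invalidated, False otherwise."""
        if self.validate(session_id, now) is None:
            return False
        self._sessions[session_id].valid = False
        return True


if __name__ == "__main__":
    t0 = datetime(2019, 10, 3, 7, 41)
    table = SessionTable()
    sid = table.create("alice", t0)
    print("30 min later:", table.validate(sid, t0 + timedelta(minutes=30)))
    print("65 min idle:", table.validate(sid, t0 + timedelta(minutes=95)))
```

The two expiry rules are deliberately checked independently: the idle check compares against the last request, the maximum-duration check against the creation time, so a client that keeps polling can hold a session for at most SessionMaximumDuration. Marking an expired row invalid inside validate() mirrors what the article says happens at log off, so the table holds a single notion of "dead session" rather than two.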