User Session Management: Difference between revisions

From QPR ProcessAnalyzer Wiki
Revision as of 23:30, 21 September 2021

This page describes how user sessions are managed in QPR ProcessAnalyzer.

Authentication and session token

Access to QPR ProcessAnalyzer is granted based on successful authentication. As a result of successful authentication, the user receives a session id. The session id is a 128-bit number called a Globally Unique Identifier (GUID). The length of the GUID (128 bits) can guarantee uniqueness across space and time. New GUIDs are created using the NEWID() function provided by SQL Server (https://docs.microsoft.com/en-us/sql/t-sql/functions/newid-transact-sql?view=sql-server-2017). The generated GUID is compliant with RFC 4122 (https://tools.ietf.org/html/rfc4122).

The server log keeps track of all usernames that attempt to authenticate to QPR ProcessAnalyzer. The client IP address is also logged.

Session Management and Transport

Once the user is authenticated, subsequent requests authenticate the session: users prove they own a session by submitting the session id as a parameter with each request. The session is validated for every request sent to QPR ProcessAnalyzer. The session token is also included in the log off request.

Cryptographically secure network communication is required to implement secure session management. It is therefore recommended to use the HTTPS protocol.

Log off and session expiration

When the user logs off, the session token is marked as invalid in the sessions table in the QPR ProcessAnalyzer database, and thus the session cannot be used anymore. The following settings relate to session management (more information):

  • Session idle timeout: If the user session has not been used (i.e. no requests have been sent to the server), the session is invalidated after this duration. The purpose is to get the session invalidated soon, e.g. if the user has forgotten to log out. By default this time is one hour.
  • Session maximum duration: Duration, counted from login, after which the session is invalidated anyway (even if it is used continuously). The purpose is to get the session invalidated e.g. in cases where an automated script keeps the user session alive forever. The best practice for this kind of script is to log out the session once the communication has been completed. The session maximum duration is 24 hours by default.
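The session lifecycle described in the three sections above (an RFC 4122 session id issued at login, validation on every request, invalidation on log off, idle timeout and maximum duration), as an added example that is not QPR's code: a Python in-memory stand-in for the sessions table. It assumes the page's defaults of one hour and 24 hours and uses uuid4() where the product obtains its GUIDs from SQL Server NEWID().

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta

# Page defaults: idle timeout one hour, maximum duration 24 hours (configurable in the product).
IDLE_TIMEOUT = timedelta(hours=1)
MAX_DURATION = timedelta(hours=24)

@dataclass
class Session:
    username: str
    created: datetime          # login time; anchors the maximum-duration rule
    last_used: datetime        # last accepted request; anchors the idle-timeout rule
    invalidated: bool = False  # set on log off or expiry; the row is kept, not deleted

class SessionStore:
    """In-memory stand-in for the sessions table (constructed for this example)."""
    def __init__(self, idle_timeout=IDLE_TIMEOUT, max_duration=MAX_DURATION):
        self.idle_timeout, self.max_duration = idle_timeout, max_duration
        self._sessions: dict[str, Session] = {}

    def login(self, username: str, now: datetime) -> str:
        # uuid4() yields a random RFC 4122 GUID; the product gets its GUIDs from SQL Server NEWID().
        sid = str(uuid.uuid4())
        self._sessions[sid] = Session(username, now, now)
        return sid

    def validate(self, session_id: str, now: datetime) -> bool:
        """Validate the session id sent with a request; refresh last_used only if accepted."""
        try:
            parsed = uuid.UUID(session_id)
        except ValueError:
            return False                       # malformed token: reject before any lookup
        if parsed.variant != uuid.RFC_4122:
            return False
        s = self._sessions.get(str(parsed))
        if s is None or s.invalidated:
            return False
        if now - s.last_used > self.idle_timeout or now - s.created > self.max_duration:
            s.invalidated = True               # expired: idle too long or past the hard cap
            return False
        s.last_used = now
        return True

    def logoff(self, session_id: str) -> None:
        s = self._sessions.get(session_id)
        if s is not None:
            s.invalidated = True               # marked invalid, as the page describes
```

Note that a session used continuously every 30 minutes still stops validating once 24 hours have passed since login, which is the behaviour the maximum-duration setting exists to enforce.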

Authentication details

User accounts are stored in the QPR ProcessAnalyzer service, and their passwords are stored as one-way hash values calculated with the SHA-256 algorithm. A salt is used in the hashing to protect against the use of rainbow tables.

Failed login attempts result in a timeout on login, as protection against brute force attacks. Failed login attempts are also logged.
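The password storage and failed-login timeout described above, as an added example that is not the product's code: salted SHA-256 verification with a constant-time compare, a per-username timeout after a failed attempt, and logging of the username and client IP on every attempt. The logger name, the 30-second timeout length and the in-memory user dictionary are assumptions; the page gives none of them.

```python
import hashlib
import hmac
import logging
import secrets
from datetime import datetime, timedelta

log = logging.getLogger("qpr.auth")     # assumed logger name; the page names no log format
LOGIN_TIMEOUT = timedelta(seconds=30)    # assumed timeout length; the page gives no figure

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted one-way SHA-256 as the page describes; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)   # random per-user salt defeats rainbow tables
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest

class Authenticator:
    def __init__(self, users: dict, timeout: timedelta = LOGIN_TIMEOUT):
        self.users = users                   # username -> (salt, digest): the stored form
        self.timeout = timeout
        self._locked_until: dict = {}
        self._dummy = hash_password(secrets.token_hex(16))  # used for unknown usernames

    def login(self, username: str, password: str, client_ip: str, now: datetime) -> bool:
        # Every attempt is logged with username and client IP, as the page states.
        log.info("login attempt user=%s ip=%s", username, client_ip)
        until = self._locked_until.get(username)
        if until is not None and now < until:
            log.warning("login refused during timeout user=%s ip=%s", username, client_ip)
            return False
        # Hash even for unknown users so response timing does not reveal which names exist.
        salt, expected = self.users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        if username not in self.users or not hmac.compare_digest(actual, expected):
            self._locked_until[username] = now + self.timeout   # timeout after a failure
            log.warning("failed login user=%s ip=%s locked_until=%s", username, client_ip, now + self.timeout)
            return False
        self._locked_until.pop(username, None)
        return True
```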

QPR ProcessAnalyzer can load data from external systems such as SAP or Salesforce.com. When a session is created, credentials are entered by the user and stored in the Windows profile with additional encryption. Users loading data from Salesforce.com enter their Salesforce credentials in the Integration Service for Salesforce web UI when launching the transfer. These credentials are not stored in QPR ProcessAnalyzer.