Sessions

A simple example

Dreisam provides the operators session() and destroy_session() for creating and destroying a session.

The following example uses a login page to create a session which keeps track of the user's name.

The login page looks like this:

<html>
<head>
<title>Login</title>
</head>
<body>
<form action="/fcgi-bin/dreisam.fcgi/login" method="POST">
<p>Name: <input name="login_name">
<p>Password: <input type="password" name="password">
<p><input type="submit">
</form>
</body>
</html>

Now let's create the login operator:

insert http_actions tup { path '/login', opname 'login', method 'POST' };

operator login (model tup { login_name string, password string}, view string,
                req http.http_request, resp http.http_response)
        updates { model, view, req, resp };
    /* Password check would have to go here, before the session is created */

    var session_data init tup { username model.login_name };
    http.session(req, resp, session_data);
end operator;

Template login.thtml for the response page:

<html>
<head>
<title>Welcome</title>
</head>
<body>
<p>Welcome, {$ m.login_name $}
</body>
</html>

After the login operator has been invoked successfully, Dreisam will keep track of the username attribute. If an action operator is invoked with this attribute in its model argument, the attribute will be set to the value stored in the session and written back afterwards.

Let's create a settings page that shows the user name.

Creating the operator:

insert http_actions tup { path '/settings', opname 'settings', method 'GET' };

operator settings (model tup { username string }, view string) updates { model, view };
    ; /* Do nothing */
end operator;

The template settings.thtml looks like this:

<html>
<head>
<title>Settings</title>
</head>
<body>

<p>Username: {$ m.username $}

</body>
</html>

Invoking the action settings will display the username stored in the session.

Configuration

The following configuration variables can be set in config.td:

Name | Description | Default value
http_session_cookie_lifetime | The lifetime of the session cookie, in seconds. 0 means "until the browser is closed". | 0
http_session_timeout | The number of seconds after which session data is no longer considered valid. | 7200

Cleaning up the sessions table

The session data is stored in the table http_session.

After http_session_timeout seconds of inactivity, a session is no longer valid. Sessions are deleted if destroy_session() is called, or if a cookie is sent from a session which is no longer valid. However, if the user does nothing, the session is not deleted automatically.

The operator http.delete_expired_sessions() deletes expired sessions.

It is advisable to call this operator on a regular basis, for example from a daily cron job.
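
The difference between a session that is no longer valid and one that has actually been deleted, shown as a small Python model added here for illustration (not Dreisam code). The class, its method bodies, the exact timeout boundary, and the refreshing of the timestamp on each request are assumptions; the sample users are constructed.

```python
# Model of the session-table lifecycle described above. Not Dreisam code:
# the class and its method bodies are hypothetical stand-ins.
import secrets

HTTP_SESSION_TIMEOUT = 7200  # default http_session_timeout, in seconds


class SessionTable:
    """Stands in for the http_session table."""
    def __init__(self, timeout=HTTP_SESSION_TIMEOUT):
        self.timeout = timeout
        self.rows = {}  # session id -> (last_access, data)

    def session(self, data, now):
        sid = secrets.token_hex(16)  # value the session cookie would carry
        self.rows[sid] = (now, data)
        return sid

    def _expired(self, last_access, now):
        return now - last_access > self.timeout

    def lookup(self, sid, now):
        """Handle a request that carries a session cookie."""
        if sid not in self.rows:
            return None
        last_access, data = self.rows[sid]
        if self._expired(last_access, now):
            del self.rows[sid]  # cookie from an invalid session: row deleted
            return None
        self.rows[sid] = (now, data)  # assumption: activity resets the clock
        return data

    def delete_expired_sessions(self, now):
        """Periodic cleanup; returns the number of rows removed."""
        stale = [s for s, (t, _) in self.rows.items() if self._expired(t, now)]
        for sid in stale:
            del self.rows[sid]
        return len(stale)


def demo():
    """Constructed timeline: one returning user, one who never comes back."""
    table = SessionTable()
    returning = table.session({"username": "alice"}, now=0)
    table.session({"username": "bob"}, now=0)  # abandoned
    table.lookup(returning, now=7000)
    alive = table.lookup(returning, now=14000)  # idle 7000 s: still valid
    rows_before = len(table.rows)  # bob's expired row is still stored
    return alive, rows_before, table.delete_expired_sessions(14000), len(table.rows)
```

In the model, the abandoned session's data stays in the table long after it stops being valid, and only the periodic cleanup removes it.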