
I have a desktop app (developed with Delphi XE2) that logs in to and interacts with a PHP 5 web application (I use CodeIgniter 2.1 along with TankAuth - both latest versions).

It seems that TankAuth has a session expire feature (that kicks in every 5 minutes) to prevent session hijacking. It's a good security measure, but...

This also invalidates the Delphi application login. More specifically, I need to update cookies (I use Indy 10.4861), which means I have to re-login every 5 minutes.

My Delphi XE2 application uses multi-threading. I use a global cookie (to avoid logging in every thread!), so I have to resort to locking every 5 minutes to re-login.

My profiler clearly says I need to do something about it!

My code looks like this:

```delphi
TheResponse := TStringStream.Create;
try
   IdHttp.Get(TheURL, TheResponse);

   if (TheResponse <> nil) And (Pos('login', TheResponse.DataString) <> 0) then
   begin
        OmniLock.Acquire;
        try
           LoginToServer(ServerLogin, UserPassword);
        finally
           OmniLock.Release;
        end;    // try/finally

        // Reload local copy of the cookies manager
        OmniLock.Acquire;
        try
           TheCookieManager.AddCookies(GlobalCookieManager);
        finally
           OmniLock.Release;
        end;    // try/finally
   end;    // if: closes the begin block above
except
      // ...
end;    // try/except
```

My question is: Is there a way to keep the session expiration, but somehow capture the changed session expiration and update the cookie manager without having to re-login?


EDIT

The global cookie manager gets updated whenever there's a new cookie:

```delphi
idHTTP.OnNewCookie := SyncNewCookie;

// ------------------------------------------------------------------------------ //
procedure TMainForm.SyncNewCookie(ASender : TObject; ACookie : TIdCookie; var VAccept : Boolean);
begin
     VAccept := True;

     OmniLock.Acquire;
     try
        GlobalCookieManager.CookieCollection.AddServerCookie(ACookie.ServerCookie, TIdHTTP(TIdCookieManager(ASender).Owner).URL);
     finally
        OmniLock.Release;
     end;    // try/finally
end;
```
TheDude
  • Profilers do not pass judgment. They do not say you need to do anything about anything. They merely report where your program spent its time. Have you observed that your program runs slowly? And during those slow times, have you determined that the code shown here is currently running? If not, then this code is not the problem. – Rob Kennedy Jan 09 '13 at 16:49
  • @RobKennedy : I was just trying to say that I'm neither happy with the speed (yes I did measure it) nor with the lock itself. I have (what I consider to be) an issue. Having to re-login does slow me down, it's **in itself** a problem. A browser does happily deal with the session expiration, so should my Delphi application, thus my question. – TheDude Jan 09 '13 at 17:09
  • possible duplicate of [CodeIgniter "sess\_time\_to\_update" and Indy Cookies](http://stackoverflow.com/questions/9830746/codeigniter-sess-time-to-update-and-indy-cookies). It's not Tank-Auth that has a session expiration; it's Code Igniter. Instead of re-logging in, just keep track of each session cookie you receive from all your *other* transactions. Then your session won't expire. – Rob Kennedy Jan 09 '13 at 17:26
  • No, that's not it. I *already* sync the global cookie manager, so it must be something else. – TheDude Jan 09 '13 at 18:08
  • You sync to the global cookie manager *when you log in*. You need to use the global cookie manager for *every* operation, not just logins. Every time you hit the server, the server either extends the life of the session ID you passed in, or replaces it with a new session ID. Either way, you need to take the session cookie you receive from that operation and share it so that all subsequent trips to the server use the updated session ID. You shouldn't have to *log in* more than once. – Rob Kennedy Jan 09 '13 at 18:12
  • My apologies, I forgot to post the `update cookie` code. I actually do update the global cookie manager whenever there's a new cookie. – TheDude Jan 09 '13 at 18:58
  • In fact, according to my tests, the SyncNewCookie() seems to be much more *dangerous* than the `re-login locking` – TheDude Jan 09 '13 at 19:01
  • @TheDude - are you sure `OnNewCookie` is being triggered on every request? If not, what's in the raw headers? – Leonardo Herrera Jan 09 '13 at 20:12
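
The session behaviour discussed in the comments above, as an added simulation that is not part of the original thread (Python rather than Delphi/Indy, so it runs without a server). The `Server` class, its rule that only the newest session ID is accepted, and every name in it are constructed assumptions; the code counts how many logins a run needs when workers read the shared cookie before every request versus when each worker keeps its own copy.

```python
ROTATE_AFTER = 300  # seconds; the 5-minute interval described in the question


class Server:
    """Constructed stand-in for the web app: one valid session ID, replaced
    on the first request made ROTATE_AFTER seconds after it was issued."""

    def __init__(self):
        self.sid, self.issued, self.count, self.logins = None, 0, 0, 0

    def _issue(self, now):
        self.count += 1
        self.sid, self.issued = "sid-%d" % self.count, now
        return self.sid

    def login(self, now):
        self.logins += 1
        return self._issue(now)

    def get(self, sid, now):
        """Return (page, new_cookie); new_cookie is None when the ID is kept."""
        if sid != self.sid:
            return "login", None           # stale ID: bounced to the login page
        if now - self.issued >= ROTATE_AFTER:
            return "ok", self._issue(now)  # rotated: response carries a new ID
        return "ok", None


def simulate(share_every_response, workers=4, rounds=20, step=60):
    """Round-robin workers, one request per `step` simulated seconds.
    Returns the number of logins the whole run needed."""
    server = Server()
    shared = server.login(0)               # global store (lock-guarded in a threaded client)
    local = [shared] * workers             # per-worker cookie copies
    for i in range(rounds * workers):
        w, now = i % workers, (i + 1) * step
        sid = shared if share_every_response else local[w]
        page, cookie = server.get(sid, now)
        if page == "login":                # the only path that costs a re-login
            cookie = server.login(now)
        if cookie:                         # keep whatever ID the server handed back
            shared = local[w] = cookie
    return server.logins


if __name__ == "__main__":
    print("shared before every request:", simulate(True))
    print("per-worker copies only:     ", simulate(False))
```

In this model a single worker never re-logs in either way; the extra logins appear only once several workers hold copies that are not refreshed from the shared store before each request.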
