The Session object that you can get from the Request.getSession() provides some additional methods:
| Method | description |
|---|---|
| getID() | the session ID (string). This is a rather long id that is cryptographically (i.e. very) hard to guess (it is constructed from several variables and then fed through SHA-1, a secure hash. The variables are the remote client address, the current time in string format and numerical format, and a random number). |
| isNew() | if the session is brand new (this means that only the server knows about it, it has not been synchronised with the client yet). |
| loginUser(user) | set logged in user object - this must be an instance of snakeserver.user.LoginUser. This class stores userid, password(hash), a user name and a set of privileges. Often this is enough. If you need more, you have to create your own subclass (don't forget to call __init__). For more information about the built-in LoginUser class, see authentication. |
| logoutUser() | Logs out the current user. The session remains alive. Usually you also want to clear the session: see Request.deleteSession() |
| getLoggedInUser() | get logged in user object (an instance of snakeserver.user.LoginUser, or a subclass thereof), or None. For more information about the built-in LoginUser class, see authentication. |
| getContext() | the session context (ContextContainer object). Scope: session (Request.getSessionContext() is a shortcut for this) unique per user, shared for all requests of this user |
For correct session management, the web browser must allow session cookies from the website. If cookies are not allowed, and the web browser accesses a page that uses a session, every request from the browser will cause a new session to be created on the server (to a certain limit that Snakelets enforces).
Test if cookies are enabled: There are various was to test if the web browser accepts cookies. The 'test' webapp that comes with Snakelets contains three examples that show how you can check for correct session-cookie acceptance (in a snakelet, in an Ypage, and using Javascript). The basic trick is to send a http refresh back to the browser, and when the next request comes in, the code checks for the existance of a "valid" session.
The session cookie that is used is called SNSESSID, and has its path set to /webapp/ (the name of the webapp that is accessed) on the server from your URL. In case of shared sessions, the session cookie that is used is called SNSESSIDSHR, and has its path set to / (the root) on the server from your URL. The contents of the cookie is just the session id.