
Re: UU code



Alexey Parshin wrote:
> Why do you think user2 may share a connection with user1? If we use
> the same connection for different users, then we must provide a
> connection pool that only gives out new connections. Otherwise that
> situation is possible, and it only depends on user1 calling the stored
> proc logoff(). 
This is where the pool comes in. Properly implemented, connections will be
auto-released back to the pool at the end of request processing, and the
pool will call logoff() itself.
> If something happens (like an exception) and logoff isn't called, AND the
> next user doesn't call login(), then it's possible. I suggest we
> implement the connection pool so it simply generates new connections
> in a thread, in advance. It's also better from the point of view of
> releasing server resources - any temp tables created by a user are
> released upon connection close.
The first implementation will most likely just open and close connections as
they are requested/released, for simplicity's sake. We just have to use an
interface that will allow us to drop in a more complex implementation later.
Or we could see if we can find an existing generic one (even better).
>
> 2007/3/16, Ilya A. Volynets-Evenbakh <ilya@total-knowledge.com>:
>
>     That's not good enough. Here is a scenario:
>     1. User one sends a request that performs a login.
>     2. User 2 sends another request, that does not perform a login
>     (due to bug or just the fact that no login is needed)
>     3. There is an SQL injection bug in page2. Thus User2
>        has full rights of user1 while doing his nasty stuff.
>
>     Alexey Parshin wrote:
>     > Actually, the login procedure takes care of user records in
>     > session_info. There will always be zero or one record there.
>     >
>     > 2007/3/16, Ilya A. Volynets-Evenbakh <ilya@total-knowledge.com>:
>     >
>     >     sergey@total-knowledge.com wrote:
>     >     > In this case, I guess the solution is:
>     >     >
>     >     > In Header.csp
>     >     >
>     >     > <% if(request.hasAttribute("UserId")) { %>
>     >     > <input type="hidden" name="userid" value="<%=
>     >     > request.getAttribute<std::string>("UserId") %>">
>     >     > <% } %>
>     >     >
>     >     This isn't going to do you any good. You will not always have a
>     >     single form to submit. This info should be kept inside the session.
>     >     > In UUServlet new operation
>     >     >
>     >     > void UUServlet::setEnvironment(HttpServletRequest& req){
>     >     >   string userid = req.getParameter("userid");
>     >     >   if(!userid.empty())
>     >     >     req.setAttribute("UserId", setattr_t(new string(userid)));
>     >     > }
>     >     >
>     >     No. User ID should be dealt with at login time, and saved in the
>     >     session. Do not pass it around the network all the time - it's a
>     >     waste of resources.
>     >     > setEnvironment() can be used for setting other global parameters
>     >     > and will be called in each servlet service() function.
>     >     >
>     >     That might be a good idea. Needs more detailed thinking. One thing
>     >     is that you don't really want to rely on every service function
>     >     calling this explicitly (you'll forget to call it at some point in
>     >     time, I can guarantee you that ;-)
>     >     > <snip getSessionInfo stuff>
>     >     >
>     >     You may want to change all that to key the temp login table
>     >     off of session ID rather than user ID. This way you don't need to
>     >     save any extra info in the session itself.
>     >
>     >     BTW, the alternative path (clearing the temp table after
>     >     processing every request) is also implementable - if we make our
>     >     DB connection pool take care of that.
>     >
>     >     >> Guys, don't forget that database connections will be
>     >     >> pooled. That means there will be different requests
>     >     >> from _different_ users handled by the same connection.
>     >     >> This, in turn, means that unless someone takes care
>     >     >> of cleaning up the table after each request, there could
>     >     >> be more than one record in there.
>     >     >>
>     >     >>
>     >     >> sergey@total-knowledge.com wrote:
>     >     >>
>     >     >>> Understood.
>     >     >>> Here is my version:
>     >     >>>
>     >     >>>   bool isValid = false;
>     >     >>>   try {
>     >     >>>     CQuery qrySelect(&db,"select si_person from session_info");
>     >     >>>     qrySelect.open();
>     >     >>>     while ( ! qrySelect.eof() ) {
>     >     >>>       isValid = true;
>     >     >>>       qrySelect.fetch();
>     >     >>>     }
>     >     >>>     qrySelect.close();
>     >     >>>   }
>     >     >>>   catch (exception& e) {
>     >     >>>     cout<<"\nError: " <<e.what();
>     >     >>>   }
>     >     >>>   return isValid;
>     >     >>>
>     >     >>>
>     >     >>> I know there's supposed to be only one record in the session_info
>     >     >>> table, but I still prefer to loop since it's a select query.
>     >     >>>
>     >     >>>
>     >     >>>> Actually, the "no record test" is better done not as:
>     >     >>>>
>     >     >>>> if (!user_id)
>     >     >>>>
>     >     >>>> but as (right after query_open()):
>     >     >>>>
>     >     >>>> if ( query.eof())
>     >     >>>>
>     >     >>>> 2007/3/15, Alexey Parshin <alexeyp@gmail.com>:
>     >     >>>>
>     >     >>>>
>     >     >>>>> int user_id = 0;
>     >     >>>>> string user_name;
>     >     >>>>> try {
>     >     >>>>>    Query query(&db,"select si_person, si_person_name from session_info");
>     >     >>>>>    query.open();
>     >     >>>>>    user_id = query[0];
>     >     >>>>>    user_name = query[1];
>     >     >>>>>    query.close ();
>     >     >>>>>    if (!user_id)
>     >     >>>>>       throw CException("User not logged in");
>     >     >>>>> }
>     >     >>>>> catch (exception& e) {
>     >     >>>>>    cout << "OOPS, " << e.what() << endl;
>     >     >>>>> }
>     >     >>>>>
>     >     >>>>> 2007/3/15, sergey@total-knowledge.com <sergey@total-knowledge.com>:
>     >     >>>>>
>     >     >>>>>
>     >     >>>>>> In order to perform authentication on each application page
>     >     >>>>>> I need to find out if a user with a certain ID exists in the
>     >     >>>>>> session_info table. I want to make sure that I understand how
>     >     >>>>>> it will work, so the question is:
>     >     >>>>>>
>     >     >>>>>> 1. If the session_info table exists.
>     >     >>>>>> AND
>     >     >>>>>> 2. There is one entry there (doesn't matter what the value is).
>     >     >>>>>>
>     >     >>>>>> it means that the current user is logged in.
>     >     >>>>>>
>     >     >>>>>> Is it true?
>     >     >>>>>>
>     >     >>>>>>
>     >     >>>>> --
>     >     >>>>> Alexey Parshin,
>     >     >>>>> http://www.sptk.net
>     >     >>>>>
>     >     >>>>>
>     >     >>>>>
>     >     >>>> --
>     >     >>>> Alexey Parshin,
>     >     >>>> http://www.sptk.net
>     >     >>>>
>     >     >>>>
>     >     >>>>
>     >     >>>
>     >     >>>
>     >     >> --
>     >     >> Ilya A. Volynets-Evenbakh
>     >     >> Total Knowledge. CTO
>     >     >> http://www.total-knowledge.com
>     >     >>
>     >     >>
>     >     >>
>     >     >
>     >     >
>     >     >
>     >
>     >     --
>     >     Ilya A. Volynets-Evenbakh
>     >     Total Knowledge. CTO
>     >     http://www.total-knowledge.com
>     >
>     >
>     >
>     >
>     > --
>     > Alexey Parshin,
>     > http://www.sptk.net
>
>     --
>     Ilya A. Volynets-Evenbakh
>     Total Knowledge. CTO
>     http://www.total-knowledge.com
>
>
>
>
> -- 
> Alexey Parshin,
> http://www.sptk.net 

-- 
Ilya A. Volynets-Evenbakh
Total Knowledge. CTO
http://www.total-knowledge.com
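An added example, not code from this thread or from SPTK/CPPSERV, of the scenario discussed above: a minimal connection pool whose RAII lease hands the connection back when the request scope ends (including on an exception), run once with a pool that leaves logoff() to page code and once with a pool that calls it on every release. The Connection, Pool and Lease types and the in-memory stand-in for session_info are constructed for this example.

```cpp
#include <memory>
#include <stdexcept>
#include <utility>
#include <vector>
// Constructed stand-in for a pooled DB connection; 0 = no session_info record.
struct Connection {
    int si_person = 0;
    void login(int person) { si_person = person; }
    void logoff() { si_person = 0; }
    bool isLoggedIn() const { return si_person != 0; }
};
class Pool {
public:
    explicit Pool(bool logoffOnRelease) : logoffOnRelease_(logoffOnRelease) {}
    std::unique_ptr<Connection> take() {
        if (idle_.empty()) idle_.emplace_back(new Connection);
        std::unique_ptr<Connection> c = std::move(idle_.back());
        idle_.pop_back();
        return c;
    }
    void release(std::unique_ptr<Connection> c) {
        if (logoffOnRelease_) c->logoff();  // the pool, not page code, clears session_info
        idle_.push_back(std::move(c));
    }
    bool logoffOnRelease_;
    std::vector<std::unique_ptr<Connection>> idle_;
};
// RAII handle: the destructor hands the connection back, so the release (and
// the pool's logoff) also runs when a request aborts with an exception.
class Lease {
public:
    explicit Lease(Pool& p) : pool_(p), conn_(p.take()) {}
    ~Lease() { pool_.release(std::move(conn_)); }
    Connection* operator->() const { return conn_.get(); }
    Pool& pool_;
    std::unique_ptr<Connection> conn_;
};
// The thread's scenario: user1's request logs in and throws before logoff();
// user2's request then reuses the same connection without calling login().
bool user2InheritsLogin(bool logoffOnRelease) {
    Pool pool(logoffOnRelease);
    try {
        Lease c(pool);
        c->login(1);
        throw std::runtime_error("page bug before logoff()");
    } catch (const std::exception&) {}
    Lease c(pool);
    return c->isLoggedIn();  // true = user2 inherited user1's login
}
```

With the pool leaving logoff() to page code the second request sees user1's login; with logoff-on-release it does not, which is the "pool will call logoff() itself" behaviour described above.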


Authoright © Total Knowledge: 2001-2008