Using Session State


ATL Server gives you more control over how you use session state in your application than most Web application programming frameworks. With ATL Server, you can choose the way session names are generated, where session state is stored, and how session IDs are sent to the user. ValidateAndExchange is typically the method where you initialize your session state. Listing 8-2 shows a sample ATL Server request handler class and its ValidateAndExchange method.

Listing 8.2: ValidateAndExchange Implementation
start example
 1 CComPtr<ISessionStateService> m_spSessionSvc;
 2 CComPtr<ISession> m_spSession;
 3
 4 HTTP_CODE ValidateAndExchange()
 5 {
 6     if (FAILED(m_spServiceProvider->QueryService(
 7                     __uuidof(ISessionStateService),
 8                     &m_spSessionSvc)))
 9     {
10         return HTTP_FAIL;
11     }
12
13     const CCookie& sessionCookie = m_HttpRequest.Cookies("session");
14
15     if (sessionCookie.IsEmpty())
16     {
17         CHAR  sessionName[CSessionNameGenerator::MIN_SESSION_KEY_LEN + 1];
18         DWORD sessionLen = 0;
19
20         if (FAILED(m_spSessionSvc->CreateNewSession(sessionName,
21                                                     &sessionLen,
22                                                     &m_spSession)))
23         {
24             return HTTP_S_FALSE;
25         }
26         sessionName[sessionLen - 1] = 0;
27
28         m_HttpResponse.AppendCookie("session", sessionName);
29     }
30     else
31     {
32         CString sessionName;
33
34         if (!sessionCookie.GetValue(sessionName))
35         {
36             return HTTP_S_FALSE;
37         }
38
39         if (FAILED(m_spSessionSvc->GetSession(sessionName,
40                                               &m_spSession)))
41         {
42             return HTTP_S_FALSE;
43         }
44     }
45
46     return HTTP_SUCCESS;
47 }
end example
 

This code may look unwieldy at first. Let's have a look at it line by line:

  • Lines 1 and 2: Declare these as member variables in your request handler class.

  • Lines 6 through 8: Get ISessionStateService from the ISAPI extension.

  • Line 13: This example is sending the session ID as a cookie for the client to store. This is just one way of sending the session ID back to your user. If you're concerned that your user might not support cookies, you could store the session ID in your HTML form and have it sent back in a hidden input field.

  • Lines 17 through 28: If there's no session cookie, then you have to create a new session. Calling CreateNewSession will create a newly named session for you. The name of the session is unique and will be generated by using the Microsoft Windows Crypto API. If the Crypto API isn't available, then rand will be used. You can also call CreateNewSessionByName to generate a session with a name of your choosing. You should, however, choose a name for your session wisely. It's a security risk if it's predictable how your session names are generated. If this is the case, hackers can create their own session names and trick your application into thinking that they're valid sessions. If you're generating your own session names or if you're using a platform that doesn't support the Crypto API (rand generates random-looking but predictable values), then you should exercise extreme caution to make sure your session names aren't predictable.

  • Lines 39 through 43: Get your current session from the session state service. When you want to close this session, you should call m_spSessionSvc->CloseSession.
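
The predictability risk described for lines 17 through 28, as an added example that is not from the book or from ATL Server: a rand-based name generator beside one that draws from the operating system's CSPRNG and fails closed. ToHex, WeakSessionName and StrongSessionName are hypothetical names; BCryptGenRandom is the current Windows CSPRNG call, used here in place of the older Crypto API the text mentions, with /dev/urandom as the non-Windows path.

```cpp
#include <cstdio>
#include <cstdlib>
#include <stdexcept>
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <bcrypt.h>  // link with bcrypt.lib
#endif

// Hex-encode raw bytes into a cookie-safe session name (hypothetical helper).
static std::string ToHex(const unsigned char* buf, size_t len) {
    static const char digits[] = "0123456789abcdef";
    std::string out;
    for (size_t i = 0; i < len; ++i) {
        out += digits[buf[i] >> 4];
        out += digits[buf[i] & 0x0F];
    }
    return out;
}

// WEAK (hypothetical): a rand()-based name. Every byte is a function of the
// seed, so the same seed always regenerates the same "unique" session name.
std::string WeakSessionName(unsigned seed) {
    unsigned char buf[16];
    srand(seed);
    for (unsigned char& b : buf) b = static_cast<unsigned char>(rand() & 0xFF);
    return ToHex(buf, sizeof(buf));
}

// HARDENED (hypothetical): 128 bits from the OS CSPRNG; throws, never falls back to rand().
std::string StrongSessionName() {
    unsigned char buf[16];
#ifdef _WIN32
    if (BCryptGenRandom(NULL, buf, sizeof(buf), BCRYPT_USE_SYSTEM_PREFERRED_RNG) < 0)
        throw std::runtime_error("CSPRNG unavailable");
#else
    FILE* f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, sizeof(buf), f) : 0;
    if (f) fclose(f);
    if (got != sizeof(buf)) throw std::runtime_error("CSPRNG unavailable");
#endif
    return ToHex(buf, sizeof(buf));
}

int main() {
    printf("weak x2: %s %s\n", WeakSessionName(1234).c_str(), WeakSessionName(1234).c_str());
    printf("strong:  %s\n", StrongSessionName().c_str());
    return 0;
}
```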

You get and set values in session state by calling ISession::GetVariable() and ISession::SetVariable(). All session values are set and retrieved as variants. The ISession interface also contains methods for enumerating the values in session state.




ATL Server: High Performance C++ on .NET