UNIBASE

Unibase sessions

Unibase application access

Unibase uses a session structure to manage logins and access to all application programs.

There is no direct access to either the application programs or the data. Both must be accessed through ubpost or ubcgi, which use the session id to determine the user, application, and working directory.

In most cases there is no need to call any of the session functions. Unibase automatically uses these as required.

Session files are stored in /usr/local/etc/ub_sessions.

Tcl scripts

Sessions are maintained by the unibase.tcl package.

To access the commands from a Tcl script:

package require unibase 1.0

Available commands:

  • ::unibase::getflags – Process script flags/options
  • ::unibase::httpd – httpd helper functions
  • ::unibase::httpd::cookies – Put cookies into the environment
  • ::unibase::log – System log and audit functions
  • ::unibase::session – Set up and maintain a session
  • ::unibase::users – User details for application security

In this document we will only consider ::unibase::session commands.

Getting a session id from a script

curl(1) can be used in a script to access programs and features in a Unibase application.

curl -s -d username=<user> -d password=<password> -c <Session id file> http://<application site>/cgi-bin/session

For example:

curl -s -d username=fred -d password=abc123 -c sessionId http://forum.zenucom.com/cgi-bin/session

Once you have a session, you can pass the session id file to later curl requests to access application functions.

For example:

shops=`curl -s --form PROC_NAME=getShops -b sessionId http://forum.zenucom.com/cgi-bin/ubpost`

Sessions are automatically timed out based on the variable SESSION_IDLE in the session file.

The default value is 120 (120 minutes, or two hours). You can change this by setting the variable SESSION_IDLE.

This is checked every time a session is accessed.

Additionally, Unibase runs a process every hour that looks for expired sessions and deletes their session files. This is part of /etc/cron.hourly/unibase.
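
The login and call sequence from this section as a set of shell functions that keep the password out of the process list and keep the session id file private. This is an added example, not Unibase code: UB_SITE and its placeholder HTTPS URL, the ub_* function names and the password file path are assumptions. How the session CGI reports a failed login is not documented here, so an HTTP error or an empty cookie jar is treated as failure.

```shell
#!/bin/sh
# Added example. UB_SITE, the ub_* names and the password file are assumptions.
UB_SITE="${UB_SITE:-https://app.example.invalid}"   # placeholder; HTTPS assumed

# Count cookies in a curl cookie jar. curl stores HttpOnly cookies as
# "#HttpOnly_<domain>..." lines, so they count; other "#" lines are comments.
ub_cookie_count() {
    awk '/^#HttpOnly_/ || (!/^#/ && NF) { n++ } END { print n + 0 }' "$1"
}

# Log in as user $1 with the password stored in file $2 (no trailing newline).
# Prints the path of a new cookie jar; fails if no session cookie came back.
ub_login() {
    ub_jar=$(mktemp "${TMPDIR:-/tmp}/ubjar.XXXXXX") || return 1   # mode 0600
    # "password@file" makes curl read the value from the file, so the password
    # never appears in the argument list that ps(1) shows to other users.
    if curl -s --fail -o /dev/null \
            --data-urlencode "username=$1" \
            --data-urlencode "password@$2" \
            -c "$ub_jar" "$UB_SITE/cgi-bin/session" &&
       [ "$(ub_cookie_count "$ub_jar")" -gt 0 ]; then
        printf '%s\n' "$ub_jar"
    else
        rm -f "$ub_jar"
        return 1
    fi
}

# Run the ubpost procedure named $2 using the session in cookie jar $1.
ub_call() {
    curl -s --fail --form "PROC_NAME=$2" -b "$1" "$UB_SITE/cgi-bin/ubpost"
}

# Drop the client copy of the session id. The server-side session file stays
# until it has been idle for SESSION_IDLE minutes.
ub_logout() {
    rm -f "$1"
}

# Usage (the password file path is hypothetical):
#   jar=$(ub_login fred /run/secrets/ub_pw) || exit 1
#   shops=$(ub_call "$jar" getShops); ub_logout "$jar"
```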

Session functions

Unibase provides the following functions for managing sessions:

  • ::unibase::session::create {USER APPLICATION}
    • Create a new unibase session.
    • Initial variables
      • REMOTE_USER – Identity of user for this session
      • APPLICATION – Unibase application name
      • USER – User name
      • DIRECTORY – Run application in this directory
      • EMAIL_USER – Email address of REMOTE_USER
      • SESSION_START – Date and time session started
      • SESSION_IDLE – Maximum idle time for this session
      • RANDOM – A random number that can be used by the application
      • CSRF – Used for bot control. reCaptcha3 CSRF
      • REMOTE_ADDR – Remote address of user
      • KEY – Pseudo random key for file
      • USER_AGENT – Browser used to access application
    • Note that SESSION_IDLE is 120 minutes by default, but this will be overridden by an environment variable called SESSION_IDLE when the session is created.
    • The session id is an OpenSSL value for the session file and is returned in the cookies.
  • ::unibase::session::destroy
    • Destroy the current session. This is done by removing the session file.
  • ::unibase::session::env
    • Add all the session variables to the environment variables
  • ::unibase::session::json
    • Return all the session variables as a JSON object
  • ::unibase::session::sessionid
    • Used internally
    • Sets the session id
  • ::unibase::session::valid
    • Checks that the current session is valid, i.e. the session file exists and has been accessed in the last SESSION_IDLE minutes.
  • ::unibase::session::var {VARIABLE VALUE}
    • Set a session variable value