Session Management

Session management is an essential part of nyssr.net. Many services only work with the appropriate user rights. It covers the database of users, roles and rights, login/logout, and the handling of sessions and their tokens.

Login

During login, a user ID and password are entered. The password is not sent to the system in plain text but as a SHA384 hash. Therefore, the SessionManager never receives the password itself. Before storing the password in the database, it is hashed again using the BCrypt algorithm (with salt, 12 rounds).
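The two hashing steps described above, as an added example that is not nyssr.net's own code. It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt) for the server-side step, which is not part of the JDK, and it assumes the client sends the SHA-384 digest Base64-encoded (the page does not state the encoding; Base64 gives 64 characters, which stays inside bcrypt's 72-byte input limit, whereas a 96-character hex string would be silently truncated by bcrypt). The user ID, password and the 12-round setting are sample values; the password is constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import org.mindrot.jbcrypt.BCrypt; // assumption: jBCrypt on the classpath, not part of the JDK

public final class PasswordFlowExample {

    /** Client side: the password is hashed with SHA-384 before it leaves the client. */
    static String clientHash(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-384");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            // Base64 is an assumption of this example: 64 characters, below bcrypt's 72-byte limit.
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-384 is mandatory in every JDK", e);
        }
    }

    /** Server side (SessionManager): only the SHA-384 value arrives, never the password itself. */
    static String storedHash(String sha384FromClient) {
        // gensalt(12): a fresh random salt and a cost of 2^12 iterations, as the page describes.
        return BCrypt.hashpw(sha384FromClient, BCrypt.gensalt(12));
    }

    /** Login check against the stored bcrypt hash; bcrypt re-derives the salt from the stored value. */
    static boolean login(String sha384FromClient, String storedHash) {
        return BCrypt.checkpw(sha384FromClient, storedHash);
    }

    public static void main(String[] args) {
        String fromClient = clientHash("correct horse battery staple"); // constructed sample password
        String inDatabase = storedHash(fromClient);
        System.out.println(inDatabase.startsWith("$2a$12$"));          // true: bcrypt, cost 12
        System.out.println(login(fromClient, inDatabase));              // true
        System.out.println(login(clientHash("wrong"), inDatabase));     // false
    }
}
```

Note that hashing on the client does not replace TLS: whoever captures the SHA-384 value can replay it as the credential, since that value is what the SessionManager checks. The client-side hash keeps the plaintext password out of the server's memory and logs; the server-side bcrypt step is what protects the database copy against offline guessing.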

Upon successful login, a session token is generated. We call it the "long token" because it is several hundred bytes in length. The long token contains:

  • a short session token (16 bytes)
  • the user ID
  • the list of effective user permissions, derived from assigned roles
  • a timestamp

The data is compressed and signed with the SessionManager's private RSA key.

Naturally, the short token contains no data. In some cases, however, a short token is more practical, such as in a URL in the browser. With a message to the SessionManager, the token can be exchanged for the data.

Verification

The kernel provides a service for token verification: ISessionVerifier. The service can easily be retrieved from the ServiceRegistry.

The service verifies the token (short or long) and returns the data. If it does not have the data in the local cache, or if the session is unknown or expired, it returns null. In this case, the message can be passed to the service. If the session is invalid, an error code is added, and the message is automatically sent back.

If the service needs to fetch the data from the SessionManager, it stores the message until the response arrives. If valid data is available, the message is resent to the owner; otherwise, it is returned to the recipient with an error code.

Permission verification

The list of user permissions can be used to verify if the user has the right to perform a specific action. If the required permission is missing, the request can be rejected with an error code and an error message.
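The long-token layout from the "Login" section, the null-returning verification from the "Verification" section and the permission check above, together in one added example that is not nyssr.net's own code. The wire format (a 4-byte payload length, the deflated payload, then the RSA signature, Base64url-encoded), the SHA256withRSA signature scheme, the 30-minute session lifetime and the user ID and permission names are all assumptions of this example; the page only states which fields the token carries, that the data is compressed and that it is signed with the SessionManager's private RSA key. The short-token cache lookup is not shown.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import java.util.zip.*;

public final class LongTokenExample {

    /** The four fields the page lists for the long token. */
    record SessionData(byte[] shortToken, String userId, Set<String> permissions, long createdAtMillis) {}

    static final long SESSION_TTL_MILLIS = 30L * 60 * 1000; // assumption: sessions expire after 30 minutes
    static final SecureRandom RNG = new SecureRandom();

    /** Serialize, deflate, sign. Assumed layout: [4-byte payload length][payload][RSA signature]. */
    static String issueLongToken(SessionData data, PrivateKey key) throws Exception {
        ByteArrayOutputStream raw = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(raw)) {
            out.write(data.shortToken());                  // fixed 16 bytes
            out.writeUTF(data.userId());
            out.writeInt(data.permissions().size());
            for (String p : data.permissions()) out.writeUTF(p);
            out.writeLong(data.createdAtMillis());
        }
        ByteArrayOutputStream packed = new ByteArrayOutputStream();
        try (DeflaterOutputStream z = new DeflaterOutputStream(packed)) { z.write(raw.toByteArray()); }
        byte[] payload = packed.toByteArray();

        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(payload);
        byte[] sig = signer.sign();                         // 256 bytes for a 2048-bit key

        ByteArrayOutputStream token = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(token)) {
            out.writeInt(payload.length);
            out.write(payload);
            out.write(sig);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token.toByteArray());
    }

    /** Returns the session data, or null when the token is malformed, not signed by the SessionManager, or expired. */
    static SessionData verifyLongToken(String token, PublicKey key, long nowMillis) {
        try {
            DataInputStream in = new DataInputStream(new ByteArrayInputStream(Base64.getUrlDecoder().decode(token)));
            int len = in.readInt();
            if (len < 0 || len > in.available()) return null;   // untrusted length: never allocate blindly
            byte[] payload = new byte[len];
            in.readFully(payload);
            byte[] sig = in.readAllBytes();

            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(key);
            verifier.update(payload);
            if (!verifier.verify(sig)) return null;             // tampered, or signed with another key

            // Only after the signature holds is the payload inflated and parsed.
            DataInputStream d = new DataInputStream(new InflaterInputStream(new ByteArrayInputStream(payload)));
            byte[] shortToken = new byte[16];
            d.readFully(shortToken);
            String userId = d.readUTF();
            int n = d.readInt();
            Set<String> perms = new HashSet<>();
            for (int i = 0; i < n; i++) perms.add(d.readUTF());
            long createdAt = d.readLong();
            if (nowMillis - createdAt > SESSION_TTL_MILLIS) return null; // expired session
            return new SessionData(shortToken, userId, Set.copyOf(perms), createdAt);
        } catch (GeneralSecurityException | IOException | IllegalArgumentException e) {
            return null; // a malformed token is treated like an unknown session
        }
    }

    /** Permission check: the caller rejects the request with an error code when this returns false. */
    static boolean hasPermission(SessionData session, String required) {
        return session != null && session.permissions().contains(required);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();   // stands in for the key pair from the SessionManager configuration

        byte[] shortToken = new byte[16];
        RNG.nextBytes(shortToken);
        SessionData issued = new SessionData(shortToken, "alice", Set.of("doc.read", "doc.write"), System.currentTimeMillis());
        String longToken = issueLongToken(issued, kp.getPrivate());
        System.out.println("token length: " + longToken.length() + " chars"); // several hundred, mostly signature

        SessionData seen = verifyLongToken(longToken, kp.getPublic(), System.currentTimeMillis());
        System.out.println(hasPermission(seen, "doc.write")); // true
        System.out.println(hasPermission(seen, "admin"));     // false

        char[] c = longToken.toCharArray();                    // flip one character inside the payload
        c[10] = c[10] == 'A' ? 'B' : 'A';
        System.out.println(verifyLongToken(new String(c), kp.getPublic(), System.currentTimeMillis()) == null); // true

        long later = System.currentTimeMillis() + SESSION_TTL_MILLIS + 1;
        System.out.println(verifyLongToken(longToken, kp.getPublic(), later) == null); // true: expired
    }
}
```

The order inside verifyLongToken matters: the signature is checked before the payload is inflated, so an unsigned or tampered token never reaches the decompressor or the parser. Because the permissions travel inside the signed token, a node can answer the permission question locally without a round trip to the SessionManager, which is exactly why the token is worth its size.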

Token Signing

The private part of the RSA key pair can be provided to the SessionManager in the configuration. If the key is missing in the configuration, it will be generated.

The public part of the RSA key pair can be stored in the configuration of individual nodes. If the key is missing in the configuration, the node requests it from the SessionManager after startup.

The administration of users, roles and rights

Two applications are provided for managing the data.

The first application uses RemoteSkin for Swing. In the delivered software, it can be started when the node earth is running.

The web application for data management is available when the node moon is running. You can then open the address "http://localhost:8086/index.html" in the browser.