Session Management
Session management is an essential part of
Login
During login, a user ID and password are entered. The password is not sent to the system in plain text but as a SHA384 hash. Therefore, the SessionManager never receives the password itself. Before storing the password in the database, it is hashed again using the BCrypt algorithm (with salt, 12 rounds).
Upon successful login, a session token is generated. We call it the "long token" because it is several hundred bytes in length. The long token contains:
- a short session token (16 bytes)
- the user ID
- the list of effective user permissions, derived from assigned roles
- a timestamp
The data is compressed and signed with the SessionManager's private RSA key.
Naturally, the short token contains no data. In some cases, however, a short token is more practical, such as in a URL in the browser. With a message to the SessionManager, the token can be exchanged for the data.
Verification
The kernel provides a service for token verification: ISessionVerifier. The service can easily be retrieved from the ServiceRegistry.
The service verifies the token (short or long) and returns the data. If it does not have the data in the local cache, or if the session is unknown or expired, it returns null. In this case, the message can be passed to the service. If the session is invalid, an error code is added, and the message is automatically sent back.
If the service needs to fetch the data from the SessionManager, it stores the message until the response arrives. If valid data is available, the message is resent to the owner; otherwise, it is returned to the recipient with an error code.
Permission verification
The list of user permissions can be used to verify if the user has the right to perform a specific action. If the required permission is missing, the request can be rejected with an error code and an error message.
Token Signing
The private part of the RSA key pair can be provided to the SessionManager in the configuration. If the key is missing in the configuration, it will be generated.
The public part of the RSA key pair can be stored in the configuration of individual nodes. If the key is missing in the configuration, the node requests it from the SessionManager after startup.
The administration of users, roles and rights
Two applications are provided for managing the data.
The first application uses earth
is running.
The web application for data management is available when the node moon
is running.
You can then use the address “http://localhost:8086/index.html”
with the browser .