Run Without Creating Sessions

  • updated 4 yrs ago

LogicNets creates a new session each time a user starts a package and assigns a unique identifier to each session. The session ID is visible in the URL. You can use this unique identifier in multiple ways, including when storing and retrieving session data. However, you can also run an application without creating a session.

General Session Options

Session Timeout

LogicNets protects every session with a session expiry timeout. The default session timeout is 240 minutes, but you can change it globally using the System Configuration module or per project in the project settings. The system resets the session timeout timer each time the user accesses the session, that is, each time data is sent to the server. Once the session times out, the system displays an error message to the user.

 

Close Session

Using the Close Session part, you can explicitly close a session; for example, when a user clicks an exit button in your application. However, if your user closes the browser tab in which the session is running, the system does not close the session. The server does not get a signal when the browser tab closes.

This part is located in process nodes in the Misc dropdown menu.

  

Session Options

On each project, the Details tab contains a Security section that has an option called Run without creating sessions. This has a dropdown menu with the following three options:

  • SessionID in URL
  • SessionID in cookie
  • No session

 

SessionID in URL

When you select this option, LogicNets displays the session ID in the URL, but a user cannot copy the session URL into a new browser or share it with another user. This prevents session stealing. When a user attempts to copy the URL and paste it into a new browser, the system displays the error "You do not have permission to access this session."

This mode supports starting the same package (but different sessions) multiple times in different tabs.

SessionID in Cookie

When you select this option, the URL does not contain the session ID; instead it contains the package start code, e.g. KC in https://yourhost.com/logicnets/logicnets.lns?_=KC. The advantage of this mode is that the URL can be bookmarked, copied between browsers, and shared between users, as it does not contain a session ID.

In this mode the system stores the session ID in a cookie, with one cookie per company and start code combination. The system creates a new session when the session cookie does not exist or when it points to a closed or expired session. This mode does not support starting the same package – even with different sessions – multiple times in different tabs, since the session cookie is shared across all browser tabs.

If you add "_force_new_session=1" to the URL (e.g. https://yourhost.com/logicnets/logicnets.lns?_=KC&_force_new_session=1) the system creates a new session even when an existing session is available.
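A small model of the cookie-mode rules described above, added here as an illustration and not LogicNets code: it shows why all tabs in one browser land in the same session and when a new session replaces it. The class and method names, the in-memory cookie jar, the random ID format, and the caller-supplied clock in minutes are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs
import secrets

TIMEOUT_MIN = 240  # default session timeout stated on this page


@dataclass
class Session:
    sid: str
    last_access: float  # minutes on a caller-supplied clock (assumption)
    closed: bool = False


class CookieModeModel:
    """Toy model of 'SessionID in cookie' mode; hypothetical, not LogicNets code."""

    def __init__(self, timeout_min=TIMEOUT_MIN):
        self.timeout_min = timeout_min
        self.sessions = {}  # server-side store: sid -> Session

    def _usable(self, sid, now):
        s = self.sessions.get(sid)
        return s is not None and not s.closed and now - s.last_access < self.timeout_min

    def handle(self, url, cookie_jar, company, now):
        """Return the session ID serving this request.

        cookie_jar stands for one browser's cookies, shared by all its tabs.
        """
        query = parse_qs(urlsplit(url).query)
        start_code = query["_"][0]
        force_new = query.get("_force_new_session", ["0"])[0] == "1"
        key = (company, start_code)  # one cookie per company + start code
        sid = cookie_jar.get(key)
        if force_new or sid is None or not self._usable(sid, now):
            sid = secrets.token_hex(16)  # constructed ID format
            self.sessions[sid] = Session(sid, now)
            cookie_jar[key] = sid
        self.sessions[sid].last_access = now  # each access resets the timer
        return sid

    def close(self, sid):
        """Explicit close, as the Close Session part does."""
        self.sessions[sid].closed = True
```
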

No Session

If your application is 100% stateless, it does not need any session data to be created and you can use this mode. Typical stateless applications are web services where the system processes the input and generates the output directly. When the same client calls the same web service a second time, the system does not use the previous session.

You can also store the state in persistent storage, such as a database, if the web service needs to know the state of a previous call. In such cases, your web service implementation must include the logic for loading and saving the state data.

When using this mode, your application can still be protected using authentication. However, the authentication details must be included in the initial request header.
 
