We've all heard about cookies. In this chapter I will give an example of how to set a cookie, and how to read one. Using cookies is one way to overcome HTTP's stateless nature, and this property is what we are going to make use of in this login-session example. I'm not going to go into details about cookies, but if you want to, check out: www.cookiecentral.com or www.netscape.com
Well let's start. We are going to use a WebModule with three different actions. The actions will be:
Show login page if user is not logged on, else tell user that he has already access. Default action.
If login was OK then send a cookie to the client and show success message. If login wasn't OK, tell user.
Read cookie and if cookie is OK, show protected page, else tell user that he's not authorized.
Set the project:s output directory to: /cgi-bin and save the project as login.cgi.
What is a cookie ?
Cookies are a list of pair values (Name=Value). In this example we're only going to use one pair, but there could be lot's of them. A cookie could for example hold special user-information used by a Webserver to present a page in a way that's convinient for the user. Or as we will see in this example, identify a user.
To send the cookie to the browser we will use the Response.SetCookiefield method:
procedure SetCookieField(Values: TStrings; const ADomain, APath: string ; AExpires: TDateTime; ASecure: Boolean);
ADomain will be blank, APath='/cgi-bin', AExpires = -1 (The Cookie will be killed when we close the browser-session), ASecure=false (In real life you should use a safe connection when using a cookie for this purpose, or else the cookie could be sniffed.)
To read the cookie we will use the Request.CookieFields.Values property.
Let's start the coding with action 2, where we send the cookie with CookieField1='Authorized', if we find 'Delphi6' in the request contentfield: 'PW'
procedure TWebModule1.WebModule1WebActionItem2Action(Sender: TObject;
Request: TWebRequest; Response: TWebResponse; var Handled: boolean);
var masCookie: TStringList;
begin
masCookie:= TStringList.Create;
try
// If password OK, send cookie to client.
if (Request.ContentFields.Values['PW'] = 'Delphi6') then
begin
with masCookie do begin
Clear;
Append('CookieField1=Authorized');
end;
Response.SetCookieField
(masCookie, '', '/cgi-bin/', -1, false);
Response.Content:=
'' +
'You''re authorized to access the protected page.
' +
'Click button to continue...' +
'';
end
else
// If not, send client to MAS Delphi page
Response.Content:=
'' +
'Incorrect login.
Click button to continue...' +
'';
finally
masCookie.Free;
end;
end;
Let's make a function that returns true if the cookie is present and OK:
function TWebModule1.CheckCookie: boolean;
begin
if Request.CookieFields.Values['CookieField1'] = 'Authorized' then
Result:= true
else
Result:= false;
end;
Continue with action 1, where we show the login page or tell user that he already has access:
procedure TWebModule1.WebModule1WebActionItem1Action(Sender: TObject;
Request: TWebRequest; Response: TWebResponse; var Handled: boolean);
begin
// Ask for password if not already logged in. Should be done with a safe protocol !!!
if CheckCookie then
Response.Content:=
'' +
'You have already access to the protected page.
' +
''
else
Response.Content:=
'' +
'Login for protected page.
' +
'' +
'';
end;
Last we make action 3, where we show the protected page if the cookie is alright:
procedure TWebModule1.WebModule1WebActionItem3Action(Sender: TObject;
Request: TWebRequest; Response: TWebResponse; var Handled: Boolean);
begin
// Show protected page if Cookie is OK
if CheckCookie then
Response.Content:=
'' +
'Welcome to the protected page.'
else
Response.Content:=
'' +
'You''re not authorized to view this page!';
end;
That would be all.
Time to test if it's working. Put http:///cgi-bin/login.cgi/prot into your webbrowser and you should get this response:
You're not authorized to view this page!
Put http:///cgi-bin/login.cgi into the browser. Login with "Delphi6", and you should get this:
You're authorized to access the protected page. Click button to continue...
Clicking the button should bring you to the protected page:
Welcome to the protected page.
You should now be able to reach the protected page as long as you don't exit your browser-session. If you try and exit your browser and start it again, you will find that you have to login again to reach the protected page.