XQuery/Login and Logout

Motivation

You want to log users into the system and log them out.

Method

We will use the following functions to create login and logout forms:

 xmldb:login($collection, $user, $password, true())
 session:create()
 session:invalidate()

Logging In

To log in, we first need to create a new session and then use this session to store our login information:

 session:create()
 xmldb:login($collection, $user, $password, true())

This changes the effective user executing the current query and stores that user information into the HTTP session, so subsequent queries within the same session will also execute with the same user rights. Note that you must use "true()" as the fourth argument to the login function.


Logging Out

To log a user out use:

 session:invalidate()

Calling this function, as well as session:clear, removes the user binding from the session, which means that the next call to the query will run as guest. However, the currently executing query will still use the old non-guest user until it completes.

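 (: xdb is bound to the same module namespace as the xmldb prefix used above :)
 declare namespace xdb = "http://exist-db.org/xquery/xmldb";

 (: if we are already logged in, are we logging out - i.e. set
    permissions back to guest :)
 if (request:get-parameter("logout", ())) then
 (
     (: reset the user for the rest of this query, then drop the session :)
     let $null := xdb:login("/db", "guest", "guest")
     let $inval := session:invalidate()
     return false()
 )
 else
 (
     (: we are already logged in and we are not the guest user :)
     true()
 )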

This example calls both xdb:login() as guest and session:invalidate(). We want to do both: invalidating the session clears the login for future queries, and logging in as guest resets the current user for the rest of the current query.
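
The login and logout steps above, combined into one query as an added example (not code from the original page). The form field names user, password and logout, the /db collection and the status result element are assumptions; credentials are accepted only from a POST request.

```xquery
xquery version "3.0";

(: Added example, not code from the original page.
   Assumptions: the form field names "user", "password" and "logout",
   the collection "/db" and the <status> result element. :)

declare variable $local:collection := "/db";

(: Log out: reset the current query to guest, then drop the session
   so that later requests also run as guest. :)
declare function local:logout() as xs:boolean {
    let $reset := xmldb:login($local:collection, "guest", "guest")
    let $inval := session:invalidate()
    return false()
};

(: Log in: create the session first, then bind the user to it.
   The fourth argument true() stores the user in the HTTP session. :)
declare function local:login($user as xs:string, $password as xs:string) as xs:boolean {
    let $session := session:create()
    return xmldb:login($local:collection, $user, $password, true())
};

let $logout   := request:get-parameter("logout", ())
(: take only the first value if a field was submitted more than once :)
let $user     := request:get-parameter("user", ())[1]
let $password := request:get-parameter("password", ())[1]
return
    if (exists($logout)) then
        <status logged-in="{local:logout()}">logged out</status>
    (: Accept credentials only from a POST request, so they do not
       end up in URLs, browser history or access logs. :)
    else if (request:get-method() eq "POST" and $user and $password) then
        if (local:login($user, $password)) then
            <status logged-in="true">logged in</status>
        else
            (: One message for every failure; the submitted values
               are never echoed back. :)
            <status logged-in="false">login failed</status>
    else
        <status logged-in="false">not logged in</status>
```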

Timeout setting

You can also change the default timeout setting by changing the Jetty configuration file here:

 $EXIST_HOME/tools/jetty/etc/webdefault.xml

By default the configuration file sets the session timeout to 30 minutes:

 <session-config>
   <session-timeout>30</session-timeout>
 </session-config>


Note:

In the future there may be an xmldb:logout function which combines both steps. Another approach could be to handle the login/logout within a controller.xql and thus separate it from the main query.