How to know which "remote port" from server routine?

This Q&A forum allows users to post and respond to "How Do I Do ....." questions. Please do not use to report (suspected) errors - you must use your regional help desk for this. The information contained in this forum has not been validated by LANSA and, as such, LANSA cannot guarantee the accuracy of the information.
Dino
Posts: 133
Joined: Fri Jul 19, 2019 7:49 am
Location: Robbinsville, NC

How to know which "remote port" from server routine?

Post by Dino » Wed Jun 23, 2021 7:16 am

Is there any way to know which "remote port", as seen on netstat -cnn, we are using in our server routine?

If I start a web page that calls a server routine several times, each one creates a separate connection, with the same IP, the difference being the remote port. I would like to capture that. I can see that the job related to that is one of the instance jobs for apache with the name of the LANSA installation, but by the user QTMHHTTP, not the LWEB_JOB.

The goal is to use that as part of the security measures to confirm we are still talking with the same user.

In the same line... can we recover the unique session number generated in the server routine here:

#COM_OWNER.StartSession Timeout(3600)

BrendanB
Posts: 57
Joined: Tue Nov 24, 2015 10:29 am

Re: How to know which "remote port" from server routine?

Post by BrendanB » Wed Jun 23, 2021 12:25 pm

Dino,

There is no guarantee that each invocation of a ServerRoutine will use the same connection.

HTTP (and HTTPS) are STATELESS Protocols, so the Webserver effectively considers the connection DEAD once the server routine ends.
In certain situations, it may well appear that the same connection gets re-used, but as I said, there is no guarantee, so I would avoid it if you can.

If you are using HTTPS, then you can set the SessionMethod to 'SecureCookie'; this will be a SECURE cookie that gets set when you do #com_owner.StartSession.

You can capture the cookie using the webserver (and even try get_cookie).

If you are a LANSA employee -- please PM me and I can take you through how we secure a website using Portalize.

If you are not, perhaps speak to your LANSA rep about seeing a demo of Portalize.

Portalize has been penetration tested, and is robustly secure (even to the point of being able to BAN IPs that make repeated incorrect attempts).

There is a lot you can do, and some bits that are difficult to do... :)

I would also suggest that, where possible, using OAuth2 for your user validation can be beneficial (essentially you are handing off the user validation to a third party that does security well (e.g. Microsoft AzureAD or Google are ones that I have used)). A side-benefit is that users that are already logged in to the Microsoft AzureAD will be able to get a token without re-entering their passwords. Typically OAuth2 'setup' requires that you specify to the provider how long a token is valid for... meaning that you can always check if the token is still valid before carrying out a server routine.

Brendan.
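
Added illustration (Python, not LANSA code and not written by any poster in this thread) of the point in the reply above: the remote port changes with every connection, so session continuity is tied to a random token carried in a Secure cookie and checked against a server-side timeout. The cookie name SESSIONID, the in-memory store and the sample requests are constructed assumptions.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_TIMEOUT = 3600      # seconds, mirroring Timeout(3600) in the question
COOKIE_NAME = "SESSIONID"   # hypothetical cookie name
_sessions = {}              # token -> expiry time (hypothetical in-memory store)

def start_session(now=None):
    """Create a session; return (token, Set-Cookie header value)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _sessions[token] = now + SESSION_TIMEOUT
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["secure"] = True       # only sent over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True     # not readable from page script
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["path"] = "/"
    return token, cookie[COOKIE_NAME].OutputString()

def validate(cookie_header, now=None):
    """True if the Cookie header carries a known, unexpired session token."""
    now = time.time() if now is None else now
    try:
        jar = SimpleCookie(cookie_header or "")
    except CookieError:
        return False
    morsel = jar.get(COOKIE_NAME)
    expiry = _sessions.get(morsel.value) if morsel is not None else None
    if expiry is None:
        return False
    if now >= expiry:
        del _sessions[morsel.value]            # expired: drop server-side state
        return False
    return True

def compare_bindings(requests, now):
    """Per request: (same remote port as first request?, cookie session valid?)."""
    first_port = requests[0][1]
    return [(port == first_port, validate(hdr, now)) for _ip, port, hdr in requests]

if __name__ == "__main__":
    token, set_cookie = start_session(now=1000.0)
    hdr = f"{COOKIE_NAME}={token}"
    # Constructed requests: same client IP, new ephemeral port per connection.
    reqs = [("203.0.113.7", 51514, hdr), ("203.0.113.7", 51520, hdr),
            ("203.0.113.7", 51533, hdr)]
    print(set_cookie)
    print(compare_bindings(reqs, now=1060.0))
```

Pinning to the first remote port rejects the second and third requests of the same user, while the cookie check accepts all three until the timeout passes.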

Dino
Posts: 133
Joined: Fri Jul 19, 2019 7:49 am
Location: Robbinsville, NC

Re: How to know which "remote port" from server routine?

Post by Dino » Sat Jun 26, 2021 3:49 am

Thank you Brendan!
