XRX/Login and Session Management

Motivation
You want to use an XForms application to get login information and set server session variables.

Method
The XForms standard has a "secret" attribute for collecting a password. After the user fills out the login form, it is POSTed to the server.

Note that you should not use HTTP GET for passwords since the passwords will appear in the web log files as a URL parameter.

The eXist system has several functions for setting session variables. After a user logs in these session variables should be set and all subsequent XQueries can use these session variables when accessing secure resources.

Note that setting session variables is out-of-scope of the W3C XQuery 1.0 standard and each server may use slight variations of these functions. But the concepts should be very similar.

Most commonly, a session variable is used to associate the user to one or more roles. This is known as role-based access control (RBAC). This allows your XQueries to set conditional behavior based on the user's role, and avoids having to hard-code XQueries based on usernames that may change frequently. A typical role is the "admin" role or the "document-approver" role. eXist uses a UNIX style group that can be associated with a collection or a file. You can use these groups for security if you note that a collection or file can be associated with one-and-only-one group at any time. Users are frequently associated with multiple roles during a session, just as in UNIX a user can be in many groups.
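The login flow described above (POSTed credentials, session variables, groups used as roles), as an added XQuery example that is not code from the original page. It assumes eXist's `request:`, `session:` and `xmldb:` modules; the exact function names (for example `xmldb:get-user-groups`) vary between eXist versions, so check them against your server's function documentation.

```xquery
xquery version "1.0";
(: Added example, not from the original page: a server-side login handler for
   the XForms login screen. Function names are assumed from eXist's request:,
   session: and xmldb: modules and may differ between eXist versions. :)
declare namespace request="http://exist-db.org/xquery/request";
declare namespace session="http://exist-db.org/xquery/session";
declare namespace xmldb="http://exist-db.org/xquery/xmldb";

(: Roles are eXist groups; a user may belong to many groups at once :)
declare function local:roles-for($user as xs:string) as xs:string* {
    xmldb:get-user-groups($user)
};

(: True if the current session carries the named role (e.g. "admin") :)
declare function local:has-role($role as xs:string) as xs:boolean {
    $role = session:get-attribute("roles")
};

(: Read the fields the XForms submission POSTed; never read a password
   from a GET query string, since it would land in the web server logs :)
let $user := request:get-parameter("username", "")
let $pass := request:get-parameter("password", "")
(: xmldb:login returns true() only when the credentials are valid :)
let $ok := xmldb:login("/db", $user, $pass)
return
    if ($ok) then (
        session:create(),
        session:set-attribute("user", $user),
        session:set-attribute("roles", local:roles-for($user)),
        <result status="ok">
            <user>{$user}</user>
            <roles>{ for $r in local:roles-for($user) return <role>{$r}</role> }</roles>
            <is-admin>{ local:has-role("admin") }</is-admin>
        </result>
    ) else
        (: one generic failure; do not reveal which field was wrong :)
        <result status="denied"/>
```

Later XQueries on protected pages can call `local:has-role("admin")` against the same session instead of comparing against hard-coded usernames.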

Sample XForms Login Screen
A sample login XForms application is provided here:

XForms Login Screen

This form may be customized to put in any legal disclaimers about the use of unauthorized systems. It can then be wrapped in an XQuery function such as local:display-login and invoked if the user is accessing a page that they do not have authorization to access.

XQuery Function to display session information
Once the user is logged in, the following function can be used to display session information in the upper-right corner of the screen.
