Security and Session Handling
Session Handling
This lesson is part of the Developing OutSystems Web Applications course.

Hello and welcome to Session Handling in the OutSystems platform. Now, whenever
you're using a desktop application, your computer has its full focus on you.
There is no need for your desktop application to handle multiple users at
the same time. This is patently not the case when you're dealing with a web
server. Initially, web servers would serve pages without any regard to the
concept of a session. So a server would just send you a page and then send you
the next page without chaining any of this context together. As the Internet
moved to web applications, it became important to start keeping this context,
and the concept of a session was born.

Regardless of what technology you're using, web sessions are handled pretty much
the same way. The server will add some form of identifier when you start
navigating. On every browser request, it uses the identifier to fetch the
context, load it into memory and proceed with your interaction, and after you
have stopped using your web application for a while, it will discard your
current session. This is common to all web technologies. As soon as you bring in
this concept of a continuous experience, you get the concept of having global
variables that are maintained throughout the several requests. Now, these
variables can have two forms in the OutSystems platform: you have session
variables and you have cross-session site properties. Session variables exist
per user, so this means that user A and user B have potentially different values
for the same session variable. They are global in the sense that they're
available in every scope, but not global in the sense that they have the same
value for every user. For that second intention you have the site properties.
They are global in both senses.

This means that they're available in all the scopes and there is a unified value
that is seen by all the users. It goes without saying that, unlike the session
variables, these site properties never expire: their value is never reset when a
session terminates.

So when is it that we can say that the session starts and ends? The session
starts automatically upon first access to your application. If you're not logged
in, this will be an anonymous session, but a session in any case. You can also
programmatically log in a user via the user login function. As for a session
end, it can happen automatically after a timeout, which is normally 20 minutes,
or programmatically by using the user logout function. Both of these functions
are available in the Users application.

You can create and manage your session variables in the Data tab, and these
variables can be of basic types, entity identifiers... and all other types
including record, but you should avoid these because of performance
considerations. As mentioned, a session variable can be assigned anywhere
because it's globally visible, and it persists across requests from that same
user, but you have to be careful: upon a session end these variables will
reset to their default value. The OutSystems platform already provides
a few built-in session variables that you can see on the screenshot as grayed
out.

As for the site properties, they can only be of basic types and entity
identifiers. So you cannot have, for example, record site properties. Their
value can be changed programmatically from anywhere in your module, but they
also have the capability of having their value changed from Service Center.
This is very, very handy and it highlights the fact that site properties
are not meant to be global variables that change very often, but rather
configuration variables. In fact, you should not change these site properties
very frequently, because this will have a very dire impact on the performance of
the applications. Again, the platform provides a few built-in site properties
for you, as you can see on the right-hand screen, and you can see the
nature that these site properties normally have: they are configurations that
don't change very often. And these are the basics of the way that the
OutSystems platform handles sessions. See you guys in the next lesson.
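
The session mechanism described in this lesson, modelled in Python as an added example; it is not OutSystems code and not part of the course. `SessionStore`, `SESSION_DEFAULTS`, `site_properties` and the variable names in them are hypothetical, and rotating the identifier at login is a common hardening step assumed here, not something the lesson states.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the lesson's usual 20-minute timeout
SESSION_DEFAULTS = {"UserId": None, "CartCount": 0}  # hypothetical session variables
site_properties = {"MaxUploadMB": 10}  # hypothetical site property: one value for all users


class SessionStore:
    """In-memory model of per-user session context keyed by an identifier."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session id -> [last_seen, variables]

    def _new(self):
        sid = secrets.token_urlsafe(32)  # unguessable identifier from a CSPRNG
        self._sessions[sid] = [self._clock(), dict(SESSION_DEFAULTS)]
        return sid

    def request(self, sid=None):
        """Handle one browser request and return (sid, variables) for it."""
        now = self._clock()
        entry = self._sessions.get(sid)
        if entry is not None and now - entry[0] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle too long: discard the context
            entry = None
        if entry is None:
            sid = self._new()  # first access or expired id: anonymous session
            entry = self._sessions[sid]
        entry[0] = now  # any request counts as activity
        return sid, entry[1]

    def login(self, sid, user_id):
        """Bind a user to the session under a fresh identifier (assumed hardening)."""
        last_seen, variables = self._sessions.pop(sid)
        variables["UserId"] = user_id
        new_sid = self._new()
        self._sessions[new_sid] = [last_seen, variables]
        return new_sid

    def logout(self, sid):
        """End the session; the next request starts again from the defaults."""
        self._sessions.pop(sid, None)
```

Passing a fake `clock` makes the idle timeout testable without waiting 20 minutes.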