Programmer's Guide:
Using Tickets and eRoom Ticket Manager
The eRoom ticket manager allows creation, deletion, and validation of
eRoom authentication tickets. A ticket is a one-time-use mechanism to
grant access to a specified eRoom user, starting at a specified
URL. Tickets are used for eRoom account recovery and to invite users to
set their initial password (split registration). Tickets can also be created
for your own custom purposes. When a user clicks on a ticket URL that
contains a valid ticket, eRoom creates a user session without prompting
for login name and password, then redirects to the target URL.
Take care when using tickets. Keep in mind that when a user follows
a ticket URL, the user is not restricted to that target URL. The user
is now logged in as the specified ticket user and has full access to everything
that the eRoom user normally has access to. It is advisable to create
tickets using the erUserSiteRestricted user to limit access until the
user has somehow identified himself or herself.
Using Tickets and Ticket URLs
When you create a ticket, you specify the memberid of a user, target
URL, and expiration period. In addition, named values can be added to
a ticket that will be accessible from the user’s session when the
ticket is used.
To build a ticket URL from a custom ticket, simply add the TicketKey
after the "/eRoomTicket/" URL. For example:
"http://myserver.mydomain.com/eRoomTicket/" + ticket.TicketKey
When a user follows a ticket URL, the eRoom server will automatically
validate the ticket key, establish a session for the specified user, and
redirect to the ticket's target URL. The ticket is invalidated so
that it can't be used again. Values set via IERUTicket::SetValue()
are copied from the ticket to the created session. eRoom uses these values
to store such things as the memberid of the account that is being recovered
or of the user who is setting their own initial password (split registration).
Note that eRoom automatically validates tickets used through the /eRoomTicket/
virtual root. It is unlikely that you will ever need to use the ValidateTicket()
method.
Example
dim ticket, tmgr
dim uc, auth
set uc = Server.CreateObject("eRoom.UserContext")
uc.ImpersonateUser erUserSiteAuthenticator, erParamTypeID
set auth = Server.CreateObject("eRoom.Authenticator")
set tmgr = auth.TicketManager
dim memberid, url, expires
' Member the target page runs as.
memberid = erUserSiteRestricted
' Target URL after following the ticket. This could be any eRoom URL,
' including a custom command. If a Ctxt context querystring is added,
' the user (memberid) must have access to that context and the command
' must be enabled in that context.
url = "/Extensions/MyCode.Thingy/MainPage.asp"
' Expiration period of the ticket, in seconds (10 minutes here).
expires = 10 * 60
set ticket = tmgr.CreateTicket(memberid, url, expires)
Response.Write "TicketKey=" & ticket.TicketKey
dim m_app
set m_app = Server.CreateObject("eRoom.Application")
dim ServerURL
ServerURL = m_app.ThiseRoomServer.eRoomServerSettings.URL
dim TicketURL
' "/eRoomTicket/" already carries the leading slash, so no separator is added.
TicketURL = ServerURL & "/eRoomTicket/" & ticket.TicketKey
Response.Write "TicketURL=" & TicketURL
' SetValue allows name/value pairs to be stored on the ticket.
' These values are copied to the eRoom user's session when the ticket
' is validated. Use IERUCustomParameters.GetSessionValue() to get
' values from the user session. For example, account recovery stores
' the memberid of the user to be recovered and runs as a restricted user.
ticket.SetValue "ThingyMemberID", CLng(12345)
ticket.SetValue "ThingyString", "Some string: " & CStr(Rnd)
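The ticket lifecycle described in this guide (unguessable one-time key, expiration period in seconds, binding to a memberid and target URL, named values copied into the session on validation), modelled as an added Python example that is not eRoom code and not part of the original guide; the class and function names, the constant's string value and the key format are assumptions of the model, not eRoom's API:

```python
import secrets
import time

# Constructed stand-in for the eRoom constant named in the guide; the real
# value is eRoom's own and is not reproduced here.
ER_USER_SITE_RESTRICTED = "erUserSiteRestricted"

class Ticket:
    """One-time grant of a session as memberid, starting at url."""
    def __init__(self, memberid, url, expires_seconds, now):
        self.ticket_key = secrets.token_urlsafe(32)  # unguessable one-time key
        self.memberid = memberid
        self.url = url
        self.expires_at = now + expires_seconds      # expiration period in seconds
        self.values = {}                             # SetValue name/value pairs

    def set_value(self, name, value):
        self.values[name] = value

class Session:
    def __init__(self, memberid, values):
        self.memberid = memberid
        self.values = dict(values)   # copied from the ticket at validation

    def get_session_value(self, name):
        return self.values.get(name)

class TicketManager:
    def __init__(self, clock=time.time):
        self.clock = clock           # injectable so expiry can be tested
        self._tickets = {}

    def create_ticket(self, memberid, url, expires_seconds):
        ticket = Ticket(memberid, url, expires_seconds, self.clock())
        self._tickets[ticket.ticket_key] = ticket
        return ticket

    def validate_ticket(self, ticket_key):
        """Consume the ticket: (Session, target URL), or None if unusable."""
        ticket = self._tickets.pop(ticket_key, None)  # gone after first use
        if ticket is None or self.clock() > ticket.expires_at:
            return None
        # The session carries every right memberid has, not only the target
        # URL, which is why the guide recommends a restricted member.
        return Session(ticket.memberid, ticket.values), ticket.url

def ticket_url(server_url, ticket_key):
    """Build the /eRoomTicket/<key> URL that is handed to the user."""
    return server_url.rstrip("/") + "/eRoomTicket/" + ticket_key
```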