Session Manager is one of the Pending Microapps.

(Note: the Session Manager was developed before I'd gained much of an understanding of REST architectural style or formalized any of the microapp stuff. So its interface is a little crusty looking. It will probably be redesigned/reimplemented soon.)

handles the binding of a user_id to a session_id. that is all. it is up to another component to authenticate/authorize the user and to handle any time-based expiration of sessions (probably just by setting the session_id in a cookie with an expiration time).

there is no real security model. if we wanted to make it more secure, we could put it on an https server and password protect it or restrict it to ccnmtl server IP addresses. for now, we're not going to worry about it.

there are three "methods", which are just cgi scripts: add_session.cgi, validate.cgi, and expire_session.cgi

add_session.cgi

creates and returns a new session_id. call it like:

add_session.cgi?user_id=username;service=servicename

user_id is the user_id to create a session for.

service is a name for the application (this is so multiple applications could use the same Session Manager at the same time without conflict).

additionally, you may also add the session_name field. the idea behind this one is that if you want to allow the same user to have multiple sessions active at the same time for the same service, you need a way of distinguishing them. eg, if you want a user to be able to be logged into your application from two different machines at the same time, you could set the service_name to the IP address of each machine, and they would not interfere with each other.

if all the fields are in order, it will create a new session_id (an alphanumeric string 14 to 16 digits long) and return it. otherwise, it will return 'ERROR: ' and an error message saying what went wrong (most likely one of the required fields not specified).

validate.cgi

call it like:

validate.cgi?user_id=username;service=servicename;session_id=4ppajt6zqjyhoidg

returns 'ok' if the session_id matches the one in the database for that user_id,service(,session_name). otherwise returns 'invalid: ' and an error message.

expire_session.cgi

call it like:

expire_session.cgi?user_id=username;service=servicename

expires the session for that user_id,service(,session_name)
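the three calls described above, modelled in memory as an added example (not the Session Manager's own code). the names handle, SESSIONS and new_session_id are hypothetical, and the id generation, the constant-time comparison and the reply from expire_session.cgi are assumptions, since the page does not specify them:

```python
import hmac
import secrets
import string
from urllib.parse import parse_qs

ALPHABET = string.ascii_lowercase + string.digits
SESSIONS = {}  # (user_id, service, session_name) -> session_id; stands in for the database


def _params(query_string):
    # The page's URLs separate fields with ';', so tell the parser explicitly.
    fields = parse_qs(query_string, separator=";")
    return {name: values[0] for name, values in fields.items()}


def _key(p):
    missing = [f for f in ("user_id", "service") if not p.get(f)]
    if missing:
        raise ValueError("missing required field: " + ", ".join(missing))
    return (p["user_id"], p["service"], p.get("session_name", ""))


def new_session_id():
    # 14 to 16 alphanumeric characters from the OS CSPRNG (assumption: the
    # page does not say how the real scripts generate the id).
    length = 14 + secrets.randbelow(3)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def handle(script, query_string):
    p = _params(query_string)
    try:
        key = _key(p)
    except ValueError as exc:
        prefix = "invalid: " if script == "validate.cgi" else "ERROR: "
        return prefix + str(exc)
    if script == "add_session.cgi":
        SESSIONS[key] = new_session_id()
        return SESSIONS[key]
    if script == "validate.cgi":
        stored = SESSIONS.get(key, "")
        supplied = p.get("session_id", "")
        # Constant-time comparison so response timing does not leak a prefix match.
        if stored and hmac.compare_digest(stored.encode(), supplied.encode()):
            return "ok"
        return "invalid: session_id does not match"
    if script == "expire_session.cgi":
        SESSIONS.pop(key, None)
        return "ok"  # assumed reply; the page does not say what this script returns
    return "ERROR: unknown script"
```
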

Session Manager (last edited 2007-02-22 18:43:22 by AndersPearson)