TIWSecurityOptions

Option class owned by ServerController. Contains several options that allows user to turn on/off IntraWeb security features

Unit

IWServerControllerBase

Class hierarchy

TPersistent -> TIWSecurityOptions

Methods

Create

   [Public]

Declaration:

constructor Create; 

Description: Constructs an instance of the class TIWSecurityOptions and initializes its data. Users should seldom need to create other instances of TIWSecurityOptions


Assign

   [Public]

Declaration:

procedure Assign(ASource: TPersistent); override; 

Description: Copies properties values from another TIWSecurityOptions instance.

Parameters:

  • ASource (TPersistent): Source TIWSecurityOptions instance

Properties

CheckSameIP: Boolean

   [Public, Read/Write]

When True, IntraWeb will check if all requests addressed to a single session originated from the same IP. If a different IP is detected, the request will be blocked and IntraWeb will respond with an error message. In general you should consider leaving this unchecked (False). Some routers and even ISP can forward two different requests originating from the same origin and addressed to the same target, from two different routes or IPs. You should only set this to True when you are absolutely sure that this won’t affect your users (e.g. Intranets).

CheckSameUA: Boolean

   [Public, Read/Write]

When True, IntraWeb will check if all requests addressed to a single session originated from the same browser, i.e. they both have the same user agent string. If a different UA is detected, the request will be blocked and IntraWeb will respond with an error message. In general you should consider leaving this checked (True).

CheckFormId: Boolean

   [Public, Read/Write]

When True, IntraWeb will add an additional hidden field (FormId) which is a random 128-bit value. Each form instance has its unique Id (i.e. two instances of the same form class have different id’s). IntraWeb will check this value before rendering (GET) or executing any action/updating any content during a POST request. This prevents several different potential attacks like Cross Site Request Forgery, or CSRF.

RandomTempFileNames: Boolean

   [Public, Read/Write]

When True (Default), IntraWeb will generate truly random temp file names. When false, IntraWeb uses a sequential numbered file names.

PreventDoubleSubmission: Boolean

   [Public, Read/Write]

When True (Default), IntraWeb will check the contents of POST request and it will prevent double submission, i.e. a successive POST request containing the exact same values will be ignored. Please note that only two consecutive requests can be considered for this analysis. When a double submission is detected, IntraWeb will ignore the content and will just render the page again.

ShowSecurityErrorDetails: Boolean

   [Public, Read/Write]

When True (Default), all error messages will contain error details. Please note that sensitive content (like local paths) will never be shown to the end user when IntraWeb detects that the user is using a remote address, regardless of this option.