TM1Web logout

[iansdigby]

Morning all. Or evening/afternoon.

Am having great fun exploring the TM1Web URL API and have been able to create some excellent results. One thing is scuppering me though and that is logging out of browser sessions with the 'logout' Action parameter.

Here's the scenario (I know a similar one has cropped up at least once before on the Forum but there was no resolution to it): http://www.tm1forum.com/viewtopic.php?f ... web+logout

I have a series of hyperlinks in an Excel workbook that call Cube Viewer sessions using the API. I send their login credentials via the 'login' parameter. This logs users in seamlessly without them having to supply their logins/passwords. However, I now have sessions that need to be logged out of. The API provides for this with a 'logout' parameter but I am struggling as to how to invoke this. If I manually type the API call into the address bar of the session, nothing happens, i.e. the user is not logged out. I understand that TM1Web uses cookies to monitor who owns what session so I have left cookies enables in the web.config file.

Does anyone have any insight/wisdom/knowledge they would care to impart on this issue? I would be most grateful for anything.

Regards, Ian Digby

[rmackenzie]

The following solution is similar to the one I proposed on the other thread except its based on trapping an Excel event rather than a browser event. When the user goes to close the workbook it will search for Internet Explorer pages that have TM1 Web content for a particular server (that you specify) and then logs out those pages. Just paste the code into the ThisWorkbook VBA module and off you go.

Some testing notes -
* it uses IE automation so I've no idea if this works in Chrome, Firefox, etc. It worked for me on IE8 where I called the test page from a hyperlink
* sometimes an error is thrown on retrieving the inner HTML so I've coded around that with the On Error Resume Next, there maybe some other errors I've not encountered that may hinder you

So, no warranty is expressed or implied

HTH
Robin

PS I'd be very interested to hear from any other VBA hackers as to whether this could be achieved by using a HTTP request, rather than IE automation...

Code: Select all

Private Sub Workbook_BeforeClose(Cancel As Boolean)
    LogOffTM1Web "YOUR_TM1_WEB_SERVER_NAME_GOES_HERE"
End Sub

Sub LogOffTM1Web(ByRef strServerName As String)

    Dim strLogoutUrl As String, strHtml As String
    Dim blnMatch1 As Boolean, blnMatch2 As Boolean
    Dim objShell As Object, objInternetExplorer As Object
    
    strLogoutUrl = "http://" & strServerName & "/tm1web/tm1webmain.aspx?action=logout"
    
    'get reference to all IE windows
    'and send logout where a match exists on servername and tm1webmain.aspx
    Set objShell = CreateObject("Shell.Application")
    For Each objInternetExplorer In objShell.Windows
        On Error Resume Next
        strHtml = objInternetExplorer.Document.Body.InnerHtml
        blnMatch1 = InStr(1, strHtml, strServerName, vbBinaryCompare) > 0
        blnMatch2 = InStr(1, strHtml, "TM1WebMain.aspx", vbBinaryCompare) > 0
        If blnMatch1 And blnMatch2 Then
            objInternetExplorer.Navigate strLogoutUrl
        End If
    Next
    
    Set objInternetExplorer = Nothing
    Set objShell = Nothing
    
End Sub


Sub Test()
    LogOffTM1Web "YOUR_TM1_WEB_SERVER_NAME_GOES_HERE"
End Sub

[iansdigby]

rmackenzie,

This is really helpful and inventive, using the IE document properties to locate TM1-related info and then logging out of those browser sessions. However it didn't work for me, perhaps because of a bug in TM1Web.

One of the IE document properties is 'cookie'. TM1 apparently dumps a cookie on the client PC to identify the user session. Bafflingly, however, TM1 appears to have stamped this cookie with a different username than the one I supplied in the querystring that launched the web page. So I wonder if there is a 'latent' cookie on my system that TM1 has inadvertently picked up; or maybe there is something in my system that prevents the username being over-written in the cookie...

Anyway this cookie bug prevents your VBA from logging out of the session, because it incorrectly identifies the session user. I still end up with multiple sessions open. We are working around it by setting a 5-minute session timeout in web.config. This gets rid of user sessions under all usernames.

I feel some studying of web programming coming on.

Regards, Ian

[rmackenzie]

That's a pity. It was working for me logging in as 'Admin' although I wasn't passing the credentials through the URL. I was clicking the hyperlink to call the test page and allowing TM1 Web to show the pop-up login box and capture the login details that way. I'm not sure if that would make a difference in your system? I am not keen on using the login method of the URL API because you are required to supply the password as cleartext which would seem to me to be a gaping hole in the system security.

[iansdigby]

Yes, you are right of course that it's a security issue. I thought that since it's all happening within our intranet with its good firewall systems (we do supply the military among others and have to meet very stringent requirements), that the risk was not so great.

Anyway, I did wonder if it would be better to do what you suggest and use the TM1 login pop-up. That way the session ID might get registered correctly in the cookie at least.

Thanks for your ongoing interest in this. Out of interest I have been in touch with one Harvey Withington of Flow OLAP who apparently was involved in writing TM1Web and if he is able to shed any light on this I will post it here.