XQuery Function Documentation

login:set-user

login:set-user($domain as xs:string, $maxAge as xs:dayTimeDuration?, $asDba as xs:boolean, $onLogin as function(*)) as empty-sequence()

Same as login:set-user#4 but with $path set to the default (the context path is used).

Parameters:
$domain $domain
$maxAge? $maxAge?
$asDba $asDba
$onLogin $onLogin
Returns:
empty-sequence()

login:set-user

login:set-user($domain as xs:string, $path as xs:string?, $maxAge as xs:dayTimeDuration?, $asDba as xs:boolean, $onLogin as function(*)) as empty-sequence()

Main entry point into the login module. Checks request parameters to determine the action to take. If a parameter "user" is given, try to authenticate this user with the password specified in parameter "password". If there's a parameter "logout", clear the current user credentials. Without a parameter: check if a user is registered with the persistent login module.

The persistent login module implements a one-time login token approach as described in "Improved Persistent Login Cookie Best Practice" (http://jaspan.com/improved_persistent_login_cookie_best_practice) and implemented in Spring Security (https://github.com/SpringSource/spring-security). This approach makes it more difficult for attackers to steal a cookie, though users should be aware that persistent logins will never be completely secure.

A cookie is generated with a unique token upon successful login, which can be used for the next login without requiring credentials. The token is only valid for a single login though and is deleted afterwards. This means a new cookie is set by each request. For the next request, the browser has to send the cookie returned by the previous request. If it does not, we assume the cookie has been stolen and the session is invalidated. Requests thus have to be sent in sequence, which requires particular attention when using AJAX.

An expiration date can be set when the user logs in through request parameter "duration". The specified value has to be a valid instance of xs:dayTimeDuration. If no parameter is present, the method will use the value of $maxAge. If no expiration date was set ($maxAge is empty), the function will fall back to the default session-based logins, which will time out depending on webserver settings.

After evaluation of the function, the logged in user name will be available in request attribute $domain.user. If the user could not be logged in, this attribute will be empty. You can use this to check if the function was successful or not.

Parameters:
$domain arbitrary string to be used for the name of the cookie
$path? the path for which the cookie will be valid (e.g. /exist by default)
$maxAge? default max duration for the session. User will need to re-login afterwards. Can be overwritten by request parameter "duration".
$asDba if true, require the user to be a member of the dba administrators group
$onLogin $onLogin
Returns:
empty-sequence()
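
The one-time token rotation described for login:set-user#5 above, and why parallel AJAX requests trip the theft check, modelled as an added example in Python. This is not the login module's own code: the class, method names and in-memory store are hypothetical, and it assumes the expiry chosen at login is carried over on every rotation.

```python
import secrets
from datetime import datetime, timedelta, timezone

class PersistentLogins:
    """In-memory model of one-time login tokens (illustrative only)."""
    def __init__(self):
        self._current = {}  # live token -> (user, expiry)
        self._spent = {}    # already exchanged token -> user

    def login(self, user, max_age, now):
        """Call after the password check succeeded; returns the cookie value."""
        return self._issue(user, now + max_age)

    def _issue(self, user, expiry):
        token = secrets.token_urlsafe(32)
        self._current[token] = (user, expiry)
        return token

    def request(self, token, now):
        """Returns (user, next_cookie); (None, None) if not authenticated."""
        if token in self._spent:
            # A token that was already exchanged shows up again: treat the
            # cookie as stolen and drop every token held for that user.
            self.invalidate(self._spent[token])
            return None, None
        user, expiry = self._current.pop(token, (None, None))
        if user is None or now >= expiry:
            return None, None
        self._spent[token] = user          # remember it to recognise replays
        return user, self._issue(user, expiry)

    def invalidate(self, user):
        self._current = {t: e for t, e in self._current.items() if e[0] != user}
        self._spent = {t: u for t, u in self._spent.items() if u != user}

def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    store = PersistentLogins()
    c0 = store.login("alice", timedelta(days=7), now)
    u1, c1 = store.request(c0, now)   # sequential requests rotate the cookie
    u2, c2 = store.request(c1, now)
    # Two AJAX calls fired in parallel both carry c2.
    first = store.request(c2, now)    # accepted, hands out a fresh cookie
    second = store.request(c2, now)   # replay of c2: session invalidated
    after = store.request(first[1], now)  # the fresh cookie is dead as well
    return u1, u2, first[0], second[0], after[0]
```

A client that serialises its requests and always sends the most recently received cookie never reaches the replay branch.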