
LSRC2: Session Key Validity

3 years 4 months ago #99885 by Anurag01
While calling any method from the RemoteControl 2 API, a session key is required. The get_session_key method returns such a key, given appropriate LimeSurvey credentials are passed.

My question is -- for how long is this session key valid? Is it safe to store the retrieved session key in a static variable (in, say, an ASP.NET app) for the life of the application/website? If not, what's the recommended usage of session keys, and how frequently should they be retrieved again?


3 years 4 months ago #99889 by kobaltz
I had a similar issue on my Ruby on Rails application.

Initially, I created the session key at the beginning of the web application start. Whenever the web application was restarted, it would naturally generate a new session key.

However, I found that anywhere between 12 and 24 hours, the session key would expire and no longer pull from the RC2 API.

My workaround for this was a blend of self caching and expiring of the session key. I made an application helper method called lime_survey_session_key. Whenever I called the LimeSurvey API, I would reference this helper method as my session key. I let Ruby on Rails handle the expiration of the session key. So, whenever lime_survey_session_key is called, it will first try to pull from the Linux memcache. If Ruby on Rails sees that the cache was stale (meaning greater than 2 hours), it would reset the cache and generate a new session key. This way, I'm not calling the session key API on every request to LimeSurvey. All in all, this method works great for me since the amount of memory required to store a session key on the server side is extremely small.

    helper_method :lime_survey_session_key

    # Return the cached session key, requesting a new one once the entry is older than 2 hours.
    def lime_survey_session_key
      Rails.cache.fetch('lime_survey_session_key', expires_in: 2.hours) do
        LIMESURVEY_API.get_session_key(LIMESURVEY_USERNAME, LIMESURVEY_PASSWORD)
      end
    end

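An added example, not code from either poster or from LimeSurvey: a framework-free version of the expiring cache described above that also renews the key when the server rejects it before the local TTL lapses. The class names, the `FakeRc2` stand-in and the rejection shape (a hash whose `status` is `Invalid session key`) are assumptions made for illustration.

```ruby
require 'monitor'

# Caches a RemoteControl 2 session key; renews it when the local TTL lapses or
# the server rejects it. `client` only needs get_session_key(user, password).
class SessionKeyCache
  INVALID = 'Invalid session key' # assumed rejection status text

  def initialize(client, user, password, ttl: 2 * 60 * 60, clock: -> { Time.now.to_f })
    @client, @user, @password = client, user, password
    @ttl, @clock = ttl, clock
    @lock = Monitor.new
    @key = @fetched_at = nil
  end

  # Return the cached key, fetching a new one if none is cached or it is stale.
  def key
    @lock.synchronize do
      renew! if @key.nil? || @clock.call - @fetched_at >= @ttl
      @key
    end
  end

  # Run an API call with the key; on a server-side rejection renew and retry once.
  def with_key
    result = yield key
    return result unless rejected?(result)
    @lock.synchronize { renew! }
    yield key
  end

  private

  def renew!
    @key = @client.get_session_key(@user, @password)
    @fetched_at = @clock.call
  end

  def rejected?(result)
    result.is_a?(Hash) && result['status'] == INVALID
  end
end

# Constructed stand-in for the remote API, used only to exercise the cache.
class FakeRc2
  attr_reader :issued
  def initialize; @issued = 0; @valid = nil; end
  def get_session_key(_user, _password); @issued += 1; @valid = "key-#{@issued}"; end
  def expire!; @valid = nil; end
  def list_surveys(key); key == @valid ? ['survey'] : { 'status' => INVALID_STATUS }; end
  INVALID_STATUS = 'Invalid session key'
end
```

The retry is limited to one attempt so that bad credentials surface as an error instead of a loop of login requests.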
