Session & Authentication

liseli edited this page Feb 19, 2026 · 1 revision

Session Lifecycle

  1. Session Creation:

    • User visits site
    • No cookie exists
    • DSession::__construct() generates UUID
    • Session record created in MySQL
    • Cookie set: htcatalog=UUID.TIMESTAMP.HASH
  2. Session Persistence:

    • User makes subsequent requests
    • Cookie sent with request
    • DSession::__construct() reads cookie
    • Session data loaded from MySQL
    • Session extended (expires updated)
  3. Session Data Storage:

    $session->set('country', 'US');      // Store
    $country = $session->get('country'); // Retrieve
    $session->delete('country');         // Remove
  4. Session Destruction:

    $session->kill(); // Deletes cookie and DB record
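
The cookie check implied by the lifecycle above, as an added PHP example that is not DSession's own code. It assumes HASH is a hex HMAC-SHA256 over UUID.TIMESTAMP under a server-side key and that TIMESTAMP bounds the cookie's age; the function names, key, age limit and sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the page does not document how DSession computes HASH.
// Assumption: HASH = hex HMAC-SHA256 over "UUID.TIMESTAMP" with a server-side key.
function sign_session_cookie(string $uuid, int $timestamp, string $key): string
{
    $payload = $uuid . '.' . $timestamp;
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the session UUID if the cookie is well-formed, authentic and fresh, else null.
function verify_session_cookie(string $cookie, string $key, int $maxAge, int $now): ?string
{
    $uuidRe = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}';
    // Strict shape check first, so malformed input never reaches the DB lookup.
    if (!preg_match('/\A(' . $uuidRe . ')\.(\d{1,10})\.([0-9a-f]{64})\z/', $cookie, $m)) {
        return null;
    }
    [, $uuid, $ts, $mac] = $m;
    $expected = hash_hmac('sha256', $uuid . '.' . $ts, $key);
    // hash_equals() compares in constant time; == or === would leak timing.
    if (!hash_equals($expected, $mac)) {
        return null; // UUID or timestamp was altered, or HASH was forged
    }
    $age = $now - (int) $ts;
    if ($age < 0 || $age > $maxAge) {
        return null; // future-dated or older than the allowed lifetime
    }
    return $uuid; // safe to use as the key for the MySQL session record
}

// Constructed sample values (not real session identifiers).
$key  = random_bytes(32);
$now  = 1771459200;
$uuid = '3f2b8c1e-9a4d-4e7b-8f10-2c6d5a7b9e01';

$samples = [
    'valid'     => sign_session_cookie($uuid, $now - 60, $key),
    'stale'     => sign_session_cookie($uuid, $now - 90000, $key),
    'malformed' => 'not-a-session-cookie',
];
// Swap in another UUID but keep the original HASH: the HMAC no longer matches.
$samples['tampered'] = str_replace($uuid, '00000000-0000-4000-8000-000000000000', $samples['valid']);

foreach ($samples as $label => $cookie) {
    $result = verify_session_cookie($cookie, $key, 86400, $now);
    echo $label, ': ', $result === null ? 'rejected' : 'accepted ' . $result, PHP_EOL;
}
```

In a request handler the input would be `$_COOKIE['htcatalog']`, and a rejected cookie is handled like the "No cookie exists" case in step 1.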

Authentication System

Two-Level Authentication:

  1. Application-Level (VFSession)

    • Managed by catalog application
    • Stores preferences, search history
    • Cookie: htcatalog
  2. HathiTrust-Level (HTStatus)

    • Managed by Shibboleth SSO
    • Stores institutional affiliation, access rights
    • Cookie: HTstatus
    • Separate authentication system (not managed by catalog)
