Generate a WorldClient SessionID

If you run an intranet and want to integrate WorldClient, if you have access to your user’s email addresses and passwords, then this post is for you.

What you’ll need to do is create an web server script (ASP, JSP, Perl or PHP, or other language of your choice) that gathers the user’s username and password from the Database and then posts them to the WorldClient server as if it were ComAgent. The URL to do this is:

http://www.example.com/WorldClient.dll?View=StatusCheck&GetSession=Yes&user=Username&Password=password

This will put the username and password in the log, so if you don’t want to have that liability, you’ll need to create some sort of ASP (or your scripting language) function that POSTs the Username and Password rather then using GET.

The result will return an XML file that will have the SessionID. Parse the XML file for the SessionID, then use that in a URL that looks like this for the redirect:

http://www.example.com/WorldClient.dll?Session=SessionID&View=Main&Frames=Yes

Hope this helps!

CC BY-NC-ND 4.0 Generate a WorldClient SessionID by Dave Warren (everything-mdaemon.com) is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

14 thoughts on “Generate a WorldClient SessionID

  1. I believe that the password should be replaced with XXXXXXX in the log file. If not, its a bug and should be fixed.

  2. True — If you use WorldClient’s web server, the password is not logged.

    However, if you use IIS/Apache, or there are proxy servers involved, the password still may get logged.

  3. >>The result will return an XML file that will have >>the SessionID. Parse the XML file for the >>SessionID.

    how can I read the resulting XML? is it located in some folder on server??

  4. When you POST the request to Worldclient via HTTP (or HTTPS), the resulting XML is returned in the HTTP request.

    It is not saved to disk anywhere, your script will have to capture the results.

  5. I’m looking at using the POST method, or GET as a second resort. Does anyone know if you attempt to login via GET/POST and fail, does that count as a strike against the user in terms of login attempts and lockouts? So after say three logins they would be locked out of worldclient/mdaemon. This might be an issue if there is a possibility of outdated passwords or passwords that are not centralized in a single sign-on. I want to log them in to their mail automatically from a separate program with a browser.

  6. It looks like MDaemon 10.0.4 Pro is not returning well-formed XML. Here is a sample of what I’m getting returned (edited to protect the innocent):
    ============================================================
    <caversion>10.0.4 Pro</caversion>
    <session-info>
    <session>ABCDEFG</session>
    <email>username@mail.example.com</email>
    <name>User Name</name>
    <instantmessaging>enabled</instantmessaging>
    <modifyglobalcontacts>disabled</modifyglobalcontacts>
    <calendar>enabled</calendar>
    <groupwareenabled>enabled</groupwareenabled>
    <groupwareuser>disabled</groupwareuser>
    </session-info>
    ============================================================

    I got around the problem by wrapping the returned XML in a root element which I named MDaemon but that’s klutzy. It would be better if MDaemon itself returned well-formed XML.

  7. I am able to do all this and login. However when I try to hit the logout page with a GET like I see in their HTML logout button http:/yourserver/WorldClient.dll?Session=XXXXXXX&View=Logout I get the correct page, but the session is staying active, I can refresh an open page such as the inbox for that session and it is still live. I need to be able to ensure a logout. Does anyone have a clue what could be happening?
    I am using WebRequest and WebResponse in ASP.net.

    thanks in advance

  8. I have noticed that once this is done and you obtain a session. The session will time out and end the session. Is there a way to keep the session alive in the background if the user does not visit the worldclient page with that sessionid. Must we imitate the occasional visit or is there a simple post to do this?

  9. I’m wondering if there’s a way to retrieve the unread message count via this, or any other method. Is there a documented API for WorldClient?

  10. I would like to ask is there a best way to “store” user passwords: flat file, LDAP database or maybe AD? witch of these you use.

    maybe some example of working solution… I would like to run “SS-O” with WorldClient on Windows clients.

  11. Hi, is there a way to bind this to the clients ip address? I am running a server side script to fetch a new sessionID, but it is bound to the servers ip and the client is denied when they try to use it.

    I prefer not to use a client side script to fetch the sessionID since it will expose passwords.

  12. Dear Team,
    I am a PHP developer and want to know how to import outlook contacts from database using PHP .

    Regards
    Ashutosh Rawat

  13. Your best bet would be to use the CalDAV, or look at MDaemon’s own API to see if it meets your needs. I haven’t kept up on the latest API to know if it has the right data-level access you’ll need.

    Also, why did you make up a URL? Why not just leave it blank?

Leave a Reply

Your email address will not be published. Required fields are marked *

*