I'm updating a custom TYPO3 plugin from TYPO3 v10 to v11.
When a new user arrives, a record is set in the fe_sessions table, so clearly a new session is being created. In TYPO3 v10, even if the user us not logged in, I could access that session id via:
$sessionId = $GLOBALS['TSFE']->fe_user->user['ses_id'];
Does anyone have any suggestions as to how to do this in v11 please? I've not found anything in the documentation or web searches that quite fits the bill. The TYPO3\CMS\Core\Session\UserSessionManager looks promising, but you need to create a new userSession object with the userSessionManager to be able to access the sessionId. However all of the userSessionManager methods bar one to create the UserSession object require the session id as a parameter (circular trap). The only method that doesn't ask for a sessionId create a new anonymous session, which doesn't match the id in the fe_sessions table.
And since I want to access the sessionId on one page and re-access it on another as part of security check, any method that creates a new sessionId in order to view it won't work.
What am I missing? Many thanks in advance.
The user information has been moved in TYPO3 v11 to the context and can be accessed with $context->getPropertyFromAspect('frontend.user', '...');
see the manual
Sessions have an own UserSessionMangager and API
Related
Passport by default allows the same user to login from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second session?
Currently I'm using the 'Sessions' model to add the username to the record and upon subsequent login check by username if the sessions exists. But this increases traffic to the db. I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas around how to achieve tweak with express for this purpose or any other workaround/suggestion.
Much thanks!
I saw that at least 4 users upvote this question, so I decided to create passport-strategy for that. The new strategy called passport-one-session-per-user. It's open source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user
How to use it? add it right after session. For example:
app.use(passport.session())
var passportOneSessionPerUser=require('passport-one-session-per-user')
passport.use(new passportOneSessionPerUser())
app.use(passport.authenticate('passport-one-session-per-user'))
Not need for settings, or configuration.
How it is works?
The strategy, created an array that contain serializaed user objects, and sessionID.
Every time user logged in, the strategy check if the user already logged in. If so, it's flag the other session. The next time the user in the other session make a request, the strategy see the flag, and log the user out.
I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified.
I believe the session model loggs the user in, and saves only that logged-in-ness in the session cookie. The server itself has no clue about who is logged in, but just checks this state in the (signed) session cookie provided by the browser.
You can write your own Passport.js strategy to handle it differently.
The question pretty much says all. I have been looking at the web2py book where it says about session. But I just cant figure out how to use sessions from Auth table. I am trying to make a session for Email ID from the default Auth table where I can register and login.
Any help regarding this is much appreciated.
If the user is logged in, then the db.auth_user record is available in auth.user (assuming you have named your Auth object "auth"). So, in the layout view, you could have something like:
{{if auth.user:}}Welcome {{=auth.user.email}}{{pass}}
Note, the auth.user record is also stored in the session (so it doesn't have to be retrieved from the database on every request). So, auth.user == session.auth.user.
Now the user have many roles in his privilege, I shall allow him click href and play as another role in a new window. each role has its own session.
Since the browser open window can not open with new session, I must find a way in server side.
But request doesn't support request.createSession or request.setSession(new Session()), how can i seprate a new session for this use case?
You can create a new session by HttpSession#invalidate old one but you can not retain the old one. May the following points help you
You've mentioned that each role has its own session
When user clicks a role, invalidate current session (also role) and new session would be created
Provide a link to go back his previous role if necessary
If he go backs to previous role, repeat step 2.
You have no support from tomcat. You have to this yourself.
The next strategy will NOT work on clustered tomcat. No guarantees here.
to change to a new session
Walk the session attributes via getAttributeNames() and getAttribute(String) Adding them all to a HashMap.
Serialize the HashMap into a tempfile or a static concurrent map as something you can access latter. Also store the current HttpServletRequest.getRequestURL() for latter redirection. You have to serialize.
Walk the session attributes again and removeAttribute(String) them all.
Add the key to access the file or concurrent map to the session.
Redirect the user to a login page or add synthetically all authorizations needed to the session.
to revert to old session
Check if the user has a key to access the old session. If he or she does, de-serialize the HashMap.
If the de-serialization works, walk the session and removeAttribute(String) everything
Walk the HashMap and setAttribute(String, Object) on the session.
Redirect the user to the URL stored somehow on step 2.
I'm too lazy to write the code and test it myself but I think this will work.
I'm assisting another developer with adding a link to a page in a product called Lawson that we use in-house. I need to pass the authenticated user's employee ID to an HTML page we're bolting on. I'm still looking at existing pages on the server, but thought I'd ask: does anyone know how the Javascript object that represents the authenticated user works? It looks like something server-side must be dynamically creating a Javascript object that has useful properties. It is usually called 'AuthUser'. I want to add the necessary JS references to my new page to support this object and access its properties. Does anyone have any experience with that? Thanks!
If you are in a portal session, you can access this in javascript through attributes of portalWnd.oUserProfile:
alert(portalWnd.oUserProfile.getAttribute("id"))
This will give you the logged in user's short username. Many other attributes are available. To see a complete list, log into a portal session and then replace the URL with:
http://YOURPORTALSERVER/servlet/Profile
I'm not sure what you mean by "bolting on", but if you want to pass an attribute to an external page launched from a Portal session, you could create a user shortcut via Portal preferences using something like:
javascript:window.open("http://yourserver/yourpage.html?user=" + portalWnd.oUserProfile.getAttribute("id"))
as the target and process in yourpage.html like a normal GET method form.
If you are still puzzling over this all these months later, provide some specifics if you need more guidance.
I just started an MVC 3 project using Forms Authentication. I have a web project (mvc project), and a data project. The data project handles all database interactions.
I need to store the current user id in my database on every insert and update.
Here's what I am doing right now. I feel like this has to be a common scenario. Can anyone shed some light on a better way to do this?
On LogIn or Register, I grab my current user record (by username) from the database and store the user id in session.
When saving a record within my data project, I refer to the httpcontext (if it exists) and use the user id that is stored in session.
This works for all but one scenario. It fails when a user has a valid cookie saved, and so they are allowed to bypass the login/register action. When this happens, obviuosly, my session variable for userId is null. My next step would be to create a base controller and imlement OnAuthorizeStarting to check if my Session variable is null or not. This feels kludgy, and I'm hoping there is a better way.
I do not want to have to pass the user Id to the data project as a parameter on every Save call.
Anyone have some brilliance? thanks.
The UserID is available via membership. So, something like this:
Membership.GetUser(HttpContext.User.Current.UserName).ProviderUserKey
The IPrincipal (HttpContext.user.Current) is created when the user is authenticated against the forms authentication cookie. You just pull up the user id from the Membership whenever you need it.
If you don't like accessing Membership every time then you can always create a static helper class that wraps your UserID session call. If it's null, it goes out to the membership provider, gets it, then stores it in the session.. on later accesses it just retrieves the session variable.