I want to track whether a user is online or offline with session method, but for some reason I'm using the "file" driver and the lifetime value, but I want to create a session that exactly when the user leaves my site, That session remove. (when all the tabs related to my site are closed in the browser) But the configs of other sessions do not change.
I would be grateful if anyone could help me.
Related
In CakePHP a the Session times out it, not unreasonably, trashes any custom data in the stored Session.
However it also sets up an Auth.redirect so after the user has been forced back to the login screen and completes the login, they are then (by default) redirected back to the page they were on before the session expired. This is problematic if that page relies on some of the custom data that was stored in the Session but is now no longer available.
My simple solution has been to force the user back to the home page for authenticated users by deleting the Auth.session key in the Session. But this isn't a particularly desirable behaviour. It would be preferable if I could return the user to the place they were before the Session timed out.
Nevertheless, I like the idea of a user having to re-authenticate if they abandon their Session for too long.
So, what seems to be needed is for CakePHP to require a re-authentication of the user but to not actually expire the underlying Session and this leads to a couple of questions:
Is there any way to have CakePHP require a re-authentication of the Session, as described, without timing out the session (i.e. setting a long timeout on the Session)?
Is there actually a better way to store the information required for page transitions (e.g. the ID of the parent record for a given model so that saveAssociated can be used) other than to store these in the Session?
Thank you for any guidance.
Passport by default allows the same user to login from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second session?
Currently I'm using the 'Sessions' model to add the username to the record and upon subsequent login check by username if the sessions exists. But this increases traffic to the db. I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas around how to achieve tweak with express for this purpose or any other workaround/suggestion.
Much thanks!
I saw that at least 4 users upvote this question, so I decided to create passport-strategy for that. The new strategy called passport-one-session-per-user. It's open source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user
How to use it? add it right after session. For example:
app.use(passport.session())
var passportOneSessionPerUser=require('passport-one-session-per-user')
passport.use(new passportOneSessionPerUser())
app.use(passport.authenticate('passport-one-session-per-user'))
Not need for settings, or configuration.
How it is works?
The strategy, created an array that contain serializaed user objects, and sessionID.
Every time user logged in, the strategy check if the user already logged in. If so, it's flag the other session. The next time the user in the other session make a request, the strategy see the flag, and log the user out.
I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified.
I believe the session model loggs the user in, and saves only that logged-in-ness in the session cookie. The server itself has no clue about who is logged in, but just checks this state in the (signed) session cookie provided by the browser.
You can write your own Passport.js strategy to handle it differently.
I am stuck with a session handling problem for past few days.
I am working on an application where an user logs into his account and can register there details or change them. How to manage sessions in this case. I mean how can i access the attribute of a session in different action classes?
Also when i click on log out and after that i press the back button given in the browser it goes back to the previous page and user can change their details which should not happen. Please help !!
The back button "issue" is because you have not disabled page caching.
Sessions data is available in actions via the SessionAware interface.
Sessions are per-user (more or less, actually per-conversation, and how that's implemented varies somewhat across browser versions), not sure what you mean regarding concurrent users.
I was wondering if it ever would make sense to have two concurrent sessions in the same browser? There could be two types of cases with this:
1) A user opens a browser window and logs in as user A, starting session 1. Then he opens another browser window (in the same browser) where he logs in as user A, but starts a different session, session 2.
I know that this is often not possible in many browsers, as one session cookie is set for the entire browser. However, in some browsers, it is possible to have multiple sessions in that manner.
2) This is similar to 1, except that the second time the user logs in, he logs in as user B, starting session 2. So now you have a person logged in as two users in the same browser.
Finally, allowing these things doesn't seem like the best security practice and neither does it seem to be practical. What do others think?
First thing First as the your Assumption is wrong. First of all you have to understand that when Single website is accessed from browser have single session and its not possible to simultaneously run different session of same web Browser.
It seems you have wrongly understand the working of Private Browser. Private Session are not made not to share information cookies and data with other public session and vise versa also. As soon as you close the Private Session all the Cache, Cookie and other things are deleted for forever.
I have not seen any web browser supporting the Multiple session of browser.
But an alternative approach is available i.e you have to create different Web Browser Profiles which can help you as each Profile data is maintained separately and have no conflict with other sessions.
One possible scenario currently I am facing requires allowing multiple user sessions from the same browser and I have not been able to find a proper solution for it yet.
We are using Yii framework. Currently we have two kinds of users i.e customers and admins. Both login from the same login form and use same session name and variables to store session information. Only based on type column in user table(customer or admin), the user is taken to appropriate views. In one of admin views(pages), there is an option for admin to log in as any of the users and propagate through the user's view in an iframe. The problem is that when the admin open two tabs and logs in as two different users, the session information of one overwrites the other and we start getting session related issues.
Can anyone suggest me a proper way to handle these kind of issues. I have searched a lot on trying to handle this with multiple sessions, but have not been able to find a proper solution yet.
There's nothing to "provide support for" here. One browser cannot hold more than one session, since it only holds one unique cookie per site, regardless of window. If a browser actually has a mode in which it supports holding two separate identical cookies per site, then it's the same as if the user logged on from another browser or another machine. That certainly should work; i.e. you should not try to subvert that behavior. A double session inside the same browser is then just a specific instance of this multi-session behavior, nothing special.
I am using joomla 1.5.My login is with standar joomla module , I am having the request to automatically logoff users once thy close their browser, I dont know how Joomla handles the session or if is there any trick I can do to make this.. Thanks in advance
You could turn off cookies, I suppose - Check the Global Configuration.
For anyone else looking at this.
You can't clear a session when somebody closes the browser as the server doesn't know this has happened and the session data is stored on the server.
You can't disable cookies as then no one would be able to log in.
In global configuration you can set the session lifetime value to something like 15 minutes and if there is no activity in that period of time the user is automatically logged out.