Laravel Auth::check() is non responding for timed out session - laravel

I have tried to use Auth::check() to authenticate if the user is logged in. It works, but it still works even when the session has expired, which I did not expect.
Please, how can I check if the session has expired inside the view file and redirect to the login page? It is making some session-based items produce errors in my page.
I prefer running the check in the view to execute the redirect command.
Thanks

Related

Laravel 9 session expire

Using Laravel 9 with Breeze (Auth Scaffolding) to make an admin panel. Throughout my views, I have a
auth()->user()->name
call that returns the name of the logged in user and works as it should.
Problem is - If I leave the page sitting for a while and the session expires, it doesn't route me to login, it gives me the following error:
Attempt to read property "username" on null
Am I missing something? My routes are all wrapped in middleware => auth group.
After this happens, I manually type logout in the URL, which logs me out and returns a login page, BUT I always have to log in twice. The first login does nothing: no error, no message.

Using session to reach previous page after login in laravel

I am using Laravel 5.7. For security reasons, I set my Laravel application to automatically log out after one hour of inactivity. But I want the user to log back in to the same page they were on before they got kicked out by the system. I tried to use Session, but it only stores the previous URL, which is the login page URL. How can I retrieve that URL before the user gets automatically logged out?
All you need to do is put this in your logout function.
session(['returnUrl' => url()->previous()]);
And then, in the login function, redirect the user to session('returnUrl') and delete the session data with session()->forget('returnUrl').
Use this in your login controller:
url()->previous()

How can I logout another user in Yii2

I need to be able to logout other users. I tried the following:
Yii::$app->getSession()->destroySession($sessionId)
I do this for every sessionId connected to this user.
I tried changing the authKey (with enableAutoLogin set to true).
Setting enableAutoLogin to false doesn't help.
The session is deleted in the database, but as soon as that user makes a new request, his session, with the same sessionId as before, appears in the database again.
I tried using this:
Yii::$app->user->switchIdentity(User::findIdentity($id), 0);
Yii::$app->user->logout(true);
The switchIdentity works but creates a new session in the database (that I destroy with the logout method).
As a test I have downloaded both the basic and advanced template and both have the same problem. What am I missing here?
I tried doing the same in pure PHP but somehow Yii manages to get the user session back and the user is still logged in.
I am using Yii 2.0.6

automatically redirect to login page after session timeout - JSP, Spring

I can redirect a user to the home page upon session logout; this was very simple. However, if a user had logged into the app and had the page open, even on session timeout, he is able to perform all the functions (this is bad).
The redirect does not happen until the page is refreshed or submitted to the server. There are some update functions that could be done by the user even if he is not currently logged in. I have done a lot of research but am unable to fix this. I also found this thread, but it seems to have no proper answer:
Spring Security 3.1 - Automatically redirect to login page when session-timeout occurs
For example, most banking sites log you out after a timeout. They do not wait until you come back and submit a request before you are redirected to the home page.
HTTP is stateless. To achieve some form of state the server can maintain a session for each user by giving them a session id on their first request. The user would have to resend that session id on each future request to identify that the other requests happen within the same session.
Because the session is maintained by the server, there is no way to notify the client that the session has timed out.
Instead, if the user makes a new request when the session is timed out, their session ID is no longer good and therefore you can take a particular action like redirect them to login page.
Assuming nothing works out, you may want to consider the approaches mentioned below:
Approach 1:
Create a cookie in the browser holding an encrypted timestamp of the last visit/request from that browser. For each request, first get this cookie value and compare it with the pre-defined session-out time; if the session-out time has been reached, redirect the user to an error page, else serve the request. On logout, delete the cookie.
Why encrypted value for timestamp: if somehow user gets to know about cookie used for session timeout then (s)he can change this value in browser and keep on sending this request.
Approach 2:
You can also achieve this by making an entry in your database for every logged-in user and updating timestamp in this database for each request. For each incoming request get this timestamp from database and compare it with pre-defined value for timeout and handle accordingly. On logout delete the entry.
In both the approaches explicitly perform response.redirect("errorPageUrl");
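Approach 1 above, as an added sketch that is not part of the original answer: the last-request timestamp travels in a cookie and is checked on every request. It protects the value with an HMAC rather than encryption, since the stated goal is that the user cannot change it; the class name, key, session id and one-hour timeout are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class IdleTimeoutCookie {
    // Assumption: a real deployment loads this key from server-side secret storage.
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    // Assumption: the pre-defined session-out time is one hour.
    private static final long TIMEOUT_MS = 60L * 60L * 1000L;

    // HMAC over session id and timestamp, so the cookie cannot be edited or moved between sessions.
    private static String tag(String sessionId, String ts) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] raw = mac.doFinal((sessionId + "|" + ts).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Cookie value to set on every served request: "<millis>.<tag>".
    static String issue(String sessionId, long nowMs) throws Exception {
        String ts = Long.toString(nowMs);
        return ts + "." + tag(sessionId, ts);
    }

    // True only if the cookie is authentic and the last request is within the timeout.
    static boolean isFresh(String sessionId, String cookie, long nowMs) throws Exception {
        if (cookie == null) return false;
        int dot = cookie.indexOf('.');
        if (dot <= 0) return false;
        String ts = cookie.substring(0, dot);
        byte[] given = cookie.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = tag(sessionId, ts).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false; // constant-time compare
        long last = Long.parseLong(ts); // tag matched, so ts is the value the server signed
        return nowMs >= last && nowMs - last <= TIMEOUT_MS;
    }

    public static void main(String[] args) throws Exception {
        long t0 = 1_700_000_000_000L; // constructed sample time
        String cookie = issue("sess-123", t0); // constructed session id
        long late = t0 + 2 * TIMEOUT_MS;
        String edited = late + cookie.substring(cookie.indexOf('.')); // client rewrote the timestamp
        System.out.println("10 min idle:      " + isFresh("sess-123", cookie, t0 + 600_000L));
        System.out.println("2 h idle:         " + isFresh("sess-123", cookie, late));
        System.out.println("edited timestamp: " + isFresh("sess-123", edited, late));
    }
}
```

When isFresh returns false, the request handler would perform the redirect and delete the cookie; otherwise it re-issues the cookie with the current time before serving the request.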

User authentication and browser back/forward buttons

I am using ASP.NET MVC 3 in my project. I have a simple login page which takes a username and password and, after a successful login, takes me to the required page.
The problem is that when I press the back button in my browser and then press the forward button again and again, it takes me to the page again without getting a username and password from the user.
I don't know, maybe it is a problem with session state, because I didn't make any sessions and I don't know how to make one.
Please anyone out there help me a bit to mitigate this problem.
Your session id is stored in a cookie. On successful authentication, the cookie gets stored on your machine; when you move forward in history, it doesn't get removed.
If you explicitly clear the cookie on each visit to the login page using:
Session.Abandon()
this will kill the authenticated session and create a new anonymous one, which shouldn't have access to the restricted page.
