Sentinel Package: Getting all logged in Users - laravel

I'm using Sentinel in Laravel for user management. I logged in 2 users and I try to get a list of all logged in users but this only returns the very last user to log in.
The code below is one of my attempts. I know I'm doing it wrong, please help.
    public function getLoggedInUsers(Request $request, User $user)
    {
        $loggedinUser = "";
        foreach ($user as $loggedinUser) {
            return Sentinel::getUser($loggedinUser);
        }
    }
It returns only the last logged in User instead of a list of all logged in users.

The return key will exit the function getLoggedInUsers() the first time it is hit. This means your foreach loop is only executing one time and immediately returning the first user. Additionally, your $user variable is a single user, meaning there is nothing to loop over, it will only execute one time regardless.
I could not find in the documentation if Sentinel has a function for getting all active users.
I'm not sure if Sentinel supports it, but if the user sessions can be saved to the database instead of the filesystem, then you should be able to check the sessions table for active users. In basic Laravel authentication, you can change where the user sessions are stored. Sentinel might have something similar or might use config/session.php as well. (https://laravel.com/docs/5.8/session)

Related

I want to lock account not using IP Address. Laravel

Laravel has an account lock function.
But it is based on IP address.
It can also be disguised.
Therefore, I want to lock the account itself regardless of the difference in IP address.
How can I do this?
I made a package for this :)
You can block users, emails, ip addresses, domain names, cities, states, countries, continents, and regions from using your application, logging in, or registering.
https://github.com/jeremykenedy/laravel-blocker
Throttling is not locking so even if you changed it to not be bound to the IP the account will be able to log in again after waiting for some time.
If this is what you want to do then you can override the throttleKey function to use a key not based on IP. If you want to completely ban someone then you can also probably override the decayMinutes to a value of say 100 years.
For example in your normal auth controller:
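    use Illuminate\Foundation\Auth\AuthenticatesUsers;
    use Illuminate\Http\Request;
    use Illuminate\Support\Str;

    class LoginController extends Controller {
        use AuthenticatesUsers;
        // ...
        public $decayMinutes = 52560000; // 100 years
        // Throttle on the submitted username only, so the limit follows the account
        protected function throttleKey(Request $request)
        {
            return Str::lower($request->input($this->username())); // No IP here now
        }
    }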
Note: Since the rate limiter stores the values in the cache, then clearing the cache will also clear the blocked users. If you want a more permanent solution you can probably add a flag on the user entry in the database indicating that the user is blocked. This is just a quick and dirty solution to get things working for you quickly.
As another note: Not blocking by IP means you're locking someone out if someone else tries to hack into their account. This might be a bit infuriating for your users, which is also something to consider.
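A framework-free version of the account-keyed lock with a database flag that the note above suggests, added here as an illustration and not part of the original answer. The $users array stands in for the users table and $attempts for the cache-backed limiter; the blocked field, MAX_ATTEMPTS and attemptLogin() are hypothetical names.

```php
<?php
// Added example: account-based lockout with a persistent flag.
// $users and $attempts are constructed sample data (users table / cache).

const MAX_ATTEMPTS = 5;

$users = [
    'alice@example.test' => [
        'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
        'blocked'       => false,
    ],
];
$attempts = [];

function attemptLogin(array &$users, array &$attempts, string $username, string $password): string
{
    $key = strtolower(trim($username));   // throttle key: the account only, no IP

    if (!isset($users[$key])) {
        return 'invalid';                 // unknown account
    }
    if ($users[$key]['blocked']) {
        return 'blocked';                 // the flag wins even with the right password
    }
    if (password_verify($password, $users[$key]['password_hash'])) {
        unset($attempts[$key]);           // a successful login resets the counter
        return 'ok';
    }
    $attempts[$key] = ($attempts[$key] ?? 0) + 1;
    if ($attempts[$key] >= MAX_ATTEMPTS) {
        $users[$key]['blocked'] = true;   // stored with the user record, not in the cache
    }
    return 'invalid';
}

// Five wrong passwords against the same account, whatever the source address.
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    attemptLogin($users, $attempts, 'Alice@Example.test', 'guess' . $i);
}

$attempts = [];                           // simulate clearing the cache
// The correct password is still refused because the flag lives with the user.
echo attemptLogin($users, $attempts, 'alice@example.test', 'correct horse'), PHP_EOL;
```

Unblocking is then an explicit administrative action on the user record, which is also where the lock-out-by-a-third-party concern from the answer has to be handled.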

Logout Session with sess_destroy() not working

Currently I have an issue with CodeIgniter and sess_destroy. I want a user to have only one session, so I'm validating if the user has a previous session and he/she wants to continue on this second session, we call an exit function to kill the first session so the user can keep the second session he/she starts.
This is my function to destroy the session:
    public function salteya(){
        $this->session->set_userdata(array());
        $this->session->sess_destroy();
        log_message('error', "salteya");
        //redirect(base_url("Administrador/gotohome"));
    }
The behavior is that when the user starts the second session and I try to destroy the first session, I need to refresh the page two times or change the page two times to destroy the session.
Has anyone had this issue before?
Best regards,
try this
    public function salteya(){
        $this->session->unset_userdata();
        $this->session->sess_destroy();
        log_message('error', "salteya");
        //redirect(base_url("Administrador/gotohome"));
    }

keeping laravel session variable till user logs out

I have a simple authentication for users. In UserController I have a function called postLogin().
    public function postLogin()
    {
        if (Auth::user()->attempt($credentials))
        {
            return Redirect::intended('desk')->with('stream', "SomeData");
        }
    }
With the above code I am able to log in successfully with the "SomeData" variable, which I am retrieving by
<?php
$class = Session::get('stream');
var_dump($class);
?>
First time when it goes to "/desk" url it dumps the value perfectly fine that is "SomeData" but once I refresh the page it resets the session and the value turns to null.
How do I keep this value till the user logs out?
From the official Laravel documentation:
Flash Data
Sometimes you may wish to store items in the session only for the next request. You may do so using the flash method. Data stored in the session using this method will only be available during the subsequent HTTP request, and then will be deleted. Flash data is primarily useful for short-lived status messages:
    $request->session()->flash('status', 'Task was successful!');
If you need to keep your flash data around for even more requests, you may use the reflash method, which will keep all of the flash data around for an additional request. If you only need to keep specific flash data around, you may use the keep method:
    $request->session()->reflash();
    $request->session()->keep(['username', 'email']);

Trigger function after session timeout or expire in laravel

Hello, I'm kinda new to Laravel and I have a question concerning authentication. I have the following function in my authentication controller:
    public function signout()
    {
        // set logged in status to zero in database
        $l = Login::where('user_id', Session::get('user')->user_id)
            ->where('logged_in', 1)->first();
        $l->logged_in = 0;
        if ($l->save())
        {
            // log user out
            Auth::logout();
            // Forget user session data
            Session::forget('user');
            // redirect user to login page
            return Redirect::to('/account/signin');
        }
    }
Now in my session config, I have set sessions to expire after 60mins, after which the user will obviously be logged out of the system. However, that will occur without my other functions executing, like setting user logged in status to zero in database or forgetting the user session array. Is there a way I can trigger those functions to execute after the login session expires? Thank you in advance.
Update: I've been looking around again ever since I got a down vote for my question to see if there was already a solution to this. From reading the docs I got excited when I came to the "Events" section because I thought I had found a solution; however, I found out later on that there was no such thing as a "Session::expire" event in Laravel, neither is there a function to check whether another user is logged in or not.
Your whole premise is wrong: sessions should have an expiry timestamp that's set when user logs in, and updated on every request if you want to have something like "session times out after 1h of inactivity".
Then you can basically:
- Check if session is still valid when user performs a request, by checking the timestamp
- Delete expired sessions using a scheduled task, so you keep things clean and tidy in the background
Anyway, if for some reason you end up needing to trigger some actions to happen when a user signs out Laravel actually has an Event that's triggered on user logout: 'auth.logout'
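The two steps from the answer above, written out in plain PHP as an added example that is not part of the original post. $sessions and $logins are constructed stand-ins for a sessions table and the question's Login rows; IDLE_LIMIT, touchSession() and sweepExpired() are hypothetical names.

```php
<?php
// Added example: sliding session expiry plus a scheduled cleanup.
// $sessions maps session id => row; $logins maps user_id => logged_in flag.

const IDLE_LIMIT = 3600; // 60 minutes of inactivity, in seconds

// Per-request check: refuse an expired session, otherwise slide its timestamp.
function touchSession(array &$sessions, string $id, int $now): bool
{
    if (!isset($sessions[$id]) || $now - $sessions[$id]['last_activity'] > IDLE_LIMIT) {
        return false;
    }
    $sessions[$id]['last_activity'] = $now;
    return true;
}

// Scheduled task: delete expired sessions, then clear logged_in for every
// user who has no live session left. Returns the user ids that were signed out.
function sweepExpired(array &$sessions, array &$logins, int $now): array
{
    foreach ($sessions as $id => $row) {
        if ($now - $row['last_activity'] > IDLE_LIMIT) {
            unset($sessions[$id]);
        }
    }
    $live = array_column($sessions, 'user_id');
    $signedOut = [];
    foreach ($logins as $userId => $loggedIn) {
        if ($loggedIn === 1 && !in_array($userId, $live, true)) {
            $logins[$userId] = 0;
            $signedOut[] = $userId;
        }
    }
    return $signedOut;
}

$now = 1700000000; // constructed clock value
$sessions = [
    'sess-a' => ['user_id' => 1, 'last_activity' => $now - 7200], // idle for 2 hours
    'sess-b' => ['user_id' => 2, 'last_activity' => $now - 300],  // idle for 5 minutes
];
$logins = [1 => 1, 2 => 1];

var_dump(touchSession($sessions, 'sess-a', $now)); // expired session is refused
var_dump(touchSession($sessions, 'sess-b', $now)); // live session is extended
print_r(sweepExpired($sessions, $logins, $now));   // user ids whose flag was reset
```

Because the sweep runs on a schedule rather than on a session event, the logged_in flag can lag behind the real expiry by up to one sweep interval; the per-request check is what actually enforces the timeout.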

Most efficient way of authorizing users over different pages on my site?

I have only ever made single page webapps in the past; with these, as soon as a user connected, I would read the password hash stored in their cookies and match it to the value stored in my database to determine if the user was already logged in.
I am now wanting to make a site with multiple web pages though, and I have just realized that it would require querying the database every time a user goes to a new page; this seems extremely inefficient to me. Is there any better way to maintain an ongoing session with a client without straining my database/server in the process?
Take a look at using a session object, e.g. HttpContext.Session["UserAuth"] = true;
When you authenticate the user on your first page, e.g. Login, you can then create a session like in the example above. Then once you redirect to the next page, just check to see if the session does indeed exist and is valid.
Checking session:
    if (HttpContext.Session["UserAuth"] != null)
    {
        // The stored value is a bool; cast it rather than comparing strings,
        // since true.ToString() yields "True", not "true".
        if ((bool)HttpContext.Session["UserAuth"])
        {
            // Session is valid and user is logged in.
        }
        else
        {
            // Session is invalid and user is not logged in.
        }
    }
So each page you want to check if the user is valid you can do the above check. As long as you have created the session on the first page at time of database authentication.
Please note the above code is just to give you an idea of how you can do this.
"UserAuth" is simply the name you give to the Session that you are storing. It can be absolutely anything. The value you are storing in the Session in this case is 'true'.
So when you retrieve the value of the Session you simply get 'true', meaning the user is logged in.
When you log the user out for example you can change the value of the session "UserAuth" to false in the same manner in which you originally created it.
E.g.
    HttpContext.Session["UserAuth"] = false;
