I am using Gorilla Sessions for my Go website to manage user logins.
Sometimes when a user leaves their computer for an hour or so the session expires but they have no idea about it. So the user goes on with their work but as soon as they try to save their progress, they get logged out. Is there any way I could detect if a user's session is about to expire, so I can automatically save their work or display a warning message?
Solution:
As soon as the client logs in they receive the session expiration date from the server. Then I set up a timer on client side, which after being idle for X (10 in my case) minutes, calls the API in every minute and checks if the session is still alive and if there is more time left than two minutes. If only two minutes left, I raise a warning message on the client side to inform the user that their session is about to expire (I also used this event to fire the auto save functions).
Related
I have site on Asp.Net Core 2.2 using Sessions.
Is there any way to get all users sessions, and all login users and iterate them?
Also break session for some user, if he is banned.
Simply, no. A user's authenticated state is persisted only via a local cookie on the client. There is no sort of "master list" of logged in users. However, if you like, you can create an additional table or otherwise log user logins and logouts, which you can then refer to for this information. It won't end up being totally accurate, particularly with logouts, because the user's auth could simply timeout, requiring no action that you could tie into to log that that that happened. However, if you have a known auth expiration, say 20 minutes, you can assume any login older than that time frame is no longer valid. That assumes an absolute expiration, which is the default. If there's a sliding expiration, you'll need to do even more work to keep some sort of user activity record.
Long and short, it's not trivial, but can be done if you really need the information.
As far as auto-logouts go, that merely requires invalidating the security stamp. This will effectually invalidate the user's auth cookie, forcing them to have to login again. At that point, you can check their "banned" status, however that would be done, and opt to reject their login attempt.
await _userManager.UpdateSecurityStampAsync(userId);
However, that will not take effect immediately, since the security stamp is not revalidated with each request. You can make that happen by setting the validation interval to zero in Startup.cs:
services.Configure<IdentityOptions>(options =>
{
options.SecurityStampValidationInterval = TimeSpan.FromSeconds(0);
});
However, that has a performance cost, as each request will require hitting the database to check the security stamp. You may want to set a more reasonable interval that balances wanting to logout a banned user as quickly as possible without requiring making excessive database requests.
I wish to record the login and the logout timestamp for users.
I understand that as soon as a user hits the login page a new browser specific session is created & sessionCreated(HttpSessionEvent se) is executed. When the session is invalidated that session gets destroyed & the sessionDestroyed(HttpSessionEvent se) is executed. In this scenario recording the login and logout timestamps will work perfectly.
However, say, the user is logged in but closes the browser window. The next time when the browser is opened a new session id will be generated and the user needs to login again. Hence, the previous login-logout record for that user will be incomplete and a new record with the current session id will be inserted in the database.
How do I tackle this design issue? I read some answers where AJAX polling & JS onunload were discussed but those did not seem to be a reliable solution.
Also, on the other hand, is there a way to keep the session alive even on browser close?
Thanks in advance.
Session can be kept recorded on users browser via Cookies.
It basically allow use to re login to the system without having to authenticate itself. In this case you can store the bare minimum state information you need to restore when the client open the browser again.
But the session id's is definitely going to change.
I’m using file sessions and trying to capture when a user is logged out. Not when they click the button to logout, but when they have left the page still logged in. I have an event listener setup for logout, but that does not seem to fire. Does anyone know how to capture or create an event when the session logout occurs.
Illuminate\Auth\Events\Logout' => ['App\Listeners\LogSuccessfulLogout',],
The session timeout happens on the client side so you won't be able to detect when that happens.
The best you can do is keep an activity log of each user and on each request, store a timestamp for that user. Then you'd be able to determine whose sessions are expiring by adding the lifetime variable in session.php Config::get('session.lifetime') to the latest timestamp in your activity table and comparing that to the current time.
If it's greater than or equal to the current time, you know their session has expired.
You'd likely need to setup a global middleware which updates your activity table which contains at minimum a user_id column and a timestamp column after each request for logged in users.
Then you'd want to setup a job which runs every minute or so which reads from your activity table, grabs the config value in session.php, and fire's the user logout event for each user it determines has the session expiring. When that starts firing, your 'App\Listeners\LogSuccessfulLogout' listener should start picking up that event.
I want to make a login on the frontend of magento, that doesn't depend on a session, because I don't want it to expire, ever.
Probably this will go with cookies, but how?
If I use sessions, it will expire when the browser closes
In PHP sessions are based on cookies. Session identifier is stored in user's cookie. You can't set a session to live forever but you can set it for a very long period (for example for 1 year). You can adjust cookie life time in Magento admin area (System->General->Web->Session Cookie Management->Cookie Lifetime). You should set a value in seconds, so for 1 year it will be 31536000. But you should keep in mind that it will get some amount of space too keep sessions and also if you store session in filesystem you shouldn't delete folder var/session or you'll loose all users sessions.
I am writing my first FireFox extension and I have some questions. Maybe someone can help.
I have a website which requires login. The sign-in is one user per login type. So if I am logged with the username "tom" from one PC and go to other PC and try to login with the same details, it fails. When I click the log-out button from my authenticated page, the new location executes a PHP function to log-out the user (updates the "logged" status of the user in MySQL). The problem is that if a user is logged in from his work desk and surfing the page then suddenly he gets a call by a friend to quickly grab lunch in his break and has to meet him in short time, he just clicks the X (close) button from Firefox, forgetting to press the log-out button so the status of the logged is still 1. Later on, if he wants to access the page again from home, he won't be able to log in.
So, I need to grab the "close" event from firefox somehow. I am thinking about looking for the ones that contain the "website.com" domain only. Then, if a tab is closed or the main window of Firefox is closed, send an unique key, and the username to that URL that logs out the user and the problem may be solved. I don't know if this is possible. Please post any idea (followed by code if you can) for this extension to be built.
Thank you.
By design, this is wrong.
If a user's PC crashes (harddisk failure, power failure) your plugin won't be able to log out the user. And so, the user won't be able to login on any PC.
--
Let's revisit the premise,
a. why does logging in from another PC need to fail?
b. How about invalidating the login from the previous PC (log out) when the user logs in to another PC. THis is kind of like how chat applications like Yahoo! Messenger work.
From your answers, here's what i would suggest: if the user is logged in on another PC, warn and present the user with options:
cancel logging in
forcibly log out the other user and proceed to logging in
Logging the user out after a certain time of inactivity is the (application or web) server's responsibility, not (only) the client-browser's. This is called a session timeout.
You might be able to avoid the timeout by a browser implementation as you describe it, but this should not be the primary solution.
Here's an off hand approach you might take:
In your case I would include a timestamp in the table where the 'locked' state is stored. Every time a user does an action that timestamp is updated. When you try to login again ad the timestamp is older that a certain threshold (e.g. 15min) your login code should silently logout the previous user.
In order to receive a notice about the tab being closed, you'll want to do something like this sample code. However, instead of listening for load, you'll want to listen for unload.
When you do end up getting notified about unload, you'll have to do a request to the logout page just like the web application does. You can figure out what the location of the document that is unloading is by checking aEvent.originalTarget.location.href. Note that aEvent.originalTarget will give you the document object of the tab that is closing. You'll then want to use an XLMHttpRequest for this in your event handler.
You could use ajax that would ping a page on the site - all the session info will be passed and you can verify that the user still has an active browser/page open. If Firefox crashes it won't be able to ping the website anymore and the session could time-out after 15 minutes. I think that allowing a forced logout on another sign-in would be best. Usually when I leave work at the end of the day I wouldn't close all the programs or logout or anything - just lock my computer to prevent anyone from using it. Next morning I come back with all my programs still running so I can continue where I left off.
BTW, Yahoo Web messenger probably uses some form of session-based cookies. That is, cookies are stored in memory and are gone when the tab or browser are closed.
Just enable to the user to re-login from another machine. And if you get a request from the user on first machine, ask him to re-login too. So you get a single logged in user at a time.