How do I design my Java Web App such that the session gets terminated when browser is closed? - session

I wish to record the login and the logout timestamp for users.
I understand that as soon as a user hits the login page a new browser specific session is created & sessionCreated(HttpSessionEvent se) is executed. When the session is invalidated that session gets destroyed & the sessionDestroyed(HttpSessionEvent se) is executed. In this scenario recording the login and logout timestamps will work perfectly.
However, say, the user is logged in but closes the browser window. The next time when the browser is opened a new session id will be generated and the user needs to login again. Hence, the previous login-logout record for that user will be incomplete and a new record with the current session id will be inserted in the database.
How do I tackle this design issue? I read some answers where AJAX polling & JS onunload were discussed but those did not seem to be a reliable solution.
Also, on the other hand, is there a way to keep the session alive even on browser close?
Thanks in advance.

A session can be kept recorded in the user's browser via cookies.
This basically allows the user to log in to the system again without having to authenticate. In this case you can store the bare minimum state information you need to restore when the client opens the browser again.
But the session ID is definitely going to change.
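An added example (not part of the original question or answer) of completing the login/logout record when the browser is simply closed: the container also calls sessionDestroyed when the idle timeout expires an abandoned session. The attribute names, the onLogin/onLogout helpers and the record sink are hypothetical; the javax.servlet namespace (Servlet 3.1+) is assumed, jakarta.servlet on newer containers.

```java
import java.time.Instant;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener
public class LoginAuditListener implements HttpSessionListener {
    // Hypothetical attribute names, not from the original post.
    static final String USER = "audit.user";
    static final String LOGIN_AT = "audit.loginAt";
    static final String EXPLICIT = "audit.explicitLogout";

    /** Call from the login handler after the credentials have been verified. */
    public static void onLogin(HttpServletRequest req, String userId) {
        HttpSession s = req.getSession();      // make sure a session exists
        req.changeSessionId();                 // fresh id after authentication
        s.setMaxInactiveInterval(15 * 60);     // idle timeout ends abandoned sessions
        s.setAttribute(USER, userId);
        s.setAttribute(LOGIN_AT, Instant.now());
    }

    /** Call from the logout handler. */
    public static void onLogout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.setAttribute(EXPLICIT, Boolean.TRUE);
            s.invalidate();                    // triggers sessionDestroyed below
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Sessions also exist for visitors who never log in; nothing to record.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();       // attributes are still readable here
        String user = (String) s.getAttribute(USER);
        if (user == null) return;              // anonymous session, no login row
        boolean explicit = s.getAttribute(EXPLICIT) != null;
        // After a browser close the user was last seen at the final request,
        // not at the moment the container expired the session.
        Instant end = explicit ? Instant.now()
                               : Instant.ofEpochMilli(s.getLastAccessedTime());
        record(user, s.getId(), (Instant) s.getAttribute(LOGIN_AT), end,
               explicit ? "LOGOUT" : "TIMEOUT");
    }

    // Stand-in for the database write that closes the login/logout row.
    static void record(String user, String sid, Instant in, Instant out, String why) {
        System.out.printf("%s session=%s login=%s logout=%s reason=%s%n",
                          user, sid, in, out, why);
    }
}
```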

Related

CakePHP Session Timeout

In CakePHP, when the Session times out it, not unreasonably, trashes any custom data in the stored Session.
However it also sets up an Auth.redirect so after the user has been forced back to the login screen and completes the login, they are then (by default) redirected back to the page they were on before the session expired. This is problematic if that page relies on some of the custom data that was stored in the Session but is now no longer available.
My simple solution has been to force the user back to the home page for authenticated users by deleting the Auth.session key in the Session. But this isn't a particularly desirable behaviour. It would be preferable if I could return the user to the place they were before the Session timed out.
Nevertheless, I like the idea of a user having to re-authenticate if they abandon their Session for too long.
So, what seems to be needed is for CakePHP to require a re-authentication of the user but to not actually expire the underlying Session and this leads to a couple of questions:
Is there any way to have CakePHP require a re-authentication of the Session, as described, without timing out the session (i.e. setting a long timeout on the Session)?
Is there actually a better way to store the information required for page transitions (e.g. the ID of the parent record for a given model so that saveAssociated can be used) other than to store these in the Session?
Thank you for any guidance.

Session End Event

I am working in ASP.net 3.5 C#. What I am trying to do is, when the Session_End event gets called, I want to update the logged in User's status in the database to show that the current User has logged out by any means (Logged out manually, Session time out etc. It calls Session_End Event). The problem is I am not able to maintain the UserID. I can't access the Session variable as the session has already expired; cookies also didn't work for me.
Please suggest a solution.
Thanks a lot
Regards
Vivek
Try pushing the UserID to ViewState, if you have a BasePage from which all your pages inherit or if you use MasterPage then it should be quite easy to push the UserID to viewstate on each page. Cookies should be alive beyond session life. Are you setting Expiry time to your cookie?
You should be able to access session variables in Session_End event. All data stored in a session are deleted after the Session_End event finished. But you should be careful, because sessions are created for all visitors. If you store UserID in a session then it can be null inside Session_End if someone viewed the login page, but did not log in. It is not recommended to set the session timeout to days, because these sessions may fill all server memory.

How to determine if login failed due to not accepted cookies in grails

In my grails application using shiro, I'm using cookies to store the session data including authorization.
When a user tries to log in without accepting cookies, the login works, but then (as expected) the session is lost again and the user is logged out.
I don't want to change this behavior in general, I just want to display a notification to the user that his Browser needs to accept cookies.
So is there a way to tell that this user has been the one who TRIED to log in after the session data is lost, so that I can display a respective message?
I think running a test whether cookies are accepted on every page is a bit too much, therefore I'm heading towards the solution at login only.
You could use the grails session to store the current state of the user. Then, on login, check the grails session and determine whether to show your message or not.

Handling multiple sessions for same user credentials and avoiding new browser window opening in my web application

I want to handle following scenarios in my new web application.
If multiple users log into the application with same credentials, the application should deny access.
Since I have out of process session store, I would be able to make out when this situation happens. So I can deny all requests after first successful attempt. This will however not work if the user instead of logging out of the application, closes the browser. The session will continue to reflect in the store for the period of timeout value.
If a user attempts to open a new browser window (Ctrl+N), the application should defeat this attempt. Every new page can potentially fiddle with cookies. I want to therefore deny the users the ability to open a new window.
How about having a server timer and then tracking the user's session? Reset the timer when you get the request back to the server.
Not possible. Ctrl + N is for opening a new browser window and this does not mean that the user is going to visit your site.
Also check out this question which might be of some interest.
How to differ sessions in browser-tabs?

Firefox extension to log out user after the page has been closed

I am writing my first FireFox extension and I have some questions. Maybe someone can help.
I have a website which requires login. The sign-in is one user per login type. So if I am logged with the username "tom" from one PC and go to other PC and try to login with the same details, it fails. When I click the log-out button from my authenticated page, the new location executes a PHP function to log-out the user (updates the "logged" status of the user in MySQL). The problem is that if a user is logged in from his work desk and surfing the page then suddenly he gets a call by a friend to quickly grab lunch in his break and has to meet him in short time, he just clicks the X (close) button from Firefox, forgetting to press the log-out button so the status of the logged is still 1. Later on, if he wants to access the page again from home, he won't be able to log in.
So, I need to grab the "close" event from Firefox somehow. I am thinking about looking for the ones that contain the "website.com" domain only. Then, if a tab is closed or the main window of Firefox is closed, send a unique key and the username to that URL that logs out the user, and the problem may be solved. I don't know if this is possible. Please post any idea (followed by code if you can) for this extension to be built.
Thank you.
By design, this is wrong.
If a user's PC crashes (harddisk failure, power failure) your plugin won't be able to log out the user. And so, the user won't be able to login on any PC.
--
Let's revisit the premise,
a. why does logging in from another PC need to fail?
b. How about invalidating the login from the previous PC (log out) when the user logs in to another PC? This is kind of like how chat applications like Yahoo! Messenger work.
From your answers, here's what I would suggest: if the user is logged in on another PC, warn and present the user with options:
cancel logging in
forcibly log out the other user and proceed to logging in
Logging the user out after a certain time of inactivity is the (application or web) server's responsibility, not (only) the client-browser's. This is called a session timeout.
You might be able to avoid the timeout by a browser implementation as you describe it, but this should not be the primary solution.
Here's an off hand approach you might take:
In your case I would include a timestamp in the table where the 'locked' state is stored. Every time a user does an action that timestamp is updated. When you try to login again and the timestamp is older than a certain threshold (e.g. 15min) your login code should silently logout the previous user.
In order to receive a notice about the tab being closed, you'll want to do something like this sample code. However, instead of listening for load, you'll want to listen for unload.
When you do end up getting notified about unload, you'll have to do a request to the logout page just like the web application does. You can figure out what the location of the document that is unloading is by checking aEvent.originalTarget.location.href. Note that aEvent.originalTarget will give you the document object of the tab that is closing. You'll then want to use an XMLHttpRequest for this in your event handler.
You could use ajax that would ping a page on the site - all the session info will be passed and you can verify that the user still has an active browser/page open. If Firefox crashes it won't be able to ping the website anymore and the session could time-out after 15 minutes. I think that allowing a forced logout on another sign-in would be best. Usually when I leave work at the end of the day I wouldn't close all the programs or logout or anything - just lock my computer to prevent anyone from using it. Next morning I come back with all my programs still running so I can continue where I left off.
BTW, Yahoo Web messenger probably uses some form of session-based cookies. That is, cookies are stored in memory and are gone when the tab or browser are closed.
Just enable the user to re-login from another machine. And if you get a request from the user on the first machine, ask him to re-login too. So you get a single logged in user at a time.
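An added example, not from the original posts, of the approach suggested in this thread: a last-activity timestamp per user, silent takeover once it is older than 15 minutes, and an explicit forced takeover otherwise. It is written in Java with an in-memory map standing in for the MySQL table; the class and method names are hypothetical and records require Java 16+.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.ConcurrentHashMap;

public class SingleLoginRegistry {
    public enum Result { GRANTED, TOOK_OVER_STALE, FORCED_TAKEOVER, DENIED_ACTIVE_ELSEWHERE }
    private record Lease(String sessionId, Instant lastSeen) {}

    private final ConcurrentHashMap<String, Lease> leases = new ConcurrentHashMap<>();
    private final Duration idleLimit;

    public SingleLoginRegistry(Duration idleLimit) { this.idleLimit = idleLimit; }

    /** Atomically decide a login attempt; 'force' is the user's "log out the other session" choice. */
    public Result login(String user, String sessionId, boolean force, Instant now) {
        Result[] out = new Result[1];
        leases.compute(user, (u, cur) -> {
            if (cur == null || cur.sessionId().equals(sessionId)) out[0] = Result.GRANTED;
            else if (cur.lastSeen().plus(idleLimit).isBefore(now)) out[0] = Result.TOOK_OVER_STALE;
            else if (force) out[0] = Result.FORCED_TAKEOVER;
            else { out[0] = Result.DENIED_ACTIVE_ELSEWHERE; return cur; }
            return new Lease(sessionId, now);   // the new session now owns the login
        });
        return out[0];
    }

    /** Call on every authenticated request; false means this session was displaced. */
    public boolean touch(String user, String sessionId, Instant now) {
        Lease l = leases.computeIfPresent(user, (u, cur) ->
                cur.sessionId().equals(sessionId) ? new Lease(sessionId, now) : cur);
        return l != null && l.sessionId().equals(sessionId);
    }

    /** Explicit logout releases the lease only if this session still owns it. */
    public void logout(String user, String sessionId) {
        leases.computeIfPresent(user, (u, cur) -> cur.sessionId().equals(sessionId) ? null : cur);
    }

    public static void main(String[] args) {
        // Constructed timeline: "tom" logs in at work, closes the browser, tries from home.
        SingleLoginRegistry reg = new SingleLoginRegistry(Duration.ofMinutes(15));
        Instant t0 = Instant.parse("2024-01-01T12:00:00Z");
        System.out.println(reg.login("tom", "work", false, t0));
        System.out.println(reg.login("tom", "home", false, t0.plusSeconds(300)));
        System.out.println(reg.login("tom", "home", true, t0.plusSeconds(360)));
        System.out.println(reg.touch("tom", "work", t0.plusSeconds(400)));
        System.out.println(reg.login("tom", "cafe", false, t0.plusSeconds(3600)));
    }
}
```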
