Laravel 5.4 logout event from session inactivity - laravel

I’m using file sessions and trying to capture when a user is logged out. Not when they click the button to log out, but when they have left the page while still logged in. I have an event listener set up for logout, but that does not seem to fire. Does anyone know how to capture or create an event when the session logout occurs?
'Illuminate\Auth\Events\Logout' => ['App\Listeners\LogSuccessfulLogout'],

The session timeout happens on the client side so you won't be able to detect when that happens.
The best you can do is keep an activity log of each user and on each request, store a timestamp for that user. Then you'd be able to determine whose sessions are expiring by adding the lifetime variable in session.php Config::get('session.lifetime') to the latest timestamp in your activity table and comparing that to the current time.
If it's greater than or equal to the current time, you know their session has expired.
You'd likely need to set up a global middleware which, after each request for logged-in users, updates your activity table, which contains at minimum a user_id column and a timestamp column.
Then you'd want to set up a job which runs every minute or so, reads from your activity table, grabs the config value in session.php, and fires the user logout event for each user it determines has the session expiring. When that starts firing, your 'App\Listeners\LogSuccessfulLogout' listener should start picking up that event.
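The sweep described in the answer above, as an added example in plain PHP (not code from the original post or from Laravel). The function names, array layout and sample timestamps are assumptions; in a Laravel app the lifetime would come from `Config::get('session.lifetime')` and the callback would dispatch `Illuminate\Auth\Events\Logout` for that user.

```php
<?php
// Added example: framework-free so it runs with `php sweep.php`.

/** What the global middleware does on every authenticated request. */
function touchActivity(array &$activity, int $userId, int $now): void
{
    $activity[$userId] = ['last_seen' => $now, 'logged_out' => false];
}

/**
 * What the scheduled job does. Returns the user ids reported in this run.
 * $onLogout stands in for firing the framework's logout event.
 */
function sweepExpired(array &$activity, int $lifetimeMinutes, int $now, callable $onLogout): array
{
    $expired = [];
    foreach ($activity as $userId => &$row) {
        $expiresAt = $row['last_seen'] + $lifetimeMinutes * 60;
        // A session has timed out once its deadline is at or before "now".
        if (!$row['logged_out'] && $expiresAt <= $now) {
            $row['logged_out'] = true;      // report each timeout only once
            $onLogout($userId, $expiresAt); // log the deadline, not the sweep time
            $expired[] = $userId;
        }
    }
    unset($row); // drop the reference left behind by foreach
    return $expired;
}

// Constructed sample data: 120-minute lifetime, two users.
$activity = [];
$t0 = 1500000000;
touchActivity($activity, 321, $t0);            // idle from t0 onward
touchActivity($activity, 654, $t0 + 110 * 60); // still active 110 minutes later

$log = function (int $userId, int $expiresAt) {
    echo "user {$userId} timed out at " . gmdate('c', $expiresAt) . PHP_EOL;
};

$now = $t0 + 121 * 60;
var_dump(sweepExpired($activity, 120, $now, $log));      // first run of the job
var_dump(sweepExpired($activity, 120, $now + 60, $log)); // next run, one minute later
```

A new request from the same user calls `touchActivity()` again, which resets the `logged_out` flag so a later timeout is reported as a separate event.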

Related

How to detect if session is about to expire?

I am using Gorilla Sessions for my Go website to manage user logins.
Sometimes when a user leaves their computer for an hour or so the session expires but they have no idea about it. So the user goes on with their work but as soon as they try to save their progress, they get logged out. Is there any way I could detect if a user's session is about to expire, so I can automatically save their work or display a warning message?
Solution:
As soon as the client logs in they receive the session expiration date from the server. Then I set up a timer on the client side which, after being idle for X (10 in my case) minutes, calls the API every minute and checks if the session is still alive and if there is more time left than two minutes. If only two minutes are left, I raise a warning message on the client side to inform the user that their session is about to expire (I also used this event to fire the auto save functions).

How do I design my Java Web App such that the session gets terminated when browser is closed?

I wish to record the login and the logout timestamp for users.
I understand that as soon as a user hits the login page a new browser specific session is created & sessionCreated(HttpSessionEvent se) is executed. When the session is invalidated that session gets destroyed & the sessionDestroyed(HttpSessionEvent se) is executed. In this scenario recording the login and logout timestamps will work perfectly.
However, say, the user is logged in but closes the browser window. The next time when the browser is opened a new session id will be generated and the user needs to login again. Hence, the previous login-logout record for that user will be incomplete and a new record with the current session id will be inserted in the database.
How do I tackle this design issue? I read some answers where AJAX polling & JS onunload were discussed but those did not seem to be a reliable solution.
Also, on the other hand, is there a way to keep the session alive even on browser close?
Thanks in advance.
The session can be kept recorded in the user's browser via cookies.
It basically allows the user to log in to the system again without having to authenticate. In this case you can store the bare minimum state information you need to restore when the client opens the browser again.
But the session ID is definitely going to change.

How to limit users to one session with CakePHP 3?

I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.
I need to have CakePHP know when a user is logged in, which I assume is a process started using:
'Session' => [
'defaults' => 'database'
]
As per the Sessions book page.
It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?
To clarify:
All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).
Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.
Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.
The information held in the cookie is just the session id. In the DB it's simply:
Session id | a blob | expiry time
I assume you save users and sessions in a database (by default in cakePHP it is named sessions).
Add an active_session field, update it upon login, check it on requests to ensure that current user session id matches the last one stored in the database.
On Login action do:
UPDATE `users` SET `active_session`='$session_id' WHERE `id`='$user_id';
When user goes to a page that requires login, you search that value:
SELECT * FROM `users` WHERE `active_session` = '$session_id';
If the user signs in at another place, the previous session key gets overwritten, and the SELECT above returns an empty result set.
It's possible to clean the old session token before the update, so this way the old session will be destroyed on a per-user basis.
Be careful: if you are using AuthComponent, it might rotate sessions itself. You may find more information in the corresponding section of the CakePHP manual.
I'd definitely go AuthComponent-way, and wouldn't re-invent the wheel in CakePHP.
I tie users to their cell phone. Every day they get a new 6 digit code via twilio sms. Makes it hard to share logins, but not impossible. Ultimately, I would like to track how many different machines a user uses per day and establish some fair use limitations. If a user uses three or four machines in a day, that's fine, but when they start using the same user id on twenty or fifty machines a day, that might be a problem.
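The `active_session` check suggested earlier in this thread, as an added example using plain PDO with an in-memory SQLite database (not CakePHP code and not from the original answers). The `id` column, the function names and the sample session ids are assumptions; the queries are bound as parameters and scoped to one user instead of interpolating `$session_id` into the SQL string.

```php
<?php
// Added example: table and column names follow the answer; the rest is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, active_session TEXT)');
$db->exec('INSERT INTO users (id) VALUES (1), (2)');

/** On login: bind the new session id to this one user only. */
function recordLogin(PDO $db, int $userId, string $sessionId): void
{
    $stmt = $db->prepare('UPDATE users SET active_session = :sid WHERE id = :uid');
    $stmt->execute([':sid' => $sessionId, ':uid' => $userId]);
}

/** On each protected request: is this still the user's newest session? */
function isActiveSession(PDO $db, int $userId, string $sessionId): bool
{
    $stmt = $db->prepare('SELECT active_session FROM users WHERE id = :uid');
    $stmt->execute([':uid' => $userId]);
    $stored = $stmt->fetchColumn();
    // fetchColumn() gives false when there is no row and null for a NULL column.
    return is_string($stored) && hash_equals($stored, $sessionId);
}

/** On logout: clear the binding so the old id can never match again. */
function recordLogout(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET active_session = NULL WHERE id = :uid')
       ->execute([':uid' => $userId]);
}

// Constructed session ids standing in for two browsers sharing one login.
$laptop = bin2hex(random_bytes(16));
$phone  = bin2hex(random_bytes(16));

recordLogin($db, 1, $laptop);
var_dump(isActiveSession($db, 1, $laptop)); // only login so far
recordLogin($db, 1, $phone);                // same account, second browser
var_dump(isActiveSession($db, 1, $laptop)); // the older session
var_dump(isActiveSession($db, 1, $phone));  // the newer session
var_dump(isActiveSession($db, 2, $phone));  // a different user
recordLogout($db, 1);
var_dump(isActiveSession($db, 1, $phone));  // after logout
```

When `isActiveSession()` returns false for a logged-in request, the application should destroy that session and redirect to the login page.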

How to get magento customer session logout time

I want to create an app which brings up a pop-up when the customer session is about to expire.
So for this purpose I will require the customer session value.
Please help.
Thanks.
You can't check the session's remaining time, because whenever you access the system the session will be automatically refreshed. You can only check whether the session is available or expired, and there is no PHP function to get it. But we can do it with AJAX. For example, your session expiry time is 30 min. Set an AJAX call for every time a page gets refreshed and calculate that time minus the 30 min. Then show your pop-up message at whatever remaining time you want.

Update current session

I have a CakePHP app where users have pages tied to their accounts. For example, the page ID 123 is tied to user 321.
Whenever the user logs in, all the pages tied to his account are saved in the session.
Admins are the only ones who can tie a page to a user. And here is the problem. If an admin adds a new page to a user and if this user is logged in, he won't see this new page tied to his account unless he logs out/in. In other words, while his current session is valid.
What would be the best way to deal with this? If there is any way...
Find the user session and... update? delete? Is this even possible and/or "elegant"?
Send a message to this user warning about the new page and tell him to logout/login?
Stop saving this info in the session and rely on database only?
You really should stop saving this info in session.
