Very weird issue.
Im logged into Laravel app with 2 different users in Chrome and Chrome Incognito.
When I submit {any} update form it logs the other user out when I refresh.
The user that I submitted the form with is still logged in.
When simply browsing around both users remain logged in.
Environment
Windows XAMP
session drive = redis (I have tried changing this to see if it helps)
UPDATE:
Same thing happens when logged in from 2 seperate browsers - Chrome / IE
I presume something in the Illuminate\Http\Request class causes this behavior.
UPDATE 2
Keeps both users logged in when I select the "Remember Me" option.
similar issue: https://laracasts.com/discuss/channels/laravel/laravel-not-reading-session-cookie-on-form-post-in-chrome-when-logged-in-with-remember-me
Hints to being XAMP bug - using different dev environment solved it.
I think with it being such a weird issue - and not many people experiencing it must be a issue with my specific environment.
The sessions in PHP use a cookie (created automatically) that is stored by your browser, is very posible that the mode igcognito that you are using delete this cookie whe you refresh the page.
When starting the first Incognito window, it uses a completely brand new and blank internal profile that has no cookies nor session data. Any cookies or session info are set immediately during that session. Further Incognito windows opened all share that same session, so they share the cookies/session data.
Related
I have a question about the default Laravel Remember Me option below the login form. I use the default built-in LoginController.
When I read the Laravel documentation, then I read about the Remember option:
"which will keep the user authenticated indefinitely, or until they
manually logout"
Ok. Now I do a test:
I uncheck the Remember Me checkbox, and I login. Then I close the browser. I open my browser and goto my app: I am still logged-in.
Then I select the checkbox Remember Me, log in, close browser, open browser: exactly the same result: I am still logged-in....
How is that possible? What is the difference?
If you use remember me, Laravel puts cookie with token that is used to log you in next time you visit the page (in case you are somehow logged out I will explain later).
Laravel by default uses session that is valid for 2 hours (you can set this up in config), so if you close your browser while logged in and then attempt to open same browser again in window of 2 hours server will not notice the change.
"Log out somehow"
well obviously by clicking logout in application
clearing up browser cache by browser itself or by 3rd party program
using different browser (this is just for clarification)
using incognito mode (this is just for clarification)
using different computer and browser without sync feature (this is for clarification)
To answer your question "whats the difference?":
If you use remember me, Laravel will set cookie with token that is used instead of credentials (name:password combination) while logging in, and the process is invisible for user.
If you do not use remember me, you can be signed in only for 2 hours (or whatever is set in config file) without action. The fact that browser keeps session information even after its closed is considered as feature of the browser).
Let's suppose I'd opened two or more user sessions on two or more devices (same user with not admin privileges).
At the current session, if I log out, it means all others sessions will also close? If not, is there a way to do this by an URL request?
something like this:
User call a method, ex: [plone-site]/close-all-sessions-except-this;
Results on: all user sessions, opened on the others devices are closed.
Would be better if this method were native in plone.
gmail has this feature. I think it's an important security and privacy issue.
Not really sure what you are asking, but if you want to automatically logout all authenticated users (not only one user) you can:
Go to ZMI
Enter inside acl_users
Select the session plugin
In the "Invalidate all session identifiers" section click the "Clear secrets" button.
As you can read there:
By clicking the button below you clear all secrets used to validate
sessions. This will immediately log out all users who use session
authentication and require them to log in again.
That's a nice feature request, would you mind opening an issue? AFAIK Plone doesn't include that by default.
When you log out of one session Plone will close all sessions for that browser AND site URL, because the session is stored in a cookie set to site's domain. However Plone won't log you out from other browsers/devices, nor in the edge case you're accessing the site by IP, if that's available.
I have this website that I developed. It is acting weird. I logged onto it and now it seems that I can't logout of it. It has session which I don't know how it can still maintain after logging out and also in different browsers and even in incognito.
The weirdest thing is that if you open it in your browser you get same session state. You can't do anything with it. But it is jut there.
What is going on?
Go to this page, it shows some user logged in. click Add and it asks for credentials again. Like an endless loop.
http://krninstitute.com/krnitech/Forms
Then go to this page, it shows other user logged in. Go to the end of the page.
http://krninstitute.com/krnitech/Gallery
This question requires these external links.
But here are images just in case:
Edit 1:
What is causing every request to end up with session cookie? I don't have any cache implemented. Does it have something to do with recent GoDaddy crash?
Edit 2:
Questions are 1. how can you see who is logged in on the application? I haven't implemented such functionality. And 2. how there are two people logged on from same browser window?
Session and Authentication are two different things. When you use FormsAuthentication to login and logout, it does not change the session. You must abandon the session in addition to logging out to do that.
Session.Abandon();
Be aware that the session will still be there until the end of the request, so you should probably immediately redirect to a default page afterwards.
I'm developing my web app with Spring MVC 2.5.6 and I need some help for multiple user sessions in it. The header of my app shows the logged user.
In my computer, I open two browsers (no tabs):
In the first one, I log in my app with user1 and get into. In the header, user1 appears.
In the second, I log in with user2 and go on. In the header, user2 appears.
Then, I switch to the first browser, submit an operation to the controller and when the app is showed again, in the header user2 appears, and it's wrong because I logged in with user1.
So, my questions are:
SecurityContextHolder.getContext().getAuthentication().getName() may not be the right way to get the logged user with many users, because it's singleton (isn't it?). How could I do this?
This wrong situation is also happening with session object, so user1 data stored in the session object (managed with request.getSession().setAttribute(...) and request.getSession.getAttribute(...)) is override with user2 data.
In this StackOverflow question, Handling Session ID with Spring, it's suggested that session ID would be managed to separate data. Should I manage manually each user data with session ID internally in my application? How could I get the session ID?
In general terms, my problem is with dealing with multiple users/sessions.
Any help would be very appreciated. Thanks in advance.
Best regards
In my computer, I open two browsers (no tabs):
In the first one, I log in my app with user1 and get into. In the header, user1 appears.
In the second, I log in with user2 and go on. In the header, user2 appears.
Then, I switch to the first browser, submit an operation to the controller and when the app is showed again, in the header user2 appears, and it's wrong because I logged in with user1.
With session as normally implemented, this is normal behavior if the client is running two windows or tabs of the same browser on the same machine, as they share the session.
If you open the app in IE and Firefox, they will not share a session, and things will work properly.
I don't believe there's a way to get the browser to stop sharing session among windows, so if you need them to act independently, you'll need to essentially create your own session mechanism, likely by using hidden fields or some such hack rather than the cookies or url-rewriting the normal mechanism uses.
It would be better to just accept the situation. Let the user know when they open the second window and connect to your app that they are already logged in, and don't allow another login.
We have a CodeIgniter based SAAS application. Sessions are stored in the database.
We use this class as a replacement for CI sessions
With one specific customer ( same office, multiple users, same IP ), the session is getting reset or destroyed on a page refresh.
This has never happened before with any other users or from other location. I am not able to reproduce this issue.
Steps:
User Logs in & sees home Page.
User begins navigation by clicking some link
Session times out and they are prompted to login again
And this continues after each login.
Session expiration is set to 3000 s and time_reference is GMT and sess_time_to_update = 300 s.
Any help on how to go about investigating this issue will help.
This happens in IE , Chrome and therefore does not seem to be a browser issue.
This same set of users have never had this issue before.
check the size of the session cookie. maybe it is larger than the allowed size > 4096. I know it's a long shot, but try it out nevertheless.