I have a role base Laravel app. I have admin role and trying to block a specific user , then immediately log the user out of app.
so using Auth::logout()
is not the case as it log myself out not the intended user!
Everyone here suggest you to just delete user session, but I think it's a bad advice, because session can have information which you do not want to delete. Deleting a session just to logout a user is like killing a fly with a bazooka.
More elegant solution is to mark user for logout and check if user is marked on every request. If he's marked, just logout him immediately with simple Auth::logout()
You can find code example by clicking the link to my answer to similar question.
Update - The test
Ok, guys, you downvoted me and made me feel like a fool, so I've decided to test things out.
I've switched session driver to a DB.
Then I've made a route with session->put('mes', 'I\'m here!'); and ran it. After that I've ran action with echo session->get('mes');, so I saw the message.
After that I've tried to close browser and open it again. I've logged out with Auth::logout(); and then logged in. I still saw the message. Session was kept.
Now, when I've deleted session manually with #Ben Swinburne method, the message was gone. Whole session was destroyed.
So, I guess it proves my answer is correct.
Also, look at this answer by lukasgeiter.
Related
My purpose is not to logout a user from the old device, but to prevent them to login if already logged.
I could use a flag in a column of the user table, but it doesn't seem an elegant and modular way. What if for some reason the user is logged out without calling the normal method in the controller so the flag is not set to false and they can't login anymore?
Sure, I could track whether some time passed, but it doesn't seem an elegant way.
I'm sure there is a simpler solution. For example, is there a way to check if a session id is still valid (so if the user is logged in somewhere)? Thanks.
EDIT: I mean that I don't want the user to login from a different device if already logged, not from the same one!
I think it would be complicated to check user's all session ids you can have a column of current_login_at which you will need to set on login and set it null on logout.
Also you know that Default session last 2 hours and you can make a check before login.
I have this website that I developed. It is acting weird. I logged onto it and now it seems that I can't logout of it. It has session which I don't know how it can still maintain after logging out and also in different browsers and even in incognito.
The weirdest thing is that if you open it in your browser you get same session state. You can't do anything with it. But it is jut there.
What is going on?
Go to this page, it shows some user logged in. click Add and it asks for credentials again. Like an endless loop.
http://krninstitute.com/krnitech/Forms
Then go to this page, it shows other user logged in. Go to the end of the page.
http://krninstitute.com/krnitech/Gallery
This question requires these external links.
But here are images just in case:
Edit 1:
What is causing every request to end up with session cookie? I don't have any cache implemented. Does it have something to do with recent GoDaddy crash?
Edit 2:
Questions are 1. how can you see who is logged in on the application? I haven't implemented such functionality. And 2. how there are two people logged on from same browser window?
Session and Authentication are two different things. When you use FormsAuthentication to login and logout, it does not change the session. You must abandon the session in addition to logging out to do that.
Session.Abandon();
Be aware that the session will still be there until the end of the request, so you should probably immediately redirect to a default page afterwards.
I'm trying to understand if this makes sense:
1. User logs in, checks "remember me" checkbox.
2. User logs out.
3. User comes back and is automatically logged in.
Basically, that's exactly what you'd expect to happen. This means it's working. Here's where it gets a little weird:
1. User logs in, checks "remember me" checkbox. (Or logs in using remember me.)
2. User is inactive for over 20 minutes, so the session times out.
3. User clicks a link and is sent to the sign in page.
4. User closes browser, then opens again. They are taken to the sign in page.
It would seem that "Remember Me" is turned off for this user when their session expires due to inactivity. I've tried to find something about this in the documentation, but to no avail. If this is expected behavior then that's cool, but I'd like to confirm.
We're using the Sitecore.Security.Authentication manager to set the cookie in the first place.
In my experience, the "remember me" function has never worked properly..
Seems to be a bug that has been there forever.
I usually just let my browser store the login information for Sitecore if it's too difficult to remember.
First of all, it is important to know that even the "remember-me" token has validation: the "cookie" expires after some time, and it is configurable, even though it has a default value. You need to check the default value.
Secondly, due to Single-Sign-Out, the "remember-me" cookie suppose to be removed after signing-out (just as #adam said in his comment). Remember me remembers the user across sessions, but not if he logged out. Think of it this way: if you have your Facebook or Google account, and you signed in after clicking the "remember-me". Then you log off, and come back again. You will be asked for your credentials again! (If it is not you who tries to log-in? do you want Facebook to remember you even after you have signed out?)
The practical use of remember me is this: you log-in to a web-site, then close your browser (without logging-out!), and by closing the browser you "lose" the session. When you reopen the browser, you get a new session. Then the remember-me comes into work: you will have access to the website without the need to enter credentials again.
My web application requires a user to be logged in to view any webpage on it.
When a user logs in I store, in sessions, their username and password for retrieval later on. This all works fine but, if I rerun my project it seems to skip past authentication and go straight to the controller for that action.
What I presume is happening is that FormsAuthentication.SetAuthCookie(userName, createPersistentCookie); is remembering that the user is logged in but my sessions aren't updated.
How can I trap this scenario and update my sessions accordingly?
There are many ways of going about it.
First, you can choose, not to persist the cookie. But this will still cause the exception if the session has not expired and you recompile your project. Recompiling the project destroys the session state.
Though putting the password in session state is not the preferred way of going about it, I am sure you would have a valid reason of doing it that way.
However, if you want to do it that way, you can override the Application_AuthenticateRequest event in Global.asax. This event fires every time a request comes in and you can check if the request is authenticated (using HttpContext.Current.User.Identity.IsAuthenticated) and repopulate the session state.
By the way, can you elaborate why you need to store the user password in session state?
If I am correctly understood the issue,you can have base action class so and move the authentication mechanism there.So for every request this base will be invoked so you can make sure that the authentication mechanism is not skipped.
I am writing my first FireFox extension and I have some questions. Maybe someone can help.
I have a website which requires login. The sign-in is one user per login type. So if I am logged with the username "tom" from one PC and go to other PC and try to login with the same details, it fails. When I click the log-out button from my authenticated page, the new location executes a PHP function to log-out the user (updates the "logged" status of the user in MySQL). The problem is that if a user is logged in from his work desk and surfing the page then suddenly he gets a call by a friend to quickly grab lunch in his break and has to meet him in short time, he just clicks the X (close) button from Firefox, forgetting to press the log-out button so the status of the logged is still 1. Later on, if he wants to access the page again from home, he won't be able to log in.
So, I need to grab the "close" event from firefox somehow. I am thinking about looking for the ones that contain the "website.com" domain only. Then, if a tab is closed or the main window of Firefox is closed, send an unique key, and the username to that URL that logs out the user and the problem may be solved. I don't know if this is possible. Please post any idea (followed by code if you can) for this extension to be built.
Thank you.
By design, this is wrong.
If a user's PC crashes (harddisk failure, power failure) your plugin won't be able to log out the user. And so, the user won't be able to login on any PC.
--
Let's revisit the premise,
a. why does logging in from another PC need to fail?
b. How about invalidating the login from the previous PC (log out) when the user logs in to another PC. THis is kind of like how chat applications like Yahoo! Messenger work.
From your answers, here's what i would suggest: if the user is logged in on another PC, warn and present the user with options:
cancel logging in
forcibly log out the other user and proceed to logging in
Logging the user out after a certain time of inactivity is the (application or web) server's responsibility, not (only) the client-browser's. This is called a session timeout.
You might be able to avoid the timeout by a browser implementation as you describe it, but this should not be the primary solution.
Here's an off hand approach you might take:
In your case I would include a timestamp in the table where the 'locked' state is stored. Every time a user does an action that timestamp is updated. When you try to login again ad the timestamp is older that a certain threshold (e.g. 15min) your login code should silently logout the previous user.
In order to receive a notice about the tab being closed, you'll want to do something like this sample code. However, instead of listening for load, you'll want to listen for unload.
When you do end up getting notified about unload, you'll have to do a request to the logout page just like the web application does. You can figure out what the location of the document that is unloading is by checking aEvent.originalTarget.location.href. Note that aEvent.originalTarget will give you the document object of the tab that is closing. You'll then want to use an XLMHttpRequest for this in your event handler.
You could use ajax that would ping a page on the site - all the session info will be passed and you can verify that the user still has an active browser/page open. If Firefox crashes it won't be able to ping the website anymore and the session could time-out after 15 minutes. I think that allowing a forced logout on another sign-in would be best. Usually when I leave work at the end of the day I wouldn't close all the programs or logout or anything - just lock my computer to prevent anyone from using it. Next morning I come back with all my programs still running so I can continue where I left off.
BTW, Yahoo Web messenger probably uses some form of session-based cookies. That is, cookies are stored in memory and are gone when the tab or browser are closed.
Just enable to the user to re-login from another machine. And if you get a request from the user on first machine, ask him to re-login too. So you get a single logged in user at a time.