Recently, I have noticed a very disturbing situation with my Laravel 5 app which I can't seem to figure out. During login, I set the user_type variable in session like so:
Session::put('is_supervisor', $user->is_supervisor);
In my config/session.php file, I have the following configuration:
'lifetime' => 120,
'expire_on_close' => false,
I have also implemented the remember me functionality.
I logged in as a supervisor user with remember me checked. After a few hours, I closed the browser without logging out and launched it again, which logged me into the user profile as expected, since expire_on_close was set to false and remember me was checked. But I noticed that the is_supervisor variable didn't exist any more in the session, so I had to log out and log in again to have the variable back in the session. What could be the problem? I am using file as my session driver.
You need to understand what happened: You've set the lifetime of the sessions to 120 minutes, which means after 120 minutes the session is flushed.
The remember_me feature is using cookies. If there is no user session Laravel checks the cookies and recreates the session if the session cookie is still valid.
My question for you is: Why do you store this data in a session? If you want to check if a user is a supervisor just do if ($user->is_supervisor).
If there is some db query that happens inside the is_supervisor function then use some caching mechanism.
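The flow described in this answer, as an added example that is not part of the original post and is not Laravel's own code: a simplified plain-PHP model in which the session outlives its lifetime, the remember-me token logs the user back in, and the key set at login is missing from the new session. The user record, token value and function names are constructed for illustration.

```php
<?php
// Added example: simplified model of the flow, not Laravel's own code.
// User record, token and function names are constructed for illustration.
$users = [1 => ['is_supervisor' => true, 'remember_token' => 'constructed-token']];
$sessions = []; // session id => ['data' => [...], 'last_used' => unix time]

function startSession(array &$sessions, array $data, int $now): string
{
    $id = bin2hex(random_bytes(8));
    $sessions[$id] = ['data' => $data, 'last_used' => $now];
    return $id;
}

// Returns the session data for a request, or null if the visitor is a guest.
function resolve(array &$sessions, array $users, string $sessionId, string $token, int $lifetime, int $now): ?array
{
    if (isset($sessions[$sessionId]) && $now - $sessions[$sessionId]['last_used'] <= $lifetime) {
        $sessions[$sessionId]['last_used'] = $now;
        return $sessions[$sessionId]['data'];
    }
    unset($sessions[$sessionId]); // session is past its lifetime
    foreach ($users as $userId => $user) {
        if (hash_equals($user['remember_token'], $token)) {
            // Remember-me login: the new session knows only who the user is.
            $newId = startSession($sessions, ['user_id' => $userId], $now);
            return $sessions[$newId]['data'];
        }
    }
    return null;
}

$lifetime = 120 * 60; // 'lifetime' => 120 (minutes)
$t0 = 1700000000;     // constructed login time
$sid = startSession($sessions, ['user_id' => 1, 'is_supervisor' => true], $t0);

// Five hours later the browser sends the old session id and the remember-me cookie.
$data = resolve($sessions, $users, $sid, 'constructed-token', $lifetime, $t0 + 5 * 3600);

// The flag that was written into the session at login is not in the new session.
var_dump(isset($data['is_supervisor']));
// Reading the flag from the user record works however the user was authenticated.
var_dump($users[$data['user_id']]['is_supervisor']);
```

Reading the flag from the user record on each request also means a revoked supervisor role takes effect without waiting for the session to end.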
Related
I am developing a web application using Laravel.
In session config file the values are lifetime=2880 and expire_on_close=false,
but when the browser is closed, the login is expired but the session doesn't expire.
It still exists. Please guide me to solve this issue.
Well, in that case, you will need to check the value of "expire_on_close" in config/session.php file.
'expire_on_close' => true,
The value is self-explanatory.
My requirement is, I want to logout the user after 3 minutes of inactivity whether the app is in background or foreground.
In worklight.properties,
mfp.session.independent=false
mfp.attrStore.type=HttpSession
serverSessionTimeout=3
In main.js, for the session timeout when the app is in foreground, I have set
WL.Client.setHeartBeatInterval(-1);
Now the application is logging out perfectly, but once the app is logged out I want to show the user that the session has timed out.
Is there any method available in MobileFirst which will be triggered on session timeout?
There is no built-in feature to handle this. You need to write custom logic. For example, have some flag stored in the localstorage of the application and store in it what was the last way the user logged in, due to actively tapping the logout button, and if not... it means it was due to a session timeout.
Let's say, create a variable called activelyLoggedOut. By default false.
The user logs in...
Some time has passed... a request is made. The session expired. When the challenge is received then in the challenge handler you check for the value of activelyLoggedOut, if it's false you know that it's because of session expiration - output the relevant message.
or, the user taps "logout". Before logging out, change the value to "true",
I have done some very basic authentication work in PHP. In PHP you can start a session and create a unique session ID to be stored in the cookies.
How does this work in ColdFusion? How can I start a session and assign a unique ID to it?
The backstory: I am trying to create a login page. I can create users and authenticate their login attempts, but I need to know how to give them a unique session once they have logged in.
I've taken a look at the ColdFusion documentation. The only methods I could find for sessions seemed to be for browsers that don't use cookies for whatever reason. Am I missing something?
Yup, if in your application.cfm or application.cfc you set SessionManagement to 'true' then CF automatically creates a session for each new user. You can then set a property of the session (perhaps called 'loggedin') to be true or false to manage login state. Session duration is managed through the SessionTimeout property in application.cfc.
You can also use the <cfloginuser> tag to manage whether a user is logged in, although some people avoid it.
Take a look at this article for an overview of application.cfc
For example, if a user just closes the browser window without logging out (the PHP script unsetting and destroying the session and expiring the session cookie), by default the cookie used to store the session ID will have expired the next time the user opens the browser so s/he won't have access to the same session.
But what happens with the file on the server side that was used to save the session data and what happens with the session data itself?
Will it still be available?
There are parameters called session.gc_divisor and session.gc_probability that you can configure in php.ini or in the .htaccess.
These parameters give the probability (gc_probability/gc_divisor) of executing the garbage collection of the sessions at every request.
The garbage collection is a process which checks if the last modification of the session file is older than session.gc_maxlifetime and removes it if it is!
So yes, the data are still available for a while on your server.
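The garbage-collection behaviour described in this answer, as an added example that is not part of the original post: a stand-alone PHP script that lists which session files a GC run would delete, and an application-level idle check that does not wait for GC. The directory, file names, settings and the last_activity key are constructed for illustration.

```php
<?php
// Added example, not from the original answer. Directory, file names,
// settings and the 'last_activity' key are constructed for illustration.

// Chance that a single request triggers session garbage collection.
function gcChance(int $probability, int $divisor): float
{
    return $divisor > 0 ? $probability / $divisor : 0.0;
}

// Session files a GC run would delete: last modified more than $maxLifetime seconds ago.
function staleSessionFiles(string $dir, int $maxLifetime, int $now): array
{
    clearstatcache();
    $stale = [];
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        if ($now - filemtime($file) > $maxLifetime) {
            $stale[] = basename($file);
        }
    }
    return $stale;
}

// Application-level expiry check that does not depend on GC having run.
function isIdleExpired(array $session, int $idleLimit, int $now): bool
{
    return !isset($session['last_activity'])
        || $now - $session['last_activity'] > $idleLimit;
}

$now = time();
$maxLifetime = 1440; // sample session.gc_maxlifetime, in seconds
$dir = sys_get_temp_dir() . '/sess_demo_' . uniqid();
mkdir($dir, 0700);

// Constructed sample: one session used a minute ago, one abandoned two hours ago.
touch("$dir/sess_active", $now - 60);
touch("$dir/sess_abandoned", $now - 7200);

printf("GC chance per request: %.2f%%\n", 100 * gcChance(1, 100));
// Until some request actually triggers GC, the abandoned file is still on disk.
printf("Files on disk: %d\n", count(glob("$dir/sess_*")));
printf("GC would remove: %s\n", implode(', ', staleSessionFiles($dir, $maxLifetime, $now)));

// The application therefore rejects the stale session itself.
$abandoned = ['user_id' => 7, 'last_activity' => $now - 7200];
var_dump(isIdleExpired($abandoned, $maxLifetime, $now));

array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);
```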
I have this problem. There is a site with a CodeIgniter session time set to 7200 and there are some users logged in.
I suppose some of them will do nothing for over 7200 seconds. If I now change the session time to zero (no expiration), will the existing logged-in users be logged out if they do nothing, or not?
Thanks to all.
If you set $config['sess_expiration'] to 0 it means sessions won't expire.
On the next request after you edit the configuration, the session class will look at this setting before cleaning up old sessions, see it is set at "0", and do nothing. All active sessions will remain active, they won't be discarded. There will be no "memory" of the old setting.