I am saving data in session (correct and wrong answers, i am doing it this way because before i save them to database i have to check some criteria and also user can pause the question to log in and continue later) but i want to save them for each user not global for all users. And because of that i am having problem if i log in with different user the session data from previous user will still be there.
This is how i push to session but this is global (every user can access it)
Session::push('uncorrect', array('exam_id' => $exam, 'question_id' => $question, 'answer_id' => 0));
This is an example of Logged user in session
login_82e5d2c56bdd0811318f0cf078b78bfc": 1,
So my question is how to save Session for current user, not all users?
As discussed in comments, but to explain fully: the Laravel session remains active for the duration of the browser session - that is, as long as the browser retains the session cookie. This is irrespective of different users being logged into your application in the same browser session.
When logging a user out, you would typically want to clear all session values or regenerate the ID. So, in Laravel, you can use Session::flush() to clear values, or Session::regenerate() to get a new ID.
Related
I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.
I need to have CakePHP know when a user is logged in, which I assume is a process started using:
'Session' => [
'defaults' => 'database'
]
As per the Sessions book page.
It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?
To clarity:
All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).
Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.
Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.
The information held in the cookie is just the session id. In the DB it's simply:
Session id | a blob | expiry time
I assume you save users and sessions in a database (by default in cakePHP it is named sessions).
Add an active_session field, update it upon login, check it on requests to ensure that current user session id matches the last one stored in the database.
On Login action do:
UPDATE `users` SET `active_session`='$session_id';
When user goes to a page that requires login, you search that value:
SELECT * FROM `users` WHERE `active_session` = '$session_id';
If the user signs in other place, the previous session key gets overwriten, and the SELECT above returns an empty result-set.
It's possible to clean the old session token before the update, so this way old session will be destroyed on per user basis.
Be careful, if you are using AuthComponent, it might rotate sessions itself, for more information you may find in the corresponding section of CakePHP manual.
I'd definitely go AuthComponent-way, and wouldn't re-invent the wheel in CakePHP.
I tie users to their cell phone. Every day they get a new 6 digit code via twilio sms. Makes it hard to share logins, but not impossible. Ultimately, I would like to track how many different machines a users uses per day and establish some fair use limitations. If a user uses three or four machines in a day, that's fine, but when they start using the same user id on twenty or fifty machines a day, that might be a problem.
I have a external facing website (Back end SQL Server and ASP.NET) where I want a feature that if a user from same id is already logged in, and he tries to login again from some other browser or through some other channel, his previous session should be expired.
So for this in which way should I proceed ?
You can store the sessions in a database, by providing a unique session-id every time a user logs in. By storing the session-id also in a session variable you can see when the user is logged in somewhere else.
For example:
User A logs in in Safari on his laptop
Session id is generated and stored in database and session variable
User A browses to different page
Session id in database is compared with session variable
ids match, user is still logged in
User A logs in using Chrome on his phone
Session id is generated and stored (overwriting the previous) in database and session variable
User A browses on his laptop to a new page
Ids do not match, redirect to login page
You can also make this more general by keeping a session table, in order to allow a maximum number of sessions per user. The key is just to use a global storage like a database in combination with the session information to verify where the user logged in last.
In CakePHP a the Session times out it, not unreasonably, trashes any custom data in the stored Session.
However it also sets up an Auth.redirect so after the user has been forced back to the login screen and completes the login, they are then (by default) redirected back to the page they were on before the session expired. This is problematic if that page relies on some of the custom data that was stored in the Session but is now no longer available.
My simple solution has been to force the user back to the home page for authenticated users by deleting the Auth.session key in the Session. But this isn't a particularly desirable behaviour. It would be preferable if I could return the user to the place they were before the Session timed out.
Nevertheless, I like the idea of a user having to re-authenticate if they abandon their Session for too long.
So, what seems to be needed is for CakePHP to require a re-authentication of the user but to not actually expire the underlying Session and this leads to a couple of questions:
Is there any way to have CakePHP require a re-authentication of the Session, as described, without timing out the session (i.e. setting a long timeout on the Session)?
Is there actually a better way to store the information required for page transitions (e.g. the ID of the parent record for a given model so that saveAssociated can be used) other than to store these in the Session?
Thank you for any guidance.
Passport by default allows the same user to login from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second session?
Currently I'm using the 'Sessions' model to add the username to the record and upon subsequent login check by username if the sessions exists. But this increases traffic to the db. I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas around how to achieve tweak with express for this purpose or any other workaround/suggestion.
Much thanks!
I saw that at least 4 users upvote this question, so I decided to create passport-strategy for that. The new strategy called passport-one-session-per-user. It's open source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user
How to use it? add it right after session. For example:
app.use(passport.session())
var passportOneSessionPerUser=require('passport-one-session-per-user')
passport.use(new passportOneSessionPerUser())
app.use(passport.authenticate('passport-one-session-per-user'))
Not need for settings, or configuration.
How it is works?
The strategy, created an array that contain serializaed user objects, and sessionID.
Every time user logged in, the strategy check if the user already logged in. If so, it's flag the other session. The next time the user in the other session make a request, the strategy see the flag, and log the user out.
I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified.
I believe the session model loggs the user in, and saves only that logged-in-ness in the session cookie. The server itself has no clue about who is logged in, but just checks this state in the (signed) session cookie provided by the browser.
You can write your own Passport.js strategy to handle it differently.
I have a CakePHP app where users have pages tied to their accounts. For example, the page ID 123 is tied to user 321.
Whenever the user logs in, all the pages tied to his account are saved in the session.
Admins are the only one who can tie a page to an user. And here is the problem. If an admin adds a new page to an user and if this user is logged, he won't see this new page tied to his account unless he logs out/in. In other words, while his current session is valid.
What would be the best way to deal with this? If there is any way...
Find the user session and... update? delete? Is this even possible and/or "elegant"?
Send a message to this user warning about the new page and tell him to logout/login?
Stop saving this info in the session and rely on database only?
You really should stop saving this info in session.