Destroy session of user when disabled by admin? - laravel

Imagine you are Admin, now you decide to disable or remove a user.
If that user is logged in and is working with the system, he must be returned to the login page soon (when he sends his first request after being kicked by the admin).
What should I do?

In the auth filter, if the user is not a guest - check if he is disabled; if so, log him out.
This will not log him out if he requests a public (non-auth protected) route, but what would be the point anyway, since it doesn't matter if the user is logged in or not.
http://laravel.com/docs/4.2/routing#route-filters

Related

Userfrosting: How to make user login automatically soon after registration

In our use case, we need to log in the user automatically soon after successful registration for enabling, rather forcing the user to:
Change password.
Upload a file.
How to achieve this programmatically, in AccountController's register method?
Ideally, it should be a seamless registration process that ends with the login state in the user dashboard.
Request valuable help / hint / pointers...
Thanks!
The best way to approach this is to take a cue from the password reset controller, which already does this (in this case, it automatically logs the user in after they've selected a new password).
So, add this to the bottom of the register method in AccountController:
    // Log out any existing user, and create a new session
    if (!$this->_app->user->isGuest()) {
        $this->_app->logout(true);
        // Restart session
        $this->_app->startSession();
    }
    // Auto-login the user
    $this->_app->login($user);
    $ms = $this->_app->alerts;
    $ms->addMessageTranslated("success", "ACCOUNT_WELCOME", $this->_app->user->export());
You will also need to modify the AJAX callback in register.twig to redirect the user to the home page, instead of the login page:
    window.location.replace(site['uri']['public']);
The user will then be automatically redirected to the landing page for their primary group after being logged in.

Laravel's Auth::logout logs out users that are logged in in other browsers

My problem is with Laravel's Auth::logout functionality.
Imagine a user is kept logged in in different browsers, and when I call Auth::logout in one of the browsers, it logs him out from the other browsers too.
Is there any way to solve this problem in Laravel itself?
Edit: this is a real problem, when a user is kept logged in on his PC and logs out from another computer, which causes him to be logged out from his own PC too.
This functionality was a specific feature added to Laravel 4.1.26 as a security measure.
The reason is the exact scenario you provide - if you leave yourself logged in on Computer A, and log yourself out of Computer B - this ensures you are fully logged out of all computers.
It is a security measure. Before this update, if a remember cookie was hijacked by another malicious user, the cookie would remain valid for a long period of time, even after the true owner of the account reset their password, logged out, etc.

Devise authentication using custom SessionsController

I am overriding sessionscontroller because I need a special behavior.
When the user signs up, he will be inactive and won't be able to log in. I want to add that login to the login process.
The user will become active after an administrator authorizes him, changing one field in the CMS. How can I manage the login process so it doesn't allow inactive users to log in?
You can simply add an "active" column to your user table and Devise does the magic for you :).
Take a look at the link below to see how it works:
http://pivotallabs.com/users/carl/blog/articles/1619-standup-3-21-2011-deactivating-users-in-devise

Update current session

I have a CakePHP app where users have pages tied to their accounts. For example, the page ID 123 is tied to user 321.
Whenever the user logs in, all the pages tied to his account are saved in the session.
Admins are the only ones who can tie a page to a user. And here is the problem. If an admin adds a new page to a user and if this user is logged in, he won't see this new page tied to his account unless he logs out/in. In other words, while his current session is valid.
What would be the best way to deal with this? If there is any way...
Find the user session and... update? delete? Is this even possible and/or "elegant"?
Send a message to this user warning about the new page and tell him to logout/login?
Stop saving this info in the session and rely on database only?
You really should stop saving this info in session.

how to control the user relogin

If one user has logged in on one computer or browser, and then he logs in on another computer/browser again, the former login should be marked as invalid. Is there any way to implement this?
One way is to set a cookie with a session id when they log in, and record the latest session id somewhere server-side (like a database) keyed by that user id. On any website access, verify it's the latest session for that user.
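
The per-request check described in this answer, combined with the "is the user disabled?" check from the first answer on this page, as an added example that is not code from any of the posts. It is a framework-independent model: the in-memory store stands in for the database, and the names SessionGate, login, disable and check are assumptions made for illustration.

```python
import hmac
import secrets


class SessionGate:
    """Server-side account state plus the latest session id per user."""

    def __init__(self):
        self._users = {}  # user_id -> {"disabled": bool, "latest_sid": str or None}

    def add_user(self, user_id):
        self._users[user_id] = {"disabled": False, "latest_sid": None}

    def login(self, user_id):
        """Issue a new session id; any earlier one for this user stops validating."""
        user = self._users.get(user_id)
        if user is None or user["disabled"]:
            return None
        user["latest_sid"] = secrets.token_urlsafe(32)
        return user["latest_sid"]

    def disable(self, user_id):
        """Admin action: takes effect on the user's next request."""
        self._users[user_id]["disabled"] = True
        self._users[user_id]["latest_sid"] = None

    def check(self, user_id, sid):
        """Call on every authenticated request. Returns (allowed, reason)."""
        user = self._users.get(user_id)
        if user is None:
            return False, "removed"
        if user["disabled"]:
            return False, "disabled"
        latest = user["latest_sid"]
        # Constant-time comparison of the cookie value with the stored id.
        if latest is None or not hmac.compare_digest(latest.encode(), sid.encode()):
            return False, "superseded"
        return True, "ok"


def demo():
    """Constructed scenario: two logins, then the admin disables the account."""
    gate = SessionGate()
    gate.add_user("alice")
    pc = gate.login("alice")
    laptop = gate.login("alice")  # second login supersedes the first
    before = (gate.check("alice", pc), gate.check("alice", laptop))
    gate.disable("alice")
    after = (gate.check("alice", laptop), gate.login("alice"))
    return before, after
```

Any result other than (True, "ok") should end the session and send the user to the login page; because the state is re-read on each request, nothing has to reach into the user's existing session when the admin acts.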
