session + devise authentication - ruby

i want a authentication ,many people to login with a particular username and password at the same time and it is not good , where User A logs in with username = sammy and password = sammy123, User B cannot login with the same username = sammy and in one session password = sammy123 while I am still logged into an application...,i am using ruby 1.8.7 and devise gem for authentication, rails 2

1.add a column(flag) in table mdl_user store a 'false' value when user create new account .
2.Make a function which accept three value table name,flag field and username(which user enter) .this function return the value of flag field (true or false) .This function call if the user exist in database.
2.1 if 'false' returned then allow to login user and insert value into flag field 'true'.
2.2 if 'true'retuned then do not allow to login and print the message below the username and password field "This user already logged".Do not insert any value in database.
2.3 Now when sign out user then insert into flag field value 'flase'.
3.User allow to login only when flag field value 'false'.

better use this link http://www.gotealeaf.com/blog/how-to-use-devise-in-rails-for-authentication and check the version of devise gem you had used in your application.

Related

Laravel 5.6 Auth from two different tables

I would like to ask about logging in to Laravel but in a different way:
User information including the password but not the email will be stored in users table, while email_address will be stored in a email_addresses table with a boolean field called is_default.
So the user can have several emails, but he can log in with only one email that has the is_default is true. and he could change his default email through his profile.
So, how can I make the login process through the Auth::login() facade.
I was able to register the user by storing the information in a users table and store his email_address and is_default = true in the email_addresses table.
It can be a little tricky. Auth::login() just needs to fetch email and password, so if you can trick the model into thinking it has an email field accessible via $user->email, things will work out:
public function getEmailAttribute()
{
return DB::table('email_addresses')->whhere('default', 1)->where('user_id', $this->id)->first()->toArray()['email'];
}

Laravel how to block or secure id in route

i have custom password reset in my project where user can change his password, now how can i secure the route where the user cannot manipulate the id..does laravel has it in the middleware?
Example:http://localhost:8000/changepassword/1/edit if user attempt to changes the id parameter it will redirect to access denied page.. is this possible?
Yes it is possible
In your controller function, you can check the current/login user id and that id which you are going to get from the URL
Also for admin user you can add one condition that
if(ADMINUSER || LOGIN_USER_ID == URL_ID){
}
But I recommend that add an extra column with the random and unique string use that column instead of Id, In that case your URL will be like this
/changepassword/wcdftgHYuj346DERFD/edit
then you need to get the user on the base of random_string 'wcdftgHYuj346DERFD'

Codeigniter remove specific user's session

In Codeigniter, how do I remove specific user's session?
I have set login session like below. And I want to remove specific MemId's LoggedIn(in other words, session for just one user) assuming there are about 1000 users.
$this->session->set_userdata([
'LoggedIn'=>true,'MemId'=>PrimaryKey
]);
When user logged in you are setting two session variables.One is LoggedIn and another 'MemId' which is the primary key of member.So,first retrieve the logged in user member id from database then unset it.Might work properly.
MemId is the member id of user for which you want to remove session.
$this->session->unset_userdata('MemId');

how to match hashed password in laravel4

I am working on change password function in laravel4 . I got stuck into one point that how to match hashed password on database with the new password we enter.
I know this that laravel4 Auth produces new hash value every time for the same input .
Please help me on this .
Thanks.
The question is unclear why do u want match the new password with old ?
But to check the password you can do
Hash:check($entered_old_password, $password_from_db);
*$password_from_db - would be hashed password.
I typically have a form with 3 text inputs, 1 for old password and 1 for new password and the last one for new password confirmation.
On submit check if the old password matchs if so update the user's password with the new one.
You can also use Eloquent Accessor & Mutators to Hash password every time it is set so you don't have to do that in multiple places
[http://laravel.com/docs/eloquent#accessors-and-mutators]
Is that what you are looking for?

Best Practices For Creating A Login Flow?

What is the best way to securely login in a user and keep the user signed in with cookies and sessions?
For example:
Check if password and email are valid for a specific user
Set a cookie with arbitrary string
Create a session with the same arbitrary string
Validate each request by the user by making sure the arbitrary strings of the cookie and session are the same
What is the best way to securly login in a user and keep the user signed in with cookies and sessions?
Using an established library.
It depends on how you define "create a session". For our purposes here let's define this as "create a server-side data store with an id and set a cookie with that id"; i.e. what the default session_start() does. Then:
Ensure the connection is HTTPS.
Check login credentials.
If valid, create a session (see above) with a large, (pseudo-)random id and an expiration time as short as possible but as long as necessary. Security here comes from the fact that it's infeasible to guess suitably random session ids, so the longer they are and the shorter their window of validity is the better.
Store the id of the logged in user in the session.
On each page request, see if the session with the id from the cookie exists; if so, use the user id stored in it to get your logged in user.
Optionally storing and checking the user agent is not a bad idea; you should not check the IP address though, as that may change legitimately.
Apart from storing it in sessions , you can also follow this method for keeping an user logged in , even after he closes the browser ->
1) Create a cookie storing user details and an unique hash
2) Create a sessions table (in a mysql db or any other db of your choice) where the unique hash is stored against the user-id, and the user agent of the browser,and the ip address .
3) Next time when the user logs in check that when the user logs in , is it from the same ip,same user agent .. If not , then delete the database entry , and repeat steps 1 and 2.
Apart from keeping an user logged in , it also gives you better security than just storing in sessions.

Resources