laravel 5 - when is a new session created? - session

I have changed the session driver of my app from file to database and found that lots of sessions are inside app/storage/framework/sessions (~900) and now in the MySQL database.
When is a session created in Laravel 5?
I thought it was when a new session cookie is set. Just wondering, because I think that ~200 sessions in ~30 min is too much. I don't have so many visitors. It almost looks as if every request makes a new session in the sessions table. I only changed the session driver. I did not change any other session option.
Edit: This is all because I wanted to build an 'n users online' function based on sessions. But with so many sessions, this would show too many users.

Laravel will create a session record for anything that hits your site. This includes automated requests like bots, uptime monitors, or other pings to your site.
It's possible to turn this off for certain page requests.

Related

Google Analytics - PageView vs Sessions

I have a simple question for my case. I have one HTML page on a router which serves as a hotspot page. I have also set up Analytics on that HTML page.
The question is: when I want to deliver to a client the number of users that visited that hotspot page, what should I use, PageViews or Sessions?
I notice that I have a big difference between those two options.
Example:
Sessions for 3 months: 1,050
PageViews for 3 months: 15,501
Note: I only have one page on that hotspot; it's not multi-page, it's only one. Thanks
In GA, there's Users, Sessions, and Pageviews.
A user can have many sessions, 1 session can have many pageviews.
Out of the box, a user is defined by the cookie that's stored in the browser. If the cookie is deleted or if this physical user uses another browser, from GA's perspective it is a different user.
Sessions are started when a user visits your site and if their last "hit" sent to GA hasn't been over 30 mins. The same thing with the cookie applies here. New session if the cookie is deleted (there are other cases where a new session will start, but for basics, you don't need to worry about them).
Pageviews are just that, every time someone views a page on your site, this count will increase. This will count refreshes, revisits, etc. There is also "unique pageviews" which only increment once per session.
Now, going back to which one you should use. Sessions or Pageviews won't tell you about users. Sessions will tell you how often people visit your site. Pageviews will tell you how often the page is loaded. If you want to tell users, you need to look at the users metric. Though do note the thing about cookies and cross devices.
If your site is authenticated, it is much easier to track individual accounts by utilizing the userID feature in GA.

How to limit users to one session with CakePHP 3?

I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.
I need to have CakePHP know when a user is logged in, which I assume is a process started using:
'Session' => [
'defaults' => 'database'
]
As per the Sessions book page.
It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?
To clarify:
All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).
Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.
Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.
The information held in the cookie is just the session id. In the DB it's simply:
Session id | a blob | expiry time
I assume you save users and sessions in a database (by default in cakePHP it is named sessions).
Add an active_session field, update it upon login, check it on requests to ensure that current user session id matches the last one stored in the database.
On Login action do:
UPDATE `users` SET `active_session`='$session_id' WHERE `id`='$user_id'; -- restrict the update to the user who is logging in
When user goes to a page that requires login, you search that value:
SELECT * FROM `users` WHERE `active_session` = '$session_id';
If the user signs in at another place, the previous session key gets overwritten, and the SELECT above returns an empty result set.
It's possible to clean the old session token before the update, so this way the old session will be destroyed on a per-user basis.
Be careful: if you are using AuthComponent, it might rotate sessions itself. You may find more information in the corresponding section of the CakePHP manual.
I'd definitely go AuthComponent-way, and wouldn't re-invent the wheel in CakePHP.
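An added example (not part of the original answers, and not CakePHP code): a framework-neutral Python/sqlite3 sketch of the `active_session` check described above, with bound parameters instead of interpolated strings and the update scoped to one user. The table layout, function names and sample rows are assumptions made for the illustration.

```python
import hmac
import secrets
import sqlite3

def make_db():
    """In-memory stand-in for the users table (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active_session TEXT)")
    db.execute("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')")
    return db

def login(db, user_id):
    """Issue a fresh session id and record it as the user's only valid one."""
    session_id = secrets.token_hex(32)
    # WHERE keeps other users' sessions intact; bound parameters keep the
    # values out of the SQL text.
    db.execute("UPDATE users SET active_session = ? WHERE id = ?", (session_id, user_id))
    db.commit()
    return session_id

def is_current(db, user_id, session_id):
    """True only if session_id is the one stored by the user's latest login."""
    row = db.execute("SELECT active_session FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None or row[0] is None:
        return False
    return hmac.compare_digest(row[0], session_id)  # constant-time comparison

def logout(db, user_id, session_id):
    """Clear the slot only when the caller holds the active session, so a
    superseded session cannot log out the newer login."""
    cur = db.execute(
        "UPDATE users SET active_session = NULL WHERE id = ? AND active_session = ?",
        (user_id, session_id),
    )
    db.commit()
    return cur.rowcount == 1
```

Call `is_current` on every request that requires login; a second login for the same account makes it return False for the earlier session id.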
I tie users to their cell phone. Every day they get a new 6 digit code via twilio sms. Makes it hard to share logins, but not impossible. Ultimately, I would like to track how many different machines a user uses per day and establish some fair use limitations. If a user uses three or four machines in a day, that's fine, but when they start using the same user id on twenty or fifty machines a day, that might be a problem.

How do sessions work together in PassportJS

I am having trouble understanding the login flow and signup flow in PassportJS and ExpressJS. What I really wanted to do is test if different sessions are being created. So I started a server and opened two windows, both at login pages. Then I log in and a session is created, but it is created for only one person, i.e. the one who enters last; in my sessions table there is always one entry. Is this the expected behavior or is this wrong? How can I test this behavior in real time, i.e. logging in 20 users and seeing 20 entries in my sessions table?
It depends on how you are handling sessions, most likely cookie, in which case you may need to refresh the browser. If that doesn't work, your cookie expire date may not be set properly or you may not be deserializing properly. Read this for reference: https://scotch.io/tutorials/easy-node-authentication-setup-and-local

Zend Framework 2 session container lifetime

I'm a novice in ZF2 and need advice from more experienced users.
I'm developing a small shop and I want to have different lifetimes for session storage and cookies.
For example, when a user logs in, the server sends a cookie with a 3 month lifetime and creates a session storage record (for user data) with a lifetime of 30 minutes. Having the cookie and a unique session record, the user can buy goods, comment, and view their profile with secure data (e.g. credit card number, phone, etc).
After 30 minutes of no activity the session record must be deleted but the cookie must be left (the cookie's lifetime must be 3 months). Having only the cookie, the user can make comments but cannot buy anything or view his/her profile.
So I'm interested in how I can realize this with ZF2. As I understand it, must "remember_me_time" be equal to "cookie_lifetime", or can they be set to different values?
Does ZF2 have any standard mechanism to delete a session storage after some time for a single user, or do I have to create such a mechanism myself?
If you're using ZfcUser (and if you're doing user authentication on ZF2 you should be) check out the GoalioRememberMe (https://github.com/goalio/GoalioRememberMe) module, it does exactly what you're looking for (Caveat: I've never actually used it myself so I can't vouch for its efficacy or security)
I also suggest reading this response by Anthony Ferrara (#ircmaxell) to a somewhat similar question. It contains some background information on what you should and shouldn't do, and the gist of it is: don't try to keep the PHP session open that long, use a "remember me" cookie instead and build a new session from the remember-me cookie for visitors that don't have an active session.
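An added example (not code from ZF2, ZfcUser or GoalioRememberMe): a minimal Python model of the two-tier scheme in this thread, with a 30 minute idle session for full access and a 3 month remember-me cookie that grants only limited access once the session is gone. The selector:validator token layout, the in-memory dictionaries and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SESSION_IDLE = 30 * 60           # 30 minutes without activity (from the question)
REMEMBER_TTL = 90 * 24 * 3600    # about 3 months (from the question)

sessions = {}     # session_id -> {"user", "last"}; stand-in for session storage
remembered = {}   # selector -> (sha256 of validator, user, expires)

def login(user, now):
    """Password login: returns (session_id, remember_me_cookie_value)."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "last": now}
    selector, validator = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
    # Only a hash of the validator is stored, so a leaked table cannot be
    # replayed as a cookie.
    digest = hashlib.sha256(validator.encode()).hexdigest()
    remembered[selector] = (digest, user, now + REMEMBER_TTL)
    return sid, f"{selector}:{validator}"

def access_level(sid, remember_cookie, now):
    """Return ('full' | 'limited' | 'anonymous', user) for one request."""
    sess = sessions.get(sid)
    if sess and now - sess["last"] <= SESSION_IDLE:
        sess["last"] = now                    # activity slides the idle window
        return "full", sess["user"]
    sessions.pop(sid, None)                   # idle too long: delete the record
    selector, _, validator = (remember_cookie or "").partition(":")
    entry = remembered.get(selector)
    if entry:
        digest, user, expires = entry
        presented = hashlib.sha256(validator.encode()).hexdigest()
        if now < expires and hmac.compare_digest(digest, presented):
            return "limited", user            # may comment, may not buy
    return "anonymous", None
```

Moving a "limited" visitor back to "full" would go through `login` again, i.e. a fresh password check, before purchases or profile data are allowed.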

CodeIgniter Session Expires on Page Refresh

We have a CodeIgniter based SAAS application. Sessions are stored in the database.
We use this class as a replacement for CI sessions.
With one specific customer (same office, multiple users, same IP), the session is getting reset or destroyed on a page refresh.
This has never happened before with any other users or from other location. I am not able to reproduce this issue.
Steps:
User Logs in & sees home Page.
User begins navigation by clicking some link
Session times out and they are prompted to login again
And this continues after each login.
Session expiration is set to 3000 s and time_reference is GMT and sess_time_to_update = 300 s.
Any help on how to go about investigating this issue will help.
This happens in IE and Chrome and therefore does not seem to be a browser issue.
This same set of users have never had this issue before.
Check the size of the session cookie. Maybe it is larger than the allowed size > 4096. I know it's a long shot, but try it out nevertheless.
