I am trying to show modal after session expired. I am using filters to catch that session has expired:
def filters = {
all(controller:'graphs', action:'*') {
before = {
if (session.expired) {
//some code to invoker modal
return false
}
}
}
}
Modal should notify the user that session has expired and redirect to main page. Any suggestions on how to invoke modal?
What you are proposing is very tricky to implement because you need a client-initiated request or session to transmit anything to the client and any such request will prolong the session. I see two possibilities:
Polling
If you don't mind the session being prolonged and just want to make sure the user is still logged in the simplest way would be to implement Javascript polling using setInterval or similar (but make sure the polling stops on first failure or users are at risk getting redirected to the polling endpoint after logging in again, especially if they have more than one tab open). If you don't want to stretch the session you could try a hacky workaround.
Websockets
You could open a websocket connection using an appropriate plugin and keep it open. You need to make sure no session prolonging heartbeats are being sent. Then when the session ends, send a message back through the connection. Note that this will involve more work than polling.
Related
Good evening,
I'm using Laravel with VueJS and I have a little problem with disconnection.
Example: I open 2 tabs, log out on one, go back to the other, and I can still do what I want, like create a user.
But I can't change route (that's normal, I use a befor each in the router).
How can I do that, to prevent any action being in the same route?
Thank you in advance, don't hesitate to ask me more info if you need more info
Server-side
You need to check for the non-expiration of the session:
if(Auth::check()) {
// Code which should only run if the user has a valid session
} else {
// Code for handling the non-existence of session
}
Client-side
Your client-side should always know if a request has succeeded and handle eventual failures. This is valid for a session which expired for some reason, but other issues as well, like request timeout, or even some errors.
Make sure the logout happened
Something like this
Auth::logout();
should be executed when you log out.
My requirement is, I want to logout the user after 3 minutes of inactivity whether the app is in background or foreground.
In worklight.properties,
mfp.session.independent=false
mfp.attrStore.type=HttpSession
serverSessionTimeout=3
In main.js, for the session timeout when the app is in foreground, I have set
WL.Client.setHeartBeatInterval(-1);
Now, the application perfectly logging out, but once the app is logged out i want to show the user that session is timed out.
Is there any method available in Mobilefirst which will be triggered on session time out?
There is no built-in feature to handle this. You need to write custom logic. For example, have some flag stored in the localstorage of the application and store in it what was the last way the user logged in, due to actively tapping the logout button, and if not... it means it was due to a session timeout.
Lets say, create a variable called activelyLoggedOut. By default false.
The user logs in...
Some time has passed... a request is made. The session expired. When the challenge is received then in the challenge handler you check for the value of activelyLoggedOut, if it's false you know that it's because of session expiration - output the relevant message.
or, the user taps "logout". Before logging out, change the value to "true",
I'm experiencing something a bit odd and I can't make heads or tails of it... I'm using Meteor to send the sessionId to from the client to the server but on every refresh of the page, the sessionId I get is different, which shouldn't be, am I correct?
Client
Meteor.call('logSession', Meteor.default_connection._lastSessionId);
Server
Meteor.methods({
logSession: function(sid) {
console.log(sid);
}
})
Any reason why the sid is always different?
Thanks!
The _lastSessionId is created for each websocket session between the client and server. It represents the websocket's session & state on the server side and not a cookie or something persistent.
When you refresh/open a different tab a new websocket would be created and this is why the session id is different.
Each Session ID represents the state of the data the client has on the server. This means the server 'knows' what data the client has on each session depending on the subscriptions so that it knows what to send down & what to change if something changes, for that particular tab.
When you refresh the page, you're using using a fresh new state so Meteor doesn't attempt to reconnect using a previous session id and restore your previous state, because there isn't a need to resume a previous state in terms of subscriptions since the user would expect the page to be fresh.
If you want to use some form of persistence available along tabs such as cookies use localStorage instead:
localStorage.setItem("foo", "bar");
console.log( localStorage.getItem("foo") );
=> "bar"
In my application I am saving the logout time of the user. This is working fine when the user clicks the login button, but my requirement is to store the logout time even if the user closes the browser. If this is not possible please tell me the way how to destroy the session as soon as user closes the window.
Any help would be appreciated.
It used to be you had to do synchronous Ajax in the event handler. Don't know if that's still true in modern browsers. If you go asynchronous, be sure to test with realistic client load so that you don't run into a race condition that only shows up among your users.
I would suggest some kind of heart beat Ajax call from the client, say every five minutes. If you miss two such calls in a row you kill the session server-side. That will take care of all situations where the user doesn't log out (browser crash, OS crash, network failure etc).
Potential problems with acting on unload events:
What happens if the user has your app/site open i several tabs and closes one of them? You need to inform the user that there will be a cross-tab logout.
Browsers have a history of restrictions on what you can do on unload to prevent ever-popups and infinite loops that prevent the user from closing the browser. You never know what will come in the future. History here: http://www.hunlock.com/blogs/Mastering_The_Back_Button_With_Javascript and via the StackOverflow link in the reply above.
As per this answer, you should be able to handle the beforeunload event and then do an AJAX logout.
Untested, but it should work like this:
Ext.EventManager.on(window, 'beforeunload', function() {
Ext.Ajax.request({
url: 'logout.json',
timeout: 60000
});
});
This answers the last part of the question. Auto close the session with closing the browser. According to Wikipedia: When an expiry date or validity interval is not set at cookie creation time, a session cookie is created. Web browsers normally delete session cookies when the user closes the browser.
The task at hand is to create a cookie without an expiry date using Ext-state-CookieProvider. Leaving out the expires configuration at all, will cause ExtJS to default it to 7 days. Check the source for this. Therefore you need to create the cookie with an explicit expires of null, like so:
var cp = Ext.create('Ext.state.CookieProvider', {
expires: null
});
All cookie values will be deleted when the browser closes.
If I were on a regular JSP application I would simple write a servlet filter that if it detects an expired session redirects you to a page that explains your session has expired.
In GWT are only doing calls in the background so a http response redirect would not reload the page. Other than having all GWT rpc calls inside a base object that returns the session status does anybody have a suggested way to detect an expired session? Perhaps a timer that calls an RPC method every 5 minutes?
Normal way is to throw an error on GWT-RPC call saying that the session is expired. Then you need to handle that exception on the client side (f.e. display login page to the user or something else).