The question pretty much says all. I have been looking at the web2py book where it says about session. But I just cant figure out how to use sessions from Auth table. I am trying to make a session for Email ID from the default Auth table where I can register and login.
Any help regarding this is much appreciated.
If the user is logged in, then the db.auth_user record is available in auth.user (assuming you have named your Auth object "auth"). So, in the layout view, you could have something like:
{{if auth.user:}}Welcome {{=auth.user.email}}{{pass}}
Note, the auth.user record is also stored in the session (so it doesn't have to be retrieved from the database on every request). So, auth.user == session.auth.user.
Related
Passport by default allows the same user to login from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second session?
Currently I'm using the 'Sessions' model to add the username to the record and upon subsequent login check by username if the sessions exists. But this increases traffic to the db. I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas around how to achieve tweak with express for this purpose or any other workaround/suggestion.
Much thanks!
I saw that at least 4 users upvote this question, so I decided to create passport-strategy for that. The new strategy called passport-one-session-per-user. It's open source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user
How to use it? add it right after session. For example:
app.use(passport.session())
var passportOneSessionPerUser=require('passport-one-session-per-user')
passport.use(new passportOneSessionPerUser())
app.use(passport.authenticate('passport-one-session-per-user'))
Not need for settings, or configuration.
How it is works?
The strategy, created an array that contain serializaed user objects, and sessionID.
Every time user logged in, the strategy check if the user already logged in. If so, it's flag the other session. The next time the user in the other session make a request, the strategy see the flag, and log the user out.
I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified.
I believe the session model loggs the user in, and saves only that logged-in-ness in the session cookie. The server itself has no clue about who is logged in, but just checks this state in the (signed) session cookie provided by the browser.
You can write your own Passport.js strategy to handle it differently.
Experts,
what's the recommended way to pass the user id (system internal id of the user used to query for the user info) between controllers in a codeigniter app?
I'm considering the following options:
1. Use the CI session id to query the database for the user id in every controller. That way I don't have to place the user id in the session which is a security concern. But this option means an extra db query in every controller
2. Store the user id directly in the session so I have it readily available to query for user info.
What do you think?
From my understanding of MVC you're not normally supposed to talk directly between two controllers. However in this case I would use the session. As far as security goes there are plenty of extensions to codeigniter dealing with authentication such as TankAuth and WolfAuth including many others that you might look into if that is your concern. In this case however I'd say using the session to store a user id is perfectly fine as long as you're not storing sensitive data along with it.
You can read up on CodeIgniter sessions here: http://ellislab.com/codeigniter/user_guide/libraries/sessions.html
There is a great authentication library Ion Auth. Check it out
http://benedmunds.com/ion_auth/
I just started an MVC 3 project using Forms Authentication. I have a web project (mvc project), and a data project. The data project handles all database interactions.
I need to store the current user id in my database on every insert and update.
Here's what I am doing right now. I feel like this has to be a common scenario. Can anyone shed some light on a better way to do this?
On LogIn or Register, I grab my current user record (by username) from the database and store the user id in session.
When saving a record within my data project, I refer to the httpcontext (if it exists) and use the user id that is stored in session.
This works for all but one scenario. It fails when a user has a valid cookie saved, and so they are allowed to bypass the login/register action. When this happens, obviuosly, my session variable for userId is null. My next step would be to create a base controller and imlement OnAuthorizeStarting to check if my Session variable is null or not. This feels kludgy, and I'm hoping there is a better way.
I do not want to have to pass the user Id to the data project as a parameter on every Save call.
Anyone have some brilliance? thanks.
The UserID is available via membership. So, something like this:
Membership.GetUser(HttpContext.User.Current.UserName).ProviderUserKey
The IPrincipal (HttpContext.user.Current) is created when the user is authenticated against the forms authentication cookie. You just pull up the user id from the Membership whenever you need it.
If you don't like accessing Membership every time then you can always create a static helper class that wraps your UserID session call. If it's null, it goes out to the membership provider, gets it, then stores it in the session.. on later accesses it just retrieves the session variable.
My website has no user registration (members are pulled through from an offline db) and the area that you can login to doesn't hold very sensitive information.
So I want a basic login with a remember me function.
• After checking input against the DB, I plan to store their user_id, name, email in a session.
• For the remember me, I'd store a cookie with value = user_id:randomcode. The random code is generated at login and stored in a field on their user record.
Is this secure enough? or how could it be improved without getting too complex.
You should use the user_id:randomcode only once and generate a new one when the old is used. Read Persistent Login Cookie Best Practice.
I just started looking into OAuth and it looks really nice. I have oauth with twitter working in ruby right now.
Now I'm wondering, what is the recommended safe way to store the responses in my local database and session?
What should I store?
Where should I store it?
This example twitter-oauth-with-rails app stores a user.id in the session, and the user table has the token and secret. But that seems like it'd be really easy to hack and get the secret by just passing in a slew of test user ids, no?
The tokens are useless without the consumer key/secret of your twitter app as they're not the same for every app but depend on the consumer key/secret.
To get a session variable you would have to guess the session id which is not that easy to accomplish.
If you want you can store those tokens in the session but I would suggest storing the user tokens in your database with all the other user data so your session contains only the data to identify the user in your system.
Update: I'm not sure if I understand correctly what you mean by accessing the tokens from the database by guessing an ID.
Do you have any authentication in place so that the users have to enter some credentials to access their data? You should store the tokens the same way you store the users email address or password and only authenticated users should be able to access it.
If you're developing a web application you can add a hidden field to the form the user submits, with some hash-like value calculated with the user.id so evil guys cannot change that value and just "guess" for an access token