Session time out on Liferay with multiple spring MVC portlet - session

Our application has been developed on Liferay with multiple Spring MVC portlets on the page. Its a single page application, and the navigation only happens inside the portlets. Now sometimes when Liferay session times out and I send a request to the control for a new view, the liferay login page is being shown inside the portlet. But the expected behaviour is if the liferay session is timed out, then the whole page should have redirected to Login page.
I have specified following properties in the portal-ext.properties
session.timeout.warning=1
session.timeout.auto.extend=false
session.timeout.redirect.on.expire=true
browser.cache.signed.in.disabled=true
Any suggestions?

If you're just doing Ajax navigation in the portlets, you might want to hook into Liferay's session-extension way (you'd have to look it up - there's a client side timer that counts down and displays the "session.timeout.warning" - I can't give pointers right now)
Alternatively, if a session extension is acceptable as long as a browser window is open, you can use the same mechanism to show an alternative behaviour: Instead of willingly timing out a session, it can extend the session. See portal(-ext).properties:
#
# Set the auto-extend mode to true to avoid having to ask the user whether
# to extend the session or not. Instead it will be automatically extended.
# The purpose of this mode is to keep the session open as long as the user
# browser is open and with a portal page loaded. It is recommended to use
# this setting along with a smaller "session.timeout", such as 5 minutes for
# better performance.
#
session.timeout.auto.extend=true

Does this happen in all your pages or only on specific pages. ?
Does this happen on click of any button?
If so , do the following in the method that you are calling on the click of the button,
function onClickFunction(){
var liferaySession = Liferay.Session._currentTime;
if(liferaySession == '0'){
//reload page
}
else{
//proceed
}
}

Related

How to Close/Exit current instance of Xamarin.Forms app while loading a new one

We are facing a strange issue. Not sure if it is design flaw of the existing application. Your help/suggestion is appreciated.
We have a Xamarin.forms app. Targeted both for iOS and Android.
Problem is coming mainly in Android app.
Application flow:
once we logout from the application, app opens an logout activity and delete user info and other data.
opens a new activity for login which contains client SSO implementation
on successful login, app is setting user info and fetch data from web service.
then it calls LoadApplication method so that flow comes back in main application
Now if user perform logout/login several times, its opening a new application instance by calling LoadApplication method and then displaying home screen
So when user is tapping back button in home page, app is not closing and displays previous instance of same application.
User need to press back button several times (depending how many time user perform logout-login).
Is there any goodway to stop this?
Can we close current instance of the application before LoadApplication being called?
Stuck for a long time.
I'd try to avoid to call LoadApplication more then once. You should control the navigation stack.
Given you are on the LogoutPage
remove all views via PopToRootAsync
show the LoginPage
await Navigation.PopToRootAsync(false);
await Navigation.PushAsync(new LoginPage(), true);
This blog post may be worth a reading: https://jfarrell.net/2015/01/22/understanding-xamarin-forms-navigation/
Kindly try this.
https://stackoverflow.com/a/36885388/1941942
[Activity (NoHistory = true)]
public class LoginActivity : Activity { }
The saving instance error has gone a while after I implement it on MainActivity.

How to access session from a view in ASP .NET Core MVC 1.0

I am trying to access session data from inside a view.
Use Case: I'm storing status messages in the session that will be displayed at the top of the page. Currently I implemented this by using a DisplayMessages() function that sets some ViewData[....] properties and calling it at the beginning of every controller action.
Goal: I want to only set the status message once without needing additional code in the controller to display the messages on the next page load.
So I'm trying to access the messages that are stored in the session directly from the view.
So far I have tried the following:
Dependency Injection of an IHttpContextAccessor (doesn't seem to work anymore with ASP .NET Core MVC 1.0.0
Creating a static class to access the session, including the change from next() to next.invoke() suggested in the comment
This didn't work. I could access the HttpContext and Session.IsAvailable was true, but there was no data in the session.
The following should work in the view: Context.Session.TryGetValue
If you are using the SessionExtensions then Context.Session.GetString will work.
Injecting IHttpContextAccessor does work, but starting with ASP.NET Core 1.0.0 RC2, the IHttpContextAcessor is not registered by default, because it has significant performance overhead per request. See this GitHub announcement for more information.
Tratcher posted:
IHttpContextAccessor can be used to access the HttpContext for the current thread. However, maintaining this state has non-trivial performance costs so it has been removed from the default set of services.
Developers that depend on it can add it back as needed:
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
But in your use case, I would suggest using a ViewComponent, which is a reusable piece of View with logic, that do not depend on a controller.
The documentation can be found here.
In your Views you would simply embed it with
#await Component.InvokeAsync("PriorityList", new { maxPriority = 2, isDone = false })
or
#Component.Invoke("PriorityList", new { maxPriority = 2, isDone = false })
for synchronous calls.

mvc3 detect website (application) is closing

I'm building a website with mvc3 and I need to delete a data in my database only when the application is closing. (The user click on the red x).
I tried with javascript using the onbeforeunload event, but this event happens everytime I go into a new page in my application.
Is it possible to detect when the user closes the window?
It's not possible. But, what you can do is have a small javascript block that will make an ajax call every n minutes/seconds to tell the server that the user still has the browser open.
This way, you can set a timeout that says if after 5 minutes we haven't heard from the user we can delete the data in the database (or whatever action you need to do).
To implement the timeout logic there are 2 options:
You have a separate service (console app or windows service) running on some interval that checks if any user's timeout is greater than some value. If it is then perform whatever action you need.
If any user performs an action that would have been blocked, you first check if any user still has it active (the timeout value is greater than current time). If there is, you block the user, if there isn't, you can remove that old timeout value since it's expired.
Use a synchronous ajax request in the window.unload event.
When the user goes to a different page, or closes, or refreshes then this event will fire. You could call a service on your web app to notify it that the user is no longer editing the document
After a very quick google, I saw this snippet here
$(window).unload(function() {
$.ajax({
url: 'resetTheDocument?id=whatever',
async: false,
cache: false,
type: "POST",
data: "My work here is done"
});
});
Good morning you could try adding your logic to the global.asax file in the Session_End method to delete the record in your database.

How to support user session to Vaadin project

I want to add user session support to my application. Since reloading the page will restart the application and even opening another browser tab will cause the original one 'out of sync' problem.
Do I need to create an independent window for each login, or is there any plugin I can use, or if I make it a Spring + Vaadin application, will it solve this problem?
Applications created with Vaadin Framework are automatically statefull, so your application should keep its state unless you have the ?restartApplication parameter in the URL.
To support multible browser tabs / windows in the same session, the getWindow(String name) must be overriden in the Application class to return a new Window instance for each browser tab / window:
#Override
public Window getWindow(String name) {
// If the window is identified by name, we are good to go
Window w = super.getWindow(name);
// If not, we must create a new window for this new browser window/tab
if (w == null) {
w = new CalcWindow();
// Use the random name given by the framework to identify this
// window in future
w.setName(name);
addWindow(w);
// Move to the url to remember the name in the future
w.open(new ExternalResource(w.getURL()));
}
return w;
}
For more information about Vaadin's multi window support, see this wiki page.
Reloading the page should not restart the application, unless your url ends with ?restartApplication=true.
The Application object is stored in the HTTP Session, therefore everything you want to store per user can be associated with the application.
Typically, each browser process can only support one HTTP Session, hence you will only be able to support one user per browser (unless you make significant efforts, and store per-user state on each application level Window. I recommend you don't do this unless you know what you are doing : one user-per-http-session is the norm in web applications)
Spring+Vaadin are a good combination - I am using this pairing to great effect in our projects - but are not particularly useful in this context.
Vaadin does not support multiple-windows/tabs in it's default configuration (hence your out-of-sync errors). However, it is trivial to write the code to do so : here's a simple explanation, and some code

If I Rapidly Click the Browser Back Button Twice, The User is Logged Out in Our Cake App

This is a weird bug, and I'm not even sure how to begin figuring out what's going on.
We are using Cake 1.3.8 with our sessions in the database. I am not using ACL or any other access control. If we navigate into the application and click around a bit, and then rapidly click the browser back button twice (I've tried in Firefox and Chrome) the user is logged out more often than not and receives the error message 'You are not authorized to access that location'.
All of my searches thus far have involved people wanting to make the page inaccessible if a user logged out and then used the back button. I'm not seeing anything reported with regards to the issue I'm seeing.
Does anybody know if this is a Cake issue or have any thoughts on debugging what is going wrong?
Update: I found where the problem is. I have the security set to high, because we need the session to be closed whenever somebody closes the browser. I also have the timeout set very high because we do large binary uploads to S3, and don't want the user logged out while it's uploading or downloading. The specific block of code in cake_sessions.php that's causing the problem is:
$time = $this->read('Config.time');
$this->write('Config.time', $this->sessionTime);
if (Configure::read('Security.level') === 'high') {
$check = $this->read('Config.timeout');
$check -= 1;
$this->write('Config.timeout', $check);
if (time() > ($time - (Security::inactiveMins() * Configure::read('Session.timeout')) + 2) || $check < 1) {
$this->renew();
$this->write('Config.timeout', 10);
}
}
$this->valid = true;
I would guess this is because session IDs are regenerated between requests when security = high. Source:
http://book.cakephp.org/compare/44/CakePHP-Core-Configuration-Variables/cakephp/cakephp1x
You only need one out of sync request, say for a missing image and you will lose the session. I've generally found it unworkable because it's not possible to prevent users double-clicking on links and buttons and invalidating their session.
I would think about using medium security, setting the session timeout fairly short and using an AJAX script to refresh the session at regular intervals (eg every 60s). That way the user will be logged out quickly if the tab/window is closed.
If security is a priority I would suggest hacking the core to make sure the session cookies are set to http_only to help guard against session hijacking by XSS attacks. Cakephp 1.x supports PHP4 so probably isn't setting this by default.
http://php.net/manual/en/function.setcookie.php
It's possible that the session is erased and before it can be written again, the back button is clicked removing the auth from the session variables.
Page loads -> Back Button Clicks -> sessions is erased (but before session is rewritten) -> Back button clicks -> Session checks no existing session.
The only thing that I can think is happening is that when you're going back a page too quickly your code can't validate the person quickly enough (round trip from checking credentials) and throws an error that gets displayed on the next page that is loaded (second backed-to page).
Are you sure the person is actually logged out, or is it just the error being thrown?
Without seeing any code, it will be difficult to nail it down any further.

Resources