How to create a new session and preserve the old session in Tomcat?

The user now has many roles in his privileges; I shall allow him to click an href and play as another role in a new window. Each role has its own session.
Since the browser cannot open a new window with a new session, I must find a way on the server side.
But the request doesn't support request.createSession or request.setSession(new Session()), so how can I separate out a new session for this use case?

You can create a new session by invalidating the old one with HttpSession#invalidate, but you cannot retain the old one. The following points may help you:
1. You've mentioned that each role has its own session.
2. When the user clicks a role, invalidate the current session (and role); a new session will be created.
3. Provide a link to go back to his previous role if necessary.
4. If he goes back to the previous role, repeat step 2.

You have no support from Tomcat. You have to do this yourself.
The next strategy will NOT work on clustered Tomcat. No guarantees here.
To change to a new session:
1. Walk the session attributes via getAttributeNames() and getAttribute(String), adding them all to a HashMap.
2. Serialize the HashMap into a temp file or a static concurrent map, as something you can access later. Also store the current HttpServletRequest.getRequestURL() for later redirection. You have to serialize.
3. Walk the session attributes again and removeAttribute(String) them all.
4. Add the key to access the file or concurrent map to the session.
5. Redirect the user to a login page, or synthetically add all the authorizations needed to the session.
To revert to the old session:
6. Check if the user has a key to access the old session. If he or she does, de-serialize the HashMap.
7. If the de-serialization works, walk the session and removeAttribute(String) everything.
8. Walk the HashMap and setAttribute(String, Object) on the session.
9. Redirect the user to the URL stored somehow in step 2.
I'm too lazy to write the code and test it myself, but I think this will work.
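The park-and-restore procedure above, written out as a servlet helper. This is an added example, not the answerer's code; it uses the static concurrent map variant of step 2 (single Tomcat instance only), assumes Servlet 3.1+ for HttpServletRequest#changeSessionId(), and the class and method names (SessionSwitcher, park, restore, the parkedKey attribute) are made up for the illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Parks the current session's attributes (steps 1-4) and restores them later (steps 6-9).
 *  The store is a static map, so this only works on a single Tomcat instance, as the answer notes. */
public final class SessionSwitcher {
    static final String PARK_KEY = "sessionSwitcher.parkedKey"; // handle kept in the new session
    private static final Map<String, Parked> STORE = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    static final class Parked {
        final Map<String, Object> attributes; final String returnUrl;
        Parked(Map<String, Object> a, String u) { attributes = a; returnUrl = u; }
    }

    /** Snapshot every attribute, store it with the current URL, then empty the session. */
    public static void park(HttpServletRequest req) {
        HttpSession session = req.getSession(true);
        Map<String, Object> snapshot = new HashMap<>();
        for (String name : Collections.list(session.getAttributeNames())) {
            snapshot.put(name, session.getAttribute(name));
        }
        String key = new BigInteger(130, RNG).toString(32);        // random handle, never shown to the user
        STORE.put(key, new Parked(snapshot, req.getRequestURL().toString()));
        for (String name : snapshot.keySet()) session.removeAttribute(name);
        // Servlet 3.1+: fresh id so the old role's cookie value is not carried into the new role.
        req.changeSessionId();
        session.setAttribute(PARK_KEY, key);
        // The caller now redirects to the login page or populates the new role's authorizations (step 5).
    }

    /** Put the parked attributes back; returns the URL to redirect to, or null if nothing was parked. */
    public static String restore(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        Object key = session == null ? null : session.getAttribute(PARK_KEY);
        Parked parked = key == null ? null : STORE.remove(key);     // one-shot: handle is consumed
        if (parked == null) return null;
        for (String name : Collections.list(session.getAttributeNames())) session.removeAttribute(name);
        req.changeSessionId();                                      // fresh id for the restored role too
        for (Map.Entry<String, Object> e : parked.attributes.entrySet()) {
            session.setAttribute(e.getKey(), e.getValue());
        }
        return parked.returnUrl;
    }
}
```

Parked states that are never restored stay in the map until the JVM exits; a production version would expire them (for example from an HttpSessionListener) rather than leak them.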

Related

Parse: delete session after a user deletes their account

I'm using the Unity API. I let a user delete their own account. It's accomplished via ParseUser.CurrentUser.DeleteAsync().
I then call ParseUser.CurrentUser.LogOutAsync(); to delete the local ParseUser object on their device.
This works, but afterwards, the now-deleted user's session is still up, but the associated user field is now a broken link.
How can I end this session? I tried to get a reference to the session before deleting the user via ParseSession session = ParseSession.GetCurrentSessionAsync(), deleting the user, and then the session, but the session.DeleteAsync() fails.
Edit (clarification):
I check all Tasks that return from my various function calls. I detect when things fail, and that's how I know my ParseSessions aren't being deleted (plus, they're showing up in Parse's CORE session list).
I just can't find a way to make sure the session is ended from the client's side.
DeleteAsync returns a Task object. Try using that object to ensure that the deletion has completed prior to calling LogOutAsync().

CakePHP Session Timeout

In CakePHP, when the Session times out it, not unreasonably, trashes any custom data in the stored Session.
However it also sets up an Auth.redirect so after the user has been forced back to the login screen and completes the login, they are then (by default) redirected back to the page they were on before the session expired. This is problematic if that page relies on some of the custom data that was stored in the Session but is now no longer available.
My simple solution has been to force the user back to the home page for authenticated users by deleting the Auth.session key in the Session. But this isn't a particularly desirable behaviour. It would be preferable if I could return the user to the place they were before the Session timed out.
Nevertheless, I like the idea of a user having to re-authenticate if they abandon their Session for too long.
So, what seems to be needed is for CakePHP to require a re-authentication of the user but to not actually expire the underlying Session and this leads to a couple of questions:
Is there any way to have CakePHP require a re-authentication of the Session, as described, without timing out the session (i.e. setting a long timeout on the Session)?
Is there actually a better way to store the information required for page transitions (e.g. the ID of the parent record for a given model so that saveAssociated can be used) other than to store these in the Session?
Thank you for any guidance.

Express.js + Passport.js : How to restrict multiple login by the same user?

Passport by default allows the same user to login from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second session?
Currently I'm using the 'Sessions' model to add the username to the record and, upon subsequent login, check by username if the session exists. But this increases traffic to the db. I'm thinking Express must be doing it already, or could be made to, keep the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas around how to achieve this tweak with Express for this purpose, or any other workaround/suggestion.
Much thanks!
I saw that at least 4 users upvoted this question, so I decided to create a passport strategy for that. The new strategy is called passport-one-session-per-user. It's an open source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user
How to use it? Add it right after session. For example:
app.use(passport.session())
var passportOneSessionPerUser=require('passport-one-session-per-user')
passport.use(new passportOneSessionPerUser())
app.use(passport.authenticate('passport-one-session-per-user'))
No need for settings or configuration.
How does it work?
The strategy creates an array that contains serialized user objects and session IDs.
Every time a user logs in, the strategy checks if the user is already logged in. If so, it flags the other session. The next time the user in the other session makes a request, the strategy sees the flag and logs the user out.
I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified.
I believe the session model logs the user in, and saves only that logged-in-ness in the session cookie. The server itself has no clue about who is logged in, but just checks this state in the (signed) session cookie provided by the browser.
You can write your own Passport.js strategy to handle it differently.

MVC 3 with Forms Authentication, need userid in data project, best practices?

I just started an MVC 3 project using Forms Authentication. I have a web project (mvc project), and a data project. The data project handles all database interactions.
I need to store the current user id in my database on every insert and update.
Here's what I am doing right now. I feel like this has to be a common scenario. Can anyone shed some light on a better way to do this?
On LogIn or Register, I grab my current user record (by username) from the database and store the user id in session.
When saving a record within my data project, I refer to the httpcontext (if it exists) and use the user id that is stored in session.
This works for all but one scenario. It fails when a user has a valid cookie saved, and so they are allowed to bypass the login/register action. When this happens, obviously, my session variable for userId is null. My next step would be to create a base controller and implement OnAuthorizeStarting to check if my Session variable is null or not. This feels kludgy, and I'm hoping there is a better way.
I do not want to have to pass the user Id to the data project as a parameter on every Save call.
Anyone have some brilliance? thanks.
The UserID is available via membership. So, something like this:
Membership.GetUser(HttpContext.Current.User.Identity.Name).ProviderUserKey
The IPrincipal (HttpContext.Current.User) is created when the user is authenticated against the forms authentication cookie. You just pull up the user id from the Membership whenever you need it.
If you don't like accessing Membership every time then you can always create a static helper class that wraps your UserID session call. If it's null, it goes out to the membership provider, gets it, then stores it in the session.. on later accesses it just retrieves the session variable.

how to control the user relogin

If one user has logged in on one computer or browser, and then logs in again on another computer/browser, the former login should be marked as invalid. Is there any way to implement this?
One way is to set a cookie with a session id when they log in, and record the latest session id somewhere server-side (like a database) keyed by that user id. On any website access, verify it's the latest session for that user.
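The latest-session check described in this answer, which is also the flag-and-log-out mechanism of the passport-one-session-per-user answer above, as a Tomcat servlet filter. This is an added example, not code from either answer; it assumes Servlet 3.1+ for changeSessionId(), an in-memory map standing in for the database, and hypothetical names (SingleSessionFilter, registerLogin, the userId attribute, the /login path).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** One active session per user: the newest login wins and any older session is ended on its next request. */
public class SingleSessionFilter implements Filter {
    static final String USER_ATTR = "userId";                 // set by the application at login
    // userId -> fingerprint of that user's most recent session (assumed in-memory store; a DB table in the answer)
    static final Map<String, String> LATEST = new ConcurrentHashMap<>();

    /** Call right after the credentials check succeeds. */
    public static void registerLogin(HttpServletRequest req, String userId) {
        HttpSession session = req.getSession(true);
        req.changeSessionId();                                // Servlet 3.1+: fresh id, defeats session fixation
        session.setAttribute(USER_ATTR, userId);
        LATEST.put(userId, fingerprint(session.getId()));     // supersedes whatever session was recorded before
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);
        Object userId = session == null ? null : session.getAttribute(USER_ATTR);
        // No record (e.g. after a restart) or a different record means this is not the latest login.
        if (userId != null && !fingerprint(session.getId()).equals(LATEST.get(userId))) {
            session.invalidate();
            ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + "/login?reason=superseded");
            return;
        }
        chain.doFilter(rq, rs);
    }

    /** Store a SHA-256 of the id, not the id itself, so a leaked table cannot be used to hijack sessions. */
    static String fingerprint(String sessionId) {
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(sha.digest(sessionId.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Register the filter on every authenticated path in web.xml or with @WebFilter; the in-memory map has the same single-node limitation as the Tomcat answer above, so a clustered deployment would keep LATEST in the database the answer mentions.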