Develop Reference

eXist persistentlogin is not persisting

In eXist 4.7 I implemented the persistentlogin in my controller.xql and I have noticed that it does not "persist" very long in my eXist web app ("thema"), whereas the eXide web app in the same eXist instance, using the same login function, persists authenticated status as expected.
Specifically, if I am logged in to both in the evening, the next morning eXide is still logged in (ie. authenticated = true), and my app is not.
I implemented it as follows, with duration set at 30 days ("P30D"):
import module namespace login="http://exist-db.org/xquery/login" at "resource:org/exist/xquery/modules/persistentlogin/login.xql";
let $duration := request:set-attribute("duration", "P30D")
let $set-user := login:set-user("org.exist.thema", (), false())
So I've further tested the persistence in my web app and I find that the login "disappears" (loses authentication?) after about an hour of being non-active on the site.
Is there some other eXist setting I've missed in configuring this?
The only documentation I've been able to find on this is in the notes in the code of login.xql: https://github.com/eXist-db/exist/blob/develop/extensions/modules/persistentlogin/src/main/resources/org/exist/xquery/modules/persistentlogin/login.xql

According to the source code for the login module, there are two ways to designate the duration for the login session:
Via the $maxAge parameter of the login:set-user function
Via a duration request parameter (which overrides the $maxAge parameter when present)
In your code, you are setting a duration request attribute, not a request parameter; for more on the difference, see this answer. This explains why the login module is completely ignoring your attempts to declare a duration.
To fix your problem, you could either (1) change to the first method:
login:set-user("org.exist.thema", xs:dayTimeDuration("P30D"), false())
... or (2) submit the request parameter in your login form, as eXide does in its login form; see https://github.com/eXist-db/eXide/blob/master/index.html.tmpl#L505-L528.

Meteor logout on stale session logout

I am new to meteor.js and I am sorry if my question is not appropriate according to the community standards.
Well, I am trying to create a simple application on it and came across a problem of timing out after the user inactivity.
I am using "stale session meteor package" to automatically timeout the user after some specified time of inactivity. It logs off the user but doesn't unset the "Meteor.user()" by which I could know in meteor that the user has been logged out and call the route for the "Login" page to re-login.
Example, the stale session logs off the user after 30 seconds of inactivity, then I checked the returned value of "Meteor.user()", It should have returned undefined if the stale-session is timed out, instead, it is running the complete user object with id and other details.
I simply want to forcefully logout the user when the stale session times out and show the login screen.
I have been searching on internet for two days but couldn't find any solution on how to do this. Finally, posted the question.

I have found the solution and it is working so posting it here if somebody need.
I dug into the stale package code, and in its client.js I replaced the code with this
Meteor.setInterval(function() {
if (Meteor.userId()) {
if(activityDetected){
Meteor.call('heartbeat');
activityDetected = false;
} else {
//This is the wanted behavior
Meteor.logout();
}
}
}, heartbeatInterval);
If no activity is detected in terms of jquery events, I simply call logout and dont need to worry about Meteor.user() or Meteor.userId() etc. It simply logs out and goes to the Login Screen route which I implemented.

After Wicket session timeout - pageParameters are null

I'm using wicket 6.
My application is based on WebPages created with pageParameters in the constructor. I'm using also a pageParameter country that is a path-parameter defined with:
mountPage("/${country}/pagepath", MyPage.class);
I have many statefull forms in every page.
I'm now trying to handle the case when the session expires (to reproduce this scenario I delete or modify the jsessionid cookie).
After that I click a submit button in a page and I'd expect wicket to understand that the session has expired.
But the behaviour that I have is this:
the current page is reloaded but the pageparameters are 'null'
the url is rewritten using the package notation like:
localhost:8080/wicket/bookmarkable/com.test.pages.MyPage
So it looks like the url mapping is somehow lost.
I need to reload the same page with pageParameters information or show an info page that says something like click here to reload.
I've already tried to use:
getApplicationSettings().setPageExpiredErrorPage(HomePage.class);
but that didn't help.
Any help is appreciated. Thanks.

Looks like there is a bug in Wicket 6 which causes this issue: https://issues.apache.org/jira/browse/WICKET-5068
It is fixed in Wicket 7. For Wicket 6, there is a workaround: disable WICKET-4594 fix.
First add the following mapper:
public class BookmarkableMapperThatSavesPageParametersForListener extends BookmarkableMapper {
#Override
protected PageParameters getPageParametersForListener(PageInfo pageInfo, PageParameters pageParameters) {
return pageParameters;
}
}
Then use it to replace a built-in BookmarkableMapper in your Application#init() (this has to be added before any manipulations with the root mapper):
mount(new BookmarkableMapperThatSavesPageParametersForListener());
This approach works in our application and it does not seem to break anything.
More info: Wicket 6: empty PageParameters when recreating a page after expiration

You could ask your question in the wicket mailing list. What you are observing might be a bug. Please check PageParameters missing from re-created Page
Conceptually, it should be possible to submit the form normally even if you need an authenticated user session.
If the session is expired then you may be able to re-create a user session with a remember-me cookie. Wicket should re-construct the page with parameters, apply the form values and process the submit. In case where the page is stateful, there could be some complications that are possibly resolvable. If you find that your use case is not supported with stateful pages then you could file an issue and meanwhile use StatelessForm.

what happens with session_start in global.asax if session timeouts?

I have multidomain web application which treats users differently based on URL they use.
I am using Session["data"] to keep information about user and starting this session with Session_Start["data"] in Global.asax.
All works fine but I would like to know what happens after inactivity. After certain time session will timeout. If that happens is Global.asax treating this as new user and will again start Session_Start for this user?
And will Session["data"] get updated with every page load/reload? Or because it starts just once and will timeout in some exact time?
I tried to make this question as clear as possible.
Thanks.

Session will renew/keep-alive everytime the server gets hit by that user.You set the timeout in the web config file and it is a sliding value, so it restarts again everytime there is a server request.
something like this:
<configuration>
<sessionstate
mode="inproc"
cookieless="false"
timeout="20" />
</configuration>
When the session times out, the next time there is a request, the Session_Start will execute. If you are accessing Session[data] from anywhere else in the code, you should check to make sure it is not null as it will throw a NullReferenceException if the session has timed out and you are trying to access it.

A new session starts when a user first visits a .NET URL (like an .aspx page, but not a .html or other static file) on your site. That session lasts until it times out or the application is killed (restarted/crashes/recycled). The default .NET timeout is 20 minutes; so a session will last as long as the user keeps hitting .aspx pages with no breaks longer than 20 minutes.
During that time, you can store information in the Session object that relates to that user. It is essentially a hashtable that you can populate with objects for which you define keys. In your case, you are using Session["data"], but you could use any key you want, really.
However a session, and the data you store in the Session hashtable, is very fragile (see all the ways it can die above). You shouldn't rely on it to keep anything important that can't be reconstructed easily (in Session_Start, for example). So it really serves two roles: maintaining state (so you know it is still the same user from page to page); and as a user-specific cache where you can keep data in memory to do things more quickly.
Session_Start just runs once per session--by definition. If you need to identify a single user over multiple sessions, you will need to use something more permanent like setting your own cookie with a far-future expiration. You can put an ID in such a cookie that lets you know this is user 12345 (in fact, Session_Start is just the place to look for your "permanent" cookie and connect your data about that existing user with this new session).
And if you want to store data about a user that survives multiple sessions, you will have to store that somewhere more permanent--a database being the most obvious solution. When they come back, you can cache some of that data in the Session hashtable--and Session_Start is just the place to do that as well. Hope this helps.

protected void Session_Start(object sender, EventArgs e)
{
// Code that runs when a new session is started
string RootURL = Request.ApplicationPath;
if (!RootURL.EndsWith("/"))
RootURL += "/";
Globals._rootURL = RootURL;
}

Destroy CakePHP session when close browser

I need to keep Security.level set on medium for Ajax reason.
But I want that If the user close browser his session will destroy.
How can I do that?
Thanks in advance!

Config/core.php
Configure::write('Session', array(
'defaults' => 'php',
'cookieTimeout' => 0, //Lives until the browser is closed.
'checkAgent' => false //To fix a little the Chrome Frame problem
));

Unless you're persisting session data (ie: storing session data in a cookie with an expiration date in the future), then the session should be destroyed when the user closes the browser.
Unfortunately I'm not familiar with the CakePHP framework so I cannot comment on its API. However, if you want to explicitly end a session you can do so in PHP with session_destroy().
Hope that helps.

You could remove the session cookie with JS when the page is closed (remember: page close is also triggered when the user just navigates away - maybe just to the next page of yours).

i guess you could fire on ajax command on page unload to call session_destroy()

http://book.cakephp.org/view/1317/destroy for CakePHP - but yes, CakePHP does set a proper session cookie which is deleted by the browser when it closes.
What you really are probably concerned about is session hijacking - and so you really want some kind of a logout on site closure. You can't do this - the best alternative method that I know of is:
A short session timeout with an "Are you there?" AJAX refresh - the timeout can be controlled independently of the security level now using Configure::write('Session.timeout', $seconds);, where for medium security level the timeout seconds are multiplied by 100. Banks use this method.