I'm using Symfony 2.1.6 and PdoSessionStorage. I'm trying to add the same functionality that Facebook has to my application where you can show a user all the active sessions they have with the website (showing device type and location based on IP) and allow them to end any session if it looks suspicious.
Deleting the record from the PdoSessionStorage table doesn't work as the record is re-created automatically by Symfony again as soon as I perform activity again in that session (instead of Symfony detecting that the session was already removed and thus forcing the user to re-authenticate).
Is there any option to force a session that used "Remember Me" to re-authenticate with the system?
Thanks for any help.
I wish to record the login and the logout timestamp for users.
I understand that as soon as a user hits the login page a new browser-specific session is created and sessionCreated(HttpSessionEvent se) is executed. When the session is invalidated that session gets destroyed and sessionDestroyed(HttpSessionEvent se) is executed. In this scenario recording the login and logout timestamps will work perfectly.
However, say, the user is logged in but closes the browser window. The next time when the browser is opened a new session id will be generated and the user needs to login again. Hence, the previous login-logout record for that user will be incomplete and a new record with the current session id will be inserted in the database.
How do I tackle this design issue? I read some answers where AJAX polling & JS onunload were discussed but those did not seem to be a reliable solution.
Also, on the other hand, is there a way to keep the session alive even on browser close?
Thanks in advance.
A session can be kept recorded in the user's browser via cookies.
It basically allows users to log back in to the system without having to authenticate themselves. In this case you can store the bare minimum state information you need to restore when the client opens the browser again.
But the session id is definitely going to change.
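As an added illustration of the point made in this answer (not code from the question or the answer, and not servlet API code), the following Python sketch models the servlet lifecycle: a login row is opened per session id, sessionDestroyed() closes it, and a remember-me cookie re-establishes the login in a fresh session with a different id. The Session class, the LoginRegistry class, the in-memory tables, the user "alice" and her password are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class Session:
    """Stand-in for HttpSession: a fresh random id plus attributes."""

    def __init__(self) -> None:
        self.id = secrets.token_urlsafe(24)
        self.attrs: dict = {}


class LoginRegistry:
    """Login/logout rows keyed by session id plus a remember-me table.
    Both are constructed in-memory stand-ins for database tables."""

    # constructed credential store (plaintext only to keep the demo short)
    USERS = {"alice": "correct horse battery staple"}

    def __init__(self) -> None:
        self.rows: list = []       # {"user", "session_id", "login_at", "logout_at"}
        self.remember: dict = {}   # sha256(token) -> username

    def login(self, session: Session, user: str, password: str, now: int,
              remember: bool = False) -> Optional[str]:
        """Authenticate, open a login row for this session id and, if asked,
        issue a persistent remember-me token (only its hash is stored)."""
        expected = self.USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise ValueError("bad credentials")
        session.attrs["user"] = user
        self.rows.append({"user": user, "session_id": session.id,
                          "login_at": now, "logout_at": None})
        if not remember:
            return None
        token = secrets.token_urlsafe(32)
        self.remember[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def session_destroyed(self, session: Session, now: int) -> None:
        """sessionDestroyed(): close the open row for this session id."""
        for row in self.rows:
            if row["session_id"] == session.id and row["logout_at"] is None:
                row["logout_at"] = now

    def resume(self, session: Session, token: str, now: int) -> bool:
        """New browser, new session id: log back in from the remember-me cookie.
        A new login row is opened; the old row is never reused."""
        user = self.remember.get(hashlib.sha256(token.encode()).hexdigest())
        if user is None:
            return False
        session.attrs["user"] = user
        self.rows.append({"user": user, "session_id": session.id,
                          "login_at": now, "logout_at": None})
        return True

    def open_rows(self) -> int:
        return sum(1 for row in self.rows if row["logout_at"] is None)


def browser_close_scenario() -> dict:
    """Log in with remember-me, close the browser, reopen it, then let the
    container time the first session out."""
    reg = LoginRegistry()
    first = Session()
    token = reg.login(first, "alice", "correct horse battery staple", now=1000, remember=True)
    # Browser closed: no sessionDestroyed() for `first`, so its row stays open.
    second = Session()                      # reopened browser => different session id
    resumed = reg.resume(second, token, now=2000)
    # Only when the container invalidates `first` (timeout) does its row get closed.
    reg.session_destroyed(first, now=1000 + 1800)
    return {
        "resumed": resumed,
        "same_session_id": first.id == second.id,
        "user_in_new_session": second.attrs.get("user"),
        "rows": len(reg.rows),
        "open_rows": reg.open_rows(),
    }
```

The scenario shows why the login-logout record cannot be completed on browser close: nothing fires server-side, so the first row stays open until the container invalidates that session, and the resumed login lands in a second row under a new session id.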
I'm working on a shopping cart and facing an issue with the FOSUserBundle registration flow:
My users can add whatever they want to their cart, whether or not they are logged in/registered, but before checking out I want them to log in/register.
The most important thing is that after login/registration they can get back the same shopping cart they had before. To achieve it, I'm saving a random key into the user session and saving this random key in the database with all the article data.
I have no problem with the login flow; the session is kept without any change (Symfony preserves all session data), so the user retrieves his session. My problem is with registration.
When the user wants to check out and doesn't have an account yet, he needs to register, and when the registration is complete (with FOSUserBundle, sending an activation link by mail) the user session is completely reset, so the shopping cart is lost. But it has not really disappeared: actually, a weird thing I observed is that the browser seems to deal with 2 different sessions at the same time in 2 separate tabs. In the old browser tab (before registration) the data is still there, but in the new tab the session is cleared.
So my question is, is there a way to give a user back his session after a successful registration in Symfony 2.1 while using FOSUserBundle?
Thank you in advance
My security config file was the cause
I had to set the option session_fixation_strategy to "migrate"; that now works perfectly, thanks
Login/logout is handled by Symfony 2's Security component while registration is handled by FOSUserBundle.
You can try to override the registration handler https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/overriding_controllers.md and migrate your old session: http://symfony.com/doc/current/components/http_foundation/sessions.html#session-api
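To make the difference between the two answers above concrete, here is an added Python model (not Symfony or FOSUserBundle code) of the three session_fixation_strategy values. The SessionStore class, the cart_key attribute and the key value are constructed for the example; the behaviour of "migrate" and "invalidate" follows what $session->migrate() and $session->invalidate() do in the HttpFoundation Session API linked above.

```python
import secrets


class SessionStore:
    """Server-side session store keyed by session id. A constructed
    stand-in for PdoSessionStorage, not Symfony code."""

    def __init__(self) -> None:
        self.data: dict = {}

    def start(self) -> str:
        sid = secrets.token_urlsafe(24)
        self.data[sid] = {}
        return sid

    def regenerate(self, sid: str, strategy: str) -> str:
        """Apply one session_fixation_strategy value after a successful
        authentication and return the session id to send in the cookie."""
        if strategy == "none":
            # id kept: whoever planted this id before login now holds a logged-in session
            return sid
        if strategy == "migrate":
            # new id, attributes carried over ($session->migrate())
            new_sid = secrets.token_urlsafe(24)
            self.data[new_sid] = self.data.pop(sid)
            return new_sid
        if strategy == "invalidate":
            # new id and the old attributes are destroyed ($session->invalidate())
            self.data.pop(sid, None)
            return self.start()
        raise ValueError(f"unknown strategy {strategy!r}")


def checkout_after_auth(strategy: str) -> dict:
    """Anonymous visitor fills a cart, authenticates, then returns to checkout."""
    store = SessionStore()
    sid = store.start()
    store.data[sid]["cart_key"] = "k-7f3a"   # random key the cart rows are stored under in the DB
    new_sid = store.regenerate(sid, strategy)
    return {
        "id_changed": new_sid != sid,
        "cart_kept": store.data[new_sid].get("cart_key") == "k-7f3a",
    }
```

"migrate" is the one setting that both rotates the id (defeating a fixated session) and keeps the cart key; "invalidate" also rotates but discards the cart, which is the symptom in the question; "none" keeps the cart but leaves the pre-login id in place.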
My web application requires a user to be logged in to view any webpage on it.
When a user logs in I store their username and password in the session for retrieval later on. This all works fine, but if I rerun my project it seems to skip past authentication and go straight to the controller for that action.
What I presume is happening is that FormsAuthentication.SetAuthCookie(userName, createPersistentCookie); is remembering that the user is logged in but my sessions aren't updated.
How can I trap this scenario and update my sessions accordingly?
There are many ways of going about it.
First, you can choose not to persist the cookie. But this will still cause the exception if the session has not expired and you recompile your project. Recompiling the project destroys the session state.
Though putting the password in session state is not the preferred way of going about it, I am sure you have a valid reason for doing it that way.
However, if you want to do it that way, you can override the Application_AuthenticateRequest event in Global.asax. This event fires every time a request comes in and you can check if the request is authenticated (using HttpContext.Current.User.Identity.IsAuthenticated) and repopulate the session state.
By the way, can you elaborate why you need to store the user password in session state?
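An added Python sketch of the approach this answer describes (illustrative only; not ASP.NET code and not from the question): a signed authentication ticket that outlives the in-process session, and a per-request hook that rebuilds the session from server-side data when the two disagree. The SECRET key, the PROFILES table, the user "bob" and the ticket format are constructed for the example; the ticket carries only the username, never the password.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# constructed server secret standing in for the machineKey that signs the auth cookie
SECRET = b"demo-machine-key-not-for-production"

# constructed user directory standing in for the membership database
PROFILES = {"bob": {"display_name": "Bob", "roles": ["user"]}}


def issue_ticket(username: str, expires: int) -> str:
    """Like SetAuthCookie: a signed, non-secret ticket with an expiry."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"u": username, "exp": expires}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_ticket(ticket: str, now: int) -> Optional[str]:
    """Return the username if the ticket is intact and unexpired, else None."""
    try:
        payload, sig = ticket.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload.encode()))
    if data["exp"] <= now:
        return None
    return data["u"]


def authenticate_request(cookies: dict, session: dict, now: int) -> dict:
    """Runs on every request, like Application_AuthenticateRequest.
    If the auth cookie is valid but the session does not know this user
    (recompile / app restart emptied it), rebuild the session from
    server-side data instead of letting the action run with an empty session."""
    user = verify_ticket(cookies.get("auth", ""), now)
    if user is None:
        return session            # unauthenticated; the app will redirect to login
    if session.get("username") != user:
        session.clear()
        session["username"] = user
        session["profile"] = PROFILES.get(user, {})
    return session
```

Because everything the session needs can be re-read from the server side, the password never has to be cached in session state; a mismatch between the cookie identity and the session (including a different user's leftover data) simply triggers a rebuild.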
If I have understood the issue correctly, you can have a base action class and move the authentication mechanism there. This base class will be invoked for every request, so you can make sure that the authentication mechanism is not skipped.
In my grails application using shiro, I'm using cookies to store the session data including authorization.
When a user tries to log in without accepting cookies, the login works, but then (as expected) the session is lost again and the user is logged out.
I don't want to change this behavior in general; I just want to display a notification to the user that his browser needs to accept cookies.
So is there a way to tell that this user has been the one who TRIED to log in after the session data is lost, so that I can display a respective message?
I think running a test whether cookies are accepted on every page is a bit too much, therefore I'm heading towards the solution at login only.
You could use the grails session to store the current state of the user. Then, on login, check the grails session and determine whether to show your message or not.
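An added Python model of the check this answer suggests (not Grails, Shiro or the asker's code): serving the login form starts a session and records that state in it; when the login POST arrives, the server looks for that state, and if the session cookie never came back the user is told to enable cookies instead of being silently logged out. The LoginApp and Browser classes, the cookie name, the user "carol" and her password are constructed for the example.

```python
import hmac
import secrets


class LoginApp:
    """Server side: sessions keyed by the cookie value (a constructed
    stand-in for the container's session store)."""

    COOKIE = "JSESSIONID"
    USERS = {"carol": "s3cret-demo"}   # constructed credential store

    def __init__(self) -> None:
        self.sessions: dict = {}

    def get_login_form(self) -> dict:
        """GET /login: start a session and note in it that the form was served."""
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"state": "login_form_shown"}
        return {"set_cookie": {self.COOKIE: sid}, "body": "login form"}

    def post_login(self, cookies: dict, user: str, password: str) -> dict:
        """POST /login: if the session started on GET did not come back, the
        browser dropped the cookie, so say so instead of attempting the login."""
        session = self.sessions.get(cookies.get(self.COOKIE, ""))
        if session is None or session.get("state") != "login_form_shown":
            return {"ok": False, "message": "Your browser must accept cookies to log in."}
        expected = self.USERS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"ok": False, "message": "Bad username or password."}
        session["state"] = "logged_in"
        session["user"] = user
        return {"ok": True, "message": f"Welcome {user}"}


class Browser:
    """Client side: either stores Set-Cookie values or discards them."""

    def __init__(self, accepts_cookies: bool) -> None:
        self.accepts_cookies = accepts_cookies
        self.jar: dict = {}

    def visit_login(self, app: LoginApp, user: str, password: str) -> dict:
        response = app.get_login_form()
        if self.accepts_cookies:
            self.jar.update(response["set_cookie"])
        return app.post_login(dict(self.jar), user, password)
```

The test runs only at login, as the question asked: no per-page cookie probe is needed, because a login POST that arrives without the session opened on GET is itself the evidence that cookies were rejected.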
If a user has logged in on one computer or browser and then logs in again on another computer/browser, the former login should be marked as invalid. Is there any way to implement this?
One way is to set a cookie with a session id when they log in, and record the latest session id somewhere server-side (like a database) keyed by that user id. On any website access, verify it's the latest session for that user.
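As an added Python example of exactly that scheme (not code from the answer): login issues a fresh random session id and records it as the user's latest; every request compares the presented id with the latest one and drops any superseded session, so the earlier browser is forced to log in again. The SingleSessionAuth class, its in-memory tables and the user "dave" are constructed for the example.

```python
import hmac
import secrets
from typing import Optional


class SingleSessionAuth:
    """Issue a session id at login and keep only the latest one per user
    (constructed in-memory stand-ins for the session store and the
    per-user 'latest session id' table)."""

    def __init__(self) -> None:
        self.sessions: dict = {}   # session id -> user
        self.latest: dict = {}     # user -> most recently issued session id

    def login(self, user: str) -> str:
        """Called after the password check succeeded: new unguessable id,
        recorded as this user's latest. Any older id is now stale."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        self.latest[user] = sid
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        """Run on every request. A known session that is not the user's latest
        one has been superseded by a newer login: remove it and treat the
        request as unauthenticated so that browser must log in again."""
        user = self.sessions.get(sid)
        if user is None:
            return None
        if not hmac.compare_digest(self.latest[user], sid):
            del self.sessions[sid]
            return None
        return user


def two_device_scenario() -> dict:
    """Same account logs in on a laptop, then on a phone."""
    auth = SingleSessionAuth()
    laptop = auth.login("dave")
    laptop_before = auth.current_user(laptop)          # still the latest
    phone = auth.login("dave")
    return {
        "laptop_before_phone_login": laptop_before,
        "laptop_after_phone_login": auth.current_user(laptop),   # superseded
        "phone": auth.current_user(phone),
        "laptop_second_try": auth.current_user(laptop),          # id already dropped
        "unknown_id": auth.current_user("never-issued"),
    }
```

The comparison of the presented id against the stored one is constant-time, and the id is 32 random bytes, so the check cannot be passed by guessing; the only way to become the "latest" session is to authenticate again.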