based on the following question/answer
CodeIgniter session class not working in Chrome
I had the problem where people are unable to login to my website from another country which is far from the US server. After searching online I've stumbled upon a suggestion which describes how the the problem is based on the difference between the server's timezone and the user's timezone. So, by extending the session_expiration I've managed to get around the problem and people are able to log in successfully.
My questions is whether the sess_time_to_update creates a new timestamp and it will logout the user because the new timestamp is in the wrong timezone? Do I have to make the new sess_time_to_update 17+ hours so that it covers the broadest range of timezones as explained in the question that I've linked. Is there some other way of storing the session at the user's browser based on their localtime (without asking them to choose timezones in the profiles and other sorts of user unfriendly schemes). I would like to have a 2h default session expiration time + the 800sec. update time. I'm not using the database to store the session and I would rather not use it.
The sess_time_to_update setting is how often the session details (such as last activity) are updated. The default is every 5 minutes (300 seconds) and a new session ID will be generated. This would reset the expiration date based on the sess_expiration setting.
I would suggest keeping the sess_time_to_update at the default (or lower) as that would keep the user session alive longer since the session expiration would keep getting reset. The only setting that may need to remain high would be sess_expiration, that is unless you can determine the users timezone.
There are a couple of ways you could try to determine the users timezone. One would be Javascript (Example: Client Side Timezone Offsetting) or you could try using PHP's GEOIP Methods.
Related
I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.
I need to have CakePHP know when a user is logged in, which I assume is a process started using:
'Session' => [
'defaults' => 'database'
]
As per the Sessions book page.
It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?
To clarity:
All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).
Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.
Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.
The information held in the cookie is just the session id. In the DB it's simply:
Session id | a blob | expiry time
I assume you save users and sessions in a database (by default in cakePHP it is named sessions).
Add an active_session field, update it upon login, check it on requests to ensure that current user session id matches the last one stored in the database.
On Login action do:
UPDATE `users` SET `active_session`='$session_id';
When user goes to a page that requires login, you search that value:
SELECT * FROM `users` WHERE `active_session` = '$session_id';
If the user signs in other place, the previous session key gets overwriten, and the SELECT above returns an empty result-set.
It's possible to clean the old session token before the update, so this way old session will be destroyed on per user basis.
Be careful, if you are using AuthComponent, it might rotate sessions itself, for more information you may find in the corresponding section of CakePHP manual.
I'd definitely go AuthComponent-way, and wouldn't re-invent the wheel in CakePHP.
I tie users to their cell phone. Every day they get a new 6 digit code via twilio sms. Makes it hard to share logins, but not impossible. Ultimately, I would like to track how many different machines a users uses per day and establish some fair use limitations. If a user uses three or four machines in a day, that's fine, but when they start using the same user id on twenty or fifty machines a day, that might be a problem.
I am having troubles to understand the login flow and signup flow in PassportJS and ExpressJS.What I really wanted to do is test if different sessions are being created. So I opened up a server and open two windows both at login pages. and then I log in and a session is created, but it is created for only person i.e. one who enters last, in my sessions table there is always one entry. Is this the expected behavior or is this wrong? How can I test this behavior in real time i.e. logging in 20 users and see 20 entries in my sessions table?
it depends on how you are handling sessions, most likely cookie, in which case you may need to refresh the browser, if that doesn't work. You're cookie expire date may not be set properly or you may not be deserializing properly. Read this for reference: https://scotch.io/tutorials/easy-node-authentication-setup-and-local
I'm a nowise in ZF2 and need an advise from more experienced users.
I'm developing a small shop I want to make different lifetime for session storage and cookies.
For example when user logins server sends a cookie with 3 months lifetime and creates session storage record (for user data) with lifetime 30 minutes. Having cookie and unique session record user can buy goods, comment, and view their profile with secure data (e.g. credit card number, phone, etc).
After 30 minutes of no activity session record must be deleted but cookie must be left (cookies lifetime must be 3 months). Having only cookie user can make comments but can not buy anything or view his/her profile.
So my I'm interesting how can I realize it with ZF2 ? - As I understood "remember_me_time" must be equal to "cookie_lifetime" or they can be changed to different values ?
Does ZF2 have any standard mechanism to delete a session storage after some time for single user or I have to create such mechanism by myself ?
If you're using ZfcUser (and if you're doing user authentication on ZF2 you should be) check out the GoalioRememberMe(https://github.com/goalio/GoalioRememberMe) module, it does exactly what you're looking for (Caveat: I've never actually used it myself so I can't vouch for it's efficacy or security)
I also suggest reading this response by Anthony Ferrara (#ircmaxell) to a somewhat similar question. It contains some background information on what you should and shouldn't do, and the gist of it is: don't try to keep the PHP session open that long, use a "remember me" cookie instead and build a new session from the remember-me cookie for visitors that don't have an active session.
I am playing with a timezones and I have a simple registration form. after user's registration, I would like to user display his current time, how to do that?
You can not do it only with Ruby, because such information isn't available on the server side.
1) If you know the user's location, you can do geo locating and determine the timezone. But it could be a problem if ip range you got from geo database has a few timezones.
2) Another solution, you can use javascript to help. So, with javascript you can calculate timezone and set it as cookie, and then access with Ruby from the request object. (How to get timezone with Javascript)
You could ask the user for their current timezone during registration and persist it with their user details.
ActiveSupport (included as part of the Rails API) has a great way to deal with timezones, you can convert the current time to a time in a different timezone using *in_time_zone*.
As an example
Time.now.in_time_zone("America/Guyana")
Time.now.in_time_zone(8)
Where the time_zone key can be found via this API document: http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html
See TimeWithZone for more info, http://api.rubyonrails.org/classes/ActiveSupport/TimeWithZone.html#method-i-in_time_zone.
I have implemented custom membership provider in my project. i kept one flag on database to get the users online. i want to reset this flag on the log out, i can do this if the user log out properly . I have to reset the flag on database even if the the browser closed directly or on any machine failure or normal time out, any tricks on membership provider to solve this. experts am waiting for your answers!!!!!!!
Thanks.
just put a field for users like IS_LOGOUT_BUTTON_PRESSED typeof(bool) default false
if the user click LogOut set it TRUE.
if the user closes browser, it will stay false. Then you can see what user did.
I am afraid that you are tilting against windmills.
You will notice that the sql providers implement the 'users online' by simply updating last activity in most all provider methods (and subsequently the stored procedures) and then using a predefined 'online time window' to determine if the user may still be online.
To implement an authoritative 'is_online' flag would require that you have complete control over the user's means of starting a session and ending a session, which you do not and can not do due to both the nature of the browser ui and the way that sessions and ticket expirations are bumped.
So you can never really be sure whether a user is online or not, rendering any efforts you have made to track this metric unreliable.
And unreliable data is often of less value than no data at all.
I am quite certain that you will find nothing but frustration in attempting to apply an absolute, as described in your question, to the stateless and freeform nature of sessions and tickets.
Sorry I have not better news.