Logging out user at session expiry with tank auth & Codeigniter - codeigniter-2

I use tank_auth to authenticate and log users in to my application developed using Codeigniter. I noticed that when the session expires after the default period, the user remains logged in. In tank_auth's login() function, the following check at the very beginning always returns true:
if ($this->tank_auth->is_logged_in())
I'd like to log the user out when the session expires. Please could you point me in the right direction to implement this?
Thanks!
Mmiz

Related

Check if session has expired in Laravel 5.4

How do I check if the session has expired in Laravel 5.4?
If the session has expired I want to show a message.
You can use the following
if (Auth::check()) {
    // the user is authenticated and their session is still valid
}
Laravel will create a session for every user, no matter whether the user is logged in or not. It will create a token for the specific session. You can check whether the token exists or not.
You can check whether the token is there or not with the function Session::get('_token');.
But if you are asking whether you can check if a user's session is expired, you can use Auth::check(). It will return whether the session is expired or not for the specific user.
For example, if the user is logged in, it will return true or false. But you can't check whether the overall session is expired or not, because Laravel will create and store a session for every single visit no matter if the user is authenticated or not.
Let me know if you have any more questions or queries regarding Laravel sessions. Let me know if it helps!

Nancy & forms authentication: How to invalidate all sessions of a logged in authenticated user?

I am using Nancy Web Framework and forms authentication.
How do I programmatically invalidate all sessions of a logged in authenticated user?
Logging out the Context.CurrentUser with MyNancyModule.Logout() just invalidates one session; if the user is logged in from (e.g.) another browser, that session is still valid.
That is a good thing, but I want to invalidate all sessions after the user changed her/his password.
Thanks in advance!
The easiest way to do this is change the GUID identifier on the user record that your UserMapper maps to from the session cookie - that will automatically invalidate every single session out there for that user, forcing them to log back in and get a new cookie.
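The two mechanisms discussed on this page, a session check that actually honours expiry (the tank_auth question above) and invalidating every session of a user by rotating an identifier on the user record (the Nancy answer), as one added illustration in Python. This is example code written for this page, not tank_auth, CodeIgniter or Nancy code; the in-memory stores, the 1800-second idle timeout and the injectable clock are assumptions made so it runs stand-alone.

```python
import secrets
import time

IDLE_TIMEOUT = 1800  # assumed: seconds of inactivity after which a session counts as expired


class UserStore:
    # Each user carries a session GUID; rotating it voids every session issued under the old one.
    def __init__(self):
        self._guids = {}

    def add(self, username):
        self._guids[username] = secrets.token_hex(16)

    def guid_of(self, username):
        return self._guids.get(username)

    def rotate_guid(self, username):
        # Call after a password change: all sessions bound to the old GUID stop validating.
        self._guids[username] = secrets.token_hex(16)


class SessionStore:
    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now        # injectable clock so expiry can be simulated in tests
        self.sessions = {}

    def login(self, username):
        sid = secrets.token_urlsafe(32)   # random session id that would go back as the cookie
        self.sessions[sid] = {"username": username,
                              "user_guid": self.users.guid_of(username),
                              "last_seen": self.now()}
        return sid

    def is_logged_in(self, sid):
        # Re-checks expiry and the user's current GUID on every call instead of trusting a stored flag.
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        if self.now() - sess["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)  # expired: destroy the session rather than leave it marked logged in
            return False
        if sess["user_guid"] != self.users.guid_of(sess["username"]):
            self.logout(sid)  # GUID rotated (e.g. password change): this session is void
            return False
        sess["last_seen"] = self.now()  # sliding idle window
        return True

    def logout(self, sid):
        self.sessions.pop(sid, None)  # destroying the session makes protected pages inaccessible
```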

Spring Security removing session cookie on timeout in addition to logout

Spring makes removing cookies on logout entirely painless, you just add
<security:logout logout-url="/j_acegi_logout" logout-success-url="${server.environment.baseUrl}j_spring_security_logout" delete-cookies="USERPREFS"/>
Now, USERPREFS is the name of the cookie in the app that stores information for a specific user, and is set to be a session cookie only. When the user logs out, that cookie is removed, so other users won't have someone else's preferences applied. However, I noticed that in the case of a session timeout, a user could come along to the computer terminal, try to refresh the page, get redirected to the login screen, and now they're back in the app with the previous user's cookie!
Obviously when there is no cookie, the values are being supplied dynamically by the app, but to avoid a few extra db calls, I check to see if the cookie already exists in the request, and use it if it does. I can stop doing this, but it would be nice to just be able to set that cookie to also get removed when the application has to reestablish a new session, especially when the user switches
I believe USERPREFS holds the logged-in user's preferences. In that case you cannot use the value set in USERPREFS until the user logs in. If that is the case, you should set the values from the user's preferences saved on the server side when the user logs in. That way, though you have the USERPREFS cookie, you don't use its value until the user logs in. When the user logs in you set the logged-in user's preferences in the cookie so that the currently logged-in user's preferences are used.

spring security session timeout

I use Spring Security 3 in my JSF2 webapp.
I have a security rule to provide session timeouts:
<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />
So that when the session has expired and the user clicks on any link, he is redirected to the login page. In this page I check for the error param, and show a message to the user saying the session has expired.
But I have 2 problems:
(1) When I start up the app the first time (it tries to show the home page), I'm redirected to the login page saying the session has expired. I think that this may be happening because the first time you run the app the session is a new one, and Spring Security perhaps "thinks" it has expired (it doesn't distinguish between a new session and a timeout).
(2) If the session has expired for anonymous users (not yet authenticated), I'm redirected to the login page on timeout too. I don't want this behaviour for non-authenticated users; I just want to check the timeouts for authenticated users.
How can I solve both of these problems?
Thank you in advance.
You want to use the expired-session-url property for expired sessions, not the invalid-session-url. They are for two different things.

How are sessions maintained after login authentication?

After the username password login form is submitted (presumably with some kind of encryption through https) how does the server maintain the information that the user is logged in?
The user submits the login form and the server authenticates the user and returns a page. But when the user clicks on a link on that page, how does the server know the request it is receiving is coming from someone who is authenticated, so that it knows it's safe to send the HTML for that new page?
The act of logging on will usually result in the browser getting a session cookie passed back. It's this cookie that the server uses to identify which session (if any) belongs to the user.
If cookies are disabled on the client's browser, most web programming frameworks will cope by sticking a session ID onto the URL.
The username and some flag like is_logged are stored in the session.
On any page you should check those variables from the current session.
On logout you clean the session or destroy it, thus your protected page is inaccessible.
Good luck
Arman
