In my struts2 application, in the login action I am placing the user and role in the session.
I want to keep track of all the users who logged in so as to do stuff like following :
Avoid multiple login of same user-id.
Check wheather a user is looged in or not ! Or any body with role Admin is logged in or not !
and in some other actions !
How to do it any suggestion!
And also how to maintain the issues like
User close browser without loggin ! etc
Any material with more information of session can also realy help !
You can have a column in you user table called logged_in_time (timestamp type) and update it with the time when user logs in and make it null when user logs out.
Avoid multiple login of same user-id: : check if this columns alreadt has some value or not.
Check whether a user is looged in or not : check if that column is null or not.
User close browser without logging out : A schduler job may be, that runs at fixed interval of time to check the session(using sessionid may be) of the user and update this field accordingly.
Take a look at this discussion for further information. And another one.
Related
Since my 2 post about the LDAP Authentication (first post, second post), we created our own custom authentication scheme and function to connect to the application using our Active Directory credentials.
We can successfully log in the application. However, we have a second function which retrieves the group of the user in the AD. Here's the code when I'm trying to retrieve the group into a Text Field (P1_GROUP) :
ourschema.ldap_get_group_apex_from_user(
p_username => v('APP_USER'),
p_password => 'thepassword')
As you can see, this is working, because the password is in static text. This leads me to my main question :
How to retrieve the user's password in Oracle Apex, and what is the most secure way ?
I tried to set a Branch or a Process in the Log-In page while redirecting the user's the the home page, and Set Value of the :P9999_PASSWORD field to the home page text field P1_PWD.
So, I tried to adapt my code with the text field
ourschema.ldap_get_group_apex_from_user(
p_username => v('APP_USER'),
p_password => :P1_PWD)
Unfortunately, this doesn't seems secure because the password would be visible in the HTML code of the page (right click + inspect and there it is. Moreover, sometimes it gives me an error
Error computing item source value for page item P1_GROUP
It seems like the application cannot execute the function because the password is still not initialized.
Is there a way to retrieve :P9999_PASSWORD or to transfer it from the login page to a global variable/global page or a text field ? Or is there a function to retrieve the current user's password ?
Thank you again for your time, do not hesitate to ask for more details as this is a very specific case,
Thomas
I don't think your approach is correct. Ideally, even an administrator of your system should not be able to decrypt a user's passwords; they should be stored as hashes.
You're trying to look up the user's group memberships? You don't need the user's own credentials to do that. Use a dedicated account that has access to your Active Directory system and store that password encrypted in your database. Use that account to search for and look up the user's group memberships. That way, even if your system is compromised, only that account is exposed.
Thank you all for your answers and your advices on my case, and for taking the time to help.
We found a solution that we think is reliable, here's what we did if that could help other people.
We created a global variable G_GROUP, which will receive the group of the user
On the login page, we created a process before the login process.
Set the Source of the Process to PL/SQL Code :
:G_GROUP := pdbadmin.ldap_get_group_apex_from_user( --our custom function to retrieve groups
p_username => :P9999_USERNAME,
p_password => :P9999_PASSWORD); -- the function get the username and password in the fields
If i want to display the group of the user in the main page, let's create a Text Field P1_GROUP which as for Source the PL/SQL Expression :G_GROUP
Our group is initialized, and the password is not shown in any field.
Let me know what you think about it, and if you guys think this could be improved.
I have a basic laravel project which have login, logout and some others basic public pages.
I would like to count all session for the current time(now time). Any session that should be count login user or visit any public pages.
From this project, I would like to know how many session is running?
What I understand from your question is, you want a feature in your application where you can count number of user that are logged in to the application.
If that's the case then as stated above you can hack a way around by adding a bool column in users table or whatever table you are using to store users, and whenever any user logs in, you change that column value to 1 and when the user logs out you change the column value to 0.
This way you can count the users by using that column where the column value is true or 1.
Hope this solves your problem.
What is the best way to securely login in a user and keep the user signed in with cookies and sessions?
For example:
Check if password and email are valid for a specific user
Set a cookie with arbitrary string
Create a session with the same arbitrary string
Validate each request by the user by making sure the arbitrary strings of the cookie and session are the same
What is the best way to securly login in a user and keep the user signed in with cookies and sessions?
Using an established library.
It depends on how you define "create a session". For our purposes here let's define this as "create a server-side data store with an id and set a cookie with that id"; i.e. what the default session_start() does. Then:
Ensure the connection is HTTPS.
Check login credentials.
If valid, create a session (see above) with a large, (pseudo-)random id and an expiration time as short as possible but as long as necessary. Security here comes from the fact that it's infeasible to guess suitably random session ids, so the longer they are and the shorter their window of validity is the better.
Store the id of the logged in user in the session.
On each page request, see if the session with the id from the cookie exists; if so, use the user id stored in it to get your logged in user.
Optionally storing and checking the user agent is not a bad idea; you should not check the IP address though, as that may change legitimately.
Apart from storing it in sessions , you can also follow this method for keeping an user logged in , even after he closes the browser ->
1) Create a cookie storing user details and an unique hash
2) Create a sessions table (in a mysql db or any other db of your choice) where the unique hash is stored against the user-id, and the user agent of the browser,and the ip address .
3) Next time when the user logs in check that when the user logs in , is it from the same ip,same user agent .. If not , then delete the database entry , and repeat steps 1 and 2.
Apart from keeping an user logged in , it also gives you better security than just storing in sessions.
In my application I have an administrator who can create Tournament objects. When the object is created the service also creates a user (based on the tournament director's info which was entered at creation). The username for the user is the director's e-mail, the password is randomly generated and then mailed to the director.
When the director logs on with his e-mail address and password, I need to be able to link him to his own tournament, in order to only allow him to edit his own tournament's details. I have tried to find a way to store the TournamentId in the default ASP Net Users database, but was unsuccessful.
I had a look at this SO question which would certainly help me, but I can't figure out how it would apply to my problem. When the user logs on, I can't put the TournamentId in the userdata seeing as I don't know it.
Should I then do a lookup in the Tournament table to see which ID corresponds to the email address entered at login and store that in the userData? It seems quite unelegant this way.
I guess you should have a CreatedBy column in your Tournament table where you store the ID of the user who created the tournament. Then when the user logged in, get his id ( may be from session ,if you store it there), Do a select query where CreatedBy=loggedInUserId .That should do the trick.
I have a page for editing product details. I want to restrict that only one user can edit the product page. When a new user opens it while there is a current user editing it, I would like to place some notification then automatically make it available once the current user leaves the page. Any suggestion on how I should approach this?
I would recommend just letting them both edit at the same time.
If you want to notify the last person to save their document, then you can add a "version" column to the database.
Upon saving, you would check the version column, to ensure that the row had not been changed. If it had been changed, you would notify the user at that point.
If i understand you question correctly it sounds like you need to know about database concurrency,
Here are a couple of articles:
MSDN
Ironspeed
Now if you are asking how to authorize only a single user to edit records then you would need to look at roles and aloow say only admins to edit records.
you can have optimistic lock on your record while it is in edit mode , once it is saved make that record avaliable for other user.
Try something like this:
Create a table something like userAccess with IsAccessColumn
if user 1 access edit page set isAccess to True
So the second user will not access the edit page if records is set to true.
Then Set to False if user 1 finally edited the record
After that user 2 can now open edit page.
Regards