I have a CakePHP app where users have pages tied to their accounts. For example, the page ID 123 is tied to user 321.
Whenever the user logs in, all the pages tied to his account are saved in the session.
Admins are the only ones who can tie a page to a user. And here is the problem: if an admin adds a new page to a user and this user is logged in, he won't see this new page tied to his account unless he logs out and in again. In other words, he won't see it while his current session is valid.
What would be the best way to deal with this? If there is any way...
Find the user session and... update? delete? Is this even possible and/or "elegant"?
Send a message to this user warning about the new page and tell him to logout/login?
Stop saving this info in the session and rely on database only?
You really should stop saving this info in the session.
I have an external-facing website (back end SQL Server and ASP.NET) where I want a feature that if a user with the same ID is already logged in and tries to log in again from another browser or through some other channel, his previous session should be expired.
So how should I proceed with this?
You can store the sessions in a database by generating a unique session ID every time a user logs in. By also storing that session ID in a session variable, you can detect when the user has logged in somewhere else.
For example:
User A logs in with Safari on his laptop
A session ID is generated and stored in the database and in the session variable
User A browses to a different page
The session ID in the database is compared with the session variable
The IDs match, so the user is still logged in
User A logs in with Chrome on his phone
A session ID is generated and stored (overwriting the previous one) in the database and in the session variable
User A browses to a new page on his laptop
The IDs do not match, so he is redirected to the login page
You can also make this more general by keeping a session table, in order to allow a maximum number of sessions per user. The key is simply to use a global store like a database in combination with the session information to verify where the user logged in last.
I am saving data in the session (correct and wrong answers; I am doing it this way because before I save them to the database I have to check some criteria, and also the user can pause the question, log in and continue later), but I want to save them for each user, not globally for all users. Because of that I have a problem: if I log in with a different user, the session data from the previous user will still be there.
This is how I push to the session, but this is global (every user can access it):
Session::push('uncorrect', array('exam_id' => $exam, 'question_id' => $question, 'answer_id' => 0));
This is an example of the logged-in user in the session:
login_82e5d2c56bdd0811318f0cf078b78bfc": 1,
So my question is: how do I save the session for the current user, not for all users?
As discussed in the comments, but to explain fully: the Laravel session remains active for the duration of the browser session, that is, as long as the browser retains the session cookie. This is irrespective of different users being logged into your application in the same browser session.
When logging a user out, you would typically want to clear all session values or regenerate the ID. So, in Laravel, you can use Session::flush() to clear the values, or Session::regenerate() to get a new ID.
Passport by default allows the same user to log in from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second one?
Currently I'm using the 'Sessions' model to add the username to the record and, upon subsequent login, check by username whether a session exists. But this increases traffic to the DB. I'm thinking Express must already be doing this, or can be made to: keeping the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas on how to achieve this tweak with Express, or any other workaround/suggestion.
Much thanks!
I saw that at least 4 users upvoted this question, so I decided to create a Passport strategy for it. The new strategy is called passport-one-session-per-user. It's an open source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user
How to use it? Add it right after session. For example:
app.use(passport.session())
var passportOneSessionPerUser = require('passport-one-session-per-user')
passport.use(new passportOneSessionPerUser())
app.use(passport.authenticate('passport-one-session-per-user'))
No need for settings or configuration.
How does it work?
The strategy creates an array that contains the serialized user objects and their session IDs.
Every time a user logs in, the strategy checks whether the user is already logged in. If so, it flags the other session. The next time the user in the other session makes a request, the strategy sees the flag and logs the user out.
I'm thinking Express must already be doing this, or can be made to: keeping the 'logged in users' information in memory so that the process can be simplified.
I believe the session model logs the user in and saves only that logged-in state in the session cookie. The server itself has no clue who is logged in; it just checks this state in the (signed) session cookie provided by the browser.
You can write your own Passport.js strategy to handle it differently.
I use the .NET MVC3 framework with Razor, and my question is simple: how do I kill a session from another session?
I would like to make an admin view with the list of users and each user's session ID, and from this view I would add a button or a link which allows me to kill the session of a specific user.
Is it possible?
Thanks for your response.
You could keep a list of logged-in users somewhere on the server. Once a user logs in, you add them to your logged-in users list. Then you could write a custom Authorize attribute which, upon successful authorization, verifies that the user is in the list of logged-in users and only then allows access. And under the administrator account you could have an action which removes users from this global list.
If a user has logged in on one computer or browser and then logs in again on another computer/browser, the former login should be marked as invalid. Is there any way to implement this?
One way is to set a cookie with a session ID when they log in, and record the latest session ID somewhere server-side (like a database) keyed by that user ID. On any website access, verify that it's the latest session for that user.