I use .NET MVC3 framework with razor and my question is simple, how to kill a session from another session ?
I would like to make an admin view with the list of users and the user's session ID and from this view i would add a button or a link which allow me to kill the session of a specific users.
It is possible ?
Thanks for your response
You could keep a list of logged in users somewhere on the server. Once a user logs in you could add it to your logged in users list. Then you could write a custom Authorize attribute which upon successful authorization will verify if the user is in the list of logged in users and only then allow access. And when under administrator account you could have some action which removes users from this global users list.
Related
I have to display the buttons in the view based on the roles, let's say I have roles like admin user and default user wherein admin user will be able to see the delete, modify and add buttons but default user can only search. Currently, when a user logs in I am capturing the userid and sending the userid to the database to get the role of a user and I am storing those roles in session. In the view retrieving the role value using below code
#if (Session["UserRole"].ToString() == "Admin")
{
//show delete,modify and create buttons
}
but in my production, the code will be hosted on multiple servers and request can go to any of the servers.
My question is it a good practice to store the roles in the session, is there any better approach to solve my requirement. If I am going with the session in the production environment where there will be multiple servers will the session approach works?
You can have some performance problems with this solution, so I recommend to get the role in the action method and storage this in a ViewData.
But I think that the best solution is to create a partial view with this and in the method an authorize tag.
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
An “Add Link” button is added to the page by JavaScript after the user is authenticated (sign in). The user clicks on the “Add Link” button which opens up a form (implementable by JavaScript) for the user to fill out and submit. When the form is submitted an Ajax request is sent to the server, the server stores the newly added link into a database. How are user privileges implemented in multi-user websites securely? Are they implemented on the client side or on the server side, or a combination of both?
A little of both, but generally speaking more on the server side. A user that authenticates might get a session ID key which they can store locally or else they are tracked by the server (presumably by IP address). That user has some permissions associated with their account in a database on the server. Those permissions are then read when the user attempts to perform a restricted action.
I have a CakePHP app where users have pages tied to their accounts. For example, the page ID 123 is tied to user 321.
Whenever the user logs in, all the pages tied to his account are saved in the session.
Admins are the only one who can tie a page to an user. And here is the problem. If an admin adds a new page to an user and if this user is logged, he won't see this new page tied to his account unless he logs out/in. In other words, while his current session is valid.
What would be the best way to deal with this? If there is any way...
Find the user session and... update? delete? Is this even possible and/or "elegant"?
Send a message to this user warning about the new page and tell him to logout/login?
Stop saving this info in the session and rely on database only?
You really should stop saving this info in session.
If one user have login in one computer or a browser,then he login in another computer/browser again,so the former login should be marked as invalid,is there any way to implement this?
One way it to set a cookie with a session id when they log in, and record the latest session id somewhere server-side (like a database) keyed by that user id. On any website access, verify it's the latest session for that user.