dynamic session timeout - session

Can I change the session timeout dynamically? The timeout must be set according to the user role. I tried to use configure::write to change the timeout dynamically but it doesn't work. it seems that for the new session timeout to take efect, you have to reset the session, but resetting the session will loss the login info.

I think using something like the following after you check role membership will get you what you want.
HttpContext.Current.Session.Timeout = 1200;

I think you are right when saying you can't change the session timeout after it has been created, maybe you could look at regenerating one with a new timeout.
But maybe a more easy solution would be to use javascript, you could set a timeout value and when it runs out send an ajax request logging the user out.
This obviously won't work if a user disables javascript but it depends on how secure you want this to be.

Rather than changing the session timeout, have you considered using a variable in the session to store the date/time of the last pageload, so that you can check it on the next pageload?
You could add some code to the beforeFilter() method in AppController to calculate the amount of time elapsed between the last pageload (stored in the session) and now, and if this is greater than the session length for your specified user role, destroy the session. If not, store the current date/time in the session, so that it can be used next time.

Related

gorilla/sessions persistent between server restarts?

I have a general question about sessions. I am not very seasoned when it comes to this subject. I've tried with:
NewRediStore (gopkg.in/boj/redistore.v1)
NewCookieStore
NewFileSystemStore
I was under the impression that sessions could last between server restarts, hence the need for a 'store'. While my golang backend is running, I am able to set new sessions and retrieve them for multiple users/browsers. No problems there.
When I restart my server, I notice that all session access results in session.IsNew == true.
In Redis, I can see all the session keys after the restart, and even verified that .Getting the session results in the right ID retrieved, but IsNew is still set.
I guess intuitively, this makes sense because there must be some map in memory that leads to the setting of IsNew but I would think that if there was any hit for the cookie key in the store, IsNew should not be set. Am I going crazy? Is there something easy that I am doing wrong? Is this a fundamental misunderstanding of how to use sessions?
Please let me know if I need to include code or additional details.
I would have had the same assumptions you did, and browsing the source, it looks like it should work as you described. You might try debugging and stepping through it, particularly the New method for the store you're using (e.g. FilesystemStore.New or RediStore.New). If that method successfully reads the cookie and finds the session in the store, it should set IsNew = false, according to the source.
Also note that just checking the session ID is not a good way of validating this behavior. If you look at the source, it decodes the session ID from the cookie, then tries to look that up in the backing store. If the lookup fails, then the session ID will match, but IsNew will be true and there won't be any values in the session. Make sure you're setting some value in the session and check for that instead of the session ID. The behavior is different for the CookieStore since it stores the session data in the cookie itself.

Why code igniter session time expiration not calculating from last user activity?

I am wondering why codeigniter session time expiration is not calculating from last user activity.This way i can retain active users. Right now even user performing activities, the session gets expired due to the limitation.
I think you are facing a bug.
Codeigniter's session stores the timestamp of your user's last activity.
The framework use this information to calculate the expiration time.
Also, I've read multiple times that Ajax calls may broke CI sessions. I've also been struggling with CI's sessions and i've been forced to pass $config['sess_use_database'] to false as a workaround.
https://degreesofzero.com/article/fixing-the-expiring-session-problem-in-codeigniter.html
https://ellislab.com/codeigniter/user-guide/libraries/sessions.html
https://ellislab.com/forums/viewthread/182755/#900523
You can check whether user is performing activity or not. If not you can ask the process to sleep for 1 sec. This way the session will never expire.
sleep(1);
In PHP this will work. This way you can make the process sleep when user is idle.

laravel remember function explanation

what's the difference beetween if I set second parameter of Auth::attempt() to true and false? If I close the browser and come to page I'm always logged in either if I set true or false. So I can't see any difference. Can someone explain it to me?
From the docs at http://laravel.com/docs/security
If you would like to provide "remember me" functionality in your application, you may pass true as the second argument to the attempt method, which will keep the user authenticated indefinitely (or until they manually logout). Of course, your users table must include the string remember_token column, which will be used to store the "remember me" token.
Laravel by default sets a session cookie upon authentication, with a lifetime configured in app/config/session.php. The default is 120 (minutes) which means your session will stay active for two hours after your last activity. With the remember me set to true, it will set an additional cookie to keep you logged in permanently.

Remove session variable when user leaves page

I have a page that sets a session variable to hold a list of lookups from the database for the page when the page is loaded.
The page also will need to access that list of lookups when Ajax calls are made from the browser.
I'd like to not load the list of lookups from the database for each Ajax call, but I would like to remove the list of lookups from the session if the user leaves the page. Is there a best practice or recommended strategy for doing this?
You can clear the session variable with javascript using something like this
window.onbeforeunload = cleanup;
function cleanup()
{
// Clear session variable here
}
However, this isn't foolproof since the user could always disable javascript, etc. Usually this won't be an issue since the session variable will have a timeout anyway. If you are really concerned, you should remove any current sessions on page load.
Another option, depending on your situation, is to use the Caching.Cache class to hold the values. When you insert the values into the cache, you can set them to expire after a TimeSpan, and just set it for pretty short, like 5 minutes or so.
Note that while sessions are per user, their is only one cache per server instance.

will session expire in my scenario?

I am designing a top level page which is designed by implementing a frameset. In one frame of the frameset, I will invoke JavaScript to refresh the page to post to some URL regularly (every 10 minutes). In the other frame of the frameset, I will let user do the major work -- let end user enter input for a time-consuming form (e.g., to have a written essay test).
My question is, in my scenario, I think the frame which does the major user input work will never session expire, because the other frame will refresh? Is that understanding correct? My confusion is, I am not sure whether in another frame posting to some other URL in the same web site will block the other frame from session expire?
thanks in advance,
George
You are correct, that will keep the session alive.
The server keeps track of when you last fetched a page and passed your session identifier as a cookie. When it has been longer than the session timeout interval, it will no longer accept the session identifier and considers your session expired.
By hitting the server in the background, you are maintaining the session. Note, you do not have to do a POST. A simple GET will suffice.
Note, I am assuming your session timeout is longer than ten minutes.

Resources