Lift Session expires - session

I am new to Lift and trying to write a simple login application. When I leave my login page for some time and then enter a username and password, it doesn't log in; instead it performs the session-expire behavior.
I checked the log and found that whenever I get the "INFO - Session navoo0xdu1ia1vi8m1c0cnl3w expired" log message, the above behavior happens.
I am not able to understand why the request is using the existing session even if it has already expired. Please guide me to where I can find documentation/examples/tutorials to understand this behavior and how to implement simple session-based login functionality.
Any help will be appreciated since this problem is a bottleneck for me. I googled a lot but couldn't find anything useful.

If your session is expiring then it is because of one of two things:
1) The value set in LiftRules.sessionInactivityTimeout
or
2) The value set for session expiry within your container session.
The former is actually set to nothing by default, which means the latter will override it. Be aware however that provided you are interacting with Lift and have not disabled the heartbeat pulse then sessions do not expire. If you watch the AJAX traffic you will notice a page heartbeat used for function GC which keeps the page bound functions alive.

Related

How to trigger a method on serverSessionTimeout in IBM Mobilefirst

My requirement is, I want to logout the user after 3 minutes of inactivity whether the app is in background or foreground.
In worklight.properties,
mfp.session.independent=false
mfp.attrStore.type=HttpSession
serverSessionTimeout=3
In main.js, for the session timeout when the app is in foreground, I have set
WL.Client.setHeartBeatInterval(-1);
Now the application is logging out perfectly, but once the app is logged out I want to show the user that the session has timed out.
Is there any method available in Mobilefirst which will be triggered on session time out?
There is no built-in feature to handle this. You need to write custom logic. For example, have some flag stored in the localstorage of the application and store in it what was the last way the user logged in, due to actively tapping the logout button, and if not... it means it was due to a session timeout.
Let's say, create a variable called activelyLoggedOut. By default false.
The user logs in...
Some time has passed... a request is made. The session expired. When the challenge is received then in the challenge handler you check for the value of activelyLoggedOut, if it's false you know that it's because of session expiration - output the relevant message.
or, the user taps "logout". Before logging out, change the value to "true",

OneDrive session is lost when refresh of the page is made

After logging in to OneDrive through a web application as explained here (http://msdn.microsoft.com/en-us/library/dn659751.aspx), I can see that a session (WL.getSession()) is obtained correctly. However, if I refresh the page, it is lost. I guess this is due to some cookie management. Is it possible to have the session not cleared at refresh?
Thanks,
Stanislav
Typically, you should call WL.login or otherwise check login status first (see WL.getLoginStatus). These will return a session object if the user is logged in and has consented, so on refresh your session object should not be null unless they have logged out and you need to sign them in again. You may be "losing" the session depending on when you are calling WL.getSession().
Check out the interactive SDK sample on signing users in.

MVC3: Controller action that doesn't refresh session

I need to create an action that returns whether or not the user's session has expired. The problem is that requesting any action will refresh the user's session timeout. So, I need this action to NOT refresh the timeout.
Is there some way to make a controller action that has access to the session, but does not refresh the timeout?
Figured it out. We built an http module to read the forms auth ticket which could be accessed at site.com/.formsauthticket. By handling it at this level, it did not trigger the session at all. I'm afraid I cannot provide code here but we set the module to return the number of milliseconds till the session expired. We then used this number to make some client-side timers.
We based our solution on an answer to a different question found here. Hope this helps someone else!

CakePHP Session Expires Even When Browser is Active

I am working on an e-commerce project using the Auth Component for authentication and Sessions Component for storing my cart.
The problem is that the session gets cleared abruptly after a while even when I am actively browsing the site. I know this should be because of the Session timeout but just increasing the timeout value is not the solution I am looking for.
I want the session to expire only when a user closes his browser. Can this be achieved?
AFAIK all you can do is to set a session timeout variable far into the future. Sessions are automatically cleared when the browser is closed (unless you set a Remember Me type cookie). Setting it far into the future will effectively accomplish what you need to do.
How long into your session is it timing out? It should only timeout when your user is inactive for a period of time. If it times out in-between requests, and you know the timeout time has not elapsed, you have some other issues going on. What are the settings in your core.php file regarding your security levels and session timeouts?

How do websites generally log users out automatically when session expires?

How do websites generally log users out and send them to the log in screen automatically when a user's session expires? Is this done through ajax or running async handlers? Can you give me a bit of an explanation.
Banks and such use a client-side timeout via javascript, or something similar. Really, though, the server handles the actual session, so if you disabled the client-side logic it would act as if you were attempting to make transactions while logged out.
Use a cookie as well as a session.
Cookie must be set when a session is started.
If the cookie is present but the session is gone, redirect to the login screen.
If there is no session and no cookie do nothing
(pardon me if you can't do that because I never used ASP and basing my answer on my PHP knowledge)
Typically, you set an expiration timestamp on your session ID cookie. When the cookie fails to be sent, the client is logged off (no given session ID).
This method is often combined with JavaScript and another timestamp token. When the timers start running down, a notification is sent that allows the user to "refresh" their session... essentially, making a request before the session timestamp expires.
The "refresh" request could be anything, even something as simple as an image load.
If you are using Tomcat you can use its built in <security-constraint> mechanism within your web.xml definition. All of the timing, login screen, and page redirects are handled by Tomcat with little effort on your part other than definitions.
Oh, IIS... nevermind.
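The following is an added example, not code from any of the posts above: a server-side idle-timeout store showing that expiry is enforced on the server, that a status check can report the time left without refreshing the timeout, and how the cookie-plus-session rule tells a timed-out user from an anonymous one. The names SessionStore, sid and seen are hypothetical, and time is passed in as a number so the behaviour is deterministic.

```javascript
const { randomBytes } = require('crypto');

class SessionStore {
  constructor(idleMs) {
    this.idleMs = idleMs;
    this.sessions = new Map(); // sid -> { user, expiresAt }
  }

  // Login: issue an unguessable id. The caller sets two cookies:
  // sid (the session id) and seen=1 (marker that a session once existed).
  create(user, now) {
    const sid = randomBytes(16).toString('hex');
    this.sessions.set(sid, { user, expiresAt: now + this.idleMs });
    return sid;
  }

  // Read-only check: milliseconds left, 0 if expired or unknown.
  // It does not slide the expiry, so a client-side timer can poll it.
  remaining(sid, now) {
    const s = this.sessions.get(sid);
    return s && s.expiresAt > now ? s.expiresAt - now : 0;
  }

  // Normal authenticated request: enforce expiry on the server, then slide it.
  touch(sid, now) {
    if (this.remaining(sid, now) === 0) {
      this.sessions.delete(sid);
      return null;
    }
    const s = this.sessions.get(sid);
    s.expiresAt = now + this.idleMs;
    return s.user;
  }

  // Explicit logout: the caller also clears the seen cookie, so the next
  // visit is classified as anonymous rather than as a timeout.
  destroy(sid) { this.sessions.delete(sid); }

  // Decision table from the cookie-plus-session answer.
  classify(cookies, now) {
    if (cookies.sid && this.remaining(cookies.sid, now) > 0) return 'active';
    if (cookies.seen) return 'expired'; // marker without a live session: send to login
    return 'anonymous';                 // no marker, no session: do nothing
  }
}
```

Any client-side countdown built on remaining() is only a convenience for the user; touch() is what actually rejects a request made after the idle period.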
