CodeIgniter Session Expires on Page Refresh - codeigniter

We have a CodeIgniter based SAAS application. Sessions are stored in the database.
We use this class as a replacement for CI sessions
With one specific customer (same office, multiple users, same IP), the session is getting reset or destroyed on a page refresh.
This has never happened before with any other users or from other location. I am not able to reproduce this issue.
Steps:
1. User logs in and sees the home page.
2. User begins navigation by clicking some link.
3. Session times out and they are prompted to log in again.
4. This continues after each login.
Session expiration is set to 3000 s and time_reference is GMT and sess_time_to_update = 300 s.
Any help on how to go about investigating this issue will help.
This happens in IE and Chrome, and therefore does not seem to be a browser issue.
This same set of users have never had this issue before.

Check the size of the session cookie. Maybe it is larger than the allowed size > 4096. I know it's a long shot, but try it out nevertheless.

Related

Automatically logs out users after submitting update form

Very weird issue.
I'm logged into a Laravel app with 2 different users in Chrome and Chrome Incognito.
When I submit {any} update form it logs the other user out when I refresh.
The user that I submitted the form with is still logged in.
When simply browsing around both users remain logged in.
Environment
Windows XAMPP
session driver = redis (I have tried changing this to see if it helps)
UPDATE:
Same thing happens when logged in from 2 separate browsers - Chrome / IE
I presume something in the Illuminate\Http\Request class causes this behavior.
UPDATE 2
Keeps both users logged in when I select the "Remember Me" option.
similar issue: https://laracasts.com/discuss/channels/laravel/laravel-not-reading-session-cookie-on-form-post-in-chrome-when-logged-in-with-remember-me
Hints at this being an XAMPP bug - using a different dev environment solved it.
I think, with it being such a weird issue and not many people experiencing it, it must be an issue with my specific environment.
Sessions in PHP use a cookie (created automatically) that is stored by your browser; it is very possible that the incognito mode you are using deletes this cookie when you refresh the page.
When starting the first Incognito window, it uses a completely brand new and blank internal profile that has no cookies nor session data. Any cookies or session info are set immediately during that session. Further Incognito windows opened all share that same session, so they share the cookies/session data.

How can I close all (plone) sessions opened by a user except the current one?

Let's suppose I've opened two or more user sessions on two or more devices (same user without admin privileges).
In the current session, if I log out, does it mean all other sessions will also close? If not, is there a way to do this by a URL request?
Something like this:
User calls a method, e.g. [plone-site]/close-all-sessions-except-this;
Result: all user sessions opened on the other devices are closed.
It would be better if this method were native in Plone.
Gmail has this feature. I think it's an important security and privacy issue.
Not really sure what you are asking, but if you want to automatically logout all authenticated users (not only one user) you can:
1. Go to ZMI
2. Enter inside acl_users
3. Select the session plugin
4. In the "Invalidate all session identifiers" section click the "Clear secrets" button.
As you can read there:
By clicking the button below you clear all secrets used to validate
sessions. This will immediately log out all users who use session
authentication and require them to log in again.
That's a nice feature request, would you mind opening an issue? AFAIK Plone doesn't include that by default.
When you log out of one session Plone will close all sessions for that browser AND site URL, because the session is stored in a cookie set to site's domain. However Plone won't log you out from other browsers/devices, nor in the edge case you're accessing the site by IP, if that's available.

How to limit users to one session with CakePHP 3?

I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.
I need to have CakePHP know when a user is logged in, which I assume is a process started using:
'Session' => [
    'defaults' => 'database'
]
As per the Sessions book page.
It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?
To clarify:
All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).
Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.
Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.
The information held in the cookie is just the session id. In the DB it's simply:
Session id | a blob | expiry time
I assume you save users and sessions in a database (by default in cakePHP it is named sessions).
Add an active_session field, update it upon login, check it on requests to ensure that current user session id matches the last one stored in the database.
On Login action do:
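-- Scope the update to the user who just logged in ($user_id is an assumed variable name); bind both values as query parameters.
UPDATE `users` SET `active_session`='$session_id' WHERE `id`='$user_id';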
When user goes to a page that requires login, you search that value:
SELECT * FROM `users` WHERE `active_session` = '$session_id';
If the user signs in elsewhere, the previous session key gets overwritten, and the SELECT above returns an empty result set.
It's possible to clean the old session token before the update, so this way the old session will be destroyed on a per-user basis.
Be careful: if you are using AuthComponent, it might rotate sessions itself. You may find more information in the corresponding section of the CakePHP manual.
I'd definitely go AuthComponent-way, and wouldn't re-invent the wheel in CakePHP.
I tie users to their cell phone. Every day they get a new 6-digit code via Twilio SMS. Makes it hard to share logins, but not impossible. Ultimately, I would like to track how many different machines a user uses per day and establish some fair use limitations. If a user uses three or four machines in a day, that's fine, but when they start using the same user id on twenty or fifty machines a day, that might be a problem.
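The active_session check described in this thread, generalized to one row per session so the same code also covers the "close all sessions except the current one" request from the Plone question above. This is an added, framework-neutral example in Python with SQLite, not code from any of the posts; the table name user_sessions and all function names are assumptions, and credentials are assumed to have been verified before login() is called.

```python
import hashlib
import secrets
import sqlite3

def _digest(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable session ids.
    return hashlib.sha256(token.encode()).hexdigest()

def open_db() -> sqlite3.Connection:
    # Hypothetical schema: one row per live session, keyed by the token hash.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_sessions ("
        " token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL)"
    )
    return conn

def revoke_others(conn, user_id: int, keep_token: str) -> int:
    """Delete every session of user_id except keep_token; return rows removed."""
    cur = conn.execute(
        "DELETE FROM user_sessions WHERE user_id = ? AND token_hash <> ?",
        (user_id, _digest(keep_token)),
    )
    conn.commit()
    return cur.rowcount

def login(conn, user_id: int, single_session: bool = False) -> str:
    """Create a session; with single_session the newest login wins."""
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO user_sessions (token_hash, user_id) VALUES (?, ?)",
        (_digest(token), user_id),
    )
    conn.commit()
    if single_session:
        revoke_others(conn, user_id, token)
    return token

def is_valid(conn, user_id: int, token: str) -> bool:
    """Per-request check: the cookie's token must still be on record."""
    row = conn.execute(
        "SELECT 1 FROM user_sessions WHERE user_id = ? AND token_hash = ?",
        (user_id, _digest(token)),
    ).fetchone()
    return row is not None
```

Every statement is scoped by user_id and uses bound parameters, so one user's login never touches another user's sessions.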

Joomla Auto Logout

I am using Joomla 1.5. My login is with the standard Joomla module. I have a request to automatically log off users once they close their browser. I don't know how Joomla handles the session or if there is any trick I can do to make this work. Thanks in advance.
You could turn off cookies, I suppose - Check the Global Configuration.
For anyone else looking at this.
You can't clear a session when somebody closes the browser as the server doesn't know this has happened and the session data is stored on the server.
You can't disable cookies as then no one would be able to log in.
In global configuration you can set the session lifetime value to something like 15 minutes and if there is no activity in that period of time the user is automatically logged out.

Session is lost on new request in classic asp site

This isn't easy to explain, but I'll try my best.
The issue has started happening in a site that was built some years ago using classic ASP. The symptom is that the administrators log in using a form and then a session variable is set, but suddenly when they request a new page they are prompted again to log in.
This problem isn't specific to any browser, I've reproduced the problem with Firefox and IE8.
Using Fiddler I can see that suddenly the server sends a new Set-Cookie header, despite a previous session cookie being sent in the request.
From that moment, the server will switch between the two sessions randomly, none of the sessions seem expired, they preserve their own variables, but for the user it's useless because he might be asked to login and then the form data is processed in the already logged-in session.
What can I try to find out the problem?
The server is a shared hosting with IIS6, the hosting company isn't too friendly but the cost of moving everything to other place makes things stay as is.
Thanks.
Some further info:
Showing the machine name as suggested by Aaron D. always shows the same name, but I had stored the start time of the application in global.asa:
Sub Application_OnStart()
    Application("Start") = now()
End Sub
And it turns out that when showing that info in a test page it does change as the detected session changes. So there are two servers (with the same name) or somehow it's running the application twice.
Is it possible?
I have a couple ideas but nothing definitive.
Are some requests over HTTPS and others over HTTP? Are the cookies set to only transfer over secure connections?
Are your requests alternating between a subdomain and the primary domain? Example, some requests go to www.foo.com and others to foo.com? The cookies may not be shared between the two unless you set the domain inside the cookie. This could also happen with multiple subdomains.
This one is less common, but is the company hosting your site on multiple servers that are distributing the load? You could tell this by creating a page as specified here:
http://mentaljetsam.wordpress.com/2008/01/29/classic-asp-code-to-print-current-server-name/
If this turns out to be the case, the solution will be to change your session state model from "InProc" to use a shared resource such as a database.
Are you sure that it switches you between sessions and doesn't just expire your session away? It could be that your app is restarting (based on your edit) and this is killing your sessions, but the cached result makes it look like it's still valid. Can you try doing hard refreshes and/or check the results with an HTTP traffic watcher like Fiddler? That might give you a better clue about what requests are actually going across the wire.
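The diagnosis worked out in this thread (an unexpected Set-Cookie in Fiddler, correlated with the Application("Start") value printed by a test page) can be applied mechanically to a capture. The following is an added example, not code from any of the posts; the capture is constructed, and the tuple layout and function names are assumptions.

```python
# Constructed capture: (request Cookie header, response Set-Cookie or None,
# Application("Start") value printed by the test page).
CAPTURE = [
    ("", "ASPSESSIONIDAAAAAAAA=ONE; path=/", "10:00:00"),
    ("ASPSESSIONIDAAAAAAAA=ONE", None, "10:00:00"),
    ("ASPSESSIONIDAAAAAAAA=ONE", "ASPSESSIONIDBBBBBBBB=TWO; path=/", "10:07:30"),
    ("ASPSESSIONIDAAAAAAAA=ONE; ASPSESSIONIDBBBBBBBB=TWO", None, "10:00:00"),
    ("ASPSESSIONIDAAAAAAAA=ONE; ASPSESSIONIDBBBBBBBB=TWO", None, "10:07:30"),
]

def asp_sessions(header):
    """Return {cookie name: value} for ASPSESSIONID* cookies in a header."""
    found = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.upper().startswith("ASPSESSIONID"):
            found[name] = value
    return found

def reissued(capture):
    """Indexes where a session cookie was sent but the server set a new one."""
    hits = []
    for i, (sent, set_cookie, _start) in enumerate(capture):
        old, new = asp_sessions(sent), asp_sessions(set_cookie)
        if old and new and not new.items() <= old.items():
            hits.append(i)
    return hits

def instances_by_start(capture):
    """Group request indexes by the Application("Start") value they reported."""
    groups = {}
    for i, (_sent, _set_cookie, start) in enumerate(capture):
        groups.setdefault(start, []).append(i)
    return groups

def diagnose(capture):
    """Separate the two explanations offered in the answers above."""
    hits = reissued(capture)
    if hits and len(instances_by_start(capture)) > 1:
        return "multiple application instances with in-process sessions"
    if hits:
        return "session re-issued by a single instance (restart or expiry)"
    return "no session re-issue observed"
```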
