How to control the user relogin - session

If a user has logged in on one computer or browser, and then logs in again on another computer/browser, the former login should be marked as invalid. Is there any way to implement this?

One way is to set a cookie with a session id when they log in, and record the latest session id somewhere server-side (like a database) keyed by that user id. On any website access, verify it's the latest session for that user.

Related

When a user logs in from a browser, his previous session should expire

I have an external-facing website (back end SQL Server and ASP.NET) where I want a feature such that if a user with the same id is already logged in, and he tries to log in again from some other browser or through some other channel, his previous session should be expired.
So in which way should I proceed for this?
You can store the sessions in a database, by providing a unique session-id every time a user logs in. By storing the session-id also in a session variable you can see when the user is logged in somewhere else.
For example:
User A logs in in Safari on his laptop
Session id is generated and stored in database and session variable
User A browses to different page
Session id in database is compared with session variable
ids match, user is still logged in
User A logs in using Chrome on his phone
Session id is generated and stored (overwriting the previous) in database and session variable
User A browses on his laptop to a new page
Ids do not match, redirect to login page
You can also make this more general by keeping a session table, in order to allow a maximum number of sessions per user. The key is just to use a global storage like a database in combination with the session information to verify where the user logged in last.
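The flow walked through in the answer above, as an added example in JavaScript (not part of the original answer). The `SessionRegistry` class and its method names are hypothetical, and an in-memory `Map` stands in for the database table; the `maxSessions` parameter covers the per-user session limit the answer mentions.

```javascript
const { randomBytes } = require('node:crypto');

// Constructed stand-in for the session table; a real deployment would use
// the shared database so every web server sees the same state.
class SessionRegistry {
  constructor(maxSessions = 1) {
    this.maxSessions = maxSessions;
    this.byUser = new Map(); // userId -> [sessionId, ...], oldest first
  }

  // Call after credentials are verified; put the returned id in the session.
  login(userId) {
    const sid = randomBytes(32).toString('hex'); // unguessable, from a CSPRNG
    const live = this.byUser.get(userId) || [];
    live.push(sid);
    // With maxSessions = 1 this overwrites the previous id, as in the steps
    // above; larger values evict the oldest session first.
    while (live.length > this.maxSessions) live.shift();
    this.byUser.set(userId, live);
    return sid;
  }

  // Call on every request with the values held in the user's session.
  isCurrent(userId, sid) {
    const live = this.byUser.get(userId) || [];
    return typeof sid === 'string' && live.includes(sid);
  }

  // Logout: end one session, or all of a user's sessions when sid is omitted.
  revoke(userId, sid) {
    const live = this.byUser.get(userId) || [];
    const kept = sid === undefined ? [] : live.filter((s) => s !== sid);
    this.byUser.set(userId, kept);
    return live.length - kept.length; // number of sessions ended
  }
}

// The walkthrough above, with a constructed user id.
function walkthrough() {
  const reg = new SessionRegistry(1);
  const laptop = reg.login('userA'); // Safari on the laptop
  const matchedBefore = reg.isCurrent('userA', laptop); // ids match
  const phone = reg.login('userA'); // Chrome on the phone overwrites the id
  return {
    matchedBefore,
    laptopAfter: reg.isCurrent('userA', laptop), // mismatch: redirect to login
    phoneAfter: reg.isCurrent('userA', phone),
  };
}
```

The check in `isCurrent` has to run on every authenticated request, so the lookup should be keyed by user id and indexed.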

Express.js + Passport.js : How to restrict multiple login by the same user?

Passport by default allows the same user to login from multiple browsers and have unique sessions created. How can I configure it to destroy the first session when the user tries to create a second session?
Currently I'm using the 'Sessions' model to add the username to the record and upon subsequent login check by username if the session exists. But this increases traffic to the db. I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified. I'd be thankful for ideas around how to tweak express for this purpose or any other workaround/suggestion.
Much thanks!
I saw that at least 4 users upvoted this question, so I decided to create a Passport strategy for that. The new strategy is called passport-one-session-per-user. It's an open source strategy you can access here: https://github.com/AminaG/passport-one-session-per-user
How to use it? Add it right after session. For example:
// Register the strategy right after passport.session()
app.use(passport.session())
var passportOneSessionPerUser = require('passport-one-session-per-user')
passport.use(new passportOneSessionPerUser())
app.use(passport.authenticate('passport-one-session-per-user'))
No need for settings or configuration.
How does it work?
The strategy creates an array that contains serialized user objects and sessionID.
Every time a user logs in, the strategy checks whether the user is already logged in. If so, it flags the other session. The next time the user in the other session makes a request, the strategy sees the flag and logs the user out.
I'm thinking express must be doing it already or made to, keep the 'logged in users' information in memory so that the process can be simplified.
I believe the session model logs the user in, and saves only that logged-in-ness in the session cookie. The server itself has no clue about who is logged in, but just checks this state in the (signed) session cookie provided by the browser.
You can write your own Passport.js strategy to handle it differently.

How can I check that a user is logged in to a store from another store

There are two stores in my "Magento" website with two different domain names.
I have shared the domain in the customers configuration so if a user signs up for the first store, he can also sign in the second store with the same credentials.
Now what I want is if customer is logged in first store, that user automatically is logged in second store.
How can I do this? I thought about cookies but I am not able to set a cookie for a different domain.
Any idea or suggestions?
I am not a "Magento" guy, but I can suggest something for your scenario. If your user/login table is shared between your stores, then you can have a logged-in flag, so if the user logs in to store1, set this flag. Now if the user navigates to store2, you need to check this flag, and based on the flag status you can create a user session on store2.

Update current session

I have a CakePHP app where users have pages tied to their accounts. For example, the page ID 123 is tied to user 321.
Whenever the user logs in, all the pages tied to his account are saved in the session.
Admins are the only ones who can tie a page to a user. And here is the problem. If an admin adds a new page to a user and if this user is logged in, he won't see this new page tied to his account unless he logs out/in. In other words, while his current session is valid.
What would be the best way to deal with this? If there is any way...
Find the user session and... update? delete? Is this even possible and/or "elegant"?
Send a message to this user warning about the new page and tell him to logout/login?
Stop saving this info in the session and rely on database only?
You really should stop saving this info in session.

Kill a session from another session with .NET MVC3

I use the .NET MVC3 framework with Razor and my question is simple: how do I kill a session from another session?
I would like to make an admin view with the list of users and each user's session ID, and from this view I would add a button or a link which allows me to kill the session of a specific user.
Is it possible?
Thanks for your response
You could keep a list of logged in users somewhere on the server. Once a user logs in you could add it to your logged in users list. Then you could write a custom Authorize attribute which upon successful authorization will verify if the user is in the list of logged in users and only then allow access. And when under administrator account you could have some action which removes users from this global users list.
