I'm looking for a way to limit all routes within a group to one user at a time. In practice, this translates to an admin control panel that only one admin can use at a time. Any number can be logged into the web app at any given point, but if one enters the control panel, it should lock the others out until he returns to the regular client website.
I'm running Laravel 5.2.9.
If you ask and force all users to log out after leaving the admin panel,
then it is easy:
After login, add a flag in the database.
Then add a middleware to the Route::group; when the flag exists, don't allow others in.
After logout, remove the flag.
Since you want to let all users log in to the system, limiting the session timeout is not the solution.
You can do the following:
Store the last user and the access timestamp in the Laravel Cache or DB each time a user visits an admin page.
Before allowing a user to enter an admin page, check the stored user and its last access time in the Cache/DB. If no data was stored (first access), or it has expired (max idle time after the user's last access), or it is the same user, then let him in.
This way, if the current admin stays idle and someone else takes the page, the current admin will be redirected to the normal area on his next action.
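The lock described in this answer, as an added example (not code from the answer or from Laravel itself): a Laravel 5.2 middleware storing the last admin and his last access time in the cache. The class name, cache key and timeouts are assumptions.

```php
<?php
// Added example (not code from the original answer): a Laravel 5.2 middleware
// implementing the "last admin + last access timestamp" lock described above.
// Assumptions: the class name, cache key and timeouts are hypothetical; the
// admin route group is wrapped in this middleware; Auth identifies the user;
// the cache store (file/redis/memcached) is shared by all web workers.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;

class SingleAdminLock
{
    const CACHE_KEY  = 'admin_panel_lock'; // where the current holder is stored
    const IDLE_LIMIT = 300;                // seconds without a request before the lock is free
    const CACHE_TTL  = 10;                 // minutes; Laravel 5.2's Cache::put() takes minutes

    public function handle(Request $request, Closure $next)
    {
        $userId = Auth::id();
        $now    = time();
        // Either null (no admin inside yet) or ['user_id' => int, 'last_access' => int].
        $lock = Cache::get(self::CACHE_KEY);

        $free     = $lock === null;
        $expired  = !$free && ($now - $lock['last_access']) > self::IDLE_LIMIT;
        $sameUser = !$free && $lock['user_id'] === $userId;

        if (!($free || $expired || $sameUser)) {
            // Another admin holds the panel and was active within IDLE_LIMIT:
            // send this user back to the regular client site.
            return redirect('/')->with('status', 'The admin panel is currently in use by another admin.');
        }

        // Take over (or refresh) the lock on every admin request; an admin who
        // goes idle loses it, and is redirected above on his next admin request.
        Cache::put(self::CACHE_KEY, ['user_id' => $userId, 'last_access' => $now], self::CACHE_TTL);

        return $next($request);
    }
}
```

Register the class in $routeMiddleware in app/Http/Kernel.php and apply it to the admin Route::group. The get/put pair is not atomic, so two admins arriving in the same instant could both pass; Cache::add(), which only writes when the key is absent, closes that window if strict exclusion matters.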
I'm developing a website with a member area and user levels. Admin members can access an area where they can view, add and change some sensitive data.
To add a protection layer on this group of pages, I'd like to ask users for their login and password before accessing the home page of the restricted area, even if they are already logged in.
How can I do that? In the Symfony docs, I haven't found anything about a second authentication of the users.
What you're looking for here is IS_AUTHENTICATED_REMEMBERED vs IS_AUTHENTICATED_FULLY. If you have remember-me functionality, you can set the session to expire after 30 minutes to an hour (or whatever time interval you think is OK). When the session times out, in admin areas, if you check for IS_AUTHENTICATED_FULLY they'll be asked to log in; if they visit any place with a lower bar (e.g. IS_AUTHENTICATED_REMEMBERED) they'll still appear logged in. This is basically what Amazon does when you try to access your user settings page. Sure, you're logged in and can add stuff to your cart, but once you try to access your sensitive data, you must re-login.
I would avoid a second authentication... It is better to work with restriction layers (user roles)... the FOSUserBundle already provides all the needed functionality.
I have a login system on my site, and users have to pay to use my site. As they have to pay, I am afraid that one user may share his username and password with other users. So I have to set up my login system in such a way that no user can use more than one browser at a time. But they can change the browser from time to time (not at the same time, but at different periods of the day). How can I implement that in PHP? Any idea?
You could generate a token/hash from their session ID whenever they log in. Add this token as a cookie value and then store it in the database. If the user is logged in and their cookie value doesn't match the value stored in the database, then they've probably logged in somewhere else.
Use a helper JavaScript preloader to collect non-personal browser information and generate a hash from login time/account/IP/browser info.
Check on the server side that no more than one hash is active per user account at a time, and force logout on the former ones if that happens. Use another client-side JavaScript to periodically ping the server and check hash uniqueness, and seamlessly re-login legitimate users for the "dynamic IP" use case.
Thus if a user shares his account with another user, they will keep constantly "kicking" each other out of the site until annoyed enough to pay for a second account.
Detect his IP and, on every change, make him add the computer (like Steam does) and set a flag with the last access date. On each action he makes, update the field (like an online system); if there is no activity in 10 minutes from other 'computers', he is accessing from only one. You can't prevent this because people can be ignorant; even if you make them enter sensitive data to make them more sceptical about giving away their credentials, it is futile...
The only way which comes to my mind is that you can keep a flag (a table column) in the database once the user has logged in. So if he tries to log in again, you check if the flag is set. If it is set, then you can give an error. And remember to reset that flag once the user logs out.
Try checking the IP, or use two-factor authentication
(for example, require the user to click a link in his e-mail to log in).
I need to know if a user is logged in on my website. For this purpose, I have only his session ID.
I got this ID using: session->getId();
Is it possible?
Thanks in advance.
Add a custom field to the session when the user logs in and then just check that field.
Given that the web is essentially stateless, it is hard to know for sure if a particular user is logged onto a website.
One way to accomplish your goal is to keep a running log of all the users logged in, and the last visit time. Then you could query that log, and if the user's last visit time was less than 5 minutes ago, you could say the user is logged onto your site. This will only tell you if the user is logged into your site, not if your site is the active tab in their browser.
Another way to get more "real-time" information as to the active users of your site is to use something like SignalR, which will allow you to push to the browser. I've used SignalR in the past to send out system status messages to the browser and have it automatically update the page. The great thing about SignalR is it maintains an in-memory list of all the clients connected.
I am developing a system in php which has different types of users like admin, A, B, C.
I need to allow only one user of each type to log in at a time. That means:
1) If an admin user is already logged in, no other admin user can log in.
2) And the logged-in credentials cannot be used on another PC at the same time (just like the Yahoo Messenger login system).
I have tried to store the session with login/logout times in a database table when someone logs in and logs out.
But it creates a problem when someone closes the browser without logging out: the logout entry time is missing.
You can always set the session expiration time extremely short (say 60 seconds) and use an Ajax postback on each page timed at, say, 25 seconds to keep the session alive. This is how Facebook knows if you are "online" for their Facebook IM.
1) If an admin user is already logged in, no other admin user can log in.
If you want to stop multiple logins from the same system, then set a session flag like $_SESSION['loggedin'] = true; when a successful login occurs; then, before each login attempt, check this flag and only proceed with the login process when the flag is false.
If you want to stop multiple logins from multiple systems, then create a temporary table in your database to hold the status of your logged-in users, and before any login attempt occurs check this table to find any logged-in user; only if you don't find any user should you proceed, or else prompt the user.
2) And the logged-in credentials cannot be used on another PC at the same time (just like the Yahoo Messenger login system).
Create a temporary table in your database which will hold the status of all your logged-in users. Then, when a user who is already logged in attempts to log in from another place, check the status of that user ID in your temporary table; if he is already found logged in, then either prompt him, deny him, or log him off from the other computer before logging him in again.
I am developing the user management portion of a website that will host a webcast. The goal is to prevent the same user name (email address) from being used concurrently. That is, we don't want two individuals using one login to view the event.
I've already set up a table that holds the user registration data with regID as primary key. My thought is to create a login history table with username as primary key, foreign key to user name in the registration table. The login history table would simply timestamp when the user logs into the site. However, this won't accomplish my goal of preventing more than one individual from using the same login name.
Instead, would it be better to have a login status field, either in the login history or user table, that is set to 1 for logged in and 0 for logged out? It would need a stored procedure to update the value at login and at logout, and would need to be validated when a user logs in such that if login status = 1, the user is already logged in and cannot log in a second time. Is this a feasible approach?
Please share other methods you've used to prevent the same login credential from being shared amongst multiple individuals.
Thanks,
Sid
If it is OK to log out an already-logged-in user if someone else logs in with the same credentials, then you could do the following: when a user logs in, generate a random ID in your database for that user and the same in a cookie session. The two must match to authenticate.
Without rolling your own session handler, you could do a little parallel tracking. When a user logs in, you can store the user's session ID and login time in the database (maybe inside the user information table). The login script could then check for the existence of this session ID and allow/deny login based on its presence. If the ID is null/blank, then the user logs in. If there's a session ID present, and it's more than X minutes old, allow the login. Otherwise deny them.
Of course, you'd probably want to roll your own session cleanup handler at that point, so that when stale session files get deleted, you can remove the associated IDs from the database at the same time.
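The single-live-session pattern from the two answers above (random ID matched against the DB; session ID plus login time with a staleness check) and from the cookie-token answer to the earlier paid-site question, as an added example that is not code from any of the posters. Plain PHP 7.1+ with PDO; the table, the idle limit and the in-memory SQLite database are constructed for this example.

```php
<?php
// Added example (not code from any answer above): one live session per account in
// plain PHP 7.1+ with PDO. A random token is issued at login, only its SHA-256 hash
// is stored server-side, and each request must present the matching raw token from
// its cookie. Table/column names, idle limit and in-memory SQLite are constructed.

const IDLE_LIMIT_SECONDS = 300; // a session silent for this long may be taken over
// Called after the password check succeeds. Returns the raw token to put in the
// cookie, or null when another session is still active and takeover is refused.
function startSession(PDO $db, int $userId, bool $kickExisting, int $now): ?string
{
    $stmt = $db->prepare('SELECT last_seen FROM active_sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && ($now - (int) $row['last_seen']) < IDLE_LIMIT_SECONDS && !$kickExisting) {
        return null; // recent activity elsewhere: refuse the second login
    }
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT OR REPLACE INTO active_sessions (user_id, session_token, last_seen) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $now]);
    return $token; // any older token no longer matches, so the other browser is logged out
}

// Called on every authenticated request; false means "expired or logged in elsewhere".
function validateSession(PDO $db, int $userId, string $cookieToken, int $now): bool
{
    $stmt = $db->prepare('SELECT session_token, last_seen FROM active_sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || ($now - (int) $row['last_seen']) >= IDLE_LIMIT_SECONDS) {
        return false;
    }
    if (!hash_equals($row['session_token'], hash('sha256', $cookieToken))) {
        return false; // a newer login rotated the token
    }
    $db->prepare('UPDATE active_sessions SET last_seen = ? WHERE user_id = ?')->execute([$now, $userId]);
    return true;
}

// Walk-through with constructed data: two browsers, one paid account (id 42).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE active_sessions (user_id INTEGER PRIMARY KEY, session_token TEXT, last_seen INTEGER)');
$t0 = 1000;
$tokenA = startSession($db, 42, false, $t0);                    // browser A logs in
assert(validateSession($db, 42, $tokenA, $t0 + 10));            // A's next request is accepted
assert(startSession($db, 42, false, $t0 + 20) === null);        // browser B refused while A is active
$tokenB = startSession($db, 42, true, $t0 + 30);                // takeover allowed: B kicks A
assert(validateSession($db, 42, $tokenB, $t0 + 40));
assert(!validateSession($db, 42, $tokenA, $t0 + 40));           // A is now sent to the login page
```

A browser that closes without logging out simply stops updating last_seen, so the row goes stale on its own and the missing logout entry from the earlier question no longer matters.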
The problem here is detecting the user is logged in (i.e. whether he didn't logout).
One possible way is to register in the database the time of his last activity and the time of his explicit logout. You could then deny a login if it was attempted less than, say, 5 minutes after his latest activity and if he didn't log in in between.
You could force "activity" by having the website pages periodically poll the server with JavaScript.
It's easy to determine when someone logs in. It's much harder to determine when someone logs out. If you have a mechanism of killing the webcast streaming to a particular user quickly, you might want to have something which pops up asking the user if they want to kill their other session if you think there might be one active.
How are you doing user sessions on the server? If you store them in the db, you could query the active sessions anytime someone attempts to log in and see if they're already in there. Of course you'd probably also have to check some kind of timestamp since you're not guaranteed that sessions will disappear at session.gc_maxlifetime.
You might want to consider making a global variable in php to store a hash array with login status. This has the benefit that if the application has to be restarted for some reason, the user isn't stuck in the wrong state in the database.
You can store a mapping from user ID to IP or session cookie and redirect requests that come with different information to the login page. If the user logs in, the other session would be invalidated, and further requests in the old session are forwarded to the login page.