I'm working on a Symfony 1.4 project and I would like to do:
a log in the backend of the items added by the moderator and
the time of login and logout of moderators.
I use "sfDoctrineGuardLoginHistoryPlugin" for the history of login and logout .
This plugin uses a listener on the session state change and checkout the database login or logout status But the problem when the moderator leaves the page open a long time and does not touch anything or when he closes the browser so there is no action recorded in the database
is there any solution in (php or Node Js or Ajax ...) to know when the user's session went off ?
There's nothing in Symfony 1.4 for this that I'm aware of.
One potential workaround could be to ensure you're updating some kind of last_active timestamp whilst a moderator is using the website in addition to the login and logout times. The updating could be done using a filter, for example.
This would then allow you check if the user has logged out OR was last active > 30 minutes ago, basically emulating a scenario where the user has just closed the browser window or allowed the authenticated session to expire without logging out.
Related
I'm working on a community networking site where users session never expires (unless log out button is pressed). Along with that I've wordpress cms integrated for blogging hosted in sub domain.. I use js to trigger login and logout on wordpress site.. Means when users login to main (non- wordpress) site, they are also automatically logged in to wordpress site.. Here now the problem is, after certain period of time or when browser is closed, the wordpress site automatically logged out from the system-leaving only main website in session, and that will need users to logged out from main website and again re-login just to trigger back the wordpress login...
I'd just want wordpress to never automatically (even if the windows is closed) logout unless logout button is pressed.. I used the following function which doesn't seems to work..
function change_wp_cookie_logout( $expirein )
{ return 1555200; // 6 months in seconds
}
add_filter( 'auth_cookie_expiration', 'change_wp_cookie_logout' );
I've tried with different similar tactics but doesn't get it working..
Thanks in advance
I'd recommend you to check about cookies, in my humble opinion that would be the best approach to persists the user data for a long term. You could use the cookies to restore their data in a new session using some key information. Basically, whenever they close the browser the session will expire (disconnected by the server), but if you have cookies on their end, you could check in server side when a new session is requrested if does it exist a cookie and based on the info you had store there, you can restore the info necessary on their web session.
You can read more about on oficial page:
https://en.support.wordpress.com/cookies/
I've seen this post: What's a good strategy for renewing the expiration of a forms auth ticket between .net and php?
That post suggests renewing the cookie on every PHP page the user accesses. What if I am designing a one-page application, which of the following works or what better methods are there to renew the session and cookie to let the user stay logged in?
Scenario:
A user is on a page writing a long post, which would cost him >30mins. The cookie remains 30mins until expire.
Suppose even if the cookie got renewed, the user left the public PC that he was using and forgot to logout. After a lengthy time of inactivity, the application should be able to log itself out.
Do I...
Ajax POST to renew the cookie and session upon every click and key press? (sounds like a ridiculous work load)
Display a popup before cookie expires that let user renew cookie on button press. (sounds annoying)
Questions to sum up:
What methods are there to renew the session and cookie to let the user stay logged in in a one-page application?
Also, how does StackOverflow and other platforms manage to let user stay logged in so seamlessly, what techniques might they be using?
Use a recurring (once a minute for example) ajax-call to a simple backend-script, that re-sets the session-cookie and updates the session-file ... super simple.
Using Symfony2 and FOSUserBundle, I am not getting the expected behavior on the following implementation.
To begin, know that Continue where I left off option in Chrome restores completely the user session independently of having checked some "Remember me" or something like that. Therefor,it saves a cookie with all the information of the session.
What I am trying to do is to avoid the creation of a session from the cookie stored through that Continue where I left off option on Chrome.
Or, if I cannot avoid the creation of the session, at least try to know that the session comes from that completely transparent way.
I have found this in Symfony2 documentation (specifically here):
In some cases, however, you may want to force the user to actually re-authenticate before accessing certain resources. For example, you might allow "remember me" users to see basic account information, but then require them to actually re-authenticate before modifying that information.
The security component provides an easy way to do this. In addition to roles explicitly assigned to them, users are automatically given one of the following roles depending on how they are authenticated:
IS_AUTHENTICATED_ANONYMOUSLY - automatically assigned to a user who is in a firewall protected part of the site but who has not actually logged in. This is only possible if anonymous access has been allowed.
IS_AUTHENTICATED_REMEMBERED - automatically assigned to a user who was authenticated via a remember me cookie.
IS_AUTHENTICATED_FULLY - automatically assigned to a user that has provided their login details during the current session.
So, if I don't get it wrong, a user that transparently logs in as a result of the Copntinue where I left off option, should have the IS_AUTHENTICATED_REMEMBERED.
Well, the reality is that it is not thus. The reality is that the granting is IS_AUTHENTICATED_FULLY.
Has anyone passed through this?
Any idea on all this?
Thanks
Sessions are handled server side. Depending on your server's configuration for sessions lifetime, you can close your browser and re-open it without losing the session. This has nothing to do with the Continue where I left off option of Google Chrome.
The granting is IS_AUTHENTICATED_FULLY because the session is still active on the server and not because of the Google Chrome option.
Simple example use case. Let's say we set a 5 minutes session lifetime.
Without the remember me option :
I log in : a session is created on the server.
I close the browser.
I come back 10 minutes later : session has expired therefore I have to provide my credentials.
With the remember option :
I log in : a session is created on the server AND a cookie is created on my browser saying hey I'm connected.
I close the browser.
I come back 10 minutes later : session has expired BUT as the result of the cookie saying hey I'm connected, a new session will be automatically created. Therefore I will not have to provide my credentials again.
In both case if you come back within the first 5 minutes you will be automatically logged in because the server still handle a session for your browser.
I've been asked to build a project management application that could only host one user at a time. I managed to do that by simply creating a status row in my user table which is set to 1 when somebody is logged in.
Now, status = 1, nobody else can log in, they get an error message instead saying that another user is already using the application. When the online user logs out, I update the status row in the database and set it to 0 in order to allow other users to log in freely.
Everything is working just fine except, as you can see, it relies on the logout button and many users forget to logout that way, they just close the tab or the browser leaving status as 1 and then blocking the whole system.
I tried a few methods to update the database on page close with session timeout or via onunload but I couldn't reach a clean and reliable way of doing so.
How could I develop such a system combining single-user mode and auto/smart logout at the same time?
Thanks for your help.
The only way you can achieve this is by checking whether the logged in user has been active in the last X minutes. Check this when the new user tries to log in. When the previous user has been inactive for that period, unset the status in the database and let the new user in. You should then also invalidate the session of the previous user, in case he comes back.
Don't try to detect session endings.
You could reduce the user's Session timeout. I think you can accomplish that both from Php and the Webserver (Apache, IIS, ..), should really look at the man pages. That done, you could realize a polling system which periodically ping the user to verify his/her presence. For example, you could make a client-side Ajax script which pings the site at fixed intervals, so that would prolong the user's active Session. If the user doesn't ping the site anymore, after the time-window has expired, then set his/her status = 0.
That is just an idea. Try searching more about on Google.
A variant: you could set a cookie from the server-side language, and associate the session with that cookie. So, give it a short expire time. Then make a client script which periodically send a hidden request to the server. When the server receives the request, it re-write the cookie again, so the new time will start again from the beginning.
I would like to store the login, logout and duration time in database.
The login time is created when the user is authenticated(successfully logged in)
The logout time is created when the user clicks the logout button
The duration is logout - login time. (logout minus login)
But the problem is, what if the user didnt click the logout button. Here are the situations:
Internet loss
Close the browser/tab. (I need this must use javascript, but i donnu how to do it, any idea?)
EDIT:
I forgot to add something to the question, the program is a full flash program, there is no navigation to other page. Only 1 page
It's important to remember that all session/log-in functions in PHP are usually cookie based. So, changing the lifetime of the session cookie should solve your problem:
http://us3.php.net/manual/en/function.session-set-cookie-params.php
Also, you can set the PHP sessions so they only use cookies:
http://us2.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies
Again, you can catch the browser window / tab close but ... why? For instance I may have your site open in multiple tabs. If I close one of those tabs should I automatically be logged out of your website? That's a very bad design. Instead, set the session lifetime so it expires if the browser is closed and not just a tab. (Note also that window.unload will logout when any window on your site that closes - including a pop-up or an iframe. Do you really want that?)
http://us2.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
If you want to store session state in a database try any one of these guides. Or, roll your own with session_set_save_handler
You can't rely on receiving an event for the user logging out, if they simply close their browser, or disappear from the internet.
In this case you'll have to have a session timeout of some kind, and record the logout when your app realises their session is too old.
If this is a real requirement, then I'd say you need a "cron" job monitoring the sessions for timeout. When a session has timed out, if the were logged on, it then records a "logout" event for that user.
Note that you can't use (for example) ASPNET's Session_End event, because that won't be reliably called either (for example if the server process restarts).
Another option is to add the logout time next time that user logs on - when they log on, you check for old sessions and assume that any which weren't closed lasted for a fixed amount of time since the last page hit.
That's really all you can do.
Regarding the closing of browser/tab, you can bind the unload event (window.onunload, jQuery's $(window).unload(fn), or any other) to notify your server. A more general purpose solution would be to periodically ping your server (say, every 5 min), but it might be annoying to the user, so do so judiciously.