I'm building a quick application for some data-vis, I need to let users log in from my local machine and then log out, allowing the next user to log in. However, every time I log in and then out of the application, when I try to log in again the application remembers that I logged in as the previous profile and auto logs in the last user. Is there a way to keep this from happening?
I am using the PHP SDK and calling $facebook->destroySession(); in my logout.
Related
I run an application that requires the user to log in to get access; this application has multiple levels of authentication, and it is a PWA too.
The problem is that when the user adds the app to the home screen it always opens on the login screen, but since the device can be offline, the user will not be able to log in.
How can I keep it logged in? That is, whether the user is offline or online, go directly to their dashboard.
I read some answers about sessions and cookies; is that really the best way?
No React, Angular or Vue was used.
It took me a while to post the answer here, but here it is.
Actually it was quite simple: I just put in manifest.json the URL to open already logged in, and that solved my problem. Of course it will only load if the user has ever accessed this URL, according to my cache rules in the service worker. I suggest you try the same; if it doesn't work you can contact me and I can help.
I have a PHP application that checks the user's access (user/pass) and, if access is granted, serves them the file for download by sending nginx's X-Accel-Redirect header to the user.
The problem shows up when a user shares his login information (user/pass) with other people, so everyone who has the login information can access the files and download them. I will describe my problem with an example.
For example, suppose we have two people who share their login access, so they both use the same user/pass to log in. Let's call them "User_1" and "User_2".
User_1 logs in and starts to download the file. At the same time, User_2 tries to log in too. Here, my PHP application notices the second login attempt.
I have their (IP address, user-agent, session_id) and I can also find out which file is already being downloaded by User_1.
When User_2 tries to log in, I delete User_1's session in PHP/MySQL, and if User_1 wants to download again, he has to log in again. I can even simply suspend this account (user/pass), so no one can use it again!
But the problem is that the X-Accel-Redirect was already sent to User_1 for his previous login, and the download keeps going even if I delete the PHP session and force User_1 to log out!
So, I need a way to terminate User_1's live download connection, in order to make it impossible to have more than one download from the same user/pass at the same time.
I'm using Laravel 5.1.34 with sessions stored using the file driver and I'm experiencing some weird behaviours on my production server:
Quite randomly the logged-in user's session expires and the user gets kicked out, even after only a few seconds of activity.
It happens for instance with the admin user.
Could it be that using the same credentials from different browsers might invalidate the session for the latest user who logs in?
I've tried to find something about it on the internet but with no luck.
I have users that will use tablets to connect to my web application built with Symfony2. The remember-me feature is great as it will not force them to log in every time.
My concern is that if one of the devices is stolen, the user session will remain active on that device because of the remember-me cookie.
Is there a way for an admin user to log in and manually delete the user session that has the remember-me cookie?
For my application I need to know if a Facebook Connect session is valid from the server side.
The JavaScript API lets you know if you are connected to Facebook or not, but it seems that this can't be done from the PHP client library.
The scenario where I need it is similar to the following:
1. Log in to The Run Around using Facebook Connect.
2. Open Facebook in another tab.
3. Log out from the Facebook tab (not The Run Around).
4. Go back to The Run Around tab.
5. Enter a new entry, but deactivate the "Publish this run to Facebook" checkbox.
After submitting the form, your run will get published even though you logged out before! After that call, the site will log you out because the JavaScript API will try to validate your status.
In the 5th step, the application should check with Facebook if the session has expired or not (or use a workaround). The Connect implementation of The Run Around is flawed and shouldn't be used as an example because of this security issue.
While I understand your analysis of the situation, this is actually the correct behaviour.
The Run Around is a Facebook Connect site, which means that it is completely separate from Facebook, as it should be. When you use FB Connect to link your FB account to the Run Around site, it establishes a local session and account for you in the Run Around database. This is technically what you are logged in to The Run Around with. Once this happens, your Facebook session is entirely irrelevant unless The Run Around wants to retrieve information about you from Facebook.
There are options to provide a FB Connect site with closer linkage to Facebook if you want to. See Detecting Connect Status and the FB.init() parameters for more on this. The Run Around has utilized this to force a logout of the local session once it detects that you are no longer logged in to Facebook. However, this only occurs once a page change or action happens and the JavaScript runs to verify your FB session status.
The overall effect of how this all works is that Facebook Connect sites retain the ability to manage users locally, and only utilize Facebook features when needed and/or possible.
A friend told me the way to know if a session is valid or not:
http://wiki.developers.facebook.com/index.php/Users.getLoggedInUser
This method uses the session key as a parameter and returns the user id. If the session has expired, an error code is returned.
NOTE:
I won't use this in my application; as Zombat said, my app should keep its own session. I'll do what Digg does: be consistent with the log-in and log-out procedure by not automatically logging in and out when someone logs in or out on Facebook.
The Run Around tries to do everything automatically, but that is problematic, especially because the app doesn't check the session from the server side.