CakePHP 3 update of database by external program - cakephp

My question relates to CakePHP 3.x and the problem of blocking selected pages and blocking all user sessions while the database is updated. The database of the website is in my case updated by an external program (I have influence on its code). The update takes a long time, approximately 40 minutes, and I do not have any good idea how I should solve the following issues:
a) How should I automatically block some selected pages while the update takes place? More specifically, only while the update of the database is conducted no-one should be able to enter some pages eg.:
www.mypage/information/updateinfo
www.mypage/information/updatestatus
The user could be automatically redirected to the "update information page" or be informed otherwise.
b) How from the external program can I "throw away" all logged users and destroy all other sessions in the website? During the update no-one can be logged and no-one can have the ongoing session because the data in the database is being changed.

Pretty simple:
Put the user session in the DB
Have a table or lock file both apps have access to
When updating first delete all entries in the session DB table from your updating app
Then set the lock file / DB config lock entry
Check for the lock, redirect as needed
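
The steps in the answer above, as an added example that is not part of the original answer: plain PHP with PDO and an in-memory SQLite database stands in for both the updater and the website. The `app_lock` table, the `/maintenance` and `/users/login` paths and the sample session rows are assumptions; the lock is set and the sessions are deleted in one transaction so that no session can be created between the two steps.

```php
<?php
// Added example: app_lock, /maintenance, /users/login and the rows are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT, expires INTEGER)');
$db->exec('CREATE TABLE app_lock (name TEXT PRIMARY KEY, locked INTEGER NOT NULL)');
$db->exec("INSERT INTO app_lock (name, locked) VALUES ('db_update', 0)");
$db->exec("INSERT INTO sessions VALUES ('constructed-sid-1', 'user=1', 0), ('constructed-sid-2', 'user=2', 0)");

// Updater side: set the lock and drop every session in one transaction.
function beginUpdate(PDO $db): int
{
    $db->beginTransaction();
    try {
        $db->exec("UPDATE app_lock SET locked = 1 WHERE name = 'db_update'");
        $removed = (int) $db->exec('DELETE FROM sessions');
        $db->commit();
        return $removed;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Updater side: release the lock once the update has finished.
function endUpdate(PDO $db): void
{
    $db->exec("UPDATE app_lock SET locked = 0 WHERE name = 'db_update'");
}

// Website side: fail closed, so a missing lock row counts as locked.
function isLocked(PDO $db): bool
{
    $value = $db->query("SELECT locked FROM app_lock WHERE name = 'db_update'")->fetchColumn();
    return $value === false || (int) $value === 1;
}

// Website side, run before routing: redirect target, or null to continue.
function redirectFor(PDO $db, string $url): ?string
{
    $blocked = ['/information/updateinfo', '/information/updatestatus', '/users/login'];
    // Normalise case and trailing slash so variants of a blocked URL are caught.
    $path = '/' . trim(strtolower((string) parse_url($url, PHP_URL_PATH)), '/');
    return isLocked($db) && in_array($path, $blocked, true) ? '/maintenance' : null;
}

var_dump(redirectFor($db, '/information/updateinfo'));
printf("%d sessions removed\n", beginUpdate($db));
var_dump(redirectFor($db, '/Information/UpdateInfo/?x=1'));
endUpdate($db);
```

Blocking the login path while the lock is set keeps the session table empty for the whole update, not only at the moment the rows are deleted.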

Related

Is it possible to save additional data in Sessions Table in CakePHP 3?

I need to do the following tasks in CakePHP 3:
Logout users manually
Limit the number of sessions to one per user
I'm using database sessions to accomplish that. Is it possible to save additional data in sessions table? If yes, could you give me an example please?
The session database model is a cake model like all the other models, which means you can interact with it in the same way, by adding new columns to that table and/or deleting sessions if needed. Use the model object to update or delete entities in that table (I assume you're talking about CakePHP 3.x).
Limiting the number of sessions to one per user can be tricky as sessions are created even if a user is not logged in. So you will have "user-less" sessions in your database as well.
Suggested way to tackle this
When a user logs in, get the current session ID and find the row in the session table that needs to be updated to include the username
At this time you may also want to delete the other rows that have the same user name, effectively destroying all the other sessions for this user.

Differentiate between logged users

I'm trying to get the current logged (in my app) user in every winform of my app, but I don't know how to differentiate between multiple logged users in the app.
I have an ActiveUsers SQL Table with SessionID and UserID to identify a single user.
Also how can I close the session (delete the userid from the ActiveUsers table) if the app is terminated abnormally?
Any help?
Edit: The app is composed of several winforms and is intended to run on multiple PCs at the same time. Users are created in the application and stored in the SC_User table with UserID as PK. The ActiveUsers table has UserID as FK and SessionID as PK. What I want is to get the UserID of the user using the application in any winform and use it to, for example, change the app language preference of that user. For a single user I insert the UserID in ActiveUsers on login and delete it on logoff.
Keeping application-wide data is quite easy. All you have to do is add either a static (shared in vb.net) class or a singleton class to your project and store the application-wide data there. (Extra read: differences between singleton and static)
As for the second question, you don't really have a way to know if the client is closed without proper logout. What you do in these cases is implement a keep-alive mechanism.
A simple implementation would be to add another column to your session table to keep track of the time stamp when the logged in user was last active (usually a timer inside that static/singleton class will be in charge of updating this column every x time), and once the difference between this column and the current datetime is big enough, you can safely assume that the application is closed without proper logout.
You can even run a scheduled job on your sql server to delete the records on the session table where the application is closed without proper logout if you want to.

Implementing session management

I'm implementing session management and am currently storing 4 types of info in the db:
user_id
session_id (hash)
insertion_time (for timeouts)
persistency (if user has a persistent cookie)
It is possible for the user to have multiple sessions open with different devices. If the user logs out, how do I know which of those sessions I should delete?
What unique information is usually stored along with the info I've already got? IP address does not really work as it could be shared. Should I store the browser info, but what if it is the same?
You should only use a single session id/hash to recognise a session.
When a user logs in (e.g. with username/password) you will tell them what their session id/hash is.
When a user is browsing, they will tell you their session id/hash for every page load. That's how you know it's an existing logged in user, and not some random new user.
When a user tries to log out, they will still tell you their session id/hash. You can use that to find and delete the correct single session.
You have to store the Last Access Time and Last Modify Time of the session to calculate the idle time for session timeout.
To identify the user session you have to store the browser Id. The Browser Id and User Id mapping will lead you to figure out which session of the user you have to delete.

Memcache backup or a better way to store user session/activity and dump into DB once?

I need to store user sessions when they log in to my website. The plan is this:
Store user session in memcache when user signs in.
All user activities are tracked, so log all that in memcache only so I don't have to hit the DB every second writing "A shared a photo" "A clicked on a link.."
When the user logs off OR the connection is cut, then write an end time and copy all data to the DB.
Now the problem is that if memcache crashes then all this data gets lost. So what is the workaround?
Do note: I am tracking all user activity including mouse clicks, so I cannot be writing to the DB every second for each user, hence I was suggested to use memcache, but I am open to other ideas also.
What you're describing is pretty much why we wrote membase in the first place.
I've used memcachedb but have moved to redis and it rocks!

Allow one session only at a time

I would like to make my website allow only one session at a time. For example, let's say a user has logged in to my website on Firefox; if the user logs in again in another browser like Opera on the same computer or a different computer, the session on Firefox will be destroyed. However, the session on Firefox remains if it remains as one session. May I know how I can do that? I am using PHP and Apache. Thank you.
Regards.
Benjamin
I'd suggest you do something like this:
Suppose user "A" logs in on "Com_1" for the first time. Save a unique code in the database against that session, and the same in the user session.
In the meantime, if he (user "A") logs in again on "com_2", then check his status in the database and update the unique code in the database.
Back again, if the same user (user "A") refreshes the page on "com_1", all you need to do is check the unique code from the session and match it to the database. It is for sure it will not match, then log it out and destroy the session.
For keeping the user logged in, even if the browser is closed, you can store the cookie in the browser, and re-generate the session accordingly.
Hope this helps. Thank you.
You can use the following algorithm
create an integer field in the database userLoggedInCount
On each login increment that flag and store the result in the session.
On each request check the value in the database and the one in the session, and if the one in the session is less than the one in the DB, invalidate() the session and decrement the value in the database
whenever a session is destroyed decrement the value as well
Credits to Bozho because he posted this, answering to a question here
Keep a central database table or text file of who is logged in at the moment. If a user is already logged in in another session, invalidate that session by setting the "logged in" flag to false.
I think you'd have to do something like that :
add a "last_session_id" column to your user table
when a user logs in, update its last_session_id field with its current session id
on each page, if the user has an authenticated session, check if the session id is equal to the one recorded in your database. If not, destroy this session.
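
The `last_session_id` check described in the answer above, as an added example that is not part of the original answer: plain PHP with PDO and an in-memory SQLite database. The schema, the sample user and the randomly generated token (standing in for `session_id()` after `session_regenerate_id(true)`) are assumptions, and storing a SHA-256 hash of the id instead of the id itself is a choice made for this example.

```php
<?php
// Added example: schema, user row and token generation are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, last_session_id TEXT)');
$db->exec("INSERT INTO users (id, username) VALUES (1, 'constructed-user')");

// On successful login: record this session as the only valid one for the user.
function recordLogin(PDO $db, int $userId): string
{
    $sessionId = bin2hex(random_bytes(32)); // stand-in for session_id()
    // Store a hash so a leaked users table does not expose usable session ids.
    $stmt = $db->prepare('UPDATE users SET last_session_id = :sid WHERE id = :id');
    $stmt->execute([':sid' => hash('sha256', $sessionId), ':id' => $userId]);
    return $sessionId;
}

// On each page: the session is valid only if it is the last one recorded.
function isCurrentSession(PDO $db, int $userId, string $sessionId): bool
{
    $stmt = $db->prepare('SELECT last_session_id FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false; // unknown user, or no session recorded
    }
    return hash_equals($stored, hash('sha256', $sessionId));
}

// On logout: clear the column only if the caller still owns the current session,
// so a displaced session cannot log out the newer one.
function recordLogout(PDO $db, int $userId, string $sessionId): void
{
    if (isCurrentSession($db, $userId, $sessionId)) {
        $db->prepare('UPDATE users SET last_session_id = NULL WHERE id = :id')
           ->execute([':id' => $userId]);
    }
}

$firefox = recordLogin($db, 1);                 // first login
var_dump(isCurrentSession($db, 1, $firefox));
$opera = recordLogin($db, 1);                   // second login replaces the first
var_dump(isCurrentSession($db, 1, $firefox));
var_dump(isCurrentSession($db, 1, $opera));
recordLogout($db, 1, $firefox);                 // stale session tries to log out
var_dump(isCurrentSession($db, 1, $opera));
```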
Store the session id in the database. Retrieve the last login session id from the db, set the session id using session_id(oldid) and change session variables related to authentication like $_SESSION['LOGIN']
and destroy the session and create a new session with a new session id. Follow the example for logic https://www.php.net/manual/en/function.session-create-id.php.
This will make the last login allowed. Validate on each page the session variables related to authentication. This makes the session invalid because of this session_id reset by a new login.
Save users' IP=>SESSION_ID pairs in a database. When a user tries to load your page you must compare the actual IP=>SESSION_ID pair, then allow/deny if the pair is ok/different.
