I am having trouble storing sessions in database with codeigniter.
When a user logs in, a session is created and stored in the database. The data is filled in the database. When a user uses the logout button, the session data is emptied, however, the session still exists in the database.
The problem is when a user doesn't use the logout button but just closes the webbrowser. The session data is not emptied, but the user is still logged out. (i hava set this in my config file) The session should be destroyed in the database but it is not!
When a user logs back in after having clicked the 'logout' button, the session that has been created the first time the user logged in, is filled again with the data. So no problems with this.
But when a user logs back in after having closed the browser, it creates a new session.
This problem ends up in having endless sessions, sessions are being created every time a user closes the browser.
something else that confuses me: when I log in with an account, a session is created. When I then logout with that account and log in with another account, the session is stored in the same record as the other account. When are new records in the session table created?
I am using version 2.1.3 of codeigniter.
What am I doing wrong?
//Session config:
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
You have sess_expire_on_close set to TRUE, so this is expected behavior, and you usually want that in most circumstances. The issue is, a new cookie (hence session) is generated when the browser is closed and opened again. From the CI session class documentation (go to the bottom where it talks about saving sessions in a db):
Note: The Session class has built-in garbage collection which clears out expired sessions so you do not need to write your own routine to do it.
So, it's not something you have to worry about addressing, orphaned sessions will be automatically garbage collected from the DB by the session class. If you want, you can implement code to clean it out via cron, but you really don't need to.
Now, if this presents a problem for specific logged in users (e.g. 'remember me') but you want the session to expire on close for everyone else, you can work around it by manually setting another cookie that far outlasts your session cookie and correlate an item in it within your session DB. This allows you to figure out who the user 'was' and reconstruct the session if it should magically persist for them. There's a bit more about that in this answer to a somewhat related question.
Related
I'm having this problem with my application where it will eventually (unsure of the timeframe, presumably 1 hour) stop updating live with firebase realtime database changes without logging out and back in. The security rules prevent unauthorized users from accessing data. The user will remain logged in and the authentication session persists, so I've been miserably confused as to why it eventually stops updating.
After a painful amount of internet scouring, I've come to find out that the token ID given on login lasts only 1 hour, at which point they are refreshed automatically using the refresh token. (For the record I am logging in with firebase.auth().signInWithEmailAndPassword).
Now, my question - Do I need to resubscribe to my database after the token ID is refreshed? More specifically, do I need to call firebase.database().ref().off() and then subsequently call firebase.database().ref().on() when a token refresh is detected? If not, can you possibly point me in the direction of what might be going wrong?
Edit: It may also be worth noting that if I change my security rules to allow unauthenticated reads, the user is still able to write to the database indefinitely without having to reauthenticate.
Firebase passes the new authentication token to the database automatically. As long as the user remains the same, you don't need to reattach the listeners.
The only moment you might have to reattach is if the user somehow becomes signed out. This may happen when the ID token can't be refreshed, for example because the account has been disabled, or the password has been changed. In that case the existing listeners will be canceled, which will be logged in the client, and the (optional) error callback for on will be invoked. At that point you'll need to reauthenticate and attach new listeners.
Wanted to know if there is any way to find when your session is about to expire while using class Ext.data.Session, as the Ext.data.Session does not provide any event. As per the definition of the class it is used to store session information with the server data being loaded.
What I want do in my application is user login session management. That is when a user logs in it starts a session and when the session is about the expire I prompt to the user that your session is about to expire. Any event performed in the application resets the session timeout time.
I have checked this example on Miami code but as per the logic, the session will be tracked from the time of loging in. But wont be updated whenever there is some event in the application. Hence irrespective of user performing any event the user will be promted that his session is about to expire. This not helping me, as I need to reset the timer if the user performs some activity.
Let me know if I am driving the question in the right direction, else will rephrase accordingly.
Well, Ext.data.Session and User Login Session what you need are two entirely different things.
Ext.data.Session manages data stored in various records such a way that it ensures consistency, uniqueness of the data and saving data to the server.
Thus, Ext.data.Session cannot be used for your purpose.
I'm implementing session management and am currently storing 4 types of info in the db:
user_id
session_id (hash)
insertion_time (for timeouts)
persistency (if user
has a persistent cookie)
It is possible for the user to have multiple sessions open with different devices. If the user logs out, how do I know which of those sessions I should delete?
What unique information is usually stored along with the info I've already got? IP address does not really work as it could be shared. Should I store the browser info, but what if it is the same?
You should only use a single session id/hash to recognise a session.
When a user logs in (e.g. with username/password) you will tell them what their session id/hash is.
When a user is browsing, they will tell you their session id/hash for every page load. That's how you know it's an existing logged in user, and not some random new user.
When a user tries to loggout, they will still tell you their session id/hash. You can use that to find and delete the correct single session.
You have to store Last access time Last Modify Time of the Session to calculate the Idle time for Session Timeout.
To Identify the User Session you have to store the browser Id. Browser Id and User Id mapping will lead you to figure it out which session of the User you have to delete.
I have a mission to limit multi login on site(f.e. login from different computers under same username). My PM want to do this with saving session id. How I can do it? I have idea to save flag to database after login, and unmark it after unlogin.. but if browser suddenly or accidentally closed it cant be unmarked. Help me please
You have to store a UUID, the users ID and a timestamp in your databse:
On login create a UUID for the current session of the user (String::uuid();) and Store the uuid in the users session and also in a cookie.
If the users already has an active session or a cookie, read the UUID from there.
A user is now "valid" if:
The user logs in and no database entry is present. The UUID doesn't matter.
The user logs in and the timestamp is "old" (define your own value... 15 minutes?). The UUID doesn't matter.
The users UUID and the user id matches the database entry and the timestamp is not "old".
A user is now "invalid" if there is a different UUID in the database and its timestamp is not "old".
If the user logs out by hand, remove the database entry. If the users just closes his browser he can either resume his session via his cookie or his session (application session, not the browser one) gets automatically invalidated after the timestamp gets "old".
Drawback: If a user wants to switch the computer / browser fast, he/she must use the logout function or else wait for your defined timeout. However, you could also implement a mechanism which logs out the current active user on a session-collision and closes all active processes or whatever you are doing in your application :).
I would like to make my website to allow only one session at a time. For example, let say user has login to my website on firefox, if the user login again to another browser like opera on the same computer or different computer, the session on firefox will be destroyed. However, the session on firefox remained if it remains as one session. May I know how can I do that? I am using php and apache. Thank you.
Regards.
Benjamin
I'll suggest you to do something like this:
Suppose when user "A" loges in to the "Com_1", for the first time. Save a unique code in the database against that session, and same with the user session.
At the mean time if he (user "A") loges in again on "com_2", then check his status in the database and update the unique code in the database.
again back if same user (user "A") refreshes the page on "com_1", we all you need to do is check the unique code from the session and match it to the database, It is for sure it will not match, then log it out and destroy the session.
For keeping the user loggedin, even if browser is closed, you can store the cookie on the browser, and re-generate the session accoordingly.
Hope this helps. Thank you.
You can use the following algorithm
create an integer field in the databse userLoggedInCount
On each login increment that flag and store the result in the session.
On each request check the value in the database and the one in the session, and if the one in the session is less than the one in the DB, invalidate() the session and decrement the value in the database
whenever a session is destroyed decrement the value as well
Credits to Bozho because he posted this, answering to a question
here
Keep a central database table or text file of who is logged in at the moment. If a user is already logged in in another session, invalidate that session by setting the "logged in" flag to false.
I think you'd have to do something like that :
add a "last_session_id" column to your user table
when a user logs in, update its last_session_id field with its current session id
on each page, if the user has an authenticated session, check if the session id is equal to the one recorded in your database. If not, destroy this session.
Store session id in the database. retrieve last login session id from db, set session id using session_id(oldid) and change session variables related to authentication like $_SESSION['LOGIN']
and destroy the session and create new session with new session id. follow example for logic https://www.php.net/manual/en/function.session-create-id.php.
this will make the last login allowed. validate on each page session variables related authentication. this makes it session invalid because of this session_id reset by a new login.
Save users' IP=>SESSION_ID pairs in a database. When user try to load your page you must compare the actual IP=>SESSION_ID pair then allow/deny if the pair is ok/different.