Implementing session management - c

I'm implementing session management and am currently storing 4 types of info in the db:
user_id
session_id (hash)
insertion_time (for timeouts)
persistency (if user has a persistent cookie)
It is possible for the user to have multiple sessions open with different devices. If the user logs out, how do I know which of those sessions I should delete?
What unique information is usually stored along with the info I've already got? IP address does not really work as it could be shared. Should I store the browser info? But what if it is the same?

You should only use a single session id/hash to recognise a session.
When a user logs in (e.g. with username/password) you will tell them what their session id/hash is.
When a user is browsing, they will tell you their session id/hash for every page load. That's how you know it's an existing logged-in user, and not some random new user.
When a user tries to log out, they will still tell you their session id/hash. You can use that to find and delete the correct single session.

You have to store the last access time / last modify time of the session to calculate the idle time for the session timeout.
To identify the user session you have to store the browser ID. The browser ID and user ID mapping will let you figure out which session of the user you have to delete.
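The two answers above fit together: every login gets its own random session id (so several devices can be logged in at once), the client presents that id on every request, logout deletes exactly the session whose id was presented, and a last-access timestamp drives the idle timeout. The following is an added example, not code from the question or either answer; the in-memory `SessionStore` stands in for the database table the question describes, and the column names are hypothetical.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class SessionRow:
    """One row of the constructed session table (hypothetical schema)."""
    user_id: int
    session_hash: str   # sha256 of the token handed to the client, never the token itself
    created_at: float   # insertion time, used for the absolute lifetime
    last_seen: float    # last access time, used for the idle timeout
    persistent: bool    # whether the client got a persistent cookie


class SessionStore:
    """In-memory stand-in for the session table; one row per login, not per user."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=12 * 3600):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.rows = {}  # session_hash -> SessionRow

    @staticmethod
    def _hash(token):
        # Store only a hash: a leaked table then does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id, persistent=False, now=None):
        """Create a new session and return the random token for the client cookie.
        Each device/login gets its own token, so several may exist per user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        self.rows[h] = SessionRow(user_id, h, now, now, persistent)
        return token

    def resolve(self, token, now=None):
        """Return the user_id for a presented token, or None if unknown or expired.
        A successful lookup refreshes last_seen, so activity resets the idle timer."""
        now = time.time() if now is None else now
        row = self.rows.get(self._hash(token))
        if row is None:
            return None
        if now - row.last_seen > self.idle_timeout or now - row.created_at > self.absolute_timeout:
            del self.rows[row.session_hash]   # expired: drop it and treat as logged out
            return None
        row.last_seen = now
        return row.user_id

    def logout(self, token):
        """Delete only the session whose token the client presented; other devices stay logged in."""
        return self.rows.pop(self._hash(token), None) is not None

    def logout_everywhere(self, user_id):
        """Drop every session of a user, e.g. after a password change. Returns how many were removed."""
        doomed = [h for h, r in self.rows.items() if r.user_id == user_id]
        for h in doomed:
            del self.rows[h]
        return len(doomed)

    def active_sessions(self, user_id):
        return sum(1 for r in self.rows.values() if r.user_id == user_id)
```

No browser fingerprint or IP address is needed to pick the right row: the token itself identifies the session. The `now` parameter only exists so the timeout behaviour can be exercised deterministically.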

Related

Allow user to make only one active login using salesforce?

In Salesforce, can we allow a specific user to log in only once at a time globally? If he is logged into Salesforce already, then he should not be able to log in again unless the first active login gets logged off. Is there any way we can achieve this using OOTB?
I don't think this is possible. Sessions in Salesforce can be locked to the original IP address though, which would prevent you from logging in from two different locations. You can also set sessions to have a 15 minute timeout, so if they logged in a second time, after a little bit, the first session would be terminated.

Correct way to save User-Data in Electron

Hello, StackOverflow Community.
I am currently programming an Electron application which contains a login.
My login is working perfectly, but now I do not know how to correctly save the information from the user.
The user should not be able to edit the file or the cookie type of thing, so that he cannot abuse the system to be another user without knowing his password.
I hope you can understand my problem and help me out!
When storing user data you shouldn't store it locally at all. You should make an authentication key and store it in your database with your user; you then need to store this on the client side too. Normally people store this in memory, therefore once the user exits the system they "sign out". If you don't want that, you could save it to some sort of settings file using something like electron-settings, or a cookie using the Electron API. Once you have this key you should use it to authenticate calls to your API, and when doing so you should check that the key is valid for the user who is performing the action.
Example:
When UserA sends a message to UserB you should check that UserA's auth key equals the key which represents UserA in your database.
Using this method will make it hard for other users to "guess" other users' keys and also keep user data safe from user interaction.
NOTE: Change the user's auth key every time they log in to prevent someone from stealing it!
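The server-side half of this answer (key issued per login, old key invalidated, and the acting user derived from the key rather than from anything the client claims) as an added example; it is not code from the answer or from Electron. `AuthKeyRegistry` is a constructed stand-in for the database table, and `send_message` is a hypothetical API handler for the UserA-to-UserB scenario.

```python
import secrets


class AuthKeyRegistry:
    """Server-side mapping user_id <-> current auth key (constructed stand-in for the DB).
    The client only holds the opaque key; the server decides whom it belongs to."""

    def __init__(self):
        self.key_by_user = {}
        self.user_by_key = {}

    def issue(self, user_id):
        """Called on every successful login. The previous key for this user stops
        working immediately, which is the rotation the answer's NOTE asks for."""
        old = self.key_by_user.get(user_id)
        if old is not None:
            del self.user_by_key[old]
        key = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
        self.key_by_user[user_id] = key
        self.user_by_key[key] = user_id
        return key

    def who(self, key):
        """Resolve a presented key to a user id, or None if it is unknown or rotated out."""
        return self.user_by_key.get(key)


def send_message(registry, auth_key, claimed_sender, recipient, text, outbox):
    """Hypothetical API call. The sender is whoever the key resolves to; a
    client-supplied sender id is only accepted if it agrees with that."""
    actor = registry.who(auth_key)
    if actor is None:
        return "unauthenticated"       # no key, or a key that was rotated out by a new login
    if actor != claimed_sender:
        return "forbidden"             # UserB's key cannot post as UserA
    outbox.append((actor, recipient, text))
    return "sent"
```

The check the answer describes ("UserA's auth key equals the key which represents UserA") is the `actor != claimed_sender` comparison; anything the client stores in a settings file or cookie is just the key, and editing it yields an unknown key rather than another user's identity.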

Extjs session management

Wanted to know if there is any way to find out when your session is about to expire while using the class Ext.data.Session, as Ext.data.Session does not provide any event. As per the definition of the class, it is used to store session information with the server data being loaded.
What I want to do in my application is user login session management. That is, when a user logs in it starts a session, and when the session is about to expire I prompt the user that their session is about to expire. Any event performed in the application resets the session timeout time.
I have checked this example on Miami code, but as per the logic, the session will be tracked from the time of logging in. But it won't be updated whenever there is some event in the application. Hence, irrespective of the user performing any event, the user will be prompted that his session is about to expire. This is not helping me, as I need to reset the timer if the user performs some activity.
Let me know if I am driving the question in the right direction, else I will rephrase accordingly.
Well, Ext.data.Session and the user login session you need are two entirely different things.
Ext.data.Session manages data stored in various records in such a way that it ensures consistency and uniqueness of the data and saving data to the server.
Thus, Ext.data.Session cannot be used for your purpose.

Restrict multi login in CakePhp

I have a mission to limit multi login on a site (e.g. login from different computers under the same username). My PM wants to do this by saving the session id. How can I do it? I have an idea to save a flag to the database after login and unmark it after logout, but if the browser is suddenly or accidentally closed it can't be unmarked. Help me please.
You have to store a UUID, the user's ID and a timestamp in your database:
On login create a UUID for the current session of the user (String::uuid();) and store the UUID in the user's session and also in a cookie.
If the user already has an active session or a cookie, read the UUID from there.
A user is now "valid" if:
The user logs in and no database entry is present. The UUID doesn't matter.
The user logs in and the timestamp is "old" (define your own value... 15 minutes?). The UUID doesn't matter.
The user's UUID and the user id match the database entry and the timestamp is not "old".
A user is now "invalid" if there is a different UUID in the database and its timestamp is not "old".
If the user logs out by hand, remove the database entry. If the user just closes his browser he can either resume his session via his cookie, or his session (application session, not the browser one) gets automatically invalidated after the timestamp gets "old".
Drawback: If a user wants to switch the computer / browser fast, he/she must use the logout function or else wait for your defined timeout. However, you could also implement a mechanism which logs out the current active user on a session-collision and closes all active processes or whatever you are doing in your application :).
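The validity rules above, written out as an added example (not the answer's or CakePHP's own code): one row per user holding UUID, user id and timestamp; a login is accepted when there is no row, the row is stale, or the caller already holds the live UUID; every request compares the presented UUID against the row. The `replace_existing` flag implements the alternative from the drawback paragraph, where a collision kicks the older session instead of refusing the new one. `SingleSessionGuard` and its method names are hypothetical.

```python
import time
import uuid
from dataclasses import dataclass


@dataclass
class ActiveLogin:
    """Constructed stand-in for the database row: UUID, user id, timestamp."""
    session_uuid: str
    user_id: int
    last_seen: float


class SingleSessionGuard:
    """Allows at most one live session per user, following the UUID/timestamp rules."""

    def __init__(self, stale_after=15 * 60):
        self.stale_after = stale_after   # the answer's "old" threshold, 15 minutes by default
        self.by_user = {}                # user_id -> ActiveLogin

    def _is_old(self, row, now):
        return now - row.last_seen > self.stale_after

    def login(self, user_id, existing_uuid=None, replace_existing=False, now=None):
        """Returns the session UUID to put in the user's session and cookie,
        or None when another session is still live and may not be replaced."""
        now = time.time() if now is None else now
        row = self.by_user.get(user_id)
        if row is not None and not self._is_old(row, now):
            if existing_uuid is not None and row.session_uuid == existing_uuid:
                row.last_seen = now          # same browser resuming: keep its UUID
                return row.session_uuid
            if not replace_existing:
                return None                  # collision with a live session elsewhere
        # No row, a stale row, or an explicit takeover: a fresh UUID replaces it.
        new_uuid = str(uuid.uuid4())
        self.by_user[user_id] = ActiveLogin(new_uuid, user_id, now)
        return new_uuid

    def is_valid(self, user_id, session_uuid, now=None):
        """Per-request check: the presented UUID must match the stored one and the row
        must not be stale. A successful check refreshes the timestamp."""
        now = time.time() if now is None else now
        row = self.by_user.get(user_id)
        if row is None or self._is_old(row, now) or row.session_uuid != session_uuid:
            return False
        row.last_seen = now
        return True

    def logout(self, user_id, session_uuid):
        """Manual logout removes the row, but only for the caller holding the live UUID."""
        row = self.by_user.get(user_id)
        if row is None or row.session_uuid != session_uuid:
            return False
        del self.by_user[user_id]
        return True
```

The "browser closed without logout" case needs no special handling: the row simply ages past `stale_after`, after which the next login is accepted, and a returning cookie with the old UUID is rejected by `is_valid`.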

Allow one session only at a time

I would like to make my website allow only one session at a time. For example, let's say a user has logged in to my website on Firefox; if the user logs in again on another browser like Opera, on the same computer or a different computer, the session on Firefox will be destroyed. However, the session on Firefox remains as long as it is the only session. May I know how I can do that? I am using PHP and Apache. Thank you.
Regards.
Benjamin
I'll suggest you do something like this:
Suppose user "A" logs in to "Com_1" for the first time. Save a unique code in the database against that session, and the same in the user session.
In the meantime, if he (user "A") logs in again on "Com_2", then check his status in the database and update the unique code in the database.
Again, when the same user (user "A") refreshes the page on "Com_1", all you need to do is check the unique code from the session and match it to the database. It is for sure it will not match, so log him out and destroy the session.
For keeping the user logged in even if the browser is closed, you can store the cookie on the browser and re-generate the session accordingly.
Hope this helps. Thank you.
You can use the following algorithm:
create an integer field in the database userLoggedInCount
On each login increment that flag and store the result in the session.
On each request check the value in the database and the one in the session, and if the one in the session is less than the one in the DB, invalidate() the session and decrement the value in the database.
Whenever a session is destroyed, decrement the value as well.
Credits to Bozho because he posted this, answering a question here.
Keep a central database table or text file of who is logged in at the moment. If a user is already logged in in another session, invalidate that session by setting the "logged in" flag to false.
I think you'd have to do something like this:
add a "last_session_id" column to your user table
when a user logs in, update their last_session_id field with their current session id
on each page, if the user has an authenticated session, check if the session id is equal to the one recorded in your database. If not, destroy this session.
Store the session id in the database. Retrieve the last login session id from the DB, set the session id using session_id(oldid), change the session variables related to authentication like $_SESSION['LOGIN'],
then destroy the session and create a new session with a new session id. Follow the example for the logic: https://www.php.net/manual/en/function.session-create-id.php.
This will make the last login the allowed one. Validate on each page the session variables related to authentication. This makes the old session invalid because of the session_id reset by a new login.
Save users' IP=>SESSION_ID pairs in a database. When a user tries to load your page you must compare the actual IP=>SESSION_ID pair, then allow/deny if the pair is ok/different.