Rails cookie not persisting on mobile - ruby-on-rails

I am developing an analytics system in which I have a global user id and a session id. I am storing the global user id in a cookie created on my Rails server, and the session id I store in a cookie that I create in the browser.
The global user id is set to expire in 2 years, and every time a new request from that user arrives I restart the counter. The same happens with the session id, except that the time is 25 minutes.
What is happening is that on some mobile phones the cookie that I set on my Rails server is not persisted. So every time the user navigates to other pages he has the same session id, but the user id changes.
What could it be?
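The two cookies described above, as an added Ruby example (not the asker's Rails code): a helper that re-issues both cookies with a sliding expiry on every request, plus a diagnostic that parses a Set-Cookie header and reports the reasons a client would legitimately refuse to persist it. The cookie names "guid" and "sid", the TTLs and the attribute choices are assumptions for this example.

```ruby
require 'securerandom'
require 'time'

# Constructed for this example (not the asker's code).
# Assumed cookie names: "guid" (global user id, 2 years) and "sid" (session id, 25 minutes).
USER_COOKIE_TTL    = 2 * 365 * 24 * 60 * 60   # 2 years, in seconds
SESSION_COOKIE_TTL = 25 * 60                  # 25 minutes

# Build one Set-Cookie header value. A cookie survives a browser restart only if
# it carries Max-Age and/or an RFC 1123 Expires date; without either it is a
# session cookie and is discarded when the browser or app closes.
def set_cookie_header(name, value, ttl, now: Time.now, secure: true, http_only: true)
  parts = ["#{name}=#{value}",
           "Max-Age=#{ttl}",
           "Expires=#{(now + ttl).httpdate}",
           "Path=/",
           "SameSite=Lax"]
  parts << "Secure" if secure
  parts << "HttpOnly" if http_only
  parts.join("; ")
end

# Re-issue both cookies on every request, restarting their counters.
# Ids already presented by the client are kept; missing ones are generated.
def refresh_cookies(request_cookies, now: Time.now)
  guid = request_cookies["guid"] || SecureRandom.uuid
  sid  = request_cookies["sid"]  || SecureRandom.hex(16)
  {
    "guid" => guid,
    "sid"  => sid,
    headers: [
      set_cookie_header("guid", guid, USER_COOKIE_TTL, now: now),
      set_cookie_header("sid",  sid,  SESSION_COOKIE_TTL, now: now)
    ]
  }
end

# Diagnostic: parse a Set-Cookie header value and list the reasons a client
# could decline to persist it. An empty array means it looks persistable.
def persistence_problems(header)
  attrs    = header.split(";").map(&:strip)
  problems = []
  max_age  = attrs.find { |a| a =~ /\AMax-Age=/i }
  expires  = attrs.find { |a| a =~ /\AExpires=/i }

  if max_age.nil? && expires.nil?
    problems << "no Max-Age or Expires: this is a session cookie"
  end
  if expires
    begin
      Time.httpdate(expires.split("=", 2)[1])   # must be an RFC 1123 date
    rescue ArgumentError
      problems << "Expires is not an RFC 1123 date; clients may ignore it"
    end
  end
  if max_age && max_age.split("=", 2)[1].to_i <= 0
    problems << "Max-Age <= 0 deletes the cookie immediately"
  end
  problems << "cookie exceeds 4096 bytes; browsers drop it" if header.bytesize > 4096
  problems
end
```

Running `persistence_problems` over the exact header the server emits (captured from the mobile client's response, not from a desktop browser) is the first check worth making: a missing or unparsable expiry turns the "permanent" user id cookie into a session cookie, which is exactly the symptom of the id changing between visits.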

Related

Is there any way to identify the ASP.NET Identity token expiry timeout event or idle timeout event?

We have created an Identity Server 4 application for single sign-on in ASP.NET Core 2.0. We use the Microsoft Identity framework for login and account-related pages.
The client applications are created using .NET FW 4.7.1 in MVC 5, which then connect to the identity server for single sign-on purposes (Identity Server 3 is used in the client application).
We have a requirement to allow users to log in to the application only from a single device at a time. To achieve this, on user login, we create a unique LoginSessionId and store it in the DB. On logout, we just set this session id to null.
If someone else tries to log in with the same user on another device, we just check whether the LoginSessionId has a value. If yes, then we show a message informing the user that he's already logged in on another device and asking if he wants to kill the other session. If he says yes, we let him log in and reset the LoginSessionId to a new one. As for the first device's login, we have a check in place to log that user out if his current LoginSessionId does not match the one in the DB, so he gets logged out.
We have also set the AccessTokenLifetime and IdentityTokenLifetime of the identity server-client application to 24 hours. Here is the problem we're facing:
When the 24 hours are up after user login, the user gets logged out since the token must have expired. But the LoginSessionId mentioned earlier is not reset. Thus when the user tries to log back in, we end up showing the message that another user is logged in, which is not really the case. The questions are:
Is there any way to raise the token expiry event so that we can clear the LoginSessionId there?
Is there any common place where we can identify the various reasons due to which a user gets logged out, e.g. was it due to token expiry, or because he was idle for a long time (sliding expiry, I think), or because he clicked logout himself?
What is the max value that we can set for AccessTokenLifetime and IdentityTokenLifetime.
One needs to implement IEventService and IEventSink in Identity Server 4 to get those events.
For more details, you can refer to this link.

How to check user auth on each viewcontroller that requires login?

OK...so I have a swift app that connects to a PHP backend. The user logs in, it stores a session on the server and sets an encrypted cookie in the cookieStorage on the app (I also store that cookie in keychain since cookieStorage can be volatile from what I'm told). I also store the username and password in keychain as well.
The session on the server expires after a period of non-use (let's say 30 days), but if the user comes back, the session renews itself if it's under 30 days old. So for example... let's say I don't come back for 15 days... my session is now reset to 1 day old and again has 30 days to expiration... however, if I come back on day 31, I have to re-login on the web app.
There are several viewcontrollers in this app that require the user to be logged in (a couple are uiwebviews that use the cookie to access the data on the server...those aren't a problem as they handle the sessions like a champ by default). The native views (tableview, etc) that require the user be logged in however are a different story.
Currently, on login, I set a switch in NSUserDefaults that the user is logged in... in didFinishLaunchingWithOptions, I just check to make sure the user is logged in... if they are logged in, we move them into the "private" area of the app; if they aren't logged in, we move them to the login screen (or signup screen).
All of this is fine and good...but with the sessions expiring on the server, I was wondering what is an appropriate way of handling this in an iOS app? I want them to stay logged in until they choose otherwise, but if the app stays closed for 31 days, the session on the server will no longer be valid. I was thinking that I could set a date in UserDefaults (last time app was opened) or something like that, and if they haven't opened the app in over 30 days, then I could just use the username and password stored in keychain to re-log them into the PHP backend and refresh their session and reset the stored login date (if the password is no longer valid, I would of course redirect to login view).
Is there a more appropriate way to handle this in an iOS app or does that sound like a valid approach? Should the date/session check be in didFinishLaunchingWithOptions and also in applicationDidBecomeActive ?
First, don't store anything that has to do with the login state in the userDefaults; it's not secure.
Second, since you are storing the username and password in the keychain, why don't you just check the keychain and log the user in every time they open the app? This will give the user a persistent login until they log out, at which point you can clear the keychain. Also, this will give you another analytic point you can store in your database, so you know every time the user opens your app.
Is there a reason you want to have a 30 day expiration?

QuickBlox IOS session expired renew

This question has multiple facets regarding an application that has a login along with instant messaging, i.e. QBChat. All of these questions kind of relate.
1) When a user logs in, I create a session, log the QBUser in, and log the QBUser in to QBChat. Is it common practice, when a user logs out, to log out of QBChat, log out of QBUser and destroy the session?
2) Currently, when the application is sent to the background, I log the user out of QBChat and QBUser and destroy their session, and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the user's session doesn't expire while the application is in the background. Is there any other way to automatically renew sessions when the application is in use?
3) Finally, this question relates back to the second one: if I am using the application and the session expires, is there a callback function that will be called when the session expires? So if I use the application for 2 hours straight and the session expires, is there any way I can get an indication that it expired and either manually renew it or have it done automatically?
1) When a user logs in, I create a session, log the QBUser in, and log the QBUser in to QBChat. Is it common practice, when a user logs out, to log out of QBChat, log out of QBUser and destroy the session?
Yes, it's a common pattern.
Two things that you need to know:
you can create a session and log in in 1 query http://quickblox.com/developers/IOS#A_couple_of_words_about_Authentication_and_Authorization
you don't need to do a QBUser logout and destroy a session; you can just destroy the session. It's enough.
2) Currently, when the application is sent to the background, I log the user out of QBChat and QBUser and destroy their session, and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the user's session doesn't expire while the application is in the background. Is there any other way to automatically renew sessions when the application is in use?
3) Finally, this question relates back to the second one: if I am using the application and the session expires, is there a callback function that will be called when the session expires? So if I use the application for 2 hours straight and the session expires, is there any way I can get an indication that it expired and either manually renew it or have it done automatically?
I do only a QBChat logout. You don't need to destroy the session every time.
You can recreate the session if needed without destroying it first.
To check the session expiration datetime use
NSDate *sessionExpirationDate = [QBBaseModule sharedModule].tokenExpirationDate;

What are session ids? In PHP, are session ids assigned to each user or to each browser?

I am really confused about sessions in PHP. I am doing a website (this is my first project) and I am stuck on a user login system. I can't understand how PHP sessions work: are these session ids unique to each user, or are they unique to each browser?
Here is my problem:
When I log in using the username and password for user1, I start a new session and a unique session id is created, let's say PHPSESSID XXXXXXXXXXXXXXXX. So when I log out from user1, I destroy the session, and the session id XXXXXXXXXXXXXXXX generated during login for user1 is deleted from the temp folder.
Next I log in using user2 and password. A new session is again created, but I get the same session id, i.e. XXXXXXXXXXXXXXXX, which was generated during the first login. I don't understand how the same session id is assigned to two different users.
All this while I was using Google Chrome to browse.
But then I used Firefox to log in using user1 and password, and this time a new session id is created, i.e. XXXXXXXXXXXXXXX1. Then I log out and log in again using user2, and again the session id assigned to user2 is the same XXXXXXXXXXXXXXX1.
I don't understand all this. If the session id is unique to each user, then why is the same session id assigned to two different users on the same browser?
Can't say much for PHP specifically, but HTTP by itself is stateless, i.e. if you make the same request, you (should) get the same response. What PHP and many other languages do is use session IDs, sometimes stored in cookies, sometimes stored in the URL.
Long story short, your session ID should be unique to each user for each browser. For example, if Alice logs in on her home computer, then logs in on her work computer, the session IDs should be different. If Alice then logs out of her home computer and Bob logs in (same computer, same browser as Alice's first login) he should still get a different session ID; it's all done so that your framework (i.e. PHP) can track 'sessions' of website use.
In your case, duplicate session IDs might be due to lingering cookies, server problems, or PHP might be legitimately reusing one ID (maybe for performance reasons). If you haven't modified much of the session code, chances are it's either the cookie issues with the browser or ID reuse.
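To make the answer's point concrete, here is an added Ruby example (not PHP's session implementation, and not code from either poster) of a minimal in-memory session store. It shows that the session id belongs to the cookie the browser presents, not to the account, and that the right lifecycle is: rotate the id on login so an id seen before authentication stops being valid (session fixation defence), and on logout drop the server-side record *and* the browser cookie. The cookie name `PHPSESSID` is only borrowed from the question to make the walkthrough recognisable.

```ruby
require 'securerandom'

# Constructed for this example; not PHP's session machinery.
# A session id identifies a cookie jar (one browser), never a user account.
class SessionStore
  COOKIE = "PHPSESSID"   # name borrowed from the question; any name works

  def initialize
    @sessions = {}       # session id => data hash
  end

  # Resolve the session the browser presents; start a fresh one if unknown.
  def start(browser_cookies)
    sid = browser_cookies[COOKIE]
    sid = new_id unless sid && @sessions.key?(sid)
    @sessions[sid] ||= {}
    browser_cookies[COOKIE] = sid
    sid
  end

  # Login: bind the user to the session and rotate the id, so any id observed
  # before authentication is no longer valid (session fixation defence).
  def login(browser_cookies, username)
    old   = start(browser_cookies)
    data  = @sessions.delete(old)
    fresh = new_id
    @sessions[fresh] = data.merge("user" => username)
    browser_cookies[COOKIE] = fresh
    fresh
  end

  # Logout: drop the server state *and* tell the browser to forget the cookie.
  # Destroying only the server side leaves the old id in the browser, which is
  # what makes the next request look like "the same id again".
  def logout(browser_cookies)
    @sessions.delete(browser_cookies[COOKIE])
    browser_cookies.delete(COOKIE)
  end

  def user_for(sid)
    (@sessions[sid] || {})["user"]
  end

  private

  def new_id
    SecureRandom.hex(16)   # 128 bits of randomness, like a real session id
  end
end

# Walk through the question's scenario: one browser, two users in turn.
def demo_two_users
  store  = SessionStore.new
  chrome = {}                                   # the browser's cookie jar
  first  = store.login(chrome, "user1")
  store.logout(chrome)
  second = store.login(chrome, "user2")
  {
    first: first, second: second,
    distinct:    first != second,
    user2_bound: store.user_for(second) == "user2",
    user1_gone:  store.user_for(first).nil?
  }
end
```

With this lifecycle `demo_two_users` yields two different ids, which is the behaviour the answer describes as correct. If the store neither rotated on login nor cleared the cookie on logout, the same id would carry over from user1 to user2, which is the observation in the question and also why an attacker who learned an id before login would keep a valid session after it.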

Rails Session id

I have given the following command in my environment.rb
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = 'sessionname'
I want my application's session to expire after some dynamic value which I get from the user.
Once the session time which the user gives me lapses, I want to remove all the cookies.
I could expire all cookies other than the one above, i.e. sessionname.
This holds the session id, and this is the main cookie I want to expire.
Could someone suggest a solution?
It's not a good idea to expire the session key, as it will disrupt users working with your application.
I'd suggest you have a separate permanent_session_id in cookies which you generate manually upon login and store with an expiration time. Then use that cookie to log users in if the session does not exist.
Such an approach will allow users to stay logged in while using the application and be logged out automatically if permanent_cookie_id has expired after restarting the session.
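The permanent cookie the answer suggests, as an added Ruby example (not the asker's app or the answerer's code): a store that issues a random token on login, keeps only a SHA-256 hash of it with the user and an expiry, and is consulted only when the ordinary session is missing. Hashing means a leaked table does not yield usable tokens; the expiry check is what logs the user out "automatically" once the chosen time has lapsed. The cookie name `permanent_session_id` comes from the answer; the class, method names and TTL are assumptions for this example.

```ruby
require 'securerandom'
require 'digest'

# Constructed for this example; not a Rails component.
class PermanentSessions
  def initialize(ttl_seconds)
    @ttl     = ttl_seconds
    @records = {}     # SHA-256(token) => { user:, expires_at: }
  end

  # Called on login; returns the token to place in the permanent_session_id cookie.
  # Only the hash is stored server side.
  def issue(user, now: Time.now)
    token = SecureRandom.hex(32)
    @records[digest(token)] = { user: user, expires_at: now + @ttl }
    token
  end

  # Called when the ordinary session is missing. Returns the user to log in,
  # or nil if the token is unknown, expired, or already revoked.
  def user_for(token, now: Time.now)
    rec = @records[digest(token.to_s)]
    return nil unless rec
    if rec[:expires_at] <= now
      @records.delete(digest(token))       # expired: clean up, do not log in
      return nil
    end
    rec[:user]
  end

  # Explicit logout revokes the token server side; clearing the cookie alone
  # would leave a still-valid token behind if it had been copied elsewhere.
  def revoke(token)
    @records.delete(digest(token.to_s)) ? true : false
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Request-handling sketch: prefer the live session, fall back to the
# permanent cookie, and re-establish the session from it when it is valid.
def current_user(session, cookies, store, now: Time.now)
  return session[:user] if session[:user]
  user = store.user_for(cookies["permanent_session_id"], now: now)
  session[:user] = user if user
  user
end
```

The TTL passed to `PermanentSessions.new` is where the user-chosen session time from the question goes; the regular session cookie is left alone, as the answer recommends, so an active user is never interrupted mid-request.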
