This question has multiple facets which regards an application that has a login, along with instant messaging i.e. QBChat. All of these questions kind of relate.
1) When a user logs in, I create a session, login the QBUser in, and log in the QBUSer to QBChat. Is is common practice, when a user logs out to log out of QBChat, log out of QBUser and destroy the session?
2) Currently, when the application is sent to the background, I log the user out of QBChat, QBUSER and destroy their session and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the users session doesn't expire when while the application is in the background. Is there any other way to automatically renew sessions when the application is in use?
3) Finally, this question relates back to the second one, if I am using the application and the session expires, is there a call back function that will be called if the session expires? So if I use the application for 2 hours straight, and the session expires is there anyway I can get a indication that it expired and either manually renew it or have it done automatically?
1) When a user logs in, I create a session, login the QBUser in, and
log in the QBUSer to QBChat. Is is common practice, when a user logs
out to log out of QBChat, log out of QBUser and destroy the session?
Yes, it's common pattern.
Two things that you need to know:
you can create session and login in 1 query http://quickblox.com/developers/IOS#A_couple_of_words_about_Authentication_and_Authorization
you don't need to do QBUser logout and destroy a session, you can just destroy a session. It's enough.
2) Currently, when the application is sent to the background, I log
the user out of QBChat, QBUSER and destroy their session and when the
user comes back I create a new session and log them back in to
everything. I do this to make sure that the users session doesn't
expire when while the application is in the background. Is there any
other way to automatically renew sessions when the application is in
use?
3) Finally, this question relates back to the second one, if I am
using the application and the session expires, is there a call back
function that will be called if the session expires? So if I use the
application for 2 hours straight, and the session expires is there
anyway I can get a indication that it expired and either manually
renew it or have it done automatically?
I do only QBChat logout. You don't need to destroy session every time.
You can recreate session if need without destroy it before.
To check session expiration datetime use
NSDate *sessionExpiratioDate = [QBBaseModule sharedModule].tokenExpirationDate;
Related
Admins should be able to log out a user remotely through the admin console.
When a user logs in, a cookie is set with cookies.signed[:user_token]
The cookie is deleted with cookies.delete :user_token when user logs out.
I can only access and delete the the cookie for the current user that is sending the requests to my rails controller. The cookies hash only has the :user_token of the current user and the session_store key.
Is it possible to access the cookies of all logged in users and delete them from one account? I can't find any info on this.
An alternative way of doing this:
Keep track of the log-in state(0 or 1) of every user in the database. Every time a user logs in, the state is set to 1.
Allow admins to change the state to 0 through the admin console.
The client browser requests the login state every minute or so. if the state is 0, send a logout request.
What do you guys think about this way of doing it?
As far as i know, cookies are stored in the user's browser. You can't delete them. You could invalidate them somehow, but per user, it would be difficult.
Storing login state in the database should be the solution you are looking for. So when a user comes in, you do the usual authentication and then check database. If 0 you make them login. That way admins can change that one value. Also you gotta put something in to expire the flag in your session table
I have an app which presents a login screen on first launch. When the user logs in, I give them an option to remain logged in. This establishes a session with an expiry on my server. What's the most appropriate way to do the following things:
Store whether the user is logged in or not.
Present the user with a login or logout option on application launch based on the validity
of their session.
End their current session if they choose to logout (or if their session is expired).
I'm guessing this is a common design pattern and there should be tried and tested ways to do this but I seem to be using the wrong terms to search because I haven't found a satisfactory answer.
Some ideas:
I would suggest you store your sensitive session information in the application's KeyChain. I wouldn't store here the state of wether the user is logged in or not, just store that in memory. Your webservice should be able to return an error when the session ceases to exist, or if the user has logged out.
If the backend determines the session's validity, then you should have a RESTful call where you can pass the session information, returning whether the session is still valid.
Again, if they choose to logout, then you could perform another call to your backend passing the session information.
For the Keychain, use the KeychainItemWrapper from Apple's examples.
I have a JSF login page using form authentication. I login users by calling HttpServletRequest.login(username, password). Logging out is done by first calling ExternalContext.invalidateSession() and then calling HttpServletRequest.logout() for the current user.
My plan is to keep track of the logged in user in an application scoped list by adding to the list anytime a user logs in and removing from the list when a user logs out.
I have two concerns with this approach:
If a user that was already logged in tries to log in again without first logging out, I want to invalidate the existing session and do some cleanup. How do I access the session for a given logged in user? I could also use this functionality to forcefully logout some users.
If a session expires (e.g. timeout) I want to remove the user from the list of logged in users. How do I listen for a session expiration?
Maintain a Map<User, HttpSession> logins in application scope yourself. During login, check if logins.put(user, session) doesn't return null and then invalidate it.
Let the User implement HttpSessionBindingListener and implement valueUnbound() accordingly so that it does a logins.remove(this). Or, if you don't have control over User, then implement HttpSessionListener#sessionDestroyed() instead to perform the remove.
Unrelated to the concrete problem, calling HttpServletRequest#logout() is unnecessary if you already invalidate the session. The user is tied to the session anyway.
I have given the following command in my environment.rb
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = 'sessionname'
I want my application to expire to some dynamic value which i get from user.
Once the session time which user gives me lapses, i want to remove all the cookies.
I could expire all cookies other than the one above i.e sessionname
This holds the session id and this is the main cookie i want to expire.
Could some one suggest a solution?
it's not good idea to expire session key as it will disrupt users from working with your application
i'd suggest you to have a separate permanent_session_id in cookies which you generate manually upon login and store with expiration time. then use that cookie to log users in if session does not exist.
such approach will allow users to stay logged in while using application and be logged out automatically if permanent_cookie_id is expired after restarting session.
just wanted to know:
In my rails 3 app when a user logs in, i store their id in a session variable like this
session[:id] = #user.id
i noticed that when i login and then close the browser the session is destroyed. Is this wise to do or better to create a logout feature to destroy the sessions. What can go wrong if i leave it as is.
Thanks for help
I noticed that when I login and then
close the browser the session is
destroyed. Is this wise to do.
If this is happening then it's good if session get expired/destroyed when user closes browser. This is what mostly done in websites.But can be hard when you are trying to providing remember me or always sign in like functionality. In this case you might not have to destroy session when browser is closed.
or create a logout feature to destroy
the sessions.
You can create a logout feature to destroy session but call this when user hits logout link.