I would need to record the value of an eVar only when the session ends.
Thank you,
Marco
a session ends when the session times out (as in, due to user inactivity), when the user leaves the site, or when the user closes the browser. There is no 100% reliable way to listen or mark any of these events. Your best bet is to populate the eVar on every page or activity and set attribution in interface to last value. But again, this will not reliably give you what you want.
Related
Currently, I have a Rails application whose edit form is on a separate edit page. Is there a way to make sure no two users are accessing the edit page at the same time? Or a user can only access the edit page if no other user is currently on the page?
Or to ask a simpler question, is there a way to get a list of users currently on the page?
I am on Rails 4.
HTTP is a stateless protocol. It was designed to allow idempotent transactions. The server does not store transaction state information about each chain of requests. The session allows you to mitigate this design pattern and allow the server to track where your users have been. In order for you to know if a user is on a page, you will need to store in your database where each user is. Remember, that when a user decides to navigate away from a page, your servers will not know it, only when a request is made to a different page.
I assume you don't need to track anonymous session information, so you probably need to override your controller action that ensures users are logged in to save where the user is at. Before rendering the page, ensure the count of user's current location equal to the rendered page is 0.
You can have AJAX fire on the page, updating the location of your user on these pages so you can ensure that there has been no user in a reasonable timeout. Without the AJAX you would need to consider what the reasonable amount of time a user would be editing information, and consider that a non-reasonable amount of time is likely the actual amount.
There's no 'RAILS' feature that can be turned on to check where a user is located, this would be a roll your own situation.
I think the best way is to use a Redis Store (or anything in memory), or make a temporary sessions table for that.
Then you can authorize the show action to check whatever you want.
I have a need to make a change to a database value at the moment that a user logs out. I can make this happen when the user clicks 'logout', but I need this to happen when a user times out as well. Is there some sort of listener or other such method I can use to achieve this?
Basically, due to SimpleMembership not supporting online user checking, I am forced to use a database field, a boolean, that records if a user has clicked login or logout, but obviously I cannot set this field to "false" if unless they click logout. Hence my need to detect automatic logouts, so to speak.
Any suggestions?
See: How to get notified of session end?
If you're sessions are in-process you can subscribe to the Session_End event. You will eventually (after the session timeout has expired) be notified that the session has ended.
ASP.NET has session states. So the one you should be interested is the Session_OnEnd event. But you can only use this inProc mode.
Refer to: http://msdn.microsoft.com/en-us/library/ms178583.aspx
Add this to Global.asax
public void Session_OnEnd()
{
//Perform your logic.
}
You will not be able to subscribe to any notification that lets you know when the session times out.
Instead, you will need to keep track (most likely in a database) of when the user performed their last action. Then have some sort of job that will periodically check to see those members that have not performed an action in any given time-frame and trigger the logout method.
I have a set of methods that clear cache data on log out, is there an easy way to trigger these functions when the session times out? I have updated my web config to have a time out of 1 minute for testing.
The issue i'm having is certain things displayed are meant to persist based on the user logged in, if the session times out and a new user logs in they will see the previous users information. This does not happen on log out because of the logic in place.
I don't need an answer but a pointer in the right direction on how to handle time out functions.
Add this to your global.asax:
public void Session_OnEnd()
{
//Find user's data using SessionId and remove it
}
What I did was simply ClearAllSessionKeys on log on instead of on session time out. This had the same effect and fixed my issue.
we've implemented a system similar to the one described in this other SO post. Basically, if the user doesn't do anything for 14 minutes, we prompt them that they will be logged out. If they click on "keep me logged in" we do an ajax request to keep their session alive, otherwise, they are redirected to the logout page after a minute.
It works pretty well, and is inline with similar systems employed at sites like mint.com and bankofamerica.com. The only problem is that our application's users tend to have multiple tabs open to refer back and forth to different pieces of data. So the problem is that they may be actively working in one tab, but then the other tab times out and logs them out. This causes an abrupt session timeout for the user when they were not expecting it. btw, mint.com has this same issue.
So I was wondering if anyone had any ideas to combat this?
I have one idea, each request could set a "last active time" cookie. Upon auto-logout, the server could check this last active time and if it's relatively recent, avoid logging them out. The manual logout would of course ignore this cookie so if the user wants to log out he can do so at any time. However, I'm afraid that this may be exposing some sort of security risk that I'm not able to see at this point. Thoughts?
Before showing the pop-up, ask the server how long ago the user has done his last request.
so I have designed this voting thing which does not let somebody vote for the same article twice in 24 hours. However, suppose a person votes and after seeing the person was able to cast vote or that he is falling in that 24 hour window, I disable the vote-casting button (and this is all Ajax btw).
But what to do when a person closes his/her browser and comes back up or even refreshes the page? Obviously, he would not be able to cast vote, because of my algorithm, but the person would still end up succeeding in making call to the server. So if he really wanted, he would keep refreshing the page and clicking on the vote and put unnecessary load on the server. How to avoid that by doing some sort of client-side thing or something?
I am using ASP.NET MVC, so session variables are out of question.
Am I being over-concerned by this?
If voting happens only from logged in (known) members then you shouldn't have any problem.
If, on the other hand, everyone can vote then you need to store all user vote events:
timestamp
poll
poll_vote
ip
user agent
user uniqueness cookie
So you'll need a random hash sent out as cookie. This will ensure that you don't accept another vote for the same poll from the same person.
If the user deletes his cookies you fallback to plan B, where you don't allow more than (say) 10 votes from the same IP and user agent combination for 24 hours.
The system is not perfect since users can change IPs and (more easily) user agents. You'd need advanced pattern detection algorithms to detect suspicious votes. The good thing about storing all user vote events is that you can process these later on using a scheduler, or outsource the votes to someone else who can process them for you.
Good luck
Refreshing is not a problem
If you're doing all this voting using Ajax, refreshing a page won't do anything except load the page using GET.
If you're not using Ajax you should make sure you call RedirectToAction/RedirectToRoute action result, that would as well help you avoid refresh problems.
How do you recognise users
If you use some sort of user authentication this re-voting is not a problem. But if your users are plain anonymous, you should store IP address with your votes. This is how things are usually done. This makes it possible to avoid session variables as well. But you have to be aware of this technique because it's not 100% perfect.
Cookies?
You could of course also use absolute expiration cookies. They'd expire in an day. Advanced users would of course be able to avoid your voting restrictions, but they would be able to avoid other ways as well. Sessions BTW are also based on cookies anyway.
Combination
But when you'd like to make you system as great as possible, you'll probably use a combination of the above.
The best way would be to track who voted for what and when on the server (probably storing it in a database). In order to do this you must use an authentication system on your site (probably forms authentication) to identify users. So every time someone tries to vote you check first in your data storage if he already voted and when and decide whether to validate the vote or not. This is the most reliable way.
If your site is anonymous (no authentication required to vote) then you could store a persistent cookie on the client computer that will last for 24 hours and indicate that a vote has already been cast from this computer. Remember though that cookies might be disabled, removed and are not a reliable way to identify a given user.
I am using ASP.NET MVC, so session
variables are out of question.
Any reason for that? Sessions are perfectly fine in ASP.NET MVC applications. It is in your case that they won't work because if the user closes the browser he will lose the session.
Obviously, he would not be able to
cast vote, because of my algorithm,
but the person would still end up
succeeding in making call to the
server. So if he really wanted, he
would keep refreshing the page and
clicking on the vote and put
unnecessary load on the server
Automated bots could also put unnecessary load to your server which is much more important than a single user clicking on F5.
If you just want to ensure the user can only vote once on an article then you just need to store a Set (i.e. HashSet) of all article id's that they've already voted on, then just check before allowing the vote.
If you still wanted a 24hr limit then you need to store a Dictionary<articleId,DateTime> then you can check if he has already voted for that article and if he has when it was.