Does the Devise gem support single user login? - ruby-on-rails

A user named 'user1' signed in at computer a. Then on another computer b, account 'user1' can't sign in; user1 must log out first, then user1 can sign in on computer b.
Does Devise support this?

You can add a column to the users table that indicates whether the user is logged in or not. Set it to true when the user logs in, and to false when the user logs out. On login, check this column: if it's false, log the user in; otherwise show a notification that somebody else is using this account.
To avoid the situation where the user just closes the tab without logging off, make a rake task that will log the user out after some time.
UPD: As @Arjan said, you don't even need a rake task; you can use Devise's module for this.
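The flag-plus-timeout idea from the answer above, as an added plain-Ruby sketch (not code from the original post and not Devise's API). It goes slightly beyond a bare boolean by recording which session holds the account and when it was last seen, so a closed tab expires on its own; the class and method names are hypothetical, and the Hash stands in for columns on the users table.

```ruby
# Constructed in-memory model; in a real app the lease would be columns on
# the users table, updated atomically (e.g. a conditional UPDATE).
class SingleLoginGate
  Lease = Struct.new(:session_id, :last_seen_at)

  def initialize(idle_timeout:)
    @idle_timeout = idle_timeout # seconds of inactivity before a lease is stale
    @leases = {}                 # user_id => Lease
  end

  # true if this session may sign in, false if another live session holds the account
  def sign_in(user_id, session_id, now)
    lease = @leases[user_id]
    return false if lease && lease.session_id != session_id && !stale?(lease, now)

    @leases[user_id] = Lease.new(session_id, now)
    true
  end

  # Call on every authenticated request: refreshes activity and rejects a
  # session that no longer holds the lease (it expired or was taken over).
  def touch(user_id, session_id, now)
    lease = @leases[user_id]
    return false unless lease && lease.session_id == session_id && !stale?(lease, now)

    lease.last_seen_at = now
    true
  end

  # Only the session that holds the lease can release it.
  def sign_out(user_id, session_id)
    lease = @leases[user_id]
    @leases.delete(user_id) if lease && lease.session_id == session_id
    nil
  end

  private

  def stale?(lease, now)
    now - lease.last_seen_at > @idle_timeout
  end
end
```

Timestamps are passed in as plain numbers so the expiry path can be exercised without waiting; an app would pass the current time.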

Related

Invalidating Devise user session identifier after password update

Scenario: As an Administrator I need to invalidate a user's session (log them out) after I update the user's password. This is in accordance with best practices as per https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#Renew_the_Session_ID_After_Any_Privilege_Level_Change
I am using Devise and I saw here https://stackoverflow.com/a/45756884/664675 there is a config to log the user out: config.sign_in_after_reset_password = false
However, I have enabled this config in my devise.rb but the user remains logged in. Not sure why that is?
I am also using Redis as the session_store
Example::Application.config.session_store :cache_store,
  key: '_example_session',
  secure: true
Is it feasible to delete the particular user's session store from Redis upon Password reset by the Administrator? And if so how could I find their particular session key within Redis?
The flag sign_in_after_reset_password does not relate to logging the user out at all. sign_in_after_reset_password = false implies that when a user updates his account password by himself, he is not automatically signed in to his account again, and that logic happens only in PasswordsController#update.
So if you as admin try to change the password of another user in a custom controller, of course it does not log the user out, no matter what the value of sign_in_after_reset_password is.
Devise uses the warden gem to log the user out (in other words: destroy the user session), and warden is based on the request session, not on the database. That means there's no way an admin can get another user's session to reset, so you cannot force logout of another user with Devise alone; you need to handle this feature outside Devise (such as adding the session to the user table, or a Devise hook, something like timeoutable).
Reference: https://github.com/heartcombo/devise/issues/5262
What you're looking for is the setting sign_in_after_change_password which you should set to false (it defaults to true). The method has a slightly confusing name – it means "should we sign the user in after changing their password" instead of "should the user have to sign in after changing their password".
References:
https://github.com/heartcombo/devise/blob/master/lib/devise.rb#L296-L298
https://github.com/heartcombo/devise/blob/c82e4cf47b02002b2fd7ca31d441cf1043fc634c/app/controllers/devise/registrations_controller.rb#L163-L167
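The "add session to user table" approach mentioned in the first answer, as an added plain-Ruby sketch (not code from the original posts and not Devise's or warden's API): each user row carries a random session token that is copied into the session at sign-in and compared on every request, so an administrator's password change can orphan existing sessions without locating their keys in Redis. The `User` class, the Hash standing in for the session, and all method names are hypothetical.

```ruby
require "securerandom"

# Constructed stand-in for a row in the users table.
class User
  attr_reader :id, :password_digest, :session_token

  def initialize(id, password_digest)
    @id = id
    @password_digest = password_digest
    @session_token = SecureRandom.hex(32)
  end

  # Rotating the token together with the password invalidates every
  # session issued before the change.
  def admin_set_password(new_digest)
    @password_digest = new_digest
    @session_token = SecureRandom.hex(32)
  end
end

def sign_in(session, user)
  session.clear # drop any pre-login state before binding the session to the user
  session[:user_id] = user.id
  session[:session_token] = user.session_token
end

# Runs on every request: returns the user, or nil after wiping a stale session.
def current_user(session, users)
  user = users[session[:user_id]]
  token = session[:session_token]
  return nil unless user && token
  return user if secure_compare(token, user.session_token)

  session.clear
  nil
end

# Constant-time comparison for equal-length strings.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end
```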

Confirm (as an admin) a User created with Devise

I am using Devise and since my app is in Beta, I want to control which users who have signed up can sign in.
So, even if the confirmation email is sent, how can I make it so that just when an admin has confirmed the account they will be able to sign in? Is there any module in Devise that would let me do so?
All you need to do is add an "approved" attribute to your user table, use admin to change its status and before sign in you can check whether user is approved or not. You can find detailed information here: link

How to save the user preferences temporarily, until the user logs in into the app

Within my Rails app, I would like the user to be able to browse and explore without signing in. However, when the user is trying to create a record, it should let him save it only after he/she is signed in. If the user is not signed in, then it should route him to the signup process. The user should not go through the trouble of creating the record all over again.
For example, the user can go to any shopping site and add items to the cart. While checking out, the user is prompted to sign up / sign in. Even if the user is routed to the sign up page, the items are still present in the cart (the user doesn't have to add them again).
Is there a gem for that? Or how can this be achieved in a Rails app?
In short, what you have to do is create a guest user instance for every user who is not logged in and visits your site. You treat this user as if it was a registered user, persisting everything to the database accordingly. Then when the user comes to the point where he has to register, you alter his guest user details in the database; this way everything he has done as a guest will remain the same.
You can find a screencast explaining exactly how you can achieve your goal here: Guest User Record - RailsCasts
You could store this info in your session, then when the user signs up and logs in to the site, you could show the stored info in the session.

Devise: Authentication after Registration without Confirmable

Use case: User fills out a form to add a product and register at once. When the user has submitted the combined form, the app authenticates the user and is logged in (assume validations passed) without the need to confirm or login.
I've removed the confirmable feature, but when the user fills out the form, it succeeds, but the user doesn't get logged in unless they go to a login form. This isn't such a great experience, so is there a way to register a user and immediately log them in?
What I actually wanted was sign_in(@user) from my controller
If you want to log in without confirmation, then remove the :confirmable option from the devise options in the User model.

unique user login

I'm using forms authentication to log users onto my website.
But what happens if someone is trying to login with the same details from different machines at the same time? Is there a way to check this?
Ideally, I'd like to display a message to the second attempt saying that that user account is already logged in.
Thanks
Hold that information server-side (the list of users that are already logged in). Then, on each login, check if not already in that list.
Whenever a login happens, save the values of Username and Password in Sessions, and after that, for every login, check against the already logged in values in the sessions; if it matches, display a message and don't allow the login.
