How to keep track of logged in users with JSF2 and Servlet 3 - jsf-2

I have a JSF login page using form authentication. I log users in by calling HttpServletRequest.login(username, password). Logging out is done by first calling ExternalContext.invalidateSession() and then calling HttpServletRequest.logout() for the current user.
My plan is to keep track of the logged in user in an application scoped list by adding to the list anytime a user logs in and removing from the list when a user logs out.
I have two concerns with this approach:
If a user that was already logged in tries to log in again without first logging out, I want to invalidate the existing session and do some cleanup. How do I access the session for a given logged in user? I could also use this functionality to forcefully logout some users.
If a session expires (e.g. timeout) I want to remove the user from the list of logged in users. How do I listen for a session expiration?

Maintain a Map<User, HttpSession> logins in application scope yourself. During login, check if logins.put(user, session) doesn't return null and then invalidate it.
Let the User implement HttpSessionBindingListener and implement valueUnbound() accordingly so that it does a logins.remove(this). Or, if you don't have control over User, then implement HttpSessionListener#sessionDestroyed() instead to perform the remove.
Unrelated to the concrete problem, calling HttpServletRequest#logout() is unnecessary if you already invalidate the session. The user is tied to the session anyway.
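One way to implement the answer above, as an added example written for this page (it is not code from the question, the answer or any project; the class name LoginRegistry, the attribute name "user" and the method names are assumptions). It keys the registry by user name rather than by User object, which avoids depending on User.equals/hashCode, and shows both cleanup routes the answer mentions: a User that implements HttpSessionBindingListener, and an HttpSessionListener for when User cannot be changed. Both removals are conditional on the session being the one still registered, so evicting an older session never deletes the newer login's entry.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Application-wide registry of live sessions keyed by user name (hypothetical helper). */
public final class LoginRegistry {

    /** Session attribute under which the logged-in User is stored (assumed name). */
    public static final String USER_ATTR = "user";

    private static final Map<String, HttpSession> LOGINS = new ConcurrentHashMap<>();

    private LoginRegistry() {}

    /**
     * Register a freshly authenticated session; call right after request.login(...)
     * succeeds. A second login by the same user from elsewhere evicts the first.
     */
    public static void register(HttpSession session, String username) {
        HttpSession previous = LOGINS.put(username, session);
        if (previous != null && previous != session) {
            invalidateQuietly(previous);   // fires valueUnbound on the old User
        }
        // Re-login inside the same session: keep the existing User bound, otherwise
        // replacing it would fire valueUnbound and remove the entry just inserted.
        Object bound = session.getAttribute(USER_ATTR);
        if (!(bound instanceof User) || !((User) bound).getName().equals(username)) {
            session.setAttribute(USER_ATTR, new User(username));
        }
    }

    /** Admin-side forced logout; returns true if the user had a live session. */
    public static boolean forceLogout(String username) {
        HttpSession session = LOGINS.remove(username);
        if (session == null) {
            return false;
        }
        invalidateQuietly(session);
        return true;
    }

    public static Set<String> loggedInUsers() {
        return Collections.unmodifiableSet(LOGINS.keySet());
    }

    private static void invalidateQuietly(HttpSession session) {
        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // timed out or invalidated concurrently; nothing left to do
        }
    }

    /** The session-bound user; unbinding happens on logout, timeout and invalidate(). */
    public static final class User implements HttpSessionBindingListener {
        private final String name;

        public User(String name) { this.name = name; }

        public String getName() { return name; }

        @Override
        public void valueBound(HttpSessionBindingEvent event) { /* nothing to do */ }

        @Override
        public void valueUnbound(HttpSessionBindingEvent event) {
            // Conditional remove: if the user has since logged in elsewhere, the map
            // already points at the newer session and must be left alone.
            LOGINS.remove(name, event.getSession());
        }
    }

    /** Alternative when User cannot implement HttpSessionBindingListener. */
    @WebListener
    public static final class SessionCleanup implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent event) { }

        @Override
        public void sessionDestroyed(HttpSessionEvent event) {
            // Attributes are still readable here: the container notifies before invalidating.
            Object user = event.getSession().getAttribute(USER_ATTR);
            if (user instanceof User) {
                LOGINS.remove(((User) user).getName(), event.getSession());
            }
        }
    }
}
```

In the login bean, call LoginRegistry.register(request.getSession(), username) once request.login(username, password) has succeeded; logout stays ExternalContext.invalidateSession(), which unbinds the User and clears the entry. Two caveats: the map holds session objects in one JVM, so in a cluster it only works with sticky sessions or a shared store, and the registry does nothing about session fixation, so still rotate the session id at login (HttpServletRequest.changeSessionId() from Servlet 3.1, or invalidate and recreate the session before calling login()).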

Related

Rails: Understanding cookies/log out users remotely

Admins should be able to log out a user remotely through the admin console.
When a user logs in, a cookie is set with cookies.signed[:user_token]
The cookie is deleted with cookies.delete :user_token when user logs out.
I can only access and delete the cookie for the current user that is sending the requests to my rails controller. The cookies hash only has the :user_token of the current user and the session_store key.
Is it possible to access the cookies of all logged in users and delete them from one account? I can't find any info on this.
An alternative way of doing this:
Keep track of the log-in state (0 or 1) of every user in the database. Every time a user logs in, the state is set to 1.
Allow admins to change the state to 0 through the admin console.
The client browser requests the login state every minute or so. If the state is 0, send a logout request.
What do you guys think about this way of doing it?
As far as I know, cookies are stored in the user's browser. You can't delete them. You could invalidate them somehow, but per user, it would be difficult.
Storing login state in the database should be the solution you are looking for. So when a user comes in, you do the usual authentication and then check database. If 0 you make them login. That way admins can change that one value. Also you gotta put something in to expire the flag in your session table

How to block a specific user from your app?

I have an app that allows users to only log in through Facebook. The backend is Parse. I have many fake users creating accounts and screwing up my app, posting inappropriate things. Is there a way to block a list of Facebook accounts from logging in/using my app? I have the list of their Facebook IDs, but I am not sure how to block them by writing a Cloud Code.
Thank you in advance!
Simply add a new boolean column to your User table to indicate if this user is blocked/blacklisted. Every time a Facebook user gets a new session, their authData field needs to be updated. So you can use the beforeSave trigger on Cloud to check if a user is blacklisted and return an error which prevents them from getting a new token and logging in at all.
Now to block a user, find their session record in the Session table and delete it which invalidates their token and logs them out. Then simply set their blocked field to true. They should not be able to log in to your app any more.
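The two answers above (the Rails database flag and the Parse blocked column plus session deletion) are the same server-side pattern: keep login state where the server can see it on every request, so an admin can end or refuse a login without reaching into the browser's cookie. The following is an added example written for this page, in Java for consistency with the first question rather than in Rails or Cloud Code; it is not code from either answer. The two maps stand in for a users table and a sessions table (hypothetical; swap in your ORM), and the cookie value is an opaque random token looked up server-side rather than a signed user id.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side login state consulted on every request (hypothetical helper). */
public final class AccountControl {

    /** users table row: the 0/1 "logged in" flag plus the blocked flag. */
    static final class UserRow {
        volatile boolean loggedIn;
        volatile boolean blocked;
    }

    /** sessions table row: owner and expiry, so a stale flag cannot live forever. */
    static final class SessionRow {
        final String user;
        final Instant expiresAt;
        SessionRow(String user, Instant expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    private final Map<String, UserRow> users = new ConcurrentHashMap<>();
    private final Map<String, SessionRow> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    public AccountControl(Duration ttl) { this.ttl = ttl; }

    public void createUser(String name) { users.putIfAbsent(name, new UserRow()); }

    /** After the password or Facebook check passed: issue a cookie token, or refuse if blocked. */
    public Optional<String> login(String name, Instant now) {
        UserRow u = users.get(name);
        if (u == null || u.blocked) {
            return Optional.empty();          // the beforeSave-style refusal: no new token
        }
        byte[] raw = new byte[32];            // 256-bit unguessable session token
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new SessionRow(name, now.plus(ttl)));
        u.loggedIn = true;                    // state = 1
        return Optional.of(token);
    }

    /** Per-request check; also what the client's periodic poll calls. Empty means "log out". */
    public Optional<String> authenticatedUser(String token, Instant now) {
        SessionRow s = token == null ? null : sessions.get(token);
        if (s == null) {
            return Optional.empty();
        }
        UserRow u = users.get(s.user);
        boolean expired = !now.isBefore(s.expiresAt);
        if (expired || u == null || u.blocked || !u.loggedIn) {
            sessions.remove(token);           // dead row: drop it on first sight
            return Optional.empty();
        }
        return Optional.of(s.user);
    }

    /** User-initiated logout; the flag goes to 0 only when no other session of theirs remains. */
    public void logout(String token) {
        SessionRow s = sessions.remove(token);
        if (s != null && !hasSession(s.user)) {
            UserRow u = users.get(s.user);
            if (u != null) u.loggedIn = false;
        }
    }

    /** Admin console: set the flag to 0 and delete the user's sessions; the next request or poll sees it. */
    public void adminLogout(String name) {
        UserRow u = users.get(name);
        if (u != null) u.loggedIn = false;
        sessions.values().removeIf(r -> r.user.equals(name));
    }

    /** Parse-style block: refuse future logins and end the current ones. */
    public void block(String name) {
        UserRow u = users.get(name);
        if (u != null) u.blocked = true;
        adminLogout(name);
    }

    /** Housekeeping for the "expire the flag" remark: purge expired rows, reset orphaned flags. */
    public int expire(Instant now) {
        int before = sessions.size();
        sessions.values().removeIf(r -> !now.isBefore(r.expiresAt));
        users.forEach((name, u) -> { if (u.loggedIn && !hasSession(name)) u.loggedIn = false; });
        return before - sessions.size();
    }

    private boolean hasSession(String name) {
        return sessions.values().stream().anyMatch(r -> r.user.equals(name));
    }

    /** Walk-through on constructed data: login, remote logout, then block. */
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");   // constructed clock
        AccountControl ac = new AccountControl(Duration.ofMinutes(30));
        ac.createUser("alice");
        String token = ac.login("alice", t0).get();
        System.out.println("after login:        " + ac.authenticatedUser(token, t0));
        ac.adminLogout("alice");
        System.out.println("after admin logout: " + ac.authenticatedUser(token, t0));
        String second = ac.login("alice", t0).get();
        ac.block("alice");
        System.out.println("login while blocked: " + ac.login("alice", t0).isPresent());
        System.out.println("old token, blocked: " + ac.authenticatedUser(second, t0.plus(Duration.ofHours(1))));
    }
}
```

Because the flag is checked on the server for every request, the client-side poll in the Rails question becomes a convenience for updating the UI promptly rather than the thing that enforces the logout; a user who never polls is still refused on their next real request. Run expire() from a scheduled job so sessions that time out without a logout request do not leave the flag at 1.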

Conserve the action and execute after logging in - iOS

Consider this following scenario:
Suppose you are building an account-based application where you can access some parts of the application without having to log into an account. But when the user wants to access a part of the application that needs them to be logged in, we direct them to the LoginViewController, and the user then logs in successfully. There are multiple places where this is happening, and there is a single callback after the user is logged in: didUserLoginSuccessfully. Now, the problem here is that the user expects to resume whatever they were doing earlier, but to give them that experience we don't have that information saved -- the methods and variables needed to perform the operations once the user is logged in.
I solved this using the concept of blocks. Saving all the methods that were to be performed if the user is logged in inside a block variable and executing it in the login callback using [block invoke].
Is this the right approach? Are there any better ways to do it?

QuickBlox IOS session expired renew

This question has multiple facets which regards an application that has a login, along with instant messaging i.e. QBChat. All of these questions kind of relate.
1) When a user logs in, I create a session, log the QBUser in, and log the QBUser in to QBChat. Is it common practice, when a user logs out, to log out of QBChat, log out of QBUser and destroy the session?
2) Currently, when the application is sent to the background, I log the user out of QBChat, QBUser and destroy their session, and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the user's session doesn't expire while the application is in the background. Is there any other way to automatically renew sessions when the application is in use?
3) Finally, this question relates back to the second one: if I am using the application and the session expires, is there a callback function that will be called if the session expires? So if I use the application for 2 hours straight and the session expires, is there any way I can get an indication that it expired and either manually renew it or have it done automatically?
1) When a user logs in, I create a session, log the QBUser in, and log the QBUser in to QBChat. Is it common practice, when a user logs out, to log out of QBChat, log out of QBUser and destroy the session?
Yes, it's a common pattern.
Two things that you need to know:
you can create session and login in 1 query http://quickblox.com/developers/IOS#A_couple_of_words_about_Authentication_and_Authorization
you don't need to do QBUser logout and destroy a session, you can just destroy a session. It's enough.
2) Currently, when the application is sent to the background, I log the user out of QBChat, QBUser and destroy their session, and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the user's session doesn't expire while the application is in the background. Is there any other way to automatically renew sessions when the application is in use?
3) Finally, this question relates back to the second one: if I am using the application and the session expires, is there a callback function that will be called if the session expires? So if I use the application for 2 hours straight and the session expires, is there any way I can get an indication that it expired and either manually renew it or have it done automatically?
I do only QBChat logout. You don't need to destroy session every time.
You can recreate session if need without destroy it before.
To check session expiration datetime use
NSDate *sessionExpirationDate = [QBBaseModule sharedModule].tokenExpirationDate;

Managing iOS app UI state based on user being logged in or not

I have an app which presents a login screen on first launch. When the user logs in, I give them an option to remain logged in. This establishes a session with an expiry on my server. What's the most appropriate way to do the following things:
Store whether the user is logged in or not.
Present the user with a login or logout option on application launch based on the validity of their session.
End their current session if they choose to logout (or if their session is expired).
I'm guessing this is a common design pattern and there should be tried and tested ways to do this but I seem to be using the wrong terms to search because I haven't found a satisfactory answer.
Some ideas:
I would suggest you store your sensitive session information in the application's Keychain. I wouldn't store the state of whether the user is logged in or not there; just keep that in memory. Your web service should be able to return an error when the session ceases to exist, or if the user has logged out.
If the backend determines the session's validity, then you should have a RESTful call where you can pass the session information, returning whether the session is still valid.
Again, if they choose to logout, then you could perform another call to your backend passing the session information.
For the Keychain, use the KeychainItemWrapper from Apple's examples.
