I'm using forms authentication to log users onto my website.
But what happens if someone is trying to login with the same details from different machines at the same time? Is there a way to check this?
Ideally, I'd like to display a message to the second attempt saying that that user account is already logged in..
Thanks
Hold that information server-side (the list of users that are already logged in). Then, on each login, check if not already in that list.
When ever a login happens save the values of Username and Password in Sessions and after that for every login check with the already logged in values in the sessions, if matches display a message and dont allow to login.
Related
I'm using firebase authentication for my app and I have the users sign up, login, and log out all set up and going. However, I'm a little confused on how to manage the state of the users login status. Currently, if a user is logged into the app, but doesn't use the app for an extended period of time, firebase doesn't recognize them as logged in. I'm looking at the documentation and the approach is a bit unclear.
Should I be storing a FIRAuthCredential every time the user logs in, and then call reauthenticateWithCredential using that credential?
Firebase Auth only requires recent sign-in for sensitive operations like: deleting a user, changing a user's email or password. These are for obvious reasons. You want to make sure it is the same user before making such sensitive changes. Otherwise, the user is considered signed in indefinitely by the Firebase Auth backend (your assumption that "firebase doesn't recognize them as logged in" is not correct). Of course, a developer may also require re-auth before other operations like updating credit card, shipping address, etc. A developer would check the auth_time on the Firebase ID token. Only in such cases would you re-auth. You should never store credentials such as password on the client to avoid prompting the user to reauthenticate. It is needed to protect the user's account.
yes I think that is going to be right approach or second approach you can try is like when a user press login button instead of directly calling Authenticate User put a check in which last login timestamp value will be stored when user login compare timestamp value and then perform selected operation as you want . NOTE - you will be required to check weather user exist or not , but I think first approach will be better as if you had noticed in many Social apps like kik it ask for reauthentication after a long period of time but first it authenticate user instead of displaying home screen it take to reAuthenticate screen
Context
I am using Parse.com as my backend for a mobile app. I use Facebook login only for now.
Assuming the user has logged in with Facebook and now has an account created on Parse already.
Question
Every time the user opens the app, should I do a check if his account is still valid by using PFUser.currentUser().become()? Or should I use the cached PFUser.currentUser()?
I have found out that if I delete the user account in the Parse backend, if I don't do a become(), the PFUser.currentUser() is still valid, even if the account does not exist anymore.
What is the best practice?
It's generally better to add a column to the user such as 'disabled', and when the app starts you can refresh the user, check that flag and display a message to the user and logout. That, from a user point of view, is similar to using become (at least as long as you check and notify the user).
So, you should do something if you're going to be removing or disabling users in the background. The main question is wether you fully delete the account or just delete the contents but leave the (empty) user in the system as a record.
Is it possible to send an email with a user with a link that automatically sign him in based on authentication_token or something similar? (No login required).
Sure, it is possible. Just send a link to login with a query string containing the username that should be logged in. When your login code gets this, sign the user in.
Just be sure to generate a unique token instead of just using email/username
And also you should tell users that the link can be used to sign in since they might forward it to others.
I intend to build a customized logic on Devise on Rails. Here is the logic: user can try to login, and if the does not exist, then it will create the account for the user. Just to skip the registration process.
Now sure how to hack into Devise. Please help!
Thank you in advance!
Edit: Sorry that I didn't make it clear enough: I have implement the on-create-validation on the user model to authenticate with another system. Logic is:
If success with another system's authenticator, then create a new user with the same password and login user.
Else login fail.
You know that if someone make typo he will create new account and will be mad that all of his/her stuff disappeared? When there is small amount of user then it isn't problem. But when your society will grow then it can make you some black-PR. You should rather check by AJAX call that there is user with that email/username/nick and if not then show the registration form, but on other hand this can be security issue if your users are signing in using non-public data like email or if username is different from nickname shown on your page.
Why would you want to skip the registration process? I don't see any benefits.
First, the user can enter the wrong username or password by accident.
Second, the user can enter the right username, but the wrong password. So he/she already is a registered user, but still get a new account.
Third, when a new user is automatically registered, how does the user actually now what his username or more importantly, his password will be?
Personally, why not just add "Remember Me" or "Forgot Password?" to your login form. If, for any reason, the user doesn't want to enter his login data or simply doesn't know his password required to login he can use these options.
Or, if you are working with permissions, why not just make a guest user if someone is not logged in?
What if they type in the wrong password or username on accident? Then you just automatically create them an account? IMO that would be a bad user experience. You either know your account or you don't. If you have an account and can't remember then you use the 'Forgot my ...'. If you don't have an account, then you go signup. You could implement oAuth and use accounts from a multitude of sites (i.e. Github, Twitter, Facebook, etc.) that would make it easier.
Within my rails app, I would like the user to be able to browse and explore without signing in, However, when the user is trying to create a record, it should let him save it only after he/she is signed in. If the user is not signed in, then it should route him to the signup process. The user should not go through the trouble to creating the record all over again.
For example, the user can go to any shopping site, add items to the cart. While checking out, the user is prompted to signup/ sign in. Even if the user is routed to the sign up page, The items are still present in the cart (the user doesn't have to add them agn)
Is there a gem for that? or how can this be achieved in a rails app.
Shortly, what you have to do is to create a guest user instance for every user which is not logged in and visits your site. You treat this user as if it was a registered user, persisting everything to the database accordingly. Then when the user comes to the point he has to register you alter his guest user details on the database, this way everything he has done as a guest will remain the same.
You can find a screencast explaining exactly how you can achieve your goal here: Guest User Record - RailsCasts
You could store this info in your session, then when the user signs up and logs in to the site , you could show the stored info in the session.