Pros and cons closing a browser while session variable is set in rails 3 app - ruby-on-rails

Just wanted to know:
In my Rails 3 app, when a user logs in, I store their id in a session variable like this:
session[:id] = @user.id
I noticed that when I log in and then close the browser, the session is destroyed. Is this wise to do, or is it better to create a logout feature to destroy the session? What can go wrong if I leave it as is?
Thanks for the help

I noticed that when I login and then close the browser the session is destroyed. Is this wise to do.
If this is happening then it's good that the session gets expired/destroyed when the user closes the browser. This is what is mostly done on websites. But it can be hard when you are trying to provide "remember me" or "always sign in" functionality. In that case you might not have to destroy the session when the browser is closed.
or create a logout feature to destroy the sessions.
You can create a logout feature to destroy the session, but call it when the user hits the logout link.

Related

How to detect if a user has another user's session in Rails?

We are experiencing a bizarre, very rarely occurring bug where a user will be logged into another user's account.
We are on Rails 4.2. We use authlogic for authentication and dalli as our memcached client, with memcache as the session store.
I haven't been able to figure out what is causing the issue, but the worst part is that even if I did have a hypothesis I wouldn't know how to confirm whether it worked or not.
I would like to find some way to log if a user has been given the wrong session, both to help debug the problem and to determine if a potential fix works.
I'm just not sure if it's possible. If the user's cookie has the wrong session ID, how can I possibly figure that out?
Try going back to signed, encrypted cookie session store. Use memcached for frequently accessed items, like the user record. Load the user model from memcached instead of the database.
If you really want to log session hijacking, then log the user's IP address. If the IP address suddenly changes, as if they were logged in in one place and then all of a sudden are making requests from another place, then maybe another user hijacked their session cookie?
http://guides.rubyonrails.org/v5.0/security.html#session-hijacking
Be aware that using Tor would show that pattern, as it generates a new route every ten minutes, but that doesn't mean the session was stolen or mixed up.
If you are not using signed or encrypted cookies, then it allows JavaScript or malicious ads to steal the session id and send it back to the attacker's server.
It could also be that your session ids are not secure or random enough. Maybe a new session id overwrites another session id in memcached? Since you are using a different session store, maybe you customized the session identifier?
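The answer above suggests logging the client IP and watching for sudden changes. The following is an added example, not code from the original thread, that runs that check over a few constructed request-log lines and also catches the symptom the question is actually about: one session id being served to two different user ids. The log format (time, ip, session id, user id, path) is an assumption; a Rails app can emit these fields from `request.remote_ip`, `session.id` and `current_user.id`.

```ruby
# Added example (not from the original thread): scan constructed request-log
# lines for a session id that jumps between client IPs and for a session id
# that resolves to more than one user id (the "wrong session" bug).
LogEntry = Struct.new(:time, :ip, :session_id, :user_id, :path)

# Constructed sample log (fields: time ip session_id user_id path).
# Session s1 changes IP mid-session; session s2 is handed to two users.
SAMPLE_LOG = <<~LOG
  2016-03-01T10:00:00Z 203.0.113.10 s1 42 /dashboard
  2016-03-01T10:01:00Z 203.0.113.10 s1 42 /orders
  2016-03-01T10:02:00Z 198.51.100.7 s1 42 /orders
  2016-03-01T10:03:00Z 203.0.113.20 s2 7 /dashboard
  2016-03-01T10:04:00Z 203.0.113.20 s2 9 /dashboard
  2016-03-01T10:05:00Z 203.0.113.30 s3 11 /dashboard
LOG

# Parses the whitespace-separated format above; malformed lines are skipped.
def parse_log(text)
  text.each_line.map do |line|
    fields = line.split
    LogEntry.new(*fields) if fields.size == 5
  end.compact
end

# Walks entries in order and returns anomaly hashes:
#   { type: :ip_change,  ... } the session id was last seen from a different IP
#   { type: :user_mixup, ... } the session id has been attached to two user ids
def detect_session_anomalies(entries)
  last_ip  = {}
  owner    = {}
  findings = []
  entries.each do |e|
    prev_ip = last_ip[e.session_id]
    if prev_ip && prev_ip != e.ip
      findings << { type: :ip_change, session_id: e.session_id,
                    from: prev_ip, to: e.ip, time: e.time }
    end
    last_ip[e.session_id] = e.ip

    first_user = owner[e.session_id]
    if first_user && first_user != e.user_id
      findings << { type: :user_mixup, session_id: e.session_id,
                    users: [first_user, e.user_id], time: e.time }
    end
    owner[e.session_id] = first_user || e.user_id
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  detect_session_anomalies(parse_log(SAMPLE_LOG)).each { |f| puts f.inspect }
end
```

An `:ip_change` finding on its own is noisy (Tor, mobile carriers and corporate proxies all produce it), so treat it as a lead. A `:user_mixup` finding cannot be explained by client behaviour and is the signal to alert on while testing a fix.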

How current_user works in devise rails

I have been using the devise gem for authenticating my Rails app for some time now, and I just began to wonder how current_user works.
How does devise save the current_user?
Browser session?
Application session?
Some other part of the application?
I am suspecting that the answer is number one, browser session. The reason being that even when an app gets restarted, and you try to access the app again from a browser that has already been used to sign in, it automatically signs you in.
My confusion though is this: if it is the browser session, it means that when the browser relaunches (the session was ended) current_user should be expired and the user signed out; but it does not work that way.
So, how does current_user operate? Thanks for all contributions.
current_user works by storing the id of the current user in the application session. Most commonly the session is stored in cookies. Whether or not the cookies survive a browser restart depends on the client's browser settings.
If you have clicked remember_me, it stores a signed token unique to the user in a permanent cookie in the browser. It is saved in the database also.
When current_user is called again, Rails checks if the permanent cookie exists; if so, it compares it with the one in the database. If they are the same, you are logged in as that user.
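Both the first thread (why the session disappears when the browser closes) and the answer above (how a remember-me token survives it) come down to two cookies that differ only in signing and expiry. The block below is an added example, not Rails or Devise code: it builds a signed cookie value, emits a Set-Cookie header with and without an Expires attribute, and issues a remember token whose SHA-256 digest (never the raw token) is kept server-side. `SECRET_KEY_BASE` and the `REMEMBER_TOKENS` hash are constructed stand-ins for Rails' secret_key_base and a users.remember_token_digest column.

```ruby
# Added example (not from either thread, nor from Rails/Devise): a minimal
# signed cookie, a session cookie versus a persistent "remember me" cookie,
# and a remember token stored server-side only as a digest.
require 'openssl'
require 'securerandom'
require 'digest'
require 'base64'
require 'json'
require 'time'

# Assumption: stands in for Rails' secret_key_base; a real one is long and random.
SECRET_KEY_BASE = 'constructed-example-secret-do-not-reuse'

# Constant-time comparison so MAC and token checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# base64(payload)--hex(HMAC-SHA256): the client can read it but cannot alter it.
def sign(payload)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET_KEY_BASE, data)}"
end

# Returns the payload when the MAC checks out; nil for missing, malformed or forged cookies.
def verify(cookie)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  return nil unless secure_equal?(mac, OpenSSL::HMAC.hexdigest('SHA256', SECRET_KEY_BASE, data))
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end

# Without Expires (or Max-Age) the browser treats this as a session cookie and
# drops it on close, unless a "continue where I left off" setting keeps it.
def set_cookie_header(name, value, expires: nil)
  attrs = ["#{name}=#{value}", 'Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax']
  attrs << "Expires=#{expires.httpdate}" if expires
  attrs.join('; ')
end

# Assumption: in-memory stand-in for a users.remember_token_digest column.
REMEMBER_TOKENS = {}

# Issue a remember-me cookie: random token in the cookie, SHA-256 digest in the store.
def issue_remember_token(user_id, ttl_seconds, now: Time.now)
  raw = SecureRandom.urlsafe_base64(32)
  REMEMBER_TOKENS[user_id] = { digest: Digest::SHA256.hexdigest(raw), expires_at: now + ttl_seconds }
  sign(JSON.generate(user_id: user_id, token: raw))
end

# Resolve a remember-me cookie to a user id, or nil if forged, unknown or expired.
def user_from_remember_cookie(cookie, now: Time.now)
  payload = verify(cookie)
  return nil if payload.nil?
  data = JSON.parse(payload)
  record = REMEMBER_TOKENS[data['user_id']]
  return nil if record.nil? || now > record[:expires_at]
  secure_equal?(Digest::SHA256.hexdigest(data['token'].to_s), record[:digest]) ? data['user_id'] : nil
rescue JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  two_weeks = 14 * 24 * 3600
  puts set_cookie_header('_app_session', sign(JSON.generate(id: 42)))
  puts set_cookie_header('remember_user_token', issue_remember_token(42, two_weeks),
                         expires: Time.now + two_weeks)
end
```

Signing is what stops a client from editing the user id inside the cookie; it does not hide the value (that needs encryption) and it does not stop a script from reading a cookie that lacks HttpOnly. Storing only the digest means a leaked database dump cannot be replayed as remember-me cookies.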

Ruby on rails does not clear browser cache when session ends

I am using the Devise gem to handle login/logout on my website. On the client I use AngularJS; the cache is DSCacheFactory.
I have an issue with the browser cache or AngularJS cache: the cache still stores the old value when the session has ended.
Example:
login user A
logout user A
login user B
website shows user A.
I expect that after user B logs in the website shows user B.
The Angular DSCacheFactory just clears the browser cache when entries expire.
How can I clear DSCacheFactory's user A after logging in user B (session ends)?
I know that this post is old, but for future reference if someone needs a solution to the described problem.
You have to check if a user is currently signed in with some account, and on a new sign-in attempt just invalidate the previous session.
If you override Devise::SessionsController and its create action with this code you should see the expected result. It works correctly with the angular_devise library
https://github.com/cloudspace/angular_devise
class SessionsController < Devise::SessionsController
  def create
    # A new sign-in while someone is still signed in: drop the old session first
    if user_signed_in? && params[:user].present?
      sign_out(current_user)
    end
    super
  end
end

Rails Authlogic prevent multiple login

I am using Rails Authlogic and I want to prevent the same user from logging in twice at the same time. I found a way to invalidate all user sessions and allow only the new one (sign out the user from any other device and only allow the new one), but that is not what I want; I want to prevent the new login and keep the already logged-in one.
You may refer to this site. I think this site is suitable for your question: click here

QuickBlox IOS session expired renew

This question has multiple facets regarding an application that has a login, along with instant messaging, i.e. QBChat. All of these questions kind of relate.
1) When a user logs in, I create a session, log the QBUser in, and log the QBUser in to QBChat. Is it common practice, when a user logs out, to log out of QBChat, log out the QBUser and destroy the session?
2) Currently, when the application is sent to the background, I log the user out of QBChat, log out the QBUser and destroy their session, and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the user's session doesn't expire while the application is in the background. Is there any other way to automatically renew sessions when the application is in use?
3) Finally, this question relates back to the second one: if I am using the application and the session expires, is there a callback function that will be called when the session expires? So if I use the application for 2 hours straight and the session expires, is there any way I can get an indication that it expired and either manually renew it or have it done automatically?
1) When a user logs in, I create a session, login the QBUser in, and log in the QBUSer to QBChat. Is is common practice, when a user logs out to log out of QBChat, log out of QBUser and destroy the session?
Yes, it's a common pattern.
Two things that you need to know:
you can create a session and log in in 1 query http://quickblox.com/developers/IOS#A_couple_of_words_about_Authentication_and_Authorization
you don't need to do a QBUser logout and destroy a session; you can just destroy the session. It's enough.
2) Currently, when the application is sent to the background, I log the user out of QBChat, QBUSER and destroy their session and when the user comes back I create a new session and log them back in to everything. I do this to make sure that the users session doesn't expire when while the application is in the background. Is there any other way to automatically renew sessions when the application is in use?
3) Finally, this question relates back to the second one, if I am using the application and the session expires, is there a call back function that will be called if the session expires? So if I use the application for 2 hours straight, and the session expires is there anyway I can get a indication that it expired and either manually renew it or have it done automatically?
I only do a QBChat logout. You don't need to destroy the session every time.
You can recreate a session if needed without destroying it first.
To check the session expiration datetime use
NSDate *sessionExpirationDate = [QBBaseModule sharedModule].tokenExpirationDate;