Intershop: Is there a pipeline I can call from the browser to clear the session? - intershop

I need to provide the user with a way to start over. I'd like to clear the secured session cookie with a pipeline call but have found nothing in the docs.

I tried that once to reset a site session while the user logs out. The easiest way was to set the cookies in delete mode:
sid
pgid-[site]
SecureSessionID-[ID]
AuthenticationStateToken-[ID]
You can use the SetCookie-Pipelet for this. No custom-code is required.
Don't forget about all the other cookies your site sets: wishlist, cart, user, ... They might pull things into the new session you don't want to have.
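
The cookie reset described above, shown at the HTTP level as an added example (not part of the original answer and not Intershop code): it picks the listed cookies out of a request's Cookie header and builds the expiring Set-Cookie values that make the browser drop them. The sample header, the Path of "/" and all function names are assumptions; a browser only discards a cookie when the expiring header carries the same Path and Domain the cookie was set with.

```python
import re

# Name patterns for the cookies listed in the answer. "[site]" and "[ID]" are
# deployment-specific suffixes, so they are matched instead of hard-coded.
SESSION_COOKIE_PATTERNS = [
    re.compile(r"sid"),
    re.compile(r"pgid-.+"),
    re.compile(r"SecureSessionID-.+"),
    re.compile(r"AuthenticationStateToken-.+"),
]
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"

# Constructed sample request header (not captured from a real shop).
SAMPLE_COOKIE_HEADER = (
    "sid=abc123; pgid-demo-Site=xyz; SecureSessionID-deadbeef=s3; "
    "AuthenticationStateToken-deadbeef=t0; lang=en; cart=42"
)

def parse_cookie_names(cookie_header):
    """Return the cookie names present in a Cookie request header."""
    names = []
    for part in cookie_header.split(";"):
        name, sep, _value = part.strip().partition("=")
        if sep and name:
            names.append(name)
    return names

def is_session_cookie(name, extra_names=()):
    """True for the session cookies above and for site-specific extras."""
    return name in extra_names or any(
        p.fullmatch(name) for p in SESSION_COOKIE_PATTERNS
    )

def deletion_headers(cookie_header, path="/", extra_names=()):
    """Build Set-Cookie values that expire each matching cookie.

    An empty value with Max-Age=0 and a past Expires tells the browser to
    discard the cookie. `path` is an assumption and must equal the original.
    """
    return [
        f"{name}=; Max-Age=0; Expires={EPOCH}; Path={path}; Secure; HttpOnly"
        for name in parse_cookie_names(cookie_header)
        if is_session_cookie(name, extra_names)
    ]
```

Pass site-specific cookies such as the cart or wishlist through `extra_names`. Expiring cookies only changes the browser's state; whether the server-side session is invalidated as well depends on the logout logic.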

Found the default pipeline - ViewUserAccount-LogoutUser.
That seemed to do the trick.

Related

Can and Should I cache symfony2 getUser()

I am using Symfony (current version 2.6.4). Whenever I want to check if a user is logged in (I am also using FOSUserBundle) I use $user = $this->getUser(); in my controller, which works out just fine, but if I open 10 links in 1 second this query is repeated for all 10 pages in that second, not so ideal in my opinion. So my question is: is there a way to cache this query for, say, 60 seconds, and is it even advisable? Will it affect new registrations or something? I am using APC as my doctrine cache, but if someone knows the answer please also tell us how to use other ways in case other people also wonder how to do this. Thanks.
To start with, SQL databases do a good job of automatically caching queries. So while there is some overhead in composing and sending the query to the server, the server itself will respond very quickly. You won't save much by adding another cache.
Should you still try and optimize? In your example of 10 requests per second one assumes that the requests are actually doing something besides getting the user. It's up to you to decide if caching the query will actually speed things up. In most cases the answer will be no. Trying to save every possible microsecond is called premature optimization and is something to avoid.
Having said that, it's worthwhile to look at what the security system is doing. Selected user information is stored in the session. You can use the debug profile bar to look at it. For each request, the security system pulls the user out of the session and then calls $user = $userProvider->refreshUser($user); By default, refreshUser is what causes the database to be queried.
You can easily plug in your own user provider (http://symfony.com/doc/current/cookbook/security/custom_provider.html) which just returns $user. No database interaction at all. Of course if the user's database information does change then they will need to log out and then log back in to see the changes. Or do something else to trigger a real refresh. But for many apps, not refreshing at all will work just fine.
It would also be easy enough to put a time stamp into the session. Your refreshUser method could then use the time stamp to decide if a refresh was actually needed.
So it's easy enough to eliminate the query and actually worthwhile just as a learning experience. Security is one of the more complicated components. The more you understand it the better off you will be. Customizing a user provider is one of the easier things to do.
I just saw your comment about the OAuthBundle. I have not used the bundle in a while. Implemented my own but I'm surprised that it's hitting the oauth server on each request. If it is then this would in fact be a good use case for overriding the user provider. But I'd be surprised if it was really doing that just for user information.
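
The timestamp idea from the answer above, as an added example (not part of the original answer, and a framework-neutral Python model instead of Symfony or FOSUserBundle code): the user is re-read from the database only when the timestamp stored in the session is older than a TTL. The class, the session keys and the `enabled` field are hypothetical names chosen for this example.

```python
import time

REFRESH_TTL = 60  # seconds; the window suggested in the question

class TimestampedUserProvider:
    """Model of a refreshUser step gated by a timestamp kept in the session."""

    def __init__(self, load_user, ttl=REFRESH_TTL, clock=time.time):
        # load_user(user_id) -> dict or None stands in for the database query.
        self._load_user = load_user
        self._ttl = ttl
        self._clock = clock

    def refresh_user(self, session):
        """Return the user for this request, or None if there is no valid user."""
        user = session.get("user")
        if user is None:
            return None
        now = self._clock()
        if now - session.get("user_refreshed_at", 0) < self._ttl:
            # Still inside the window: serve the session copy, no query.
            return user
        fresh = self._load_user(user["id"])
        if fresh is None or not fresh.get("enabled", False):
            # Account deleted or disabled since the last refresh: drop it
            # from the session so the request is treated as anonymous.
            session.pop("user", None)
            session.pop("user_refreshed_at", None)
            return None
        session["user"] = fresh
        session["user_refreshed_at"] = now
        return fresh
```

The TTL is also the longest time a disabled account or a changed role keeps working from the session copy, so it should be chosen with that in mind.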

Number of sessions in Symfony2

I am using Symfony 2.
Session is created by Symfony2 whenever user login is successful.
Is there way to get the count of active session?
Do I have to write any code to get this information?
There is no way in symfony2 to do this. You will have to build custom logic to do this.
If you write "lastLoginDate" to database, you could try to use this to estimate how many users logged in the last hours. In addition, you could check the "session.gc_maxlifetime" php.ini setting to know how long a php session stays alive.
This post is also nice to read
http://www.symfony-grenoble.fr/en/238/list-online-users/

Floating licenses in ASP.Net - releasing properly a license

I'm implementing a floating licenses module in my ASP.Net website (Framework 4).
So far, I've chosen to assign a license to a user within my LoggedIn method and it works like a charm.
Now, I want to deal properly with the user's disconnection.
Is it correct to react to both the LoggedOut method and the Session_end? It seems like duplicating code to me...
What would be the best place(s) to handle a proper disconnection?
Edit :
I plan on storing each user's license within a session variable.
You could simply put your code in the Session_End & terminate the session when the user logs out.
To terminate the session use:
Session.Abandon();
http://msdn.microsoft.com/en-us/library/system.web.sessionstate.httpsessionstate.abandon(v=vs.100).aspx
You might also want to read this page regarding Session-State events:
http://msdn.microsoft.com/en-us/library/ms178583(v=vs.100).aspx
The Session_OnEnd event is supported only when the session state Mode property is set to InProc, which is the default.

How to get Session Data with out having HttpContext.Current, by SessionID

I am searching for a way to read and write session data without having HttpContext.Current.
Why do I want to do that? Because I wish to perform some action with the user Session after the page has been closed and unloaded.
For example, a user loads and sees a page, then I create a thread to perform some action and let the user go. Inside this thread I would like to read the session data, but in this case HttpContext.Current does not exist any more.
So is there a way to read Session Data knowing just the session id?
I store my sessions inside an SQL server, and I see them. It's there in table ASPStateTempSessions :)
How can I read them "offline" and manipulate them?
Thank you in advance.
Still not quite clear why you might want to do that but you might not actually need to do it on Session_End(). At that point, it may be too late for you to work with the session data anyway (I've read some articles before about this). What might be a better solution is to actually attempt to work on the session data when your application actually has the context.
For example:
There's nothing to stop your application creating an asynchronous request on a new thread in the background (or even a different application, such as a Windows Service, for instance) when the specific session variable that you want is updated or has been set. This way, your application will be able to access the current HttpContext as well as all of the session data.
Not sure if this helps, but it was worth a shot ;)
Richard.
I may be a little late but...
Today I found out about:
System.Web.HttpRuntime.Cache
I know it is not the same as a session, but I think it's a much better alternative than the db.
Regards.

ASP.NET mixed windows/forms authentication problem with session objects

Weird problem here, we're running a few mixed environment web applications, that use Windows or Forms authentication depending on where the user comes from.
I'm curious how everyone else might be handling expired sessions to avoid the errors you would get from someone leaving an idle session open for too long and then trying to resume work, mainly looking for best practices on the subject.
Any suggestions or opinions would be greatly appreciated.
Thanks,
I'm not sure how your authentication method affects session timeouts, the mechanism they use to get in shouldn't affect how long they can stay in.
Generally speaking, if someone does have an expired session, you can add code to check to see if their session is active. If it isn't, just redirect them to a login page, or display some other friendly text.
Basically something like:
if (Session.IsNewSession)
    Response.Redirect("login.aspx");
Don't store unnecessary information on the session.
If you are storing something you can reload, have the appropriate code that will reload it if it wasn't found in the session
Consider if some processes are meant to be handled in long periods of time, in which case save intermediate info to the database.
If the user is doing a process that uses the session, and the data is missing, take them to step 1 (not much you can do about it, if you don't have the info elsewhere).
