OnDisconnect and Logged on Users after recycle? - signalr

I've read that OnDisconnect (server side) can sometimes be bypassed (application recycle, etc.):
The OnDisconnected method doesn't get called in some scenarios, such
as when a server goes down or the App Domain gets recycled.
And so I ask:
When a user connects, I generate a token for him, keep it in the user cookie, and when OnConnect is called, I attach a connectionId to that token.
(In the same way, when OnDisconnect is called, I set a value in dateDisconnected.)
This will also support 2 connected users (same browser).
Example:
id   tokenId   ConnectionID   DateCreated   dateDisconnected
------------------------------------------------------------
1    500       {1234-1234}    06-07-2013    null
2    500       {5432-5432}    06-07-2013    null
And here is the problem:
What will happen if a user has logged in (so I write this user in my DB as logged in), does some chat, and then the server is restarted?
The client will try to reconnect and after 30 seconds it will stop.
But then, when the server is UP (after an hour), I STILL HAVE A LOGGED ON USER IN MY DB, and he is NOT (well, not with that connection ID anyway...).
How can I solve this kind of problem?

The best way to solve this problem is to log everyone out on application start, aka in your case invalidate/delete all logged in token rows. Therefore whenever the server comes up the application is in a fresh state with no one logged in.
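As an added illustration of that answer (not code from the question or the answer), the following models the token/ConnectionID table from the question in SQLite: the two hub handlers are plain functions, and a startup sweep stamps dateDisconnected on every row still open, since no connection from before the restart can still exist. Names such as on_application_start and simulate_restart are this example's own.

```python
import sqlite3
from datetime import datetime, timezone

# Same columns as the table in the question (constructed schema).
SCHEMA = """
CREATE TABLE connections (
    id               INTEGER PRIMARY KEY AUTOINCREMENT,
    tokenId          TEXT NOT NULL,
    ConnectionID     TEXT NOT NULL UNIQUE,
    DateCreated      TEXT NOT NULL,
    dateDisconnected TEXT
)"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def on_connected(db, token_id, connection_id):
    """Hub OnConnected: bind the browser's token to this connection id."""
    db.execute("INSERT INTO connections (tokenId, ConnectionID, DateCreated) VALUES (?, ?, ?)",
               (token_id, connection_id, now()))

def on_disconnected(db, connection_id):
    """Hub OnDisconnected: never runs if the AppDomain is recycled mid-connection."""
    db.execute("UPDATE connections SET dateDisconnected = ? "
               "WHERE ConnectionID = ? AND dateDisconnected IS NULL", (now(), connection_id))

def on_application_start(db):
    """Startup sweep: close every row left open by a crash or recycle. Returns rows closed."""
    cur = db.execute("UPDATE connections SET dateDisconnected = ? WHERE dateDisconnected IS NULL",
                     (now(),))
    return cur.rowcount

def is_logged_in(db, token_id):
    """A token counts as logged in while it has at least one open connection."""
    (open_rows,) = db.execute("SELECT COUNT(*) FROM connections "
                              "WHERE tokenId = ? AND dateDisconnected IS NULL", (token_id,)).fetchone()
    return open_rows > 0

def simulate_restart():
    """Two tabs for token 500; one closes cleanly, the server recycles before the other does."""
    db = open_store()
    on_connected(db, "500", "{1234-1234}")
    on_connected(db, "500", "{5432-5432}")
    on_disconnected(db, "{1234-1234}")   # clean close, OnDisconnected fired
    # server recycled here: OnDisconnected for {5432-5432} never fires
    stale = is_logged_in(db, "500")       # still True: the ghost row from the question
    closed = on_application_start(db)     # sweep closes the 1 orphaned row
    return stale, closed, is_logged_in(db, "500")
```

On a web farm, scope the sweep to the restarting node (for example by storing a server id per row), otherwise one node's restart logs out users connected to the others.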

Related

login_throttling is reset by correct username/password

I have added login throttling to my Symfony app. If I try to log in 5 times in a row in the same minute with invalid credentials, I get a TooManyLoginAttemptsAuthenticationException in the onAuthenticationFailure method of my authenticator; so far so good.
But if I try to log in with correct credentials in the same minute after the TooManyLoginAttemptsAuthenticationException, I was expecting to get the same error, but I'm actually successfully logged in.
Am I missing something?

How can I be informed when logged out by server in Meteor

I often get a message like the following when using my Meteor app:
09-15 22:42:52.400 3233 3233 I chromium: [INFO:CONSOLE(970)] "Error logging in with token: Error: You've been logged out by the server. Please log in again. [403]", source: http://localhost:12056/packages/meteor.js?hash=9725414143125e6990547986c27b473f43c89e8b (970)
I think it's because the token has expired for some reason (for example, when I use Accounts.setPassword to change the user's password by force on the server side, I will surely get this at the next login attempt).
I don't want to know how to solve this problem; I want to know whether there is an event or something else by which I can be informed when logged out by the server, because I decide whether to go to the "main" page or the "login" page by whether Meteor.userId() has a value. When logged out by the server, even though Meteor.userId() has a value, the last login state is already invalid and re-login is needed.

SqlConnection.ChangePassword new password does not work immediately

I inherited a web application that uses individual SQL accounts for authentication. I need to update the login procedure to use a different type of hash.
Pseudo code:
if (login(newhash(password)) == 0)          // login using new hash function doesn't work
{
    if (login(oldhash(password)) == 1)      // login with old hash works
    {
        SqlConnection.ChangePassword(connstr);
        login(newhash(password));           // this second login is the one that fails
    }
}
The problem is that the second login(newhash(password)) does not work immediately. If I put a System.Threading.Thread.Sleep(5000) between the ChangePassword and the login, then it works. The SqlConnection is closed properly when doing the login().
I also tried using sp_password instead, but it still won't authenticate immediately with the new password. Is there any way to eliminate this "password change lag"?
EDIT:
I added SqlConnection.ClearPool(conn) and the problem persists. SQL Profiler showed the following:
1. Audit Login Failed
2. Audit Login
3. SQL:BatchStarting
4. SQL:BatchCompleted
5. Audit Login Change Password Event
6. Audit Login
7. Audit Login Failed
So everything is as expected from 1-6; however, I don't know where #7 comes from.

I believe it's a connection in the connection pool that is getting in your way (see How Can I Prevent Recurring Automatic Connections to Oracle Database?). Try clearing the pool before trying to reauthenticate: https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.clearpool(v=vs.110).aspx

Log out a user from the server

Is there any way to log out a user (or all users) from the server? Basically I'm trying to log out all users every time the meteor server starts up or restarts.
You could clear all the loginTokens, which would force everyone to log back in:
Meteor.users.update({}, {$set: { "services.resume.loginTokens" : [] }});
What this does is clear each user's loginTokens so that they won't match up if the user tries to log in; then they would have to log back in. To alter who to target, change the initial query (currently {}).

Create a log of successful logins

I need to create a log of successful logins and denied logins. I must save the user that tries to access.
I don't know if hook_user_login is the correct way to do this task.
I'd appreciate any guidance to investigate. Thanks :)
hook_user_login() is only invoked when a user successfully logs in.
The hook you should implement is hook_watchdog().
function hook_watchdog(array $log_entry) {
  switch ($log_entry['message']) {
    case 'Login attempt failed for %user.':
      // Somebody tried logging in as $log_entry['variables']['%user'],
      // and failed.
      break;
    case 'Session opened for %name.':
      // The login for $log_entry['variables']['%name'] was successful.
      break;
  }
}
Notice that:
Both $log_entry['variables']['%user'] (for when the login failed) and $log_entry['variables']['%name'] (for when the login was successful) are usernames, not the user object.
When the login was successful, $log_entry['user'] is the user object for the user who just logged in, and $log_entry['uid'] is the user ID.
The other variables that could be helpful are:
$log_entry['request_uri']
$log_entry['referer']
$log_entry['ip']
$log_entry['timestamp']
Drupal already keeps a log of those events in admin/reports/dblog; you simply need to filter them by type (user).
There could be a reason to implement hook_watchdog() to keep a log of any failed/successful login, though: the database log is limited to N entries (where N could be 100, 1000, 10000, 100000, or 1000000, based on what is set on admin/config/development/logging), and that limit applies to all the messages passed to watchdog(); once the limit is reached, the old messages are lost.