Where can I see who is currently logged in to Plone? - plone

Is there a way to see who is currently logged in to a Plone site?
Rationale: I want to make sure not to interfer with users working on content when I restart the instance.

Out-of-the-box, there is no way to see if users are currently using your site, only if they have just been using it. Just tail the instance-Z2.log access logfile.
Note that due to the nature of the HTTP protocol, 'current' users of your site do not maintain a connection, and thus, until they are back again for the next request, there is no accurate way to determine if anyone is using the site.
There are work-arounds, such as using sessions and timeouts, that use recency to estimate how many users are still around. collective.portlet.usertrack is one such approach. Note that such approaches can have a hefty scalability penalty though.
If all you want to do is not inconvenience users during a restart, use a caching frontend and / or a load balancer and more than one instance instead. That way users see cached content or content generated by an instance still up while you restart your first instance.

you can try collective.portlet.usertrack

Related

Security for Exposing Internal Web-based application to the World

We have an internal CRM system which is currently a website that can only be accessed inside our intranet. The boss is now wanting to have it exposed to the outside world so that people can use it from home and on the road. My concern is security based in the fact we will be exposing our Customer base to the outside world. I have implemented 3 layers of security as follows:
User Name and Strong password combination to login
SSL on all data being pushed across the line
Once the user is logged in and authenticated the server passes them a token which must be used in all communication with the server from than on.
Basically Im a bit of newb in the respect of web security. Can anyone give me advice on whether I am missing anything? Or something should be changed?
There's a whole world of stuff you should consider, and it'll be really hard to quickly answer this - so I'll point you at a range of resources that should help you out / get you started.
First, I'll plug http://security.stackexchange.com, for any specific questions you have - they could be a great help.
Now, on to more immediate things you should check:
Are your systems behind a firewall? I'd recommend at least your DB is placed on a server that is not directly available to the outside world.
Explore and run a range of (free) security tools against your site to try and find any problems. e.g.:
https://asafaweb.com
http://sectools.org/
Read up on common exploits (e.g. SQL injection) and make sure you are guarding against them:
https://www.owasp.org/index.php/Top_10_2010-Main
https://www.owasp.org/index.php/Category:Vulnerability
How is your token being passed around, and what happens to it if another user gets hold of it (e.g. after it being cached on another machine)?
Make sure you have a decent password protection policy (decent complexity, protects against brute force attacks by locking accounts after 3 attempts).
If this is a massive concern for you (consider the risk to your business in a worst case scenario) consider getting an expert in, or someone to run a security test against your systems?
Or, as mrunion excellently points out in the comments above (+1), have you considered other more secure ways of opening this up, so that you don't need to publish this on the web?
Hope that gets you started.

Check if anyone is currently using an ASP.Net app (site)

I build ASP.NET websites (hosted under IIS 6 usually, often with SQL Server backends and forms authentication).
Clients sometimes ask if I can check whether there are people currently browsing (and/or whether there are users currently logged in to) their website at a given moment, usually so the can safely do a deployment (they want a hotfix, for example).
I know the web is basically stateless so I can't be sure whether someone has closed the browser window, but I imagine there'd be some count of not-yet-timed-out sessions or something, and surely logged-in-users...
Is there a standard and/or easy way to check this?
Jakob's answer is correct but does rely on installing and configuring the Membership features.
A crude but simple way of tracking users online would be to store a counter in the Application object. This counter could be incremented/decremented upon their sessions starting and ending. There's an example of this on the MSDN website:
Session-State Events (MSDN Library)
Because the default Session Timeout is 20 minutes the accuracy of this method isn't guaranteed (but then that applies to any web application due to the stateless and disconnected nature of HTTP).
I know this is a pretty old question, but I figured I'd chime in. Why not use Google Analytics and view their real time dashboard? It will require minor code modifications (i.e. a single script import) and will do everything you're looking for...
You may be looking for the Membership.GetNumberOfUsersOnline method, although I'm not sure how reliable it is.
Sessions, suggested by other users, are a basic way of doing things, but are not too reliable. They can also work well in some circumstances, but not in others.
For example, if users are downloading large files or watching videos or listening to the podcasts, they may stay on the same page for hours (unless the requests to the binary data are tracked by ASP.NET too), but are still using your website.
Thus, my suggestion is to use the server logs to detect if the website is currently used by many people. It gives you the ability to:
See what sort of requests are done. It's quite easy to detect humans and crawlers, and with some experience, it's also possible to see if the human is currently doing something critical (such as writing a comment on a website, editing a document, or typing her credit card number and ordering something) or not (such as browsing).
See who is doing those requests. For example, if Google is crawling your website, it is a very bad idea to go offline, unless the search rating doesn't matter for you. On the other hand, if a bot is trying for two hours to crack your website by doing requests to different pages, you can go offline for sure.
Note: if a website has some critical areas (for example, writing this long answer, I would be angry if Stack Overflow goes offline in a few seconds just before I submit my answer), you can also send regular AJAX requests to the server while the user stays on the page. Of course, you must be careful when implementing such feature, and take in account that it will increase the bandwidth used, and will not work if the user has JavaScript disabled).
You can run command netstat and see how many active connection exist to your website ports.
Default port for http is *:80.
Default port for https is *:443.

Managing Software Updates

I am looking into different ways to handle updating an ASP.NET application across many different clients, and looking for suggestions from your previous experience.
We need the client apps to check if they have any available updates.
A way to Auto update (If possible, something similar to chromes but for webapp).
Some way to check that we are the ones sending the updates. (Checksum of some sort I would guess)
Any other tips/advice
Thanks
Edit: after thinking more about this overnight, I would have to agree that auto updates may not be the best. However maybe something more along the lines of how wordpress does it. Wordpress will display saying that there is an update available then clicking will auto update the system.
I would absolutely not have your application auto update on clients (assuming you mean clients are entities external to your organization) servers. We would immediately stop using a product that would "phone home" and update itself. Clients need to be able to choose when and how an update on their server occurs.
If you are going to do this, the easiest way would be to set up URI the systems could ping once a day etc. and see if there are updates available. If so the application would pull it down from the host system and update itself. If you do it using SSL then the certificate would verify the URI being hit is your company.
Having a hard time figuring out if you're actually talking about a web application or a desktop application. If you're trying to do something similar to Chrome...I'm guessing a desktop application. If that's the case...check out ClickOnce deployment.
It offers the first three bullet points you mention:
Every time a person runs the app, it will check for updates.
If updates are found, the user can choose to install them or not (better user experience than forcing the update on the user).
The application always checks the URL that the app was installed from...which in your case would be your servers.

Has anyone tried building an ASP.NET Session State Provider for Amazon SimpleDB?

If not, are there any fundamental limitations of the service that prevent one from being built?
In response to Garys answer. "If you're hosting your app on EC2, it'll be fine"
Even if you're hosting your application on EC2 you should not really use SimpleDB to store session state. It provides an "eventually consistent" guarantee, so if you PUT something there is no guarantee that you will see the item on your next GET.
see: http://docs.amazonwebservices.com/AmazonSimpleDB/2007-11-07/DeveloperGuide/index.html?EventualConsistencySummary.html
This is fine when you want to use simpledb to do indexing on data that does not need to be immediately up to date and can be reconciled later, but in the case of session state, you'd likely want something with ACID guarantees (like SQL Server) as you want to know that once you have committed something you will get it back on the next read.
This obviously depends on your requirements, but most people use session state to store shopping cart items or similar. Your site visitors will soon get upset if things appear to go missing from thier cart, then re-add them and then discover they have added the same item twice when they come to pay.
There's a C# library for working with SDB.
If you want to roll your own, the API, WSDL and other documentation can be found at http://aws.amazon.com/simpledb/#resources.
It's a pretty straight forward API that rides over HTTP. The hardest part is writing the signing code. There's plenty of implementations in other languages.
As for using it for session state, there's a huge speed difference between using SimpleDB from EC2 and anywhere else on the internet. If you're hosting your app on EC2, it'll be fine, otherwise, it'll be brutally slow.
You could base it off this MySQL provider:
http://harry-kimpel.spaces.live.com/Blog/cns!CAA619CB4C4D1B6C!342.entry

Concurrent logins in a web farm

I'm really asking this by proxy, another team at work has had a change request from our customer.
The problem is that our customer doesn't want their employees to login with one user more than one at the same time. That they are getting locked out and sharing logins.
Since this is on a web farm, what would be the best way to tackle this issue?
Wouldn't caching to the database cause performance issues?
You could look at using a distributed cache system like memcached
It would solve this problem pretty well (it's MUCH faster than a database), and is also excellent for caching pretty much anything else too
It's just a cost of doing business.
Yes, caching to a database is slower than caching on your webserver. But you've got to store that state information in a centralized location, otherwise one webserver isn't going to know what users are logged into another.
Assumption: You're trying to prevent multiple concurrent log-ins by a single user.
A database operation at login and logout won't cause a performance problem.
If you are using a caching proxy, that will cause a problem:
a user will log out, but won't be able to log back in until the logout reaches the cache
Your biggest potential problem might be:
if the app/box crashes without a chance for the user to log out, the user's state in the database will remain "logged in".
It depends on how the authentication is done. If you store the last successful login datetime (whatever the backend), so maybe you can change the schema to store a flag "logged_in" and that won't involve an extra performance cost. (ok, it's not clean at all)

Resources