Node.js authentication with Google strategy OAuth2 - javascript

How do I set up passport.js so that if I have two different users logged in, they are two distinct accounts? Right now I am running into a weird bug in which one user logs in; if a second user logs in, and the first user refreshes the page, the first user becomes the second user.
I have tried the Google strategy and I would like to know how to solve this problem.

Related

Allowing specific actions for non signed-up users in firebase

I am starting a little learning project that would involve the following scenario:
User enters the page; there is a counter on the page which is connected to a real-time database on Firebase. He/she presses the button, the counter goes up, the database is updated, but this user is not allowed to increase the counter anymore, even when the app is closed and he/she opens it in a couple of days.
The question is: is it possible to achieve something like this without explicitly logging the user in? So that on subsequent sessions the prohibition persists based on IP address or something. Maybe it could be achieved with local storage?
Thanks for any responses and ideas!
What you're describing requires that you can identify the app instance: the specific installation of your app on a certain device. For Firebase the easiest way to do this is using Firebase's anonymous authentication. This creates a unique identifier for the app instance, without requiring the user to enter any credentials.

Admin, Teacher and Student: if a student is not logged out and you open a new tab trying to access admin, you will bypass login

I have created a project that has admin, teacher and student. They all have login forms and redirect to different pages based on who logged in, thus I have 3 folders: a student folder, an admin folder and a teacher folder. After each one logs in, the page takes them to the appropriate pages in their folders, but without destroying the session it redirects the user to the contents of the admin pages. Personally I think it is because I put

    <?php
    session_start();
    if (!isset($_SESSION["username"])) {
        header("Location: index.php?action=login");
        exit; // stop rendering the protected page once the redirect header is sent
    }

on each page. Please help: what can I add to make sure that each individual user can access what they are required to access?
You have at least 2 issues here:
You assume that opening a new tab should not share the session with other tabs. I don't remember the details of PHP sessions, but, AFAIK, the state is stored on the server, and it uses some magic such as cookies to figure out which session you are using. The problem is that two different tabs will hardly start a new session. In fact, the only possibility I see is if the session id is passed along with each request as a URL parameter or a header; then you can pick the correct session, which is pretty seldom used because the use cases where such an approach is needed are limited. (TBH, running 2 different sessions in 2 tabs is not a very real scenario.) If you really want to run separate sessions on the same machine, you can try to run several incognito windows.
The second, more important issue is the logic behind your application. The possibility of going to any page once you have passed the login for any of the users means that the ritual of providing 3 logins to your system is totally useless, since there are no internal checks of whether the user has the rights to go to one page or another. The proper thing to do is, once the user has logged in, to store the role (student, teacher, admin) as a session parameter. Then, on each page you should verify not only that the user name is set, but that the stored role matches the role needed to view this particular page. If the role does not match, then you should handle it appropriately: you may log the user out, or display an access error message and provide a link to redirect to an allowed page.

How does one maintain session when using Google sign-in for websites?

I have a Hapi backend for my website where on the front-end, a user logs in on my website using his Google account and then I do the usual process of sending the id_token to the server to decrypt and verify his Sub field to authorize the user.
The problem arises when the user logs out of Gmail or Google apps on some other tab or window, the user is logged out of my website by Google on the front end and I am unable to control or know it (at the backend).
This renders my session maintenance useless at the server as the user is forcibly logged out on the front end.
I saw that Stack Overflow has (obviously) taken care of this and even when I log out of my Gmail, I still stay logged in on SO. This is exactly what I want for my app wherein I am able to control the session at the client-side even when he or she logs out. What do I need to do?

Using Google auth2 sign in, force user to enter password

I just implemented the Google JavaScript sign-in button on our homepage, and everything works the way it is supposed to, but that's sometimes bad.
So the thing is that our users use our application on the same computer, 3-4 different users per day. Having a Google sign-in gives us access to implement some Google product features in our own site.
I understand that sign-in with Google signs you into the Google account, and also gives permission to the application.
Also I understand that this is the way it works to make life easier for the user, not to sign in each time on every site.
I can easily remove the application permission via GoogleAuth.signOut() or GoogleUser.disconnect(), even with GoogleAuth.disconnect(), so that .isSignedIn() becomes false and the user will always get the prompt screen; also I use prompt: 'select_account' on .signIn() to make sure even a single user will get the prompt screen.
The problem is when the 2nd user comes to our login screen and chooses "Sign in with Google": he can actually choose any previous user in the prompt screen and enter our application not as himself, but as the previous user, authenticating himself as the other without entering any password.
A password will only be asked for if the previous user also logs out of his Google account.
I know a hack is to redirect user to URL:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=YOUR_REDIRECT_URL
But that seems like a very poor solution, because our users also use our application on their personal devices, so it's kind of bad if they get logged out of all the applications they have signed into.
I know asking for a password on each sign-in is not the way auth2 is intended to work, but I'm sure there is a way of forcing the user to enter a password each time they press the "Sign in with Google" button.
I've spent multiple hours searching for a solution and tried multiple things; I hope one of you can point out the needle in the haystack that I missed.

Session ID is duplicated, swapping the user details

I have built an e-commerce website using express.js. The authentication method used is passport.js. We store the cookie with all the information we need in redis.
Everything was fine until we started driving more traffic.
Now the problem
When user A comes to the site, logs in and makes a purchase, every day or two 2-3 customers' details are wrong.
User A comes to the site and makes a purchase. The email and address of user A sometimes become the email and address of user B.
We cannot easily replicate this, as it happens only once in 50 purchases, or sometimes twice in 50 purchases.
So I had to call all my contacts and check what we have done wrong. Curiously, one guy replied that he also has the same issue. He is saying it is a problem with passport.js; he wrote a custom authentication method to remove passport, and until now he has not faced any issue. He also uses exactly my setup: NODE-EXPRESS-REDIS.
I am quoting his words here
Whenever a user logs in from one computer, open the site on another computer, then refresh the page: you can see the logged-in details of the first user on the second computer. This issue is not frequent, but it comes once in a while.
