I am using facebook connect and authenticate the user with it.
For each user, there is session key that expire after X minutes. How can I get the user session after the session is over ?
I tried-
FB.Connect.requireSession();
but I don't want to use this function because it pops up the facebook connect
username and password. I want to get the user session without him to reenter his username and password/ and I dont want to ask for infinity session.
You have to prompt for extended permissions with offline access. When this is completed facebook gives you a special infinite session key which you need to save and use when you want to act on that user's behalf.
FB.Connect.showPermissionDialog("offline_access", function(result){
//callback function when users accepts extended permissions
});
http://wiki.developers.facebook.com/index.php/JS_API_M_FB.Connect.ShowPermissionDialog
Related
I have maintained sessions for users logs in my webApp, 1 for customer and another for employee.
Once the customer gets logged in I am storing his ID in a table called current_users
pg_query($con,"insert into current_users values ('".$row2['id']."','','','')");
While logging out, the user is deleted from current_users
if(pg_query($con,"delete from current_users where cid='$id'")){
session_destroy();
header('Location:index.php');
}
Now the problem is, this works fine when the user logs out clicking on logout button, but what if the user just closes the site?, or what if the session is expired but the user is still there in current_users?.
Is there a way to log out customer when the session gets expired?(like just redirecting to logout.php would be enough for me), or is there a way to know if the session got expired while the user is not on website (he just closed it without logout).
Note:- I am using session in php apache server.
I have managed to setup a custom login system using Firebase. The user enters email/password and is redirected to the main page(which is private). I am having issue with onAuthStateChanged after logging in. When I check the auth state after logging into the main page, i get invalid user (null). The firebase dashboard shows I have logged in successfully but onAuthStateChanged is the opposite.
I am trying to check if a user is logged in to my html pages, if not I want to redirect them to the login page. I like how the authentication works in firebase but I need to protect my html pages not my divs (which is what the vast majority of firebase auth tutorials show).
If anyone has an easier way to password protect a web directory that looks nicer than HTaccess, please advise (I am not crazy about using wordpress for password protection, but its an option). Otherwise, I guess I will have to do this in PHP. Thanks in advance!
(function () {
firebase.auth().onAuthStateChanged(function(user) {
if (user) {
// User is signed in.
console.log(user);
console.log('A user is logged in.');
} else {
// No user is signed in.
console.log('Invalid user. Redirecting to root.');
window.location.replace('../index.html');
}
});
})();
If you navigate to a new page, Firebase will have to initialize again. As part of that it will try to restore the user's authentication state, but this requires a call to the server which takes time.
For that reason the onAuthStateChanged listener will initially fire with null as the current user (and auth.currentUser is set to null). Then once the user is signed in, the listener fires again with the user object for that user.
If you want to detect this initial state, you can either store some token value in the browser's local storage that you can check for yourself on the new page, or you could set a time-out for when you expect the user to be re-signed in and only then navigate away to the index.html page.
When user login, I set
req.session.username = "....";
So, we can know this session has username
But how do I detect if this username is already logged in from another computer and logout (delete session) that another computer
On the server simply create a hash that contains a list of logged in users and the session they are currently using. Store this hash wherever you store stuff (SQL DB, NOSQL DB, flat file, in memory DB, etc).
Upon login, do a quick look at that list (pseudo code):
if( user in logged in list)
delete the session listed for that user
otherwise
create the session
log session into logged in user list
Simple.
I don't think there is a sure way to detect if the user makes a request from another computer. You can use http header User-Agent but if both computers have exactly the same user agent and version you would still see them as same.
Using IP is even more error prone because multiple devices may just use same WIFI router or proxy that doesn't set HTTP_FORWARDED_FOR.
However; if a user tries to start a new session (log in) using a user name that already exist you can either refuse the new session or destroy the old one.
You need to maintain a list of active sessions in array or redis.
Since you will retrieve the user details when they try to login, you can add a property, loggedIn, which will be a Boolean with a default value of false in the user schema.
Now you can append an extra control-flow within your login middleware to determine if the user is logged-in or not:
/** Check if user is already logged in */
if (user.loggedIn) {
let error = {
status: 401,
message: 'user already logged in. '
+ 'Please request a password reset if you suspect this is not you.'
}
return next(error);
}
// if not, log user in, set the `loggedIn` flag to true and move on.
And whenever the user logs out, reset the loggedIn flag to false.
I want to check if the username and password which is in a database are correct.
For this i made a javascript function.
function checkLogin() {
username = (document.getElementById('login').value
password = document.getElementById('password').value)
if (username == db.Membership.select(username)){
alert("it exists")
So this function gets called everytime when someone clicks on Log in after they have entered their details. Is it possible to check if username and password are correct?
In web2py, db.Membership.select(username) is Python code and must be run on the server in a model or controller (or module) -- it is not Javascript and cannot be run in the browser.
Furthermore, it doesn't make sense to simply check in the browser whether a user's login credentials are valid because (a) you need to know on the server whether a user is logged in (in order to control access to functions and resources on the server) and (b) an attacker could simply run some Javascript in the browser console to fake a valid login.
In web2py, a user's logged in status is stored in the session, which is either stored on the server (in a file or in the database) or in an encrypted and signed cookie (which cannot be altered from the client side). The authentication itself must happen on the server (so it cannot be faked).
If you want to log a user in, you should use the standard login mechanism. If you want the login submission to be handled via Ajax, you can post the credentials to a web2py controller function, and in the controller, you can call auth.login_bare(username, password), which will either log in the user (i.e., update the session to indicate login) or return False if the login fails.
I am using Slim Framework as a back end, and Backbone.js as a front-end framework. The application is created to allow users to submit a form and when they do, they will receive a mail/pdf receipt with certain data and it performs as mentioned below:
User visits the website to request the receipt.
The site asks them to login
Once they do, their details (username, email, etc) are stored in sessions.
When they submit the form using Backbone.js/Front-end through api calls, the data is received and receipts are generated.
Details stored in session (username, email) are used while generating receipts.
Once done, the receipts are mailed.
PROBLEM SCENARIO:
A user logs in, and leaves the application open for very long after filling some details of the form. The server side session times out but the front-end stays the same. The user then comes back and fill the rest of the form. However, since the session has timed out, the variable set in background (username, email) returns null, and the application either fails or does not work as expected.
I would like to inform the user about session expiration, and if no response comes, log them out from front-end. Also, if the user closes the browser/tab, i would like their session to logout.
you only need a client side javascript to check if the user is still login in couple of seconds and your server side also must send to the client if him/her still login.
function checkIfLogin(){
Backbone.ajax({
dataType: "jsonp",
url: "URL HERE",
data: "", // if you have data
success: function(data){
if(!data.isStillLogin){
// statement if not login
}else{
// call again the checker
setTimeout(checkIfLogin, 10000);
}
}
});
}
checkIfLogin();