Can someone tell me what the default timeout is when using activeRecord store?
I don't want to 'set' the timeout because I want it to behave as a session cookie.
ie: expire when the user closes the browser, which doesn't happen if you manually set the expire date.
When I leave the expire date off, the session will timeout sometime within a couple of hours of no use. Why is this so?
So really what I'm asking is, is it possible for the session to not timeout at all when the user keeps his/her browser open and only expire when he/she hits logout or closes the browser?
Keeping in mind:
the cookie doesn't get deleted if you specify an expiration on the activeRecord session_store when user closes browser.
I think there is two points here, Session Timeout and Page/HTTP Timeout from Web Server.
As far as I understand, ActiveRecord Store Session store doesn't timeout, unless the user moves away from the page.
Alternatively, if the Web Server decides after sufficient time of idle-ness to then drop the connection, which in turn negates the Sessions.
Related
I'm using express-session, connect-redis and ioredis to store the session and the user will have the redis key stored in a browser cookie.
connect-redis resets the TTL every time the server is being interacted with, which means that right now with default settings the in-memory session will outlive the browser cookie at some point as the user interacts with the website. I would like to keep the user session alive and not show a popup to the user specifying that they should reauthenticate or that they will be logged out soon or something like that. How do big sites such as YouTube and Facebook keep user sessions alive? I've never experienced the sudden need to reauthenticate on youtube in years I think. So my question is how should cookie session expiration dates get handled with an emphasis on good user experience, and not sacrificing security?
My current idea is to simply just check when there is a certain amount of time equal to the time left before a cookie expires, and if that turns out to be true AND the user has just interacted with the website, reset the maxAge property on the cookie. In that way, if the user isn't going to interact with the website for more than that certain amount of time say 3 months, and the time left before the cookie expires is exactly 3 months, then the user will get logged out the next time the user visits the site after those 3 months. In other words, as long as the user keeps doing something on the website in intervals of less than 3 months, then they will always still be logged in and authenticated. What do you think about that? I could also set the rolling property to true, but I don't want to send session cookies with every authenticated request because of performance reasons. Also, I can't write to the cookie trying to increase its expiration date with client-side Javascript since I'm setting httpOnly to true.
To be honest, it's much easier then that. Imagine you have a remember me when you sign in, if that was untoggled, you'd change TTL to a day or few hours when session is created or you use the TTL you set by default.
You definitely want the sessions to forcefully expire, so these keys change up all the time and make any hijacking unlikely.
Below is how I set my redisStore up, I am lacking sync between two devices wanting a single account session but that's a topic for another time.
WEBAPP.use(SESSION({
name: "WebSiteNameOrCookieName",
store: new redisStore({
client: client,
ttl: 604800,
disableTouch: true
}),
secret: "your_secret_key_make_it_hard_as_hell",
cookie: {
domain: ".example.com",
sameSite: 'strict',
secure: true
},
saveUninitialized: false,
resave: false
}));
I have a web application where I want users to only be able to use it from one location (meaning a user can't actively be using the application at two locations). Currently I got this working in a very common way by only allowing 1 cookie session to be valid and removing any existing ones when a user logs in. Unfortunately I've been told that my method of only allowing 1 cookie is unacceptable because my users move around a lot to different sites and are tired of having to login every time. An easy solution would just be to allow more than 1 cookie, but I can't do this because I need to make sure a user account is not being used at two locations at the same time.
I'm wondering what is the best way to implement a system like this where a user can't be active at more than 1 location, but shouldn't necessarily have to login at every location they visit.
One possible idea I had was to allow multiple cookies to be recorded, but once a cookie becomes active (meaning I notice that session navigating the application) all of the other cookies are locked out for a certain timelimit like 15 mins. If no cookie session has been active for 15 mins then allow any cookie to login and gain dominance over the others untill it exceeds the timelimit.
Edit: It's ok for them to remain logged in after they leave a location
One way to do this is to log their last ip address and at what time that access was. On each access, you can check their last access.
If the last access is from the same ip, let them through.
If the last access is from a different ip, check how long ago that was. You can then define a cut-off point for how long they need to be idle before they can access it from another location. 15 minutes seems reasonable.
All of this can be done on the backend and this would possibly provide a higher level of security.
The browser allows users to store their credentials. Let them use this feature to log back in without hassle.
No need for a timeout. Allow multiple cookies, but only one active one.
Instruct your users to close the application when they leave their workstations. Make this something that's easy to do. Put a close button on each page or perhaps catch onBeforeUnload and notify the server that the page is no longer being displayed. Do keep the session when the user closes the application, but mark it as currently inactive.
When you get a request with a cookie that belongs to an inactive session, activate that session without complaints if the user has no other session active.
If the user still has another session active, something fishy is going on. So remove all sessions and send the user to the login screen.
(That'll teach them :) )
Well, you type username and password in form, hit "OK" button. Then data going to server side and check users database if that user is existed. Then it return user id. And what next?
That data is saved in cookies?
Does it mean, that with every clicked link, site login you to website again?
I mean,
you click some link on site
browser redirect you to that page
site checks your cookies
site grab username and password from cookies
site checks is that data is valid (via connecting to database)
show page to you
Is that correct?
User enters credential.
System validates credential.
Upon successful authentication, server saves user object into session.
System grabs user info from session.
System displays webpage.
Tadaa!! :)
UPDATE
To add a little more...
User visits the secured webpage.
System checks if session contains a user object.
If user object exists in session, allow user through to visit the page.
If user object doesn't exists, redirect user to login page.
You don't need to store user password in the session. In fact, it is highly discouraged. Checking to make sure the user object exists in the session is sufficient.
When the user clicks the logout page, then proceed to invalidate the session... that's it. :)
Almost correct. You rarely go to the database with every request. You usually set a cookie with a expiry date and save the user session and info in memory. So every time a request is made, if the user is not authenticated, you authenticate him, generate and send him a cookie with, say, 5h expiry. So, in the next 5 hours, whenever a request comes in with that cookie, you trust that the user is an authenticated, valid user and you don't have to check the database.
It's not how every site does it nor it is the only way to manage session and cookies but I think it is the most widely used.
You should probably use sessions, but that's pretty much the gist of it. That way the data doesn't accidentally persist.
I mean, for my simple site at home, that's how I do it. But it's still locally hosted, so the security is guaranteed to be crap.
Oh, and no need to check with the database whenever you click on another link -- too much time wasted.
Typically, an application takes advantage of the session that is established between the browser and the web server, and makes a note that that session is "authenticated". "session" is a built in feature of HTTP. If the browser is closed, or after a certain period of time passes, the session is automatically closed. If the user does an explicit logout, the application marks the session as not-authenticated.
I have a problem with my authentication in CakePHP. Whatever I try, Cake will either tell me I'm de-authenticated after each request, either I'm still authenticated, even though I closed the browser before.
I'll explain in a few words how my authenticating system works. The user logs in, with either remember me checkbox checked or not. If it's checked, I will create a cookie so as the user is auto-logged in the next time he visits the site. Basically, when the user closes his browser, I need to delete all the session cookies Cake stores in the browser. This way, when the user comes back, he sees the login page if he didn't want to be remembered, or is automatically logged in from the remember me cookie if he chose to store it.
The problem is I played with both Session.timeout and Security.level from core.php, with no positive results. If I put the timeout to 0, Cake will de-auth me after each request and I'm not able to view any page so. If I put any other value for timeout, the user might close the browser and when he re-opens it, he could be still logged in, as the Cake session didn't expire.
In conclusion, how can I automatically delete the session cookie whenever the browser is closed?
Take a look at this article maybe can helps you, I use something similar for other purpose.
http://bakery.cakephp.org/articles/admad/2009/09/02/how-to-bend-cakephp-s-session-handling-to-your-needs
see: ini_set('session.cookie_lifetime', 0);
I am currently building an internal web application used in a factory/warehouse type location. The users will be sharing a single PC between several people, so we need to have a fairly short session timeout to stop people wandering off and leaving the application logged in where someone else can come to the PC and do something under the previous user's username.
The problem with this is a session can timeout while a user is currently entering information into a form, especially if they take a long time.
How would you deal with this in a user friendly manner?
Keep the server informed about the fact that the user is actively entering information.
For instance send a message to the server if the user presses the TAB key or clicks with a mouse on a field.
The final solution is up to you.
Use AJAX to regularly stash the contents of the partially filled-out form so they have not lost their work if they get booted by the system. Heck, once you're doing that, use AJAX to keep their session from timing out if they spend the time typing.
The best advice would probably be to ask the users to close the browser window once they're done. With the use of session-cookies, the session will automatically end when the browser is closed or otherwise on a 30 minute timeout (can be changed afaik).
Since there by default is no interaction between the browser and the server once a page is loaded, you would have to have a javascript contact the server in the background on forms-pages to refresh the session, but it seems a bit too much trouble for such a minor problem.
If the session timeout is so short that the user doesn't have the time to fill in a form, I would put an AJAX script that makes a http request to the server, every few minutes, to keep the session alive. I would do that only on pages that the user has to fill in something or has already started filling something.
Another solution would be to use a session timeout reminder script that popups a dialog to remind the user that the session is about to time out. The popup should display a "Logout" and a "Continue using application" that makes a ajax request to update the session time out.
Maybe that a keep-alive javascript process could be helpfull in this case. If the script capture some key triggers, it send a "I'm still typing" message to the server to keep the session alive.
have you considered breaking the form into smaller chunks?
Monitor the timeout and post a pop-up to notify the user that their current session will expire and present "OK" or "Cancel" buttons. OK to keep the session going (i.e. reset the counter to another 5 minutes or 10 minutes - whatever you need) -or- Cancel to allow the session to continue to countdown to zero and thus, ending.
That's one of lots of ways to handle it.
Using a JavaScript "thread" to keep the session open is, to me, a bad idea.
It's against the idea of session timeout which exists to free some resources if there's no user in front of the application.
I think you should adjust the session timeout with the more accurate time, in order to fill the form in an "typical normal use".
You may also be proactive by :
having a JavaScript alert displaying a non-intrusive warning (not a popup) to the user before the timeout expire, which say that the session will expire soon (and give an link to send an ajax request to reset the timeout and remove that warning - that will avoid the user to lost the form he is currently typing),
and also have a second JavaScript "thread", which, if the session has expired, redirect to the login page with a message saying that the session has now expired.
It think that's the best because it avoid the user to fill a complicated form for nothing, and handle the case when the user has gone away.
As an alternative for the technical solutions, you could make your application in such a way that everytime a particular job is done, for example filling in a form, you ask the user if he wants to continue doing another job or if he's done. Yould could have a startscreen with menu options and if the user chooses an option he first has to enter his credentials.
Or put a password field on the form. Depends on how many forms they have to fill in a session.
When the user posts the form and their session has timed out, you should make sure you save the form values somewhere and then ask the user to login again. Once they have re-authenticated you they can then re-submit the form (as none of their data will have been lost).
I had developed something requiring very long session. The user logged in on a page when he sit on the machine and after doing his work, logged out. Now he may use system for few minutes or for hours. To keep session alive till he logged out, I used timer with javascript, it went to server and updated an anthem label with current time on server.