Do I have to log in every time when testing a logged in user with Cucumber & Devise gems? - testing

I want to write up a scenario that looks something like:
    Given I am logged in
    And I am on my profile page
    Then I see my name
For the "Given I am logged in" - do I need to write something like:
    When I go to the log in page
    And I fill in "user_username" with "test"
    And I fill in "user_password" with "invalid password"
    And I press "Sign in"
Question is: does the test have to go through the login scenario every time I test a logged in user functionality?
EDIT:
Note that I am using the Devise gem. I am not sure how to log in the user directly since the user session, cookies, etc. have to be set.

I would write a step definition to handle the login instead of a scenario.
This step definition can then put the cookies in the cookie jar for subsequent use.
If you store the cookie jars in a hashmap keyed on the test users then the method can be smart enough to only log in when needed and reuse a session if one is still available. This can save a lot of time in the tests at the expense of not having completely independent tests, since now they're coupled through the session data on the server. The session can always be cleared by logging out before logging in again.
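A sketch of the caching idea in this answer, added here as an example and not taken from the answer, Devise or Cucumber: cookie jars are kept in a hash keyed on the test user, and a login happens only when no live session exists. `FakeApp` and `LoginCache` are hypothetical names; `FakeApp` is a constructed stand-in for the application that a real step definition would drive through a browser session.

```ruby
# Constructed stand-in for the application under test (assumption, not Devise).
class FakeApp
  attr_reader :login_count

  def initialize
    @sessions = {}
    @login_count = 0
  end

  # Simulates submitting the sign-in form; returns the resulting cookie jar.
  def login(username, _password)
    @login_count += 1
    id = "sess-#{@login_count}"
    @sessions[id] = username
    { "session_id" => id }
  end

  def logged_in?(jar)
    @sessions.key?(jar["session_id"])
  end

  def logout(jar)
    @sessions.delete(jar["session_id"])
  end
end

# Cookie jars keyed on the test user; logs in only when needed.
class LoginCache
  def initialize(app)
    @app = app
    @jars = {}
  end

  # Reuse the cached jar if the server still honours it, otherwise log in again.
  def jar_for(username, password)
    jar = @jars[username]
    return jar if jar && @app.logged_in?(jar)
    @jars[username] = @app.login(username, password)
  end

  # Log out and forget the jar, for scenarios that must start from a clean session.
  def reset!(username)
    jar = @jars.delete(username)
    @app.logout(jar) if jar
  end
end
```

Calling `reset!` before a scenario restores the test independence that the shared session otherwise gives up.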

Related

How to prevent same user login from multiple times at the same time in MVC4

I am working on a web application in MVC4 ASP.NET. For login I am using the Simple Membership Provider method. All is working properly, but according to the project requirements the same user must not be able to log in at the same time on a different machine. How do I make changes in MVC Simple Membership? If any user is logged in and anyone tries to log in at the same time using the same username, then it should display a message like "This user is already Logged In" and the user will not be able to log in at that time.
Please give some suggestions on that.
Thanks in advance.
You can do it in many ways; a simple approach is:
Set one flag in the database at the time of login.
Check the flag every time someone signs in.
Remove the flag at the time of logout.
There are some issues in using this approach, like what if the user closes the browser without logging out; for that you can set a session timeout. Hope this will help.

rails post after login

I've got a site which has a login system.
Here's my scenario:
user is not logged in
fills in a form to submit data
before the create action, I check if the user is logged in.
if the user is not logged in, they are prompted to sign up and log in.
upon sign up / login the form is submitted and the form data saved without prompting the user to save it again.
In order to do this, I need to use a redirect_to, specify the controller and action; however, this requires a POST, and I don't believe you can post variables on a redirect.
Any ideas for a workaround which would keep the current user flow?
Some options you might want to try:
Perform the user registration using AJAX, so you never have to leave the page and won't need a redirect
Store the form data to a 'temporary' user account, then update the account to 'real' with the user registration info. You may want to occasionally clean out old 'temporary user' data that never completed the registration.
Convert the form data to serialized form and pass it along with the redirect as a url parameter (only works for a guaranteed small amount of data)
Store the form data in the session (last resort, only use if your traffic will remain relatively low, as you may end up running into scalability issues)

how login works?

Well, you type a username and password in a form and hit the "OK" button. Then the data goes to the server side, which checks the users database to see if that user exists. Then it returns the user id. And what next?
Is that data saved in cookies?
Does it mean that with every clicked link, the site logs you in to the website again?
I mean,
you click some link on the site
the browser redirects you to that page
the site checks your cookies
the site grabs the username and password from cookies
the site checks if that data is valid (via connecting to the database)
the page is shown to you
Is that correct?
User enters credential.
System validates credential.
Upon successful authentication, server saves user object into session.
System grabs user info from session.
System displays webpage.
Tadaa!! :)
UPDATE
To add a little more...
User visits the secured webpage.
System checks if session contains a user object.
If user object exists in session, allow user through to visit the page.
If user object doesn't exist, redirect user to login page.
You don't need to store user password in the session. In fact, it is highly discouraged. Checking to make sure the user object exists in the session is sufficient.
When the user clicks the logout page, then proceed to invalidate the session... that's it. :)
Almost correct. You rarely go to the database with every request. You usually set a cookie with an expiry date and save the user session and info in memory. So every time a request is made, if the user is not authenticated, you authenticate him, generate and send him a cookie with, say, 5h expiry. So, in the next 5 hours, whenever a request comes in with that cookie, you trust that the user is an authenticated, valid user and you don't have to check the database.
It's not how every site does it, nor is it the only way to manage sessions and cookies, but I think it is the most widely used.
You should probably use sessions, but that's pretty much the gist of it. That way the data doesn't accidentally persist.
I mean, for my simple site at home, that's how I do it. But it's still locally hosted, so the security is guaranteed to be crap.
Oh, and no need to check with the database whenever you click on another link -- too much time wasted.
Typically, an application takes advantage of the session that is established between the browser and the web server, and makes a note that that session is "authenticated". "session" is a built in feature of HTTP. If the browser is closed, or after a certain period of time passes, the session is automatically closed. If the user does an explicit logout, the application marks the session as not-authenticated.
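For a cookie to be trusted without a database lookup, as the second answer describes, the server must be able to tell that it issued the cookie and that it has not expired. The following added example (not code from any answer) shows one way to do that, using a stateless HMAC-signed cookie rather than the in-memory session the answer mentions. `SECRET`, the helper names and the payload layout are assumptions; only the 5-hour lifetime comes from the answer.

```ruby
require "openssl"
require "json"

# Assumption: a real key comes from server-side configuration; this one is constructed.
SECRET = "constructed-demo-secret"
TTL = 5 * 60 * 60 # the answer's 5-hour expiry, in seconds

def cookie_mac(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called once, after the credentials were checked against the database.
# No password goes into the cookie, only the user id and an expiry time.
def issue_cookie(user_id, now: Time.now.to_i)
  payload = [JSON.generate({ "uid" => user_id, "exp" => now + TTL })].pack("m0")
  "#{payload}.#{cookie_mac(payload)}"
end

# Called on every request: returns the user id, or nil if the cookie is
# malformed, was altered by the client, or has expired.
def verify_cookie(cookie, now: Time.now.to_i)
  payload, mac = cookie.to_s.split(".", 2)
  return nil if payload.nil? || mac.nil?
  # Check the signature before decoding anything the client controls.
  return nil unless secure_equal?(mac, cookie_mac(payload))
  data = JSON.parse(payload.unpack1("m0"))
  data["exp"] > now ? data["uid"] : nil
rescue ArgumentError, JSON::ParserError
  nil
end
```

A signed cookie cannot be revoked before it expires unless the server also keeps state, which is why logout in the session-based answers invalidates the server-side session instead.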

What other ways are there to test Devise 'not logged in' with Cucumber?

The wiki page for Devise suggests using the following to test if the user is not logged in:
Given /^I am not authenticated$/ do
  visit('/users/sign_out') # ensure that at least
end
Which works, but feels wrong as it's only testing that a certain route is visitable and not really testing that the user isn't logged in.
Are there other, better ways that can be used to test if the user is logged in with Devise?
The Given statement is setting up a known state before executing the test scenario, see GWT. In this case, it signs the user out before running the scenario.
You can use the following scenario to confirm that a resource is really protected by authentication:
Scenario: Anonymous denied access
  Given I am not authenticated
  When I go to protected_resource
  Then I should see "You need to sign in or sign up before continuing"
The protected_resource needs to be defined in features/support/paths.rb

How do I prevent dual Login of my users in my web application

How do I prevent my users from having more than one simultaneous login per account? I am using Vb.Net SQL.
Just coming from a 'web programmers' point of view, there is one really simple way:
You have to use some sort of central session system, where a Cookie on the user's browser has a hash, or some unique key that is also stored in the database. On each page request, or at set intervals, you check if that hash exists in the database.
Then, whenever you have a user log in, you delete any hashes that are tied to that user in the database, and then you create a new one for the user logging in.
What happens is if a user logs in, and you delete existing hashes from the database, then the other user will be logged out when you go to check for their hash in the database.
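The approach in the answer above, written out as an added example that is not the answerer's code: the cookie carries a random token, the server stores only its SHA-256 digest, and each login deletes the account's earlier entries. `SingleSessionStore`, the in-memory hash standing in for the database table and the 30-minute idle timeout are assumptions.

```ruby
require "securerandom"
require "digest"

class SingleSessionStore
  IDLE_TIMEOUT = 30 * 60 # seconds; assumed value

  def initialize
    @sessions = {} # token digest => { user:, last_seen: }
  end

  # Call only after the credentials have been verified. Every earlier
  # session of this account is removed before the new token is issued.
  def login(user, now: Time.now.to_i)
    @sessions.delete_if { |_digest, s| s[:user] == user }
    token = SecureRandom.hex(32)
    @sessions[digest(token)] = { user: user, last_seen: now }
    token # goes into the cookie; only its digest is kept server-side
  end

  # Per-request check: returns the user, or nil when the token was replaced
  # by a newer login, logged out, or left idle for too long.
  def authenticate(token, now: Time.now.to_i)
    key = digest(token.to_s)
    session = @sessions[key]
    return nil unless session
    if now - session[:last_seen] > IDLE_TIMEOUT
      @sessions.delete(key)
      return nil
    end
    session[:last_seen] = now
    session[:user]
  end

  def logout(token)
    @sessions.delete(digest(token.to_s))
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Storing the digest rather than the token means a read-only leak of the session table does not hand out usable cookies.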
Not VB-specific, but: when the user logs in, keep track of the fact they are logged in. You can keep this in a cookie (watching out for the fact that a cookie can be tampered with.) You can keep track of it in a session variable. Or you could keep a boolean field in the database, "is_logged_in".
Then, when the user attempts to log in, you can check to see if they've already done so. If they're already logged in, the script might just return them to the home page (provided they used valid credentials. Otherwise a rogue user could type a username but leave the password blank, and depending on the behavior of your program, could see if a user was logged on at that specific time.)
Also, it is common that when someone is logged in, the webpage itself replaces the "Login" link with some text that says "Welcome, rascher!" and maybe links to their profile or preferences page.
Edit: Also remember to set is_logged_in (no matter how you track it) to "false" if they log out. It might also help to time this out - say, when the user closes the browser, or after "n hours" of inactivity (though that can be really annoying.) It will depend on how long people are generally logged into the system. Also note that someone might log in on their home computer, stay logged in, and then try to log in to the same place from work or their iPhone. You might look at ways of dealing with this (if the IP address is different than the current login, then log the other person out? Or something.)