I have a javascript/node application that uses cookies to authenticate users to the site. I need to be able to logout users even if their browser window is still open.
I can make their cookies invalid on the server... but that does not log them out until they click on some link in the site, or close their browser window. I need to be able to instantly kick them off the site even while their browser window is still open. Any ideas?
You can try setting up websocket connections. Websockets are basically duplex channels that don't require long polling. Essentially they only communicate when something needs to be done, on either end. For your situation the client side of the websocket connections would listen for specific messages from the server and the application would then react to those changes; in your case it could force a log out.
I cant understand if you want to redirect them after a while or redirect them after they logout.
If the case is such that you want to end the session after a while, you could set te maxAge of the cookie in order to last the maximum time you want your users to be able to interact with your site.
Here is an article about maxAge and expires: HTTP Cookies: What's the difference between Max-age and Expires?
Also, you could set a function that set a time out and next, if you have something like Express-sessions and passaport, you could use the logout(). But I dont recomend this. I think that is better to set the maxAge of the cookies and let the vainilla do their best.
In every case, you could use some helper in your routes that check if there is an active session. This way you could redirect them if the cookie has caducate.
Sorry aboutmy english :)
You need 3 things: mouse movements and keyboard actions, a timer, log out redirect.
check for mouse movements and keyboard actions;
if there's no activity, you start a timer;
when the time is over you redirect the user to logout url;
If you make their cookies invalid on the server, then simply force a refresh with window.location.reload(). Here's the SO question concerning that.
Here's an example I am currently using on one of my projects:
if(getCookie("id") == ""){
window.location.href = "login";
}
Put that right after the body tag for each of your pages.
Then when you expire the cookie...
expireCookie("id");
window.location.reload();
Since you've essentially deleted the cookie, the first script will now redirect the user to the login page.
Related
I'm trying to work a solution to timing out a user from my web application. I'm currently using ng2-idle and it seems to only work on the active window rather than be tracked server side (angular server webpack)
I need to handle these two events in addition to the one above:
On Browser Close
On Connection loss (Power cut, blue screen, etc..)
After testing, my timeout was not being tracked after closing the window. Ng2-idle has modules such as keepalive but I'm not exactly sure how to use it and if it solves my problem
I will provide code if needed
thank you
The main problem is, that the client and server are communicating in stateless manner. This means if the user disconnects no body knows.
If your browser has a hook function for closing or navigating to another site you could use that and send the logout request.
Another thing which relavant is session expiration, you should use that. If you are using a token you will need to blacklist that, as non active as long as the session may be valid (or however).
Disconnect is a major problem (session expiration tried to solve that somehow).
A more sophisticated way if it is really crucial to log out on disconnect you may need to use websockets or http long polling. You would need to send a heartbeat and if it's not responding, after some time you will automatically logout the user.
Hope these thoughts kind somehow help.
when you close your browser session will destroy.So you can use session to logout.
I want to invalidate the session when the user close the tab or browser in my GWT Application. I saw lot of threads Confirm Browser Exit in GWT but didn't get the solution which i am looking for. This should not fire when user refresh the browser(it shouldn't invalidate the session) and even it should not fire when user navigate to other screen or download any file.Any Idea?
There is no way to tell the difference between closing a window or navigating away in various ways. You may be able to get around refreshing a page issue by creating a timer on the server side to see if a user requests your page again within a certain period of time, but it's not clear what benefits you get.
From a user experience view, you should offer a Sign Out (Log out) button or something similar, so a user can clearly indicate an intent to leave your app. Also, you can set an inactive timeout on your session, to invalidate session after a period of inactivity.
I am using socket.io in my node.js application to give real time experience to my users. But due to leak of my experience with socket.io, I have some doubt with browser tab management. Let me explain first.
My website does not allowed login to user from multipul browser at a time. means If someone login from one browser, and then try to login from another browser, I have to kill previous login session. Means my socket.io emit messages to previous browser's all tab for logout, but my second browser's all tab should not get message for logout. How Do I do this?
Another question is I want to count distinct logged in users for my deshboard. But with multipul tabs, count is showing wrong figger. (eg. Single user accessing website from single browser but from 2 or more tabs, on server, socket client is showing each connection for tab, Here I need just one count. How Do I get it?
If some one has example/sample regarding above user case, please share it, so new coumer will gets help from it.
thanks
I need to build a feature like most of the banks use. Where..
if user has log in to bank account in a browser tab & again he/she change the url of browser & move to some other site.. and again come to bank's page by clicking browser's BACK button.. then bank automatically log out user from there site.
I think may be by java script we can do this.. but, can not able to understand how to do this. I'm using PHP for my server side script. Is this, possible by PHP to do this..
Regards
Suresh
This not a java/PHP question but depends on the exact behaviour you want to implement.
The only way to track the user "live" is through javascript. So if you want to know when the user leaves the page, you can bind yourself to an event listener and then do an ajax call or something like this that invalidates the session on the serverside. Keep in mind that users may be browsing your site with JS disabled, so you need a fallback on the serverside.
I would recommend you to implement session storage on the serverside with a storage mechanism (either the built-in PHP session store or some external storage like Couchbase or Redis, Memached,...) and set the logout time to a sane default (lower if it is something like a banking application).
If you have the basics in place, use JavaScript to enrich the user experience, for example by showing a "countdown" when the user will be logged out and sending session refresh ajax calls to the server to renew the session every time the user has an interaction with the website and such.
For more detailed information I'd need more requirements from your side!
This is in context to an ASP.Net application. The application makes use of a specific data which is set for a page. After this data has been set all the operations from this page onwards use the set data.
The problem is that if the user opens another tab with a competing data it overwrites the older data for the same session and for the same user which invalidates the operations on the first tab.
I know the suggested way is to refactor the code to remove such coupling but that is not possible. Here's another thread that discussed this but didn't specify any solutions other than refactoring the code (http://stackoverflow.com/questions/632062/ways-to-detect-ctrl-n-or-when-a-user-opens-a-new-window)
So, how can I detect (and notify the user) or stop the user from opening another tab - through javascript/Jquery?
You could set a session variable isActive and set it to true, along with all the other session data when the user opens the application the first time. After this, if the user opens another tab, check to see if isActive is true. If it is, inform the user and don't set the data again.
In pseudo-code, your logic should flow like this
if (!isActive)
//set session data
else
//alert the user: You have another active session
This would be a better solution because there is no guarantee the user does not visit the page to set the session, then temporarily turn off Javascript to launch a new tab without you being notified.
You should realize that you cannot prevent multiple pages being open on the same site by the same user. A user can always do such an operation using multiple different browsers on the same computer or browsers on different computers. As such, what you really need to do is to design your application to either just handle this situation gracefully or detect such a conflict and decide what the safest action is to take when it occurs (chances are, at the server, you either ignore the data from all sessions but one or you somehow merge them all together). What the safe action is depends upon what the data is or how it was changed.
The most straightforward option is to coin a new server-based session for the user each time the user visits and, at the server, invalidate all previous sessions so any older session that tries to make any future updates to the server will be denied because of an invalid session. This prevents any sort of multi-session data conflict.
If you want to be able to inform the user when their session becomes invalid, you could do a slow poll of the server (say once every 20 mins) as long as the window is open and on your site to check the session validity such that you can inform the user when their session has expired.