how to clear all sessions associated with a user with passport.js - passport.js

I know how to log out a user when he requests to do so, but e.g. when he changes his password, I would like to log out all sessions that are currently active with the user.
How can I achieve this?
Thanks & Cheers!
Freundschaft

Related

Node.js check if another user is logged in

I have a Node / express app, using Passport for account creation and authentication. I'd like to be able to check which sessions are active, i.e., which users are currently logged in.
I could have a flag on each user's profile which is changed on login / logout, but I don't know how passport handles users who just close the browser and don't specifically go to the logout route, so I don't know if this flag would be set to false in that case.
What's the best way of achieving this?
My end game is to be able to tell the server whether or not to send a notification email to another user when they receive a message from someone else - if they're currently logged in, they won't get an email.
Ok, so if you have Passport set up, then the answer depends on what session storage you're using. Essentially, you'll query your session store to see what active users are there, but the actual mechanics of doing so will vary depending on your implementation. Once you know if a given user is considered active by the session store, you can decide to send the message or not.
However, the session store isn't infallible. No matter how you have your session expiration set up, it's almost impossible to guarantee that the store has perfect knowledge of all users; there is invariably some non-zero amount of time from when a user closes a browser window to when the session considers him or her offline.
So, even with that preemptive attempt to make sure a user is online before sending a message, if you want real reliable delivery, you will want to have your client code send back an acknowledgement of receipt. If the ack fails, then you can safely assume the user didn't get it and send the email after the fact.

NodeJS Express remove all session from same user

I wonder what is the best way to remove all sessions of a user that is connecting?
What I want to do, is to logout all old sessions on all devices when a user logs in a new device.
I couldn't find any accurate answers.
Many thanks in advance
A part of the answer for the MongoDB connection store is here: https://github.com/kcbanner/connect-mongo/issues/201
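The answers above come down to querying the session store for a user's sessions and deleting them. The following is an added example, not code from any of the posts: it assumes the express-session store interface (`all`, `destroy`), Passport's default layout where the serialized user id sits at `session.passport.user`, and a constructed in-memory `DemoStore` in place of a real store.

```javascript
// Constructed in-memory stand-in for an express-session store, so this runs offline.
class DemoStore {
  constructor() { this.sessions = new Map(); }
  set(sid, session, cb) { this.sessions.set(sid, JSON.stringify(session)); cb(null); }
  all(cb) { cb(null, Object.fromEntries([...this.sessions].map(([k, v]) => [k, JSON.parse(v)]))); }
  destroy(sid, cb) { this.sessions.delete(sid); cb(null); }
}

// all() results differ by store: an object keyed by sid, or an array of sessions
// carrying their own id (the `id` property is an assumption about the store used).
function toEntries(sessions) {
  if (Array.isArray(sessions)) return sessions.map((s) => [s.id, s]);
  return Object.entries(sessions || {});
}

// Session ids whose Passport payload (session.passport.user) matches userId.
function sessionsForUser(store, userId, cb) {
  if (typeof store.all !== 'function') return cb(new Error('store lacks all()'));
  store.all((err, sessions) => {
    if (err) return cb(err);
    cb(null, toEntries(sessions)
      .filter(([, s]) => s && s.passport && String(s.passport.user) === String(userId))
      .map(([sid]) => sid));
  });
}

// Destroy every session of userId except keepSid (e.g. the one that changed the password).
function destroyUserSessions(store, userId, keepSid, cb) {
  sessionsForUser(store, userId, (err, sids) => {
    if (err) return cb(err);
    const targets = sids.filter((sid) => sid !== keepSid);
    let pending = targets.length, failed = null;
    if (pending === 0) return cb(null, []);
    targets.forEach((sid) => store.destroy(sid, (e) => {
      failed = failed || e;
      if (--pending === 0) cb(failed, targets);
    }));
  });
}

// Constructed sample: user u1 on three devices, user u2 on one.
function demo() {
  const store = new DemoStore();
  [['sid-laptop', 'u1'], ['sid-phone', 'u1'], ['sid-tablet', 'u1'], ['sid-other', 'u2']]
    .forEach(([sid, user]) => store.set(sid, { passport: { user } }, () => {}));
  let removed;
  destroyUserSessions(store, 'u1', 'sid-laptop', (err, sids) => { removed = sids; });
  return { removed, left: [...store.sessions.keys()] };
}
```

With a real store the callbacks fire asynchronously, so act on the result inside the callback. The scan touches every session in the store; larger deployments usually keep a per-user index of session ids instead.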

Possibility to change info before saving user from facebook with passport.js

I am trying to implement a solution for logging in with the help of Passport.js, Node, MongoDB and AngularJS. I want to "interrupt" the process when the user presses "login with facebook/twitter/other", so that after the user details are returned from facebook/other, the user should be able to change some of them, among others their username, before the user object is saved in the database (given that the username does not exist already). Where is the best place to interrupt this process? Is it a possibility to redirect to a page and post an object from inside the main passport.js file?
Thanks a lot!

TweetSharp how to know that user has change/update his password

I have OauthToken and OauthSecretToken tokens and use them as:
var service = new TwitterService(ClientInfo.ConsumerKey, ClientInfo.ConsumerSecret);
service.AuthenticateWith(OauthToken , OauthSecretToken);
Is there any way to check that this user has changed his/her password?
Thanks in advance.
There is no way to know this. One of the purposes of OAuth is that applications have no way of knowing anything about the user's password, so there's no way of knowing if the user has changed their password.

Grails + Acegi: How to handle password renewal ? Logged vs not logged user

I'm writing a module to force a user whose password has expired to renew their password. This app uses the acegi security plugin. After the expired credentials are detected, the user is redirected to an "insert a new password" page. However, when the form is submitted, the auth action is executed, instead of the desired one (renewPassword).
I suspect that this happens because the user is not logged in, so I was wondering if there exists a better approach for this.
For example, letting the user log in, but disabling its account until he/she refreshes his password.
Is this the right way to go? Can anyone share his/her experience?
Update
Come to think about it, as acegi is doing all the "check for expired credentials" work, I won't be able to log the user in and then change it, as I get a CredentialsExpiredException when authentication fails. So is there a way to do this?
Thanks in advance
I would suggest allowing the login, but setting a redirect flag in your code to push them to the password change page, so even if they try to change to another location in the site, it will push them back to the password change page. (I don't know how to code it in this language, as I've never used it, but it's how I would suggest to work around the seeming limitation)
Finally solved it the "easy, not programmatic, conf. file" way.
In SecurityConfig.groovy I added an entry to the requestMapString:
/login/renewpassword = IS_AUTHENTICATED_ANONYMOUSLY
This way, the renewpassword action inside the loginController can be executed without having the user logged in.
Thanks everyone for your time.
