if I am logged in on my application but if i choose closing browser without clicking on logout how will be I logged out from server automatically?
Unless you have the user explicity log out, your server cannot know the user has closed their browser.
You can simply let sessions timeout naturally, for example, after ten minutes of inactivity.
Alternatively, you can add some js to the page to make regular pings back to the server to keep a session alive while the browser window is open.
Related
I have a webserver (Nodejs+express+ passport) that uses passport for local authentication. Does anyone know if there is some kind of callback occurring when user closes the browser tab? I would like to be able to detect this because I am trying to save logout time stamps for those users that do not explicitly logout (i.e. by clicking log out).
Thank you!
I would have asked you to check the questions on SO first, but I think is no way to do it the way you are trying. Well, check these links: how to run code on window close or refresh and how to detect it was close
Basically you can't. This is one of the reasons why many applications show 'last login time' and not logout time to users, see if that works for you.
Regarding saving the logout time of a user: I would say do not store the value at all. The sessions should be allowed to expire based on configuration: users can be logged out even by staying inactive a long time. A logout time for such users may calculated later, based on their last activity time, (which you can store on each page load/call to your server, when you refresh the user's session timer) and the session timeout value. Now this can be calculated when the user logs in the next time, or using a background process.
You can store the lastActivityDate of the user, and assume that a user is considered offline after xx minutes.
You can try to execute a ajax call on window unload, but if the user has two open pages, and he closed one, the data will be false. It is also not certain that the request reaches the server.
You can set a very short expiration time on your session, and while a page is open, do a ajax regular ping to keep the session open.
See update at end of question
In Rails 4 I understand that sessions are, by default, only supposed to exist for the browsing session. If you closed your browser, the sessions should no longer exist.
However, I'm not finding that to be the case. I have a Rails 4 app using all the defaults provided by Rails. I was working on some authentication code and ran into this problem.
When the user logs into the system, they have the option to "remember me" via a checkbox. When they check the box, the session should have an expiration of 2 weeks. The goal is that when the user logs into the system and closes his browser, he can then open the browser up again and use the app without having to authenticate again.
On the flip side, if the user does NOT want to check the "remember me" box and logs in to the app and closes the browser, when the browser opens again the user should be required to authenticate again because his session "expired" when the browser closed.
The problem is that my sessions never go away. I tested some simple code where on page 1 I set a session variable in the controller and then on page 2 I display that session. When I close the browser and go to page 2 (not page 1 so session is not set again), the session still exists as it did before.
I thought sessions were supposed to expire when the browser closed by default? I have also tried this with "cookies" instead of sessions and get the same result.
In short, how can I get a session/cookie that expires/dies when the user closes their browser? It doesn't seem very secure to me to have all sessions persist if the user doesn't want them to, and I'm not going to have my users delete their cookies everytime they close their browser (may be on a public computer where their login info should ONLY persist until they close the browser).
Update
I think I found what may be causing the problem. I'm using Chrome as my browser and I had it set to "remember where I left off" when the browser closes and opens. This seems to save all sessions/cookies. I verified this with Gmail as well. If you have the "remember where I left off" set, but don't set the remember me token in Gmail, Gmail opens right back up when you close/open browser. If you tell Chrome to open a new tab on open, then Gmail sends you to the login page like I expect.
So that solves one problem, but the overall problem still persists. How can I make this "secure"? Let's say you're at a public computer, and a malicious user sets the browser to "remember where I left off" when the browser opens. So you login to an app (such as Gmail) but don't check the "remember me" box. So when you close the browser you expect your login to be "secure". But if another user opens the browser back up, he's already logged into your app.
Is this something I can feasibly prevent? If Gmail has this flaw (with an army of very intelligent developers) should I be bothered that this situation exists?
The browser "remember where I left off" functionality was indeed the problem. Removing that option resulted in the "expected" behavior for my cookies/sessions.
How to get session timeout of Domino server in XPages-SSJS. I want to prompt user to save his/her data before session expires. Thanks
Servers only communicate with users when those users make a request to the server.
Because of this, servers cannot send information to the user if they haven't requested it.
For example:
A user requests a page from a server.
The server sends that page back to the user, and creates a session
for that user. The session is set to expire in 5 minutes.
Those 5 minutes are up, and in the meantime the user hasn't requested
any further pages. So the users session ends, but because the user
isn't making any requests, the server has no way of communicating this
to the user.
This is just the way that HTTP traffic is designed to work. There are ways around this however, and by altering the example above I will show you one of the easiest ways:
A user requests a page from a server.
The server sends that page back to the user, and creates a session
for that user. The session is set to expire in 5 minutes. The page that the
server sends back has a javascript setTimeout function which is set to fire off just before the session of the server expires.
Those 5 minutes are up, and again, the user hasn't requested
any further pages. So the users session ends and the server has no way of communicating this
to the user. However, javascript on the page knows that the session on the server is due to expire, and fires off an alert to tell the user to save their work.
In SSJS you can get the setting of the SessionTimeout with the following code:
facesContext.getApplication().getApplicationProperty("xsp.session.timeout", "30");
But this is a static value (in minutes). The session expires in X minutes (30 is default) after the last request of the current session.
Well the timeout is reset with every interaction between server and client. So what could be done is basically have a count down on the client side that resets after every new request. And that could also be used client side to trigger a save interaction for a defined time prior to the actual session timeout.
Whether this makes sense or not is debatable... Alternatively auto-saving could be implemented aswell.
Everyone knows browser closes session when window is closed... interested in this question to deep understanding how session cookie works.
I found around:
Session cookies are never written on the hard drive and they do not collect any information from the user's computer. Session cookies expire at the end of the user's browser session and can also become no longer accessible after the session has been inactive for a specified length of time, usually 20 minutes.
So, the question is - how long are sessions in common browsers - chrome, firefox, ie, opera?
The session is alive as long as the browser and the server think it's alive for - for the browser, that is typically as long as the browser is open (assuming no "remember me" functionality). But the webserver may discard the session data if it thinks the client has gone away. For many web servers, this is set to be 20 minutes sin ce the previous request on that session - this is not dependant on the vendor of the browser.
I am using Spring acegi security for single sign on on multiple applications. I need to extend session timeout at client side if user writing something on browser too. If user opended multiple sessions or browsers then i need to consider active session on all the sessions he opened. If he is active then i should not log off him eventhough he is inactive in another sessions.
Please suggest me any ideas how to track and know at the client side too.
Any idea is greatly appreaciated. Thank you.
Running application app1 in two tabs say tab1 and tab2.Timeout is 10 minutes. So we implemented timeout functionalit in java script which is at client side. This code gives Confirm box after 10 min. If user says continue, we are extending the session by firing the alive url. This working if application running in a single tab. Same applciation app1 open in multiple tabs say tab1,tab2. Here applicaiton app1 opened in two tabs but single session. We are woking the application which is opened in tab2 and not using applciation in tab1. So application in tab1 is inactive for 10 min.then application in tab1 giving confirm box and we dont answer to that confirm box tab2 will make applciation to log out. So what is the solution for not making logout as we are working application on Tab2. Any ideas? How to track whether application in active in other tabs?
This is not straigt forword answer. (Since I do not think there is a solution for that)
you could try to fire a pixel(*) between the application and by that extends the session time.
lets say that you have:
app1, app2, app3
the user logged in to app1 and app2 and he is working only on app1. if you fire a pixel from his browser to app2 every http request he made on app1, he suppose to be alive on app 2 as well.
I think that if you fire the pixel every 2 minutes between the applications app1,2 and 3 you can save the session alive between the apps.
I have done this twick in PHP application, it wans'nt so easy, but it is doable.
*pixel - it is a hidden http request that runs a script in the serverside. can do it via ajax, img, script src="", iframe and more.
You should be able to store a lastActivity timestamp in localStorage
User activity in any tab updates the lastActivity timestamp
Whenever the timer expires in any tab it should check the lastActivity value before prompting the user. If lastActivity is older than timeout, prompt the user. If not, adjust the remaining time to show prompt
The simplest thing would be to associate the sign-in session with a shared domain. Say you have app1.domain.com, app2.domain.com, app3.domain.com, BUT you have the SSO take place on domain.com, and they all share that session cookie. This is just a matter of setting the domain on the session cookie-- I believe you can do this in the configuration. Anyway, this pretty easy to do, so if this works with your problem, go for it. (Maybe there's some tricky way to do this without that domain hierarchy, but I'm not sure what it is.)
If that isn't workable, you may need a different way to store sessions. My first thought would be to put the sessions in the database. With these, you can synchronize and centrally manage the timeouts. This may require a little bit of custom code-- but it shouldn't be that much.
Not sure this is applicable, but I wrote my thoughts on implementing timeout on the client side as well.
Modified code in javascript to fire ajax request to server and finding the latest activity.
If latest activity is less than 10 mins then there is no logout.