A place for users and developers of the Xataface to discuss and receive support.
by samhans » Thu Mar 01, 2012 8:49 am
Hi Steve and all,
Can I restrict the users in my Xataface application so that a user can log in from only one console at a time?
I.e., suppose user A is logged in from one computer and tries to log in from another computer; he gets an error that the user is already logged in.
Hope somebody could help.
Thanks in advance.
-
samhans
-
- Posts: 96
- Joined: Fri Feb 10, 2012 1:22 am
by shannah » Thu Mar 01, 2012 10:11 am
You could keep a list of logged in users and their associated IP addresses. Add a check in the beforeHandleRequest() method to make sure that the user is logged in from the same address you have in the list. If not, you just call session_destroy() and redirect back home with a message of some kind.
-Steve
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by ADobkin » Thu Mar 01, 2012 10:15 am
I think this would require a change (i.e. custom code) to how Xataface works with sessions by default. I would start with one of the triggers in the Application Delegate Class: http://www.xataface.com/wiki/Application_Delegate_Class
Specifically, one of these should do what you want:
-
ADobkin
-
- Posts: 195
- Joined: Mon Oct 22, 2007 7:31 pm
- Location: Atlanta, GA, USA
by ADobkin » Thu Mar 01, 2012 10:22 am
Steve beat me to the punch. The only thing I would add is to beware of tracking users by IP address unless they all have permanent static addresses. Otherwise, if they are mobile or using DHCP, their address could change unexpectedly, making it difficult to manage users in your application. This could lead to users getting logged out while they are in the middle of editing a form, which causes them to lose the data they entered. Xataface briefly worked that way in version 1.3rc3, and it was a big problem for us.
-
ADobkin
-
- Posts: 195
- Joined: Mon Oct 22, 2007 7:31 pm
- Location: Atlanta, GA, USA
by ADobkin » Thu Mar 01, 2012 10:31 am
One other thing to consider if you track by IP address: Multiple users could be connecting from the same address, depending on how your network is set up and where the Xataface server is. For example, if your clients are on the same shared network with a single Internet IP address using NAT and the server is hosted externally, then all connections would be coming from the same IP address. This is a typical scenario for most small networks.
-
ADobkin
-
- Posts: 195
- Joined: Mon Oct 22, 2007 7:31 pm
- Location: Atlanta, GA, USA
by shannah » Thu Mar 01, 2012 10:34 am
It actually still works this way (logs you out if you are accessing from a different IP address) by default. In 1.3rc3 it just showed an error message that was a pain - whereas now it just logs you out. You can disable this behaviour by adding
Code:
disable_session_ip_check=1
to the beginning of the conf.ini file. That restriction is a little different, though, than limiting a user from being logged in from separate IPs. The default restriction only applies to a single session. You cannot access the same session from different IPs. But you can log in from multiple IPs on different machines - each would have its own session. To restrict it so that each user can only have one session you need to either maintain a list of username/IP addresses.
-Steve
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by shannah » Thu Mar 01, 2012 11:06 am
"Multiple users could be connecting from the same address"
This is a good point. You may want to instead track the session id associated with each user. http://ca2.php.net/manual/en/function.session-id.php
If a user tries to access and the session id doesn't match the current one on file, then you would need to decide what to do. You could either disallow the connection, you could log the previous user out (destroy the session file for the other connection), or give the user an option of some kind.
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by samhans » Thu Mar 01, 2012 6:38 pm
Steve, can we do it this way: block the user from logging in if he has not logged out from the other computer?
-
samhans
-
- Posts: 96
- Joined: Fri Feb 10, 2012 1:22 am
by shannah » Fri Mar 02, 2012 11:29 am
Yes. You could do everything inside the beforeHandleRequest method.
Code:
// The three helper functions below are placeholders to be implemented.
if ( userIsAlreadyLoggedIn() ) {
    session_destroy();
    redirectUserToAnErrorPage();
} else {
    storeUserSessionIdInLookupTable();
}
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by samhans » Fri Mar 02, 2012 7:21 pm
Hi Steve, could you tell me how I could save the logged-in user and his IP address in my database, and destroy it when he logs out?
-
samhans
-
- Posts: 96
- Joined: Fri Feb 10, 2012 1:22 am
by samhans » Fri Mar 02, 2012 7:53 pm
Steve, I have stored the username and IP address in my database but am stuck on how to destroy it.
Help required.
-
samhans
-
- Posts: 96
- Joined: Fri Feb 10, 2012 1:22 am
by shannah » Sat Mar 03, 2012 9:16 am
Use the after_action_logout trigger
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
by ADobkin » Sat Mar 03, 2012 4:05 pm
Maybe this should be a separate topic, but I've had some code in the after_action_logout trigger in my Application Delegate class for a long time, and it almost never gets called. I think the reason is because the session automatically times out after a while, so users don't bother to click the logout button.
Is there an easy way to trigger when an idle session times out? One thought I had was to run a cron job that checks for active/idle/expired sessions, but I haven't gone down that road yet.
-
ADobkin
-
- Posts: 195
- Joined: Mon Oct 22, 2007 7:31 pm
- Location: Atlanta, GA, USA
by shannah » Sat Mar 03, 2012 4:33 pm
That's a good point. You may need to keep expiry times in the lookup table that would allow you to log in if the user hasn't made any requests for some period of time.
Suppose you could use the session_id to track down the session files but this would be dependent upon the session module used by PHP so it could be a little tricky to make robust.
If a session times out automatically then there are no triggers that would alert you to this event. You just have to infer it from a lack of connections in the recent past.
-
shannah
-
- Posts: 4457
- Joined: Wed Dec 31, 1969 5:00 pm
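The lookup table discussed in this thread (session id per user, cleanup on logout, expiry inferred from idle time), as an added example that is not code from any poster or from Xataface. The class, table and column names and the 30-minute timeout are assumptions; it needs PHP 8 with pdo_sqlite for the walk-through. In an application delegate, claim() would be called from beforeHandleRequest() with the logged-in username and session_id(), followed by session_destroy() and a redirect when it returns false, and release() from the after_action_logout trigger.

```php
<?php
// Added example: one active session per user, with idle expiry.
// Class, table and column names and the 30-minute timeout are assumptions.
final class SingleSessionGuard
{
    public function __construct(private PDO $db, private int $idleTimeout = 1800)
    {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE IF NOT EXISTS active_sessions (username VARCHAR(64) PRIMARY KEY,
            session_hash CHAR(64) NOT NULL, last_seen INTEGER NOT NULL)');
    }
    // Call on every authenticated request; false means another live session owns this user.
    public function claim(string $user, string $sessionId, int $now): bool
    {
        $hash = hash('sha256', $sessionId); // keep raw session ids out of the database
        // Refresh our own row, or take over a row whose owner has been idle too long.
        $this->db->prepare('UPDATE active_sessions SET session_hash = ?, last_seen = ?
            WHERE username = ? AND (session_hash = ? OR last_seen < ?)')
            ->execute([$hash, $now, $user, $hash, $now - $this->idleTimeout]);
        $sel = $this->db->prepare('SELECT session_hash FROM active_sessions WHERE username = ?');
        $sel->execute([$user]);
        $owner = $sel->fetchColumn();
        if ($owner !== false) {
            return hash_equals($owner, $hash);
        }
        try { // no row yet: first login; the primary key settles concurrent attempts
            $this->db->prepare('INSERT INTO active_sessions VALUES (?, ?, ?)')
                ->execute([$user, $hash, $now]);
            return true;
        } catch (PDOException $e) {
            return false;
        }
    }

    // Call from the logout trigger so the user can log in elsewhere immediately.
    public function release(string $user, string $sessionId): void
    {
        $this->db->prepare('DELETE FROM active_sessions WHERE username = ? AND session_hash = ?')
            ->execute([$user, hash('sha256', $sessionId)]);
    }
}

// Constructed walk-through on an in-memory SQLite database (timestamps in seconds).
$guard = new SingleSessionGuard(new PDO('sqlite::memory:'));
var_dump($guard->claim('alice', 'sess-A', 1000)); // first login
var_dump($guard->claim('alice', 'sess-B', 1100)); // second computer while sess-A is active
var_dump($guard->claim('alice', 'sess-B', 3000)); // sess-A has been idle past the timeout
$guard->release('alice', 'sess-B');               // explicit logout
var_dump($guard->claim('alice', 'sess-A', 3010)); // login again after the row was released
```

Because the decision is read back with a SELECT rather than taken from the UPDATE's affected-row count, the check behaves the same on MySQL, which reports zero affected rows when an update leaves the values unchanged.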