
Re: Programmatically detecting login or logout events

by David Smith-2


> Martin the problem is that even when you invalidate the session... the
> browser itself still knows that the user is cool...
> So TC will send it a new session ID and it will return the info
> without even asking the user to logon as such...
I can see this happening ONLY if the user is authenticating via BASIC
auth or using a front end like Apache Httpd to perform authentication.  
With Form authentication, this behavior would not happen.  With form
auth, the user would be redirected to the login page before a secured
page ever received another request from that user.

--David

Alan Chaney wrote:

>
>> Martin the problem is that even when you invalidate the session... the
>> browser itself still knows that the user is cool...
>> So TC will send it a new session ID and it will return the info
>> without even asking the user to logon as such...
>>
>
> Please indicate the part of the Tomcat code which makes the above
> behavior happen. I quote from the Servlet 2.4 spec.
>
> "If the user is authenticated using form login and has created an HTTP
> session, the timeout or invalidation of that session leads to the
> user being logged out in the sense that subsequent requests must be
> re-authenticated." (SRV.12.5.3.1 Login Form Notes)
>
> so I don't think what you say is correct.
>
>
>> Even when a user opens a new page in the browser... it knows they
>> "still" cool
>> Until the browser is closed they logged on ;)
>> And there is no direct "the browser is gone event"... browsers are
>> stateless yada yada
>
> This isn't actually correct. Invalidating the session on the server
> means that the browser's record of the session is as though the
> session never existed. Tomcat will no longer 'associate' session state
> with the session Id provided by the browser and all the state in the
> session is lost (unless persisted by an application.)
>
> request.getRemoteUser() will return null because the browser and
> server can no longer agree on a sessionID, this is as other
> contributors have said the 'logged out' state.
>
> The standard servlet authentication mechanisms will redirect any
> further access to protected pages to the selected login mechanism as
> soon as the session is invalidated.
>
>>
>> if request.getRemoteUser() has the users name... they on... you dont
>> know when they off
>>
>> but you can track the user... either you have that in every page and
>> if you get a name you record time page url...
>> or you can stick that in a filter... which sits in front of all your
>> pages, so you dont have to doctor every page on a site...
>>
>> You know when they in... you dont know when they gone..
>
> It is true that unless you have some javascript code which
> specifically generates an event to say that the browser is logged out
> AND the network connection is still valid, you don't actually know
> that the browser has 'gone'. However, you can easily generate a
> session timeout event.
>
> I have actually implemented user state logging (detect log in event,
> detect navigation events and detect either manual logout or session
> timeout and it works fine. It is driven entirely from looking at the
> state of 'getRemoteUser' and the session timeout event.
>
> Regards
>
> Alan Chaney

---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
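As an added illustration of the approach Alan describes (a filter that watches getRemoteUser() for login and navigation events, plus the session-destroyed event for logout or timeout), the following Java class is example code written for this page, not code posted in the thread. The class name, the attribute names, the "LOGIN/PAGE/LOGOUT/TIMEOUT" log format and the web.xml registration are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical tracker: registered in web.xml both as a <filter> mapped to /* and as a <listener>.
public class UserStateTracker implements Filter, HttpSessionListener {
    // Hypothetical session attribute recording the user once the login event has been logged.
    static final String USER_ATTR = "tracker.user";
    // Hypothetical attribute a logout servlet sets right before session.invalidate(),
    // so sessionDestroyed() can distinguish a manual logout from a container timeout.
    static final String MANUAL_LOGOUT_ATTR = "tracker.manualLogout";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // With form auth, getRemoteUser() is null until the container has authenticated
        // this session; after invalidation it is null again until the user logs in anew.
        String user = http.getRemoteUser();
        if (user != null) {
            HttpSession s = http.getSession(true);
            if (s.getAttribute(USER_ATTR) == null) {
                s.setAttribute(USER_ATTR, user);   // first authenticated request: the login event
                log("LOGIN", user, s.getId(), http.getRequestURI());
            }
            log("PAGE", user, s.getId(), http.getRequestURI());   // navigation event
        }
        chain.doFilter(req, res);
    }

    public void sessionCreated(HttpSessionEvent e) {}

    // Fires for both session.invalidate() and container timeout; attributes are still readable here.
    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        String user = (String) s.getAttribute(USER_ATTR);
        if (user == null) return;   // session never carried an authenticated user
        boolean manual = s.getAttribute(MANUAL_LOGOUT_ATTR) != null;
        log(manual ? "LOGOUT" : "TIMEOUT", user, s.getId(), "-");
    }

    private static void log(String event, String user, String sid, String uri) {
        System.out.println(System.currentTimeMillis() + " " + event
                + " user=" + user + " session=" + sid + " uri=" + uri);
    }
}
```

Because the filter keys the login event off the container's own authentication state, it needs no changes to individual pages, and the listener covers the case the thread discusses where the user simply closes the browser and the session later times out.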
