Issue removing sessions - Printable Version

+- UserSpice (https://userspice.com/forums)
+-- Forum: Support Center (https://userspice.com/forums/forumdisplay.php?fid=23)
+--- Forum: UserSpice 4.3 and Below (https://userspice.com/forums/forumdisplay.php?fid=26)
+--- Thread: Issue removing sessions (/showthread.php?tid=1139)
Issue removing sessions - clansing - 09-11-2018

Found that there is nothing removing sessions from us_user_sessions when you enable session management/recording. I made a modification to users/logout.php to correct the issue in my instance, just FYI.

RE: Issue removing sessions - mudmin - 09-11-2018

Nice! @brandin might have a thought on that, but care to share your code?

Also, when you edit the "core" user files like that, it makes it hard to deal with updates because our updates will overwrite the modifications you make. There are 2 files in usersc/scripts called just_before_logout.php and just_after_logout.php that let you add these types of modifications without editing a userspice file.

If there are other changes you made and want help with that, let us know!

RE: Issue removing sessions - Brandin - 09-11-2018

We don't want sessions ever removed from this table. We always want to track this. I suppose on logout we may want to remove it from the table, but this would be the only instance. Removing it in the middle of a session would force a user out. That is what happens when you use the "Kill All Sessions" from the admin_manage_sessions page.

There is also a bug in the code that will cause random timeouts. If you want the fix for this, let me know.

Brandin.

RE: Issue removing sessions - clansing - 09-11-2018

Sorry, I misspoke, I didn't really mean removed from the table... I meant marked as completed/ended. There isn't anything marking them complete.

I understand about editing core files... but had no choice because the logout page as is doesn't get the settings, which is required to know if sessions are being managed. Had a couple of other instances so far where I had no choice, keeping a log at the moment of such changes. Think it would be good for the logout page to include header.php and navigation.php even too, in case the user doesn't wish to redirect at all.

I am definitely interested in the other fix.

PHP Code:
<?php

RE: Issue removing sessions - Brandin - 09-11-2018

I suppose on logout we can mark the sessions ended, which would be done in the columns UserSessionEnded and EndedTime I believe (I'm not looking at the table right now). There also should be a function that performs this; you would be able to use this function in your logout script from the manage_sessions or admin_manage_sessions page.

Just remember that even companies like Facebook and Twitter don't remove old sessions until they are officially destroyed (user actually pressed logout or was forced out remotely) and that is what we are trying to accomplish.

Thank you,
Brandin.

RE: Issue removing sessions - clansing - 09-11-2018

Yes, see the code I posted... I found and used the function killSessions.

And yeah, I understand... there has to be something on explicit logout that marks them completed though. Otherwise the user's 'active' sessions just keep piling up.

RE: Issue removing sessions - Brandin - 09-11-2018

Even on explicit logout, it may not be something you want to do. These Session Management tools are a good way to spot unauthorized access to your account, especially if you use US for a project that requires a bit more security oversight. If you hide these on explicit logout, someone could log in to an account unauthorized, and as long as they log out, the chances of anyone noticing while reviewing the page would be slim.

Brandin.

RE: Issue removing sessions - clansing - 09-11-2018

Okay, I guess I just don't understand then when they get marked completed/ended if not on explicit logout. If every session ever created stays active until I as admin go to the dashboard and manually end them, I am not seeing the value in the feature. And for my users looking at their sessions it will be confusing why they have so many active sessions despite having logged out (it was for me). I mean they are not actually active sessions... once explicitly logged out there will no longer be any use of/reference to that session. I can view completed ones same as active ones, so I wouldn't say they are hidden. And if every session stays active without manual intervention... I won't notice anything odd either... and really would have to turn the feature off.

Thanks for your time today.

RE: Issue removing sessions - Brandin - 09-11-2018

I guess you just need to consider what the feature was built for - tracking and intervention of sessions. I can go into Facebook right now and look at a portion of the security titled "Where You Are logged In" and I can guarantee at least 40/50 are no longer actually logged in (app uninstalled, new phone, closed browser, private browsing), so many reasons. In this case, Facebook removes ones that you log out from, but it never removes it because the session expired or anything like that. It only removes it on one of these two cases:

- You explicitly logout
- You end all sessions

The only one we are lacking is the former, which you have developed a solution for. I am just trying to instill in you the reasoning behind this feature and what you should use it for from our perspective, and that this information can be valuable.

RE: Issue removing sessions - clansing - 09-11-2018

(09-11-2018, 05:06 PM)Brandin Wrote:
I guess you just need to consider what the feature was built for - tracking and intervention of sessions. I can go into Facebook right now and look at a portion of the security titled "Where You Are logged In" and I can guarantee at least 40/50 are no longer actually logged in (app uninstalled, new phone, closed browser, private browsing), so many reasons. In this case, Facebook removes ones that you log out from, but it never removes it because the session expired or anything like that. It only removes it on one of these two cases:

Okay... misunderstanding then... I have been speaking solely to ending the session on explicit logout. Seemed you were trying to say that may not be desired and I was trying to say it is a requirement. So we are on the same page. Thanks again.

You said you have some other fix? Can I have it?
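
The approach the thread settles on, marking a session row as ended on explicit logout while keeping it for later review, shown as an added example that is not part of the thread and is not UserSpice code. The table `user_sessions_demo`, its columns other than `UserSessionEnded` and `EndedTime`, and the helpers `markSessionEnded` and `countSessions` are assumptions; `killSessions` is not used because its signature does not appear on the page.

```php
<?php
// Added illustration, not UserSpice code. The table is a constructed
// stand-in for us_user_sessions; only UserSessionEnded and EndedTime are
// column names mentioned in the thread, the rest are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_sessions_demo (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    session_hash TEXT NOT NULL,
    ip TEXT NOT NULL,
    started TEXT NOT NULL,
    UserSessionEnded INTEGER NOT NULL DEFAULT 0,
    EndedTime TEXT
)');

// Constructed sample rows: two sessions for user 7, one for user 9.
$ins = $db->prepare('INSERT INTO user_sessions_demo
    (user_id, session_hash, ip, started) VALUES (?, ?, ?, ?)');
foreach ([[7, 'aaa111', '198.51.100.10', '2018-09-11 09:00:00'],
          [7, 'bbb222', '203.0.113.45',  '2018-09-11 14:30:00'],
          [9, 'ccc333', '198.51.100.77', '2018-09-11 15:00:00']] as $row) {
    $ins->execute($row);
}

// What a logout hook would do: end only the caller's own session row,
// and only if it is still open, so a repeated logout changes nothing.
function markSessionEnded(PDO $db, int $userId, string $hash, string $now): int
{
    $stmt = $db->prepare('UPDATE user_sessions_demo
        SET UserSessionEnded = 1, EndedTime = ?
        WHERE user_id = ? AND session_hash = ? AND UserSessionEnded = 0');
    $stmt->execute([$now, $userId, $hash]);
    return $stmt->rowCount(); // rows actually changed
}

// Count a user's rows; $ended = 0 for active, 1 for ended, null for all.
function countSessions(PDO $db, int $userId, ?int $ended = null): int
{
    $sql = 'SELECT COUNT(*) FROM user_sessions_demo WHERE user_id = ?';
    $args = [$userId];
    if ($ended !== null) { $sql .= ' AND UserSessionEnded = ?'; $args[] = $ended; }
    $stmt = $db->prepare($sql);
    $stmt->execute($args);
    return (int) $stmt->fetchColumn();
}

$changed = markSessionEnded($db, 7, 'bbb222', '2018-09-11 17:10:00');
printf("rows ended: %d, active for user 7: %d, total kept for review: %d\n",
    $changed, countSessions($db, 7, 0), countSessions($db, 7));
```

In a real install the same update would be called from usersc/scripts/just_before_logout.php, the hook file named earlier in the thread, so that core files stay untouched across updates.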