This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

Issue removing sessions
#1
Found that there is nothing removing sessions from us_user_sessions when you enable session management/recording.

I made a modification to users/logout.php to correct the issue in my instance, just FYI
  Reply
#2
Nice! @brandin might have a thought on that, but care to share your code?

Also, when you edit the "core" user files like that, it makes it hard to deal with updates because our updates will overwrite the modifications you make.

There are 2 files in usersc/scripts called just_before_logout.php and just_after_logout.php that let you add these types of modifications without editing a userspice file.

If there are other changes you made and want help with that, let us know!
  Reply
#3
We don't want sessions ever removed from this table. We always want to track this. I suppose on logout we may want to remove it from the table, but this would be the only instance. Removing it in the middle of a session would force a user out. That is what happens when you use the "Kill All Sessions" from the admin_manage_sessions page.

There is also a bug in the code that will cause random timeouts. If you want the fix for this, let me know.

Brandin.
  Reply
#4
Sorry, I misspoke. I didn't really mean removed from the table... I meant marked as completed/ended.  There isn't anything marking them complete.

I understand about editing core files... but I had no choice because the logout page as is doesn't get the settings, which are required to know if sessions are being managed.  I've had a couple of other instances so far where I had no choice, and I'm keeping a log of such changes at the moment.

Think it would be good for the logout page to include header.php and navigation.php even too in case the user doesn't wish to redirect at all.

I am definitely interested in the other fix.



PHP Code:
<?php
require_once '../users/init.php';
// header.php is included so that $settings is available on the logout page
require_once $abs_us_root.$us_url_root.'users/includes/header.php';

// Optional site-specific hook that runs before the user is logged out
if(file_exists($abs_us_root.$us_url_root.'usersc/scripts/just_before_logout.php')){
  require_once $abs_us_root.$us_url_root.'usersc/scripts/just_before_logout.php';
}

// When session management is enabled, end the current tracked session
if($settings->session_manager == 1 && isset($_SESSION['kUserSessionID'])) {
  $sessions = ['kUserSessionID' => $_SESSION['kUserSessionID']];
  killSessions($sessions,$admin=false);
}

$user->logout();

// Optional hook after logout; without it, fall back to the index page
if(file_exists($abs_us_root.$us_url_root.'usersc/scripts/just_after_logout.php')){
  require_once $abs_us_root.$us_url_root.'usersc/scripts/just_after_logout.php';
}else{
  Redirect::to($us_url_root.'index.php');
}
?>
  Reply
#5
I suppose on logout we can mark the sessions ended which would be done in the column UserSessionEnded and EndedTime I believe (I'm not looking at the table right now.) There also should be a function that performs this, you would be able to use this function in your logout script from the manage_sessions or admin_manage_sessions page.

Just remember that even companies like Facebook and Twitter don't remove old sessions until they are officially destroyed (user actually pressed logout or was forced out remotely) and that is what we are trying to accomplish.

Thank you,
Brandin.
  Reply
#6
Yes, see the code I posted... I found and used the function killSessions

And yeah, I understand... there has to be something on explicit logout that marks them completed though.  Otherwise the user's 'active' sessions just keep piling up.
  Reply
#7
Even on explicit logout, it may not be something you want to do. These Session Management tools are a good way to spot unauthorized access to your account, especially if you use US for a project that requires a bit more security oversight. If you hide these on explicit logout, someone could log in to an account unauthorized, and as long as they log out, the chances of anyone noticing while reviewing the page would be slim.

Brandin.
  Reply
#8
Okay, I guess I just don't understand then when they get marked completed/ended if not on explicit logout.  If every session ever created stays active until I as admin go to the dashboard and manually end them, I am not seeing the value in the feature.  And for my users looking at their sessions it will be confusing why they have so many active sessions despite having logged out (it was for me).  I mean they are not actually active sessions... once explicitly logged out there will no longer be any use of/reference to that session.

I can view completed ones same as active ones, so I wouldn't say they are hidden.  And if every session stays active without manual intervention... I won't notice anything odd either... and really would have to turn the feature off.

Thanks for your time today
  Reply
#9
I guess you just need to consider what the feature was built for: tracking and intervention of sessions. I can go into Facebook right now and look at a portion of the security titled "Where You Are logged In" and I can guarantee at least 40/50 are no longer actually logged in (app uninstalled, new phone, closed browser, private browsing), so many reasons. In this case, Facebook removes ones that you log out from, but it never removes it because the session expired or anything like that. It only removes it in one of these two cases:
-You explicitly logout
-You end all sessions

The only one we are lacking is the former which you have developed a solution for. I am just trying to instill in you the reasoning behind this feature and what you should use it for from our perspective, and that this information can be valuable.
  Reply
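
The lifecycle argued for in the post above (a session row is flagged as ended on explicit logout or on "end all sessions", and is never deleted, so it stays reviewable) can be modelled as follows. This is an added example, not code from the thread or from UserSpice: the table name and the columns kUserSessionID, UserSessionEnded and EndedTime come from the posts, while the other columns, the sample rows and the functions endSession, endAllSessions and sessionsFor are assumptions.

```php
<?php
// Stand-alone model on in-memory SQLite; schema and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE us_user_sessions (
    kUserSessionID   INTEGER PRIMARY KEY,
    user_id          INTEGER NOT NULL,
    ip               TEXT NOT NULL,
    started          TEXT NOT NULL,
    UserSessionEnded INTEGER NOT NULL DEFAULT 0,
    EndedTime        TEXT)');

// Constructed sample: two sessions for user 7, the second from an unfamiliar address.
$ins = $pdo->prepare('INSERT INTO us_user_sessions (user_id, ip, started) VALUES (?, ?, ?)');
$ins->execute([7, '198.51.100.20', '2018-09-11 09:00:00']);
$ins->execute([7, '203.0.113.45',  '2018-09-11 14:30:00']);

// Explicit logout: flag one session as ended; the row itself is kept.
function endSession(PDO $pdo, int $sessionId, string $now): int {
    $q = $pdo->prepare('UPDATE us_user_sessions SET UserSessionEnded = 1, EndedTime = ?
                         WHERE kUserSessionID = ? AND UserSessionEnded = 0');
    $q->execute([$now, $sessionId]);
    return $q->rowCount(); // 0 if already ended, so the first EndedTime is preserved
}

// "End all sessions": the same update, scoped to every open session of one user.
function endAllSessions(PDO $pdo, int $userId, string $now): int {
    $q = $pdo->prepare('UPDATE us_user_sessions SET UserSessionEnded = 1, EndedTime = ?
                         WHERE user_id = ? AND UserSessionEnded = 0');
    $q->execute([$now, $userId]);
    return $q->rowCount();
}

// $ended = 0 lists active sessions, 1 lists ended ones, null lists the full history.
function sessionsFor(PDO $pdo, int $userId, ?int $ended = null): array {
    $sql = 'SELECT kUserSessionID, ip, started, UserSessionEnded, EndedTime
              FROM us_user_sessions WHERE user_id = ?';
    $args = [$userId];
    if ($ended !== null) { $sql .= ' AND UserSessionEnded = ?'; $args[] = $ended; }
    $q = $pdo->prepare($sql);
    $q->execute($args);
    return $q->fetchAll(PDO::FETCH_ASSOC);
}

endSession($pdo, 2, '2018-09-11 14:35:00'); // the unfamiliar session logs itself out
printf("active: %d, history: %d\n",
    count(sessionsFor($pdo, 7, 0)), count(sessionsFor($pdo, 7)));
foreach (sessionsFor($pdo, 7, 1) as $row) { // ended rows remain available for review
    printf("ended #%d from %s at %s\n", $row['kUserSessionID'], $row['ip'], $row['EndedTime']);
}
```

Because the logout path only updates the row, the active list stops growing after each logout while the session from the unfamiliar address still shows up in the ended list with its address and end time.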
#10
(09-11-2018, 05:06 PM)Brandin Wrote: I guess you just need to consider what the feature was built for: tracking and intervention of sessions. I can go into Facebook right now and look at a portion of the security titled "Where You Are logged In" and I can guarantee at least 40/50 are no longer actually logged in (app uninstalled, new phone, closed browser, private browsing), so many reasons. In this case, Facebook removes ones that you log out from, but it never removes it because the session expired or anything like that. It only removes it in one of these two cases:
-You explicitly logout
-You end all sessions

The only one we are lacking is the former which you have developed a solution for. I am just trying to instill in you the reasoning behind this feature and what you should use it for from our perspective, and that this information can be valuable.

Okay... misunderstanding then... I have been speaking solely to ending the session on explicit logout.  It seemed you were trying to say that may not be desired and I was trying to say it is a requirement.  So we are on the same page.  Thanks again.

You said you have some other fix?  Can I have it?
  Reply

