Re: [web2py] Re: prevent multiple session at the same time

2018-04-03 Thread Anthony
On Tuesday, April 3, 2018 at 10:20:41 AM UTC-4, AlighaThor wrote:
>
> I would not perform the database check in every request (and I think 
> Massimo didn't mean that :)), only during the second (or more) attempt 
> to log in with the same user. 
>
> Let's say you have the X user logged in. You stored the uuid in the 
> auth_user.uuid field as mentioned. Then in another session there is an 
> attempt to log in with those same credentials. You generate a second uuid, 
> and validate that new uuid against the older one stored in the user record.
>
> If the auth_user.uuid field is blank, there has been no session with that 
> user. So you proceed to log in.
> If it exists, but it is different from the stored one, the user is already 
> logged in, so you must prevent the second one.
>

That is a possible alternative approach, but could create problems. Someone 
can log in on one machine and not explicitly log out. It will then be 
impossible to log in from any other machine at least until login expires on 
the first one. If you allow extended logins (e.g., 30 days), you would have 
to wait 30 days. Massimo's approach avoids this problem by letting the 
second login take precedence and force the first login to become 
invalidated.

Anthony 

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [web2py] Re: prevent multiple session at the same time

2018-04-03 Thread AlighaThor
I would not perform the database check in every request (and I think 
Massimo didn't mean that :)), only during the second (or more) attempt 
to log in with the same user. 

Let's say you have the X user logged in. You stored the uuid in the 
auth_user.uuid field as mentioned. Then in another session there is an 
attempt to log in with those same credentials. You generate a second uuid, 
and validate that new uuid against the older one stored in the user record.

If the auth_user.uuid field is blank, there has been no session with that 
user. So you proceed to log in.
If it exists, but it is different from the stored one, the user is already 
logged in, so you must prevent the second one.



Re: [web2py] Re: prevent multiple session at the same time

2018-03-15 Thread Manuele Pesenti



On 12/03/2018 15:08, Anthony wrote:
>> What if I cache on disk the result of a function that returns the
>> session id and I check if it corresponds to the real value?
>
> Not sure what you mean. Where does the session ID produced by the 
> function come from, and how is the "real value" defined? What are you 
> suggesting that is different from Massimo's approach?
>
> Anthony

Hi Anthony,
thanks for your reply, I read the message from Massimo now and I 
realize that I misunderstood something... Massimo said to create a uuid 
and store it in database. I thought that `session.id` could be used 
instead and it could be considered as a "real value" or better as the 
real current session identifier. That's the check I was thinking about:

    if session.id != cache.disk('session_id_%s' % user.id, lambda: session.id, time_expire=3600):
        auth.logout()

On the other hand, I'm not sure that using the filesystem instead of 
performing a database select query on every request is a better choice. Is it?


Cheers
    Manuele



Re: [web2py] Re: prevent multiple session at the same time

2018-03-12 Thread Anthony
On Monday, March 12, 2018 at 7:23:26 AM UTC-4, Manuele wrote:
>
> On 07/03/18 15:51, Anthony wrote: 
> > Be aware, that will require a database select on every request. If you 
> > want to minimize the database hits, you could also store in the 
> > session the time of the last database lookup, and then only check the 
> > database every X minutes (the tradeoff being that it could take up to 
> > X minutes to disable the first session after the second session has 
> > begun -- if you must ensure zero overlap of sessions, then you'll have 
> > to do the database check on every request). 
>
> What if I cache on disk the result of a function that returns the 
> session id and I check if it corresponds to the real value?


Not sure what you mean. Where does the session ID produced by the function 
come from, and how is the "real value" defined? What are you suggesting 
that is different from Massimo's approach?

Anthony



Re: [web2py] Re: prevent multiple session at the same time

2018-03-12 Thread Manuele Pesenti
On 07/03/18 15:51, Anthony wrote:
> Be aware, that will require a database select on every request. If you
> want to minimize the database hits, you could also store in the
> session the time of the last database lookup, and then only check the
> database every X minutes (the tradeoff being that it could take up to
> X minutes to disable the first session after the second session has
> begun -- if you must ensure zero overlap of sessions, then you'll have
> to do the database check on every request).

What if I cache on disk the result of a function that returns the
session id and I check if it corresponds to the real value? In this case
how can I force a logout of all other users logged in with the same
username? I would prefer to give precedence to the last one who logs in.

Cheers

    Manuele



Re: [web2py] Re: prevent multiple session at the same time

2018-03-07 Thread Manuele Pesenti

Thanks a lot Massimo! As precious as ever.
:)

    M.


On 07/03/2018 07:02, Massimo Di Pierro wrote:
> It is possible.
>
> When a user first logs in, store a uuid in the session and write it in 
> the database (in a new custom field in the auth_user table). When a 
> request arrives, if the uuid in the session does not match the uuid in 
> the database, call auth.logout().


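
The scheme discussed in this thread (a per-login uuid held in both the session and the auth_user row, the newest login taking precedence, and an optional recheck interval to reduce database lookups), as an added example that is not code from the thread or from web2py. Plain dicts stand in for the web2py session and the auth_user table, and the names `login`, `check_request`, `recheck_every` and `demo` are hypothetical.

```python
import uuid

# Constructed stand-in for the auth_user table: user id -> row with the custom uuid field.
auth_user = {1: {"uuid": None}}

def login(session, user_id, now):
    """Last login wins: a fresh token overwrites whatever an earlier login stored."""
    token = str(uuid.uuid4())
    auth_user[user_id]["uuid"] = token           # one write per login
    session.update(user_id=user_id, uuid=token, checked_at=now)

def logout(session):
    """Stand-in for auth.logout(): drop the login state held in this session."""
    session.clear()

def check_request(session, now, recheck_every=0):
    """Run on every request. recheck_every=0 does a lookup each time; a larger
    value skips the lookup until that many seconds have passed since the last one.
    Returns True if the session is still logged in."""
    if "user_id" not in session:
        return False
    if now - session["checked_at"] < recheck_every:
        return True                              # trust the previous lookup
    session["checked_at"] = now
    if auth_user[session["user_id"]]["uuid"] != session["uuid"]:
        logout(session)                          # a newer login replaced this one
        return False
    return True

def demo(recheck_every):
    """First login at t=0, second at t=100, first session polls every 60 s.
    Returns the time at which the first session gets logged out."""
    auth_user[1]["uuid"] = None
    first, second = {}, {}
    login(first, 1, now=0)
    login(second, 1, now=100)
    assert check_request(second, now=100, recheck_every=recheck_every)
    for t in range(120, 2000, 60):
        if not check_request(first, now=t, recheck_every=recheck_every):
            return t
    return None

if __name__ == "__main__":
    print("lookup on every request:", demo(0))   # logged out on its next request
    print("lookup every 600 s:", demo(600))      # overlap lasts until the recheck
```

With `recheck_every=600` the first session stays usable for 500 seconds after the second login, which is the overlap window the recheck interval trades for fewer lookups.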