Relying on session timeouts seems to be a problem in using UserKit, at least with the UserManager.activeUsers() method.

If a user logs in and their session invalidates, how does the UserManager know that they lost their session? Technically they are not logged in, because next time they hit a page they will be asked to log in again as a new user. BUT the function activeUsers will report them as an active user? Is there a hook somewhere for my code when a session is destroyed? I see where the task is set up to sweep the sessions in application, but I don't want to touch that.

I usually put the user object in the session store; this way a function like activeUsers could be called against the sessions rather than the UserManager.

I like the idea of the User cache in the manager; my app will initially have 1500 users, but I imagine only 50 or so will use it regularly.

Thanks for the help,
-Aaron

----- Original Message -----
From: "Chuck Esterbrook" <[EMAIL PROTECTED]>
To: "Aaron Held" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, October 11, 2001 3:14 PM
Subject: Re: [Webware-devel] UserKit

> At 02:56 PM 10/11/2001 -0400, Aaron Held wrote:
> >Are any of the timeout functions in the UserManager classes
> >(cachedUserTimeout()) implemented?
> >They do not seem to be used anywhere.
> >
> >Also what is External ID used for? For an I was planning to map -
> >User.name = email address
> >User.SerialNum = User.SerialNum (= primary key of DB)
> >User.ExternalID = employeeID
> >
> >(I know it's Alpha so that's why I think the functions are not used)
>
> You're correct that the timeouts are not used. They are mostly important
> for sites that have a huge number of users. More moderate sites could rely
> on WebKit session timeouts instead (assuming you are using WebKit). So far
> UserKit users haven't felt the burden of 10,000 simultaneous users so no
> one has implemented the timeouts.
>
> The idea behind externalId is that you could safely use it externally to
> refer to a user. Safely means that 1. it would be hard for someone to guess
> (and therefore impersonate another user) and 2. would not reveal private
> information about the user. This basically means an opaque, lengthy
> randomized id. I believe UserKit already provides that.
>
> And here's an example application of it: If the user chooses a "[ ]
> Remember me" checkbox when signing in, you would store their externalId in
> an indefinite cookie. Using their employee id for this would be bad for
> several reasons. 1. If I get access to someone's machine I can discern
> their employee id by looking at their cookies. 2. If I already know their
> id, I can impersonate them by editing my cookies file. 3. If ids are easily
> guessed (perhaps they are consecutive) I can easily impersonate random
> employees.
>
> -Chuck
>
>
> _______________________________________________
> Webware-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/webware-devel
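Added example, not code from UserKit or from either poster, sketching both points raised in the thread: Aaron's question of how activeUsers() can stay honest once a WebKit-style session times out (and what a session-destroyed hook would look like), and Chuck's externalId used as an opaque "Remember me" cookie value instead of an employee id. The class and method names (User, SessionStore, UserManager, activeUsers, externalId, userForRememberMeCookie, sessionExpired) borrow the thread's vocabulary, but every implementation detail, including the idle-timeout session store, the on_expire hook and the digest-indexed cookie lookup, is an assumption of this illustration and not how UserKit is written.

```python
import hashlib
import secrets
import time

# Illustration only (not UserKit's own code). Names follow the thread;
# all behaviour below is assumed.

EXTERNAL_ID_BYTES = 32          # 256 random bits: opaque and infeasible to guess


def _digest(token):
    # Index cookie tokens by SHA-256 digest so a leaked user table does not
    # hand out valid "Remember me" cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class User:
    def __init__(self, serial_num, name, employee_id):
        self.serialNum = serial_num        # DB primary key
        self.name = name                   # e-mail address (Aaron's mapping)
        self.employeeId = employee_id      # internal; never placed in a cookie
        # Random, opaque id that is safe to hand to the browser.
        self.externalId = secrets.token_urlsafe(EXTERNAL_ID_BYTES)


class SessionStore:
    """Idle-timeout sessions; on_expire(serialNum) is the 'session destroyed' hook."""

    def __init__(self, timeout, clock=time.time):
        self.timeout = timeout
        self.clock = clock                 # injectable for deterministic tests
        self.on_expire = None
        self._sessions = {}                # sid -> (serialNum, last access)

    def create(self, user):
        sid = secrets.token_urlsafe(32)    # session id is itself unguessable
        self._sessions[sid] = (user.serialNum, self.clock())
        return sid

    def _expire(self, sid):
        serial, _ = self._sessions.pop(sid)
        if self.on_expire:
            self.on_expire(serial)

    def touch(self, sid):
        """Per request: refresh the session, or expire it and return None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        serial, last = entry
        if self.clock() - last > self.timeout:
            self._expire(sid)
            return None
        self._sessions[sid] = (serial, self.clock())
        return serial

    def sweep(self):
        """What a periodic sweeper task does: drop every idle session."""
        now = self.clock()
        for sid, (_, last) in list(self._sessions.items()):
            if now - last > self.timeout:
                self._expire(sid)

    def live_serials(self):
        self.sweep()
        return {serial for serial, _ in self._sessions.values()}


class UserManager:
    def __init__(self, sessions):
        self.sessions = sessions
        self.sessions.on_expire = self.sessionExpired
        self._by_serial = {}
        self._by_external_digest = {}
        self.expired = []                  # serials reported by the hook

    def add(self, user):
        self._by_serial[user.serialNum] = user
        self._by_external_digest[_digest(user.externalId)] = user

    def sessionExpired(self, serial):
        # Hook target: evict from any per-user cache here.
        self.expired.append(serial)

    def activeUsers(self):
        """Derived from live sessions, so a timed-out user is not reported."""
        return [self._by_serial[s] for s in sorted(self.sessions.live_serials())]

    def userForRememberMeCookie(self, cookie_value):
        """Resolve the opaque externalId carried in an indefinite cookie."""
        if not isinstance(cookie_value, str) or not cookie_value.isascii():
            return None
        return self._by_external_digest.get(_digest(cookie_value))


if __name__ == "__main__":
    store = SessionStore(timeout=60)
    mgr = UserManager(store)
    u = User(1, "a@example.com", 1001)     # constructed sample user
    mgr.add(u)
    store.create(u)
    print([x.name for x in mgr.activeUsers()], len(u.externalId))
```

Because activeUsers() asks the session store rather than a separate cache, there is nothing to keep in sync; the on_expire hook is only needed if the manager also caches per-user state, as Chuck's cachedUserTimeout() suggests. The cookie lookup accepts only the random externalId, so an attacker who knows or guesses an employee id (the three problems Chuck lists) gets nothing from the cookie path.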
