Re: A few questions about Skylark sessions [message #38702 is a reply to message #38698] Mon, 07 January 2013 23:24
dolik.rce
Messages: 1791
Registered: August 2008
Location: Czech Republic
Ultimate Contributor

Hi again Peter :)

Peter wrote on Mon, 07 January 2013 22:17

At some point A deletes B from database while B is still logged in. What should happen next? The obvious idea is that B should get logged out as soon as he gets deleted from database, otherwise we'd have an inconsistency such that B would be still "logged in" (his session variable ".LOGGED" set to 1/true/etc.) while he'd be physically removed from database.
How can this problem be solved? My only idea is to check at the beginning of every request handler if the user is still in the database. The test would be based on a unique id value - users table primary key. Session variable would be initialized to this unique id as soon as the user logs in.
I think it should log the user out as soon as possible, just as you say. The trick about his session variables is that you should delete those too. For that you must know his session id, which is the tricky part. If you use a database in your project, I would definitely advise you to use it to store sessions as well (you just have to set SkylarkSessionConfig::table to the name of the table) and then you can easily access all the sessions and find and delete the one corresponding to the deleted user (especially when the session format is set to JSON). If you use the default setting for sessions, they are stored in files and those are much harder to cope with, but in theory, if you know the correct session id, you can delete the corresponding file in SkylarkSessionConfig::dir and achieve the same result - the user being effectively erased. Perhaps you could just store the session id of each user when they log in, so you can retrieve it later in case you need to tamper with his session.

Peter wrote on Mon, 07 January 2013 22:17

What about even trickier case - while B is logged in, A alters some of B's data (login, password or even unique id)? What's the expected behaviour then? Should B remain logged in or not?
As a user, I would expect that nothing happens and that I can still use the web as any other logged-in user. Changing the unique id is probably not a very good idea in any scenario I can imagine, but changing anything else (even the login) should just work as long as you use the unique id to reference the user everywhere or, in other words, if you don't store the changed data anywhere.

Anyway, I think that this might be quite a common situation. Perhaps there should be some functions to allow modification of other users' cookies. At least DeleteCookie(String id), to allow logging a user off in certain situations. It should be fairly easy to implement, do you want to try? ;)

Best regards,
Honza
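
The bookkeeping suggested in the post above (remember each user's session id at login, then delete the session when the account is deleted), sketched as an added example that is not part of the original post and not Skylark code. `SessionStore`, its methods and the session ids are hypothetical names for an in-memory model; it goes slightly beyond the post by tracking several sessions per user, since one account may be logged in from more than one browser.

```cpp
#include <cstddef>
#include <map>
#include <set>
#include <string>

// Hypothetical in-memory model; none of these names are Skylark or U++ API.
const int kNoUser = -1;

class SessionStore {
    std::map<std::string, int> user_of_;               // session id -> user primary key
    std::map<int, std::set<std::string>> sessions_of_; // user primary key -> session ids
public:
    // At login: record which session id belongs to which user.
    void Login(const std::string& sid, int user_id) {
        user_of_[sid] = user_id;
        sessions_of_[user_id].insert(sid);
    }
    // When an account is deleted: drop every session of that user.
    // Returns the number of sessions revoked.
    std::size_t RevokeUser(int user_id) {
        auto it = sessions_of_.find(user_id);
        if (it == sessions_of_.end()) return 0;
        std::size_t n = 0;
        for (const auto& sid : it->second) n += user_of_.erase(sid);
        sessions_of_.erase(it);
        return n;
    }
    // At the start of a request handler: user id for this session, or kNoUser.
    int Authenticate(const std::string& sid) const {
        auto it = user_of_.find(sid);
        return it == user_of_.end() ? kNoUser : it->second;
    }
};

// Constructed scenario from the thread: admin A (id 1) deletes user B (id 2).
bool DeletedUserIsLoggedOut() {
    SessionStore store;
    store.Login("sid-a", 1);
    store.Login("sid-b-laptop", 2);   // B is logged in from two browsers
    store.Login("sid-b-phone", 2);
    if (store.RevokeUser(2) != 2) return false;
    return store.Authenticate("sid-b-laptop") == kNoUser
        && store.Authenticate("sid-b-phone") == kNoUser
        && store.Authenticate("sid-a") == 1;
}
```

Because the session holds only the primary key, changing B's login or password leaves the session valid, which matches the behaviour described in the reply.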
 