how to log out a specific user if that user is logged in?

Bendanpa

Oct 11, 2011, 7:04:06 PM
to play-framework
I am using Play built-in secure module. I want to let an admin user log
out a specific user if that user is logged in. Any suggestion?

Thanks,
Bendanpa

Brian Nesbitt

Oct 11, 2011, 11:29:41 PM
to play-fr...@googlegroups.com
Hmm......  tough one since the fact that they are logged in is stored in the cookie on their computer and the requests are stateless.

Only thing I can think of is you need to store the userId (i.e. unique identifier) of the user the admin wants to log out and each time a user makes a request, check to see if this is a user that needs to be logged out and then proceed to kick them out.  You can't just do it on login because they may already be logged in... you have to check everyone on every request.  Probably use a @Before if you can.

Are you using a DB with a user table/document?  Since you are probably loading a user object (from DB or cache) with each logged in request anyway, maybe add a shouldLogout field and check that for every request and log out if it's true, then set back to false depending on the business rule.  Then in your admin just set this flag to true for the particular user.

You could also use some datastore (depending on your current systems and requirement for durability the following would all work: Java in-memory HashMap, Redis, Cache, Datastore (memory table in MySQL for speed)) and store a list of unique ids and check that list with each request.  Just make sure it's fast whatever it is!  (i.e. use something that has O(1) access, not O(N))

That's all I got!

DanInDC

Oct 11, 2011, 11:58:39 PM
to play-framework
Presumably you have a logout() method? Do whatever that method is
doing...

But it sounds like you don't or it's broken. I'd fix that problem
first.

Brian Nesbitt

Oct 12, 2011, 12:59:39 AM
to play-fr...@googlegroups.com
There is a logout() method that comes with the secure module.  Basically it just deletes the session cookie and remember me cookie.  The problem really isn't how to log out the user, it's saving the user the admin wants to kick out and then determining (on each request) if this is a user to kick out, while maintaining good app performance.

Aishwarya Singhal

Oct 12, 2011, 1:49:34 AM
to play-framework
I think storing the logged in users in database could help. Do a
uniqueness check before inserting a record and delete on logout. The
only catch is that you would have to base it on an assumption of
timestamps to capture inactivity since people may not explicitly
log out at times (just close browser window) and you won't want them to
get prevented from logging in again :-)

Best regards

grandfatha

Oct 12, 2011, 10:27:30 AM
to play-framework
If it is urgent and you don't care about other users losing their
"rememberme"-status, then just change the secret key. This way the
signed cookie will be invalid next time any user tries to visit the
site.

If you need to be user-specific, there is not much you can do, as the
very basic secure module was not designed with this requirement in
mind. If you need this functionality, you need to create your own
module that does this.

Dominik Dorn

Oct 12, 2011, 12:26:05 PM
to play-fr...@googlegroups.com
Attention: if you encrypt your users' passwords using the Crypto.sign()
method, this will break all user passwords too!


--
Dominik Dorn
http://dominikdorn.com
http://twitter.com/domdorn

You can find lecture scripts, notes, study materials, etc. at
http://www.studyguru.eu !

Dominik Dorn

Oct 12, 2011, 1:21:47 PM
to play-fr...@googlegroups.com
I don't know how your application is built, but mine looks up the
current logged in
user on every request from the db using the session['username'].

In that user object you could store a property, let's say authToken,
that gets read when the user logs in and is also stored in the
session.

You then create a @Before annotated method in your parent controller
that checks if the session['authToken'] matches the authToken in the
retrieved user object. If it does, proceed; if it does not, destroy
the session.

There's a hook in the secure module to do custom stuff after a user is
authenticated.. that's where you can put the authToken into the
session.

So to log a user out, you'd simply have to generate a new authToken
for that user.

Quite easy to do and works with the stateless way of Play.

Just keep the authToken short as it's transferred on every request with
the cookies... a two digit number would do fine.

Brian Nesbitt

Oct 12, 2011, 2:03:38 PM
to play-fr...@googlegroups.com
That's the same as just storing a user.kick field in the db and setting it to true and proceed to kick the user except it doesn't have to be sent back and forth on all requests.  There is already a session key that is sent and returned, no need for yet another authToken?!?

Gaëtan Renaudeau

Oct 12, 2011, 4:52:40 PM
to play-fr...@googlegroups.com


2011/10/12 Bendanpa <bend...@gmail.com>

> I am using Play built-in secure module. I want to let an admin user log
> out a specific user if that user is logged in. Any suggestion?

You could put an incremental number n on each User (in the model).
To log someone out, you just need to increment this value n on the user model.
  • On login, you put this number n in the session (of course, in addition to something to identify him, like user.id)
  • On logout, you clean the session
  • To know if someone is logged in: you check if the session contains the user identifier (like user.id) and if the number n stored is equal to the user.n number in the model. If not, you clean the session and redirect the user to the login page.

Using the secure module, you have to reimplement some security methods to make it work ;)



--
Gaëtan Renaudeau
--------------------------
http://twitter.com/greweb - http://blog.greweb.fr - http://gaetanrenaudeau.fr
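
The counter-in-session scheme from the two posts above (Dominik Dorn's authToken and Gaëtan Renaudeau's number n), as an added, self-contained Java example that is not code from the thread or from Play. An HMAC-signed cookie stands in for Play's signed session cookie; the class, the key and the `name:n:signature` cookie layout are constructed for illustration, and user names are assumed not to contain ':'.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionVersionDemo {
    // Constructed key; stands in for the application secret that signs the cookie.
    static final byte[] SECRET = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
    // Server-side counter n per user (a column on the user model in a real app).
    static final Map<String, Integer> VERSION = new ConcurrentHashMap<>();

    static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Login: copy the user's current n into the signed, client-held session.
    static String login(String user) throws Exception {
        String payload = user + ":" + VERSION.computeIfAbsent(user, u -> 0);
        return payload + ":" + sign(payload);
    }

    // Admin action: bump n so every cookie issued before this point stops matching.
    static void adminLogout(String user) { VERSION.merge(user, 1, Integer::sum); }

    // Per-request check (the @Before step): the user name, or null to clear the session.
    static String validate(String cookie) throws Exception {
        String[] p = cookie.split(":");
        if (p.length != 3) return null;
        byte[] expected = sign(p[0] + ":" + p[1]).getBytes(StandardCharsets.UTF_8);
        boolean sigOk = MessageDigest.isEqual(expected, p[2].getBytes(StandardCharsets.UTF_8));
        Integer n = VERSION.get(p[0]);
        return (sigOk && n != null && p[1].equals(n.toString())) ? p[0] : null;
    }

    public static void main(String[] args) throws Exception {
        String alice = login("alice"), bob = login("bob");
        adminLogout("alice");
        System.out.println("alice, old cookie: " + validate(alice));
        System.out.println("bob, untouched:    " + validate(bob));
        System.out.println("alice, new login:  " + validate(login("alice")));
    }
}
```

Unlike a boolean flag, the counter needs no reset before the user can log in again. In a Play application the rejection branch would call the secure module's logout() so that the remember-me cookie is deleted along with the session cookie.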

Bendanpa

Oct 12, 2011, 8:09:45 PM
to play-framework
Thanks all for the suggestions.

My own idea in mind is to first get the session object of the specific
user (suppose the admin user knows the specific user's username). Then
just clear that session.

But I don't know how to get that user's session, and that will be the
headache. Also, I don't know, even if the admin user got the user's
session, can the admin user clear another user's session?

Does anyone know how to get a specific user's session object?

Thanks,
Bendanpa




green

Oct 12, 2011, 10:05:32 PM
to play-fr...@googlegroups.com
Unlike some other frameworks, e.g. .NET and JEE, Play doesn't really have a Session object. Instead Play applies the stateless model, and the Session object in Play is cookies maintained on the client side, i.e. the browser of the end user. It's not possible to delete the user session directly. But you could probably achieve the effect by creating a @Before filter:

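import play.mvc.Before;
import play.mvc.Controller;

public class SessionChecker extends Controller {
    // Runs before every action of any controller annotated with @With(SessionChecker.class).
    // Secure.logout() is declared "throws Throwable", so this method declares it too.
    @Before public static void validateSession() throws Throwable {
        String username = session.get("username");
        if (null == username) return;          // not logged in
        User user = User.findByName(username); // static finder on the User model
        if (null == user) return;

        // The admin cleared the flag: delete the session and remember-me cookies.
        if (!user.loggedIn) Secure.logout();
    }
}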

In any other controller that needs to check whether the user was logged out by the admin, you need:

@With(SessionChecker.class)
public class MyController extends Controller {...}

In your admin controller you could do something like this:

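public static void logout(String username) {
    User user = User.findByName(username);
    notFoundIfNull(user);
    user.loggedIn = false;  // SessionChecker logs the user out on their next request
    user.save();            // persist the flag (assumes User is a play.db.jpa.Model)
    render();
}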