Clearing session for single user

Yarin

Aug 21, 2012, 1:22:42 PM
to web...@googlegroups.com
Is it possible to clear a session for a single user?

Currently, if we need to block user access, we must delete the user record or set registration key = "blocked", and then clear session for the entire site. Is there a better way?

Khalil KHAMLICHI

Aug 21, 2012, 1:31:04 PM
to web...@googlegroups.com
I believe if you store sessions in db (which is very easy and out of the box if you opt for it), you can delete the user's entry from it to disconnect him instantly, without affecting other users.
This table has a name like: web2py_session_YourApplicationName

Regards


Yarin

Aug 21, 2012, 1:44:25 PM
to web...@googlegroups.com
Khalil - I've never seen a session table in web2py before. Neither the basic app nor a wizard-generated app nor the welcome app has one - where have you seen this?

Khalil KHAMLICHI

Aug 21, 2012, 2:30:59 PM
to web...@googlegroups.com
Pretty easy. Just after the db definition, for example:
    db = DAL('postgres://postgres:Nour@localhost/asterisk')
add this line:
    session.connect(request, response, db, masterapp=None)
Refresh and look inside the database for a table called: web2py_session_YourAppNameHere



Niphlod

Aug 21, 2012, 2:40:51 PM
to
the relevant book section is http://web2py.com/books/default/chapter/29/13#Sessions-in-database

However, file sessions or db won't "save you".

You need to know the relationship between session and user_id. Every app has different requirements, so you could implement the logic to store the relationship somewhere and not have to scan them all.
Web2py doesn't expose that relationship because:
a) sessions are also created for unregistered users
b) one registered user can have multiple sessions (one in chrome, the other in firefox), even in multiple devices (desktop, nettop, tablet, cell phone, etc) and they are considered (rightfully) valid.
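
The mapping described above, as an added example that is not part of the original posts and is not web2py code: it uses plain sqlite3 so it runs stand-alone. The table web2py_session_myapp is a simplified, constructed stand-in for the database session table, and user_session, on_login and revoke_user are hypothetical names for the app-side mapping.

```python
import sqlite3

# Constructed schema: a cut-down stand-in for web2py_session_<app> plus a
# hypothetical user_session table that the app fills in when a user logs in.
SCHEMA = """
CREATE TABLE web2py_session_myapp (
    id INTEGER PRIMARY KEY,
    unique_key TEXT NOT NULL,
    session_data BLOB
);
CREATE TABLE user_session (
    user_id INTEGER NOT NULL,
    session_id INTEGER NOT NULL,
    PRIMARY KEY (user_id, session_id)
);
"""

def new_session(conn, unique_key):
    """Every visitor gets a session row, logged in or not."""
    cur = conn.execute(
        "INSERT INTO web2py_session_myapp (unique_key) VALUES (?)", (unique_key,))
    return cur.lastrowid

def on_login(conn, user_id, session_id):
    """Record which session now belongs to which user (one user, many rows)."""
    conn.execute("INSERT OR IGNORE INTO user_session VALUES (?, ?)",
                 (user_id, session_id))

def revoke_user(conn, user_id):
    """Delete every session mapped to user_id; return how many were removed."""
    with conn:  # one transaction: sessions and mapping go together
        cur = conn.execute(
            "DELETE FROM web2py_session_myapp WHERE id IN "
            "(SELECT session_id FROM user_session WHERE user_id = ?)", (user_id,))
        conn.execute("DELETE FROM user_session WHERE user_id = ?", (user_id,))
    return cur.rowcount

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    new_session(conn, "k-anon")                        # unregistered visitor
    on_login(conn, 1, new_session(conn, "k-u1-chrome"))
    on_login(conn, 1, new_session(conn, "k-u1-phone"))  # same user, 2nd device
    on_login(conn, 2, new_session(conn, "k-u2"))
    removed = revoke_user(conn, 1)
    left = [r[0] for r in conn.execute(
        "SELECT unique_key FROM web2py_session_myapp ORDER BY id")]
    return removed, left

if __name__ == "__main__":
    print(demo())
```
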

Yarin

Aug 21, 2012, 2:55:13 PM
to web...@googlegroups.com
Perfect- this will get me there- thanks both



Khalil KHAMLICHI

Aug 21, 2012, 2:59:14 PM
to web...@googlegroups.com
You are right, without some additional work to map users to session IDs it's useless,
but there are many ways from there:
for example, every user must have his own IP; you can easily map a user to an IP upon login, for example by using:
    auth.settings.login_onaccept = lambda func: usr_connect()  # this function logs the user's IP to some table
    auth.settings.logout_onlogout = lambda func2: usr_disconnect()  # this function deletes the user's IP from the table





Anthony

Aug 21, 2012, 3:18:19 PM
to web...@googlegroups.com
You could have a function that goes through each session file and looks for auth.user.id, and if it matches the id of the blocked user, delete the file. For some ideas on the logic for processing through all the session files, see http://code.google.com/p/web2py/source/browse/scripts/sessions2trash.py.

Another option is to include something like this in your app:

    if auth.user and db.auth_user[auth.user_id].registration_key == 'blocked':
        # [code to logout user and either clear the session or delete the session file]

The downside of that is it involves a database hit on every request for logged in users. You could reduce the db hits by only running the check if the requested function is one that requires login.

Anthony
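
A sketch of the first option above (scan the session files and delete those belonging to the blocked user), added here as an example that is not part of the original post and is not taken from sessions2trash.py. It assumes each session file is a pickled dict-like object with the user id at auth -> user -> id; the file names and contents in demo() are constructed.

```python
import os
import pickle
import tempfile

def session_user_id(path):
    """Return the auth.user.id stored in a pickled session file, or None."""
    try:
        with open(path, "rb") as fh:
            # pickle.load can run code: only use it on files the server
            # wrote itself, never on anything a client could upload.
            data = pickle.load(fh)
    except (OSError, EOFError, pickle.UnpicklingError, AttributeError, ImportError):
        return None  # empty or unreadable file: leave it alone
    auth = data.get("auth") if isinstance(data, dict) else None
    user = auth.get("user") if isinstance(auth, dict) else None
    return user.get("id") if isinstance(user, dict) else None

def purge_user_sessions(session_dir, blocked_id):
    """Delete every session file owned by blocked_id; return the names removed."""
    removed = []
    for name in sorted(os.listdir(session_dir)):
        path = os.path.join(session_dir, name)
        if os.path.isfile(path) and session_user_id(path) == blocked_id:
            os.remove(path)
            removed.append(name)
    return removed

def demo():
    # Constructed sample: two sessions for user 7 (two browsers), one for
    # user 9, one anonymous session and one empty file.
    samples = {
        "127-0-0-1-aaa": {"auth": {"user": {"id": 7}}},
        "127-0-0-1-bbb": {"auth": {"user": {"id": 7}}},
        "127-0-0-1-ccc": {"auth": {"user": {"id": 9}}},
        "127-0-0-1-ddd": {},
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                pickle.dump(data, fh)
        open(os.path.join(d, "127-0-0-1-eee"), "wb").close()
        removed = purge_user_sessions(d, 7)
        return removed, sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```
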