#22 ✓resolved
James B. Byrne

Manually logged out session is still counted as logged in.

Reported by James B. Byrne | January 2nd, 2009 @ 03:15 PM

There is an inconsistency in the manner by which active user sessions are reported. The Authlogic::Session::Base destroy method removes the session thus:

     # File lib/authlogic/session/base.rb, line 160
     def destroy
       errors.clear
       @record = nil
       true
     end

However, sessions are counted as logged in so long as the session.last_request_at value is within the interval of logged_in_timeout seconds of the report time. I believe that a log out action itself will update the last_request_at value.

This leads to the case where for logged_in_timeout seconds after a user has logged out, that session is nonetheless reported as being logged in, at least for active record session stores.

Should there be an explicit session_terminated attribute in addition to the last_request_at which is set by the destroy method? Then the logged_in method could check for either timeouts or terminations when deciding what to report as logged in.

Comments and changes to this ticket

  • Ben Johnson

    Ben Johnson January 2nd, 2009 @ 03:28 PM

    • State changed from “new” to “resolved”

    Doing something like that is going over the top, not to mention keeping that field up to date would present problems if people had multiple active sessions. It's just not worth it. The logged_in and logged_out methods provided are just for useful information; they are not meant to be dead accurate by the second. It's meant to be "people logged in within the past 10 minutes or so". You should never base any access logic on this. It was just some fun information I threw in there because I could, and to show the power of moving the session maintenance logic into its own domain.

    One thing you could do is add a last_logout_at field and maintain that. I just feel like it's unnecessary and promotes using this information for business logic, when it never should. The logged in / logged out status should be based on the credentials passed by the user, either by session or cookie.

  • James B. Byrne

    James B. Byrne January 5th, 2009 @ 10:51 AM

    I suppose that I am missing something obvious and fundamental here, but surely an application can maintain a pool of active sessions and simply expire/terminate entries in that pool. So that, rather than scanning the users table for the last recorded request time, one just counts the sessions in the pool and reports the total number of active sessions rather than the number of active users. Or does this approach present a significant scaling issue?

    It seems to me that it is the number of sessions that is significant in any case.

  • Ben Johnson

    Ben Johnson January 5th, 2009 @ 11:33 AM

    What are you trying to accomplish by doing this?

  • James B. Byrne

    James B. Byrne January 5th, 2009 @ 03:05 PM

    Just to count the number of open/active sessions and identify whose they are. I thought that adding a session-terminated attribute to the session model was a convenient way of flagging a manually logged out session as stale even if the timeout had not expired. I never envisaged maintaining an active session count in the users table, or anywhere else.

    I am not trying to alter the design of anything. Rather, I am exploring the concept of "logged in" as it applies to web applications. In the environment that I come from, user sessions are stateful and the determination of who is logged in is definitive. I was expecting something similar in this environment and, perhaps naively, am considering ways in which this might be done within the limits of a stateless environment.

    At some point in my current project, which deals with federal tax transactions, I will probably need to be able to show if and when a session was terminated manually.

  • Ben Johnson

    Ben Johnson January 5th, 2009 @ 03:21 PM

    I understand. I just think it adds an unnecessary layer of complication for a feature that would rarely be used; I would imagine you would be one of the few, if not the only, person to use this. Also, multiple computers can be logged in as the same user, and I do not think a user's session should depend on any columns in the database other than the persistence token.

    If you want, create a plugin for authlogic that does this and maintains a logged_out_at column in the destroy method of the session and see how it works. You could redefine the logged_in? and logged_out? logic to include that column as well as a 10 minute activity expiration. This should be as easy as creating a plugin for ActiveRecord.
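The following is an added example, not Authlogic's own code and not part of this ticket thread. It sketches the two reporting rules discussed above side by side: the timeout-only rule from the original report (a session counts as logged in while last_request_at is within logged_in_timeout) and the variant Ben suggests, where a logged_out_at column set by the session's destroy ends the "logged in" status immediately. The UserRecord struct, the destroy_session and report helpers, and the sample users are all constructed for the illustration; the 10-minute timeout is Authlogic's default.

```ruby
require 'time'

# Authlogic's default logged_in_timeout is 10 minutes.
LOGGED_IN_TIMEOUT = 10 * 60 # seconds

# Hypothetical in-memory stand-in for a users row that carries the
# last_request_at column Authlogic maintains plus the logged_out_at
# column suggested in the ticket.
UserRecord = Struct.new(:login, :last_request_at, :logged_out_at)

# Timeout-only rule (the behaviour the report describes): the user is
# reported as logged in while the last request is within the timeout,
# whether or not an explicit logout happened in between.
def logged_in_by_timeout?(user, now)
  !user.last_request_at.nil? && user.last_request_at > now - LOGGED_IN_TIMEOUT
end

# Rule with the logout column: a logout stamped at or after the last
# request ends the "logged in" status at once; any later activity (a fresh
# login) has a newer last_request_at and revives it. The comparison is
# strict because the logout request itself also touches last_request_at,
# as the report observes, so both stamps may carry the same time.
def logged_in?(user, now)
  return false unless logged_in_by_timeout?(user, now)
  return true if user.logged_out_at.nil?
  user.logged_out_at < user.last_request_at
end

# What a session destroy would do with the extra column. Note the caveat
# from the thread: a single per-user column cannot tell two concurrent
# sessions of the same user apart, so one logout marks the user, not a session.
def destroy_session(user, now)
  user.last_request_at = now # the logout request is itself a request
  user.logged_out_at = now
  user
end

# Constructed sample data with the report time fixed at NOW.
NOW = Time.parse('2009-01-05 15:30:00 UTC')

def sample_users
  [
    UserRecord.new('alice', NOW - 120, nil),                         # active 2 minutes ago
    UserRecord.new('bob',   NOW - 3600, nil),                        # idle for an hour
    destroy_session(UserRecord.new('carol', NOW - 60, nil), NOW - 30) # logged out 30 s ago
  ]
end

# One row per user: [login, timeout-only verdict, verdict with logout column].
def report(users, now)
  users.map { |u| [u.login, logged_in_by_timeout?(u, now), logged_in?(u, now)] }
end

if $PROGRAM_NAME == __FILE__
  puts 'login  timeout-only  with-logout-column'
  report(sample_users, NOW).each { |l, t, w| puts format('%-6s %-13s %s', l, t, w) }
end
```

Running it shows carol reported as logged in under the timeout-only rule for the rest of the 10-minute window even though she explicitly logged out, and as logged out once the column is consulted. As Ben says above, either number is informational; neither should gate access, which stays with the persistence token or cookie the request actually presents.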

  • James B. Byrne

    James B. Byrne January 5th, 2009 @ 03:32 PM

    I am not sure that I understand then how sessions and the concept of a logged out user works. If I have two sessions, and I am not active on one of them for more than the timeout value, but I am active on the other, then are both sessions considered active by authlogic?
