#22 ✓resolved
James B. Byrne

Manually logged out session is still counted as logged in.

Reported by James B. Byrne | January 2nd, 2009 @ 03:15 PM

There is an inconsistency in the manner by which active user sessions are reported. The Authlogic::Session::Base destroy method removes the session thus:

     # File lib/authlogic/session/base.rb, line 160
     def destroy
       errors.clear
       @record = nil
       true
     end

However, sessions are counted as logged in so long as the session.last_request_at value is within the interval of logged_in_timeout seconds of the report time. I believe that a log out action itself will update the last_request_at value.

This leads to the case where for logged_in_timeout seconds after a user has logged out, that session is nonetheless reported as being logged in, at least for active record session stores.

Should there be an explicit session_terminated attribute in addition to the last_request_at which is set by the destroy method? Then the logged_in method could check for either timeouts or terminations when deciding what to report as logged in.

Comments and changes to this ticket

  • Ben Johnson

    Ben Johnson January 2nd, 2009 @ 03:28 PM

    • State changed from “new” to “resolved”

    Doing something like that is going over the top, not to mention keeping that field up to date would present problems if people had multiple active sessions. It's just not worth it. The logged_in and logged_out methods provided are just for useful information, they are not meant to be dead accurate by the second. It's meant to be "people logged in within the past 10 minutes or so". You should never base any access logic on this. It was just some fun information I threw in there because I could and to show the power of moving the session maintenance login into its own domain.

    One thing you could do is add a last_logout_at field and maintain that. I just feel like it's unnecessary and promotes using this information for business logic, when it never should. The logged in / logged out status should be based on the credentials passed by the user, either by session or cookie.

  • James B. Byrne

    James B. Byrne January 5th, 2009 @ 10:51 AM

    I suppose that I am missing something obvious and fundamental here, but surely an application can maintain a pool of active sessions and simply expire/terminate entries in that pool. So that, rather than scanning the users table for the last recorded request time, one just counts the sessions in the pool and reports the total number of active sessions rather than the number of active users. Or does this approach present a significant scaling issue?

    It seems to me that it is the number of sessions that is significant in any case.

  • Ben Johnson

    Ben Johnson January 5th, 2009 @ 11:33 AM

    What are you trying to accomplish by doing this?

  • James B. Byrne

    James B. Byrne January 5th, 2009 @ 03:05 PM

    Just to count the number of open/active sessions and identify whose they are. I thought that adding a session-terminated attribute to the session model was a convenient way of flagging a manually logged out session as stale even if the timeout had not expired. I never envisaged maintaining an active session count in the users table, or anywhere else.

    I am not trying to alter the design of anything. Rather I am exploring the concept of "logged in" as it applies to web applications. In the environment that I come from, user sessions are stateful and the determination of who is logged in is definitive. I was expecting something similar in this environment and, perhaps naively, am considering ways in which this might be done within the limits of a stateless environment.

    At some point in my current project, which deals with federal tax transactions, I will probably need to be able to show if and when a session was terminated manually.

  • Ben Johnson

    Ben Johnson January 5th, 2009 @ 03:21 PM

    I understand, I just think it adds an unnecessary layer of complication for a feature that would rarely be used, I would imagine you would be one of the few, if not the only person to use this. Also, multiple computers can be logged in as the same user, and I do not think a user's session should depend on any columns in the database other than the persistence token.

    If you want, create a plugin for authlogic that does this and maintains a logged_out_at column in the destroy method of the session and see how it works. You could redefine the logged_in? and logged_out? logic to include that column as well as a 10 minute activity expiration. This should be as easy as creating a plugin for ActiveRecord.
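
The counting behaviour reported in this ticket and the logged_out_at variant suggested in the comment above, modelled in plain Ruby. This is an added example, not Authlogic code and not part of the original thread; the `UserRow` struct, the helper names and the sample rows are assumptions constructed for illustration.

```ruby
# Added illustration in plain Ruby; not Authlogic code. The struct, helper
# names and sample rows are constructed for this example.
LOGGED_IN_TIMEOUT = 10 * 60 # seconds, the "10 minutes or so" window

UserRow = Struct.new(:login, :last_request_at, :logged_out_at)

# Behaviour described in the ticket: any request inside the window counts,
# including the request that performed the logout.
def logged_in_by_timeout(rows, now, timeout = LOGGED_IN_TIMEOUT)
  rows.select { |r| r.last_request_at && r.last_request_at > now - timeout }
end

# Variant with a logged_out_at column: a row is dropped only when the logout
# is at least as recent as the last request. A later request from another
# browser for the same user puts the row back, because one column per user
# cannot say which session ended.
def logged_in_excluding_logouts(rows, now, timeout = LOGGED_IN_TIMEOUT)
  logged_in_by_timeout(rows, now, timeout).reject do |r|
    r.logged_out_at && r.logged_out_at >= r.last_request_at
  end
end

# What a destroy hook would record: the logout is itself a request.
def record_logout(row, at)
  row.last_request_at = at
  row.logged_out_at = at
  row
end

def demo
  now = Time.utc(2009, 1, 5, 15, 30, 0)
  alice = UserRow.new("alice", now - 120, nil)   # active 2 minutes ago
  bob = record_logout(UserRow.new("bob", now - 300, nil), now - 60)
  carol = record_logout(UserRow.new("carol", now - 400, nil), now - 200)
  carol.last_request_at = now - 30               # still active in a second browser
  dave = UserRow.new("dave", now - 3600, nil)    # idle past the timeout
  rows = [alice, bob, carol, dave]
  {
    by_timeout: logged_in_by_timeout(rows, now).map(&:login),
    excluding_logouts: logged_in_excluding_logouts(rows, now).map(&:login)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Either count is reporting data only; an audit trail of when a specific session was ended needs a per-session record rather than a per-user column.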

  • James B. Byrne

    James B. Byrne January 5th, 2009 @ 03:32 PM

    I am not sure that I understand then how sessions and the concept of a logged out user works. If I have two sessions, and I am not active on one of them for more than the timeout value, but I am active on the other, then are both sessions considered active by authlogic?

  • Patricia04

    Patricia04 April 19th, 2019 @ 01:56 AM

    If it were me I would clear the session on log out and create a bool in it called HasLoggedOut then set this to true. Then if this bool exists in session you know they logged out.

Object based authentication solution that handles all of the non sense for you. It's as easy as ActiveRecord is with a database.