Mailing List webobjects-dev@wocommunity.org Message #37
From: Morris, Mark <webobjects-dev@wocommunity.org>
Subject: Re: [WO-DEV] Re: [EXTERNAL] [WO-DEV] Re: Question about (not allowing) multiple simultaneous logins
Date: Thu, 4 Feb 2021 19:04:57 +0000
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>

Hi Leigh,

 

Sure!

 

The checkAccess() method is included in Wonder’s ERXComponent, which we subsclass for our common component superclass. It’s called automatically from multiple places in the request-response loop (appendToResponse(), invokeAction(), and takeValuesFromRequest()).

 

If you don’t use ERXComponent but have a custom common superclass for your WOComponents, you could basically implement checkAccess() yourself, by using Wonder’s implementation as a guide. (Or just go ahead and change your superclass from WOComponent to ERXComponent, since it includes quite a few nice features.)

 

We have a LoginEntry entity which includes the WO session ID. I check that the most recent successful entry in that table for the user matches the current session. We have a pretty busy set of applications, so for performance purposes I set a timestamp each time I do that fetch and compare before any subsequent fetches, so that I don’t check twice for the same session within the same 60 seconds. Also, it’s critical (for us anyway) that the LOGIN_ENTRY table is indexed on username and login date.

 

Hope this helps, and feel free to reach out for any additional questions!

 

Regards,

Mark

 

From: WebObjects & WOnder Development <webobjects-dev@wocommunity.org> on behalf of Leigh Kivenko <webobjects-dev@wocommunity.org>
Reply-To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
Date: Thursday, February 4, 2021 at 8:01 AM
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
Subject: [WO-DEV] Re: [EXTERNAL] [WO-DEV] Re: Question about (not allowing) multiple simultaneous logins

 

Thanks all for the responses.

 

I think Mark’s suggestion is the approach one would have to take to avoid the scenarios described by others regarding locking users out: i.e., to invalidate previous sessions with a new login as opposed to denying new logins.

 

Mark, I’m going to pass this on to our dev team. Please excuse my lack of knowledge, but is checkAccess() a method provided by WebObjects or would that be a custom piece that you’ve written / we would need to write? The good news is we already track sessions in our database, but other than tracking logins/logouts, there is no connection between sessions stored within WebObjects and the sessions in our DB. So the question is where would we inject code during the login process to update our DB to deactivate previous sessions and where would we inject code that would be executed for each subsequent request to check the DB that the session hasn’t been deactivated by a new login?

 

Any additional guidance on this would be very much appreciated.

 

 

 

 

 

 

Leigh Kivenko | Chief Technology Officer
t. 416-479-0523  |  e. leighk@portfolioaid.com

PortfolioAid | website  |  linkedin  |  twitter

166 Pearl Street, Suite 200, Toronto, ON M5H 1L3

2020 WealthTech100 Company  |  2020 WP Awards Service Provider of the Year (finalist)

This e-mail may be privileged and confidential. If you received this e-mail in error, please do not use, copy, or distribute, but advise me immediately
(by return e-mail or otherwise), and delete the e-mail. PortfolioAid is committed to taking all reasonable measures to safeguard your confidential client
information. When sending attachments and/or screenshots to the PortfolioAid Help Desk or other PortfolioAid personnel, we kindly remind you to omit,
redact or securely protect any personally identifiable client information (e.g. name, address, SIN, date of birth, etc.)

 

 

From: WebObjects & WOnder Development [mailto:webobjects-dev@wocommunity.org]
Sent: Wednesday, February 03, 2021 11:47 AM
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
Subject: [WO-DEV] Re: [EXTERNAL] [WO-DEV] Re: Question about (not allowing) multiple simultaneous logins

 

We do something like this for some apps. The trick that allows it to be a robust setup for us is, instead of denying the new login, to only allow the most recent login. In other words, if they log in to a second window, the next action they try in the earlier window will return a message saying they’ve been logged out because of a new login.

 

Of course, we have to store in the database the most recent login info. (I use checkAccess() and a local timestamp to limit checking to every minute or so, just to limit DB calls.)

 

Hope this helps!

-- Mark

 

From: WebObjects & WOnder Development <webobjects-dev@wocommunity.org> on behalf of Christoph Wick <webobjects-dev@wocommunity.org>
Reply-To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
Date: Wednesday, February 3, 2021 at 8:38 AM
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
Subject: [EXTERNAL] [WO-DEV] Re: Question about (not allowing) multiple simultaneous logins

 

Security First: External email, use caution clicking links or opening attachments

I once had a similar requirement. I came pretty far by

1. implementing a lock in the database
2. making sure to remove the lock during logout
3. overriding Session's terminate() method, e.g.

public class Session extends ERXSession {

@Override
public void terminate() {
if (!isTerminating()) {
database.removeLockFor(currentUser);
super.terminate();
}
}

}

 

On 3. Feb 2021, at 15:15, Jesse Tayler <webobjects-dev@wocommunity.org> wrote:

 


That’s an unusual request so without understanding why someone would require such a thing, the basic implementation is going to have the same properties...

You’ll need a toggle in your central store (database) for that user. This toggle must reliably know if there is a session open, and this you’d likely toggle in session awake and asleep when you have an authenticated user.

Of course, you’ll run into the possibility that your session is stuck, lost to the user (like, if you left a session open on your phone and have no idea, you’d get locked out which in most cases is a critical failure of your service!) or otherwise you ever lose track of that “off” part then your user would be locked out indefinitely and so on.

I think to understand how to approach that, you’d need serious details around the definition and purpose of the requirements because on the face of it, that’s just an idea that has serious consequences and it’s hard to imagine a value to balance that weight.




On Feb 3, 2021, at 9:05 AM, Leigh Kivenko <webobjects-dev@wocommunity.org> wrote:

Hello,
Our application is currently built with WebObjects/WOLips and in some capacity, Wonder.

We are being asked to not permit multiple simultaneous logins for the same user (i.e., on different computers or using different browsers on the same computer).

Has anyone ever implemented something like this? Is there something that WebObjects provides out of the box or do we really need to build our own custom implementation?

Thanks,




Leigh Kivenko | Chief Technology Officer
t. 416-479-0523  |  e. leighk@portfolioaid.com

PortfolioAid | website  |  linkedin  |  twitter
166 Pearl Street, Suite 200, Toronto, ON M5H 1L3

2020 WealthTech100 Company  |  2020 WP Awards Service Provider of the Year (finalist)

This e-mail may be privileged and confidential. If you received this e-mail in error, please do not use, copy, or distribute, but advise me immediately
(by return e-mail or otherwise), and delete the e-mail. PortfolioAid is committed to taking all reasonable measures to safeguard your confidential client
information. When sending attachments and/or screenshots to the PortfolioAid Help Desk or other PortfolioAid personnel, we kindly remind you to omit,
redact or securely protect any personally identifiable client information (e.g. name, address, SIN, date of birth, etc.)



#############################################################
This message is sent to you because you are subscribed to
 the mailing list <webobjects-dev@wocommunity.org>.
To unsubscribe, E-mail to: <webobjects-dev-off@wocommunity.org>
To switch to the DIGEST mode, E-mail to <webobjects-dev-digest@wocommunity.org>
To switch to the INDEX mode, E-mail to <webobjects-dev-index@wocommunity.org>
Send administrative queries to  <webobjects-dev-request@wocommunity.org>

 

Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster