1

I have the following requirement in a webapp2 application. When a user leaves his machine or browser, that user's previous authentication session should be terminated.

I am able to do this when a user logs in from a different machine, by storing the remote_addr in the User object at login. When the user's session is requested I check the remote_addr from the request against the user's remote_addr at login.

I am not happy with this solution, as it will not work when the user is behind a proxy server and also, it will not work when the user uses different browsers.

Does webapp2 store a session id somewhere, so I can use that to see if the user has logged on in a new session?

Hans Then
  • 10,935
  • 3
  • 32
  • 51
  • Session cookies should be deleted when the browser is closed (and don't persist across browsers) - so as long as you set a session cookie correctly (or webapp2 does) and then you check this on every request to identify a user, you should have your desired behaviour. I'm afraid I'm not familiar enough with webapp2 to give specific help on that! – Stu Cox Sep 23 '12 at 23:23
  • @stu, you should put this in an official answer, as I think you have provided me with the key to solving my problem. – Hans Then Sep 25 '12 at 08:07
  • Maybe you could post an answer yourself with more specific details of how you solved it related to webapp2, for the sake of anyone who stumbles across this question? – Stu Cox Oct 01 '12 at 17:10

3 Answers3

0

Make modification to what you already do: when user logs in, create unique/random token and store it in the user object and set a cookie in the browser with it. When user's session is requested, check that the two tokens (from the request cookie and user object) match and if not, burn the session.

It's just the same but instead of remote_addr use a random token that you generate and set as cookie on login.

Nas Banov
  • 28,347
  • 6
  • 48
  • 67
0

When you open a website for the first time in a browser session a site session is created.

When he logs in you just store the session id in the database. You need to have a nice table with active logins. You can also set a cookie in his browser if you want to keep him logged in if he closes and restarts the browser later. Obviously if the cookie exists modify the session id to the one in the cookie.

Cookies are not shared between browsers so in this case if he logs in from a new browser you changes the session id in the active logins table.

Also you need to have a small ajax that checks if current session is still active every 5 min or so and logs him out if not.

transilvlad
  • 13,974
  • 13
  • 45
  • 80
-1

http://webapp-improved.appspot.com/api/webapp2_extras/sessions.html tells about "session id".

See also Nick Johnson's answer at webapp2-for-authentication-and-login,
and example implemantation for a datastore using ndb library.

Community
  • 1
  • 1
thoku
  • 1,120
  • 9
  • 27
  • If it was in the documentation I would have found it. I want to retrieve the session id, so I can compare it, but the documentation does not help here. – Hans Then Sep 23 '12 at 00:09