lindleycb / meteor-stale-session
Stale session and session timeout handling for meteorjs
License: MIT License
Cool package, super easy setup. A lot of my router hooks have Meteor.user checks, and updating the Meteor.user collection causes them to fire. This would probably be resolved if the inactivity was tracked in a separate collection object other than Meteor.user.
Just a thought. Was a problem for me, but if MDG ends up creating a non-reactive internal router option then I suppose this won't be a problem. I can probably redefine some route rules so this isn't such an issue for me. Nice package though!
It would be good to have an automated test for this
I currently have the following flags set in my app's .json file. Even with staleSessionInactivityTimeout set to ~30 days and staleSessionForceLogout set to false, I notice that about every couple of days I am automatically logged out. What's the logic behind that?
Note I am using Chrome 54.0.2840.100 (64-bit) with default cache settings. I also have multiple AWS instances running different versions of my app (all sharing the same user db). So switching between instances is seamless since I only have to login once.
Note: I do notice that after switching between instances, the Local Storage entry under Chrome -> Settings -> Advanced Settings -> Content Settings -> Cookies -> All cookies and site data -> <my_app> -> Local Storage changes upon every instance switch. Maybe that's related (e.g. session cookie)?
"public" : {
"env" : "prd",
"staleSessionInactivityTimeout" : 2628000000,
"staleSessionHeartbeatInterval" : 180000,
"staleSessionPurgeInterval" : 60000,
"staleSessionActivityEvents" : "mousemove click keydown",
"staleSessionForceLogout" : false
}
Thanks!
I'm testing the use of this package (which seems to be just what my security group wants us to have - thanks!) but when the session is purged from the server the client doesn't seem to know about it and allows the user to continue using the app until it makes a call to the server to do something and then most of the time it just appears to hang (at least to a user). I was thinking about enhancing the client.js so that it kept track of the last activity and when the client hit the timeout threshold it redirected the browser to the login page. I know this could be overridden by js on the client, but I don't care about playing nice with hackers, but for regular users when the timeout was hit they would be back at the login page. An additional enhancement might be to put up a warning a minute or two before to prompt them to do something so the timeout is extended.
Thoughts?
thanks,
stephen
If a user logs in and closes the browser before the heartbeat interval has elapsed they never get a heartbeat registered and thus never get logged out. I've fixed this for now by calling heartbeat in an onLogin callback, but I'm kind of thinking this is something the package should take care of. I was also wondering if it might be better to use debounce on the event handler rather than a setInterval.
I can do a pull request when I get some spare time, just wanted to put this out there for now in case anyone else runs into this.
Could you please help me wrapping my head around the following scenarios?
Is there a possibility where I can inform the server that the client has been active in the meanwhile, before he kicks him out? I thought about calling Meteor.logout() if this.userId is set, but activityDetected is not, in https://github.com/lindleycb/meteor-stale-session/blob/master/client.js#L20. Do you think this would be a good approach? Another option would be if you call the heartbeat method with a timestamp. Then you could ensure that the next timestamp needs to be heartbeatInterval away from the last (with some margin). Since the system now saves the requests if the connection is down and tries to resend as soon as it's available, this could work ... what do you think?
After adding this package to an app, the regular Meteor Accounts package loginButtons template still shows the Sign out button, but clicking it has no effect. No errors are shown in the console. The dropdown menu closes, but that's all.
Meteor version is 1.2.0.2
Has anyone seen this before and resolved it?
On a desktop, this package will detect mouse movement... is there any way to detect similar activity on a mobile device, i.e. finger swipes of the page? If a user is active, but not clicking buttons that cause Meteor activity, it is timing out, but the same thing on a desktop would have mouse movement and thus would not time out...
In the README:
As it currently stands, (meteor 0.6.6.3)
Hi guys,
I love the package, it is really simple to use and lightweight.
Just one thing that I have been unable to do, is hook on to the timer interval being set at startup.
I would like to add a notification countdown modal to display time left until automatic log out, however we are overwriting the Meteor.logout() method and I had hoped that Stale Session was using it but unfortunately that approach has failed.
Is there any way to latch on to Stale Session to create such a countdown display (ie. "30 seconds left")
Thank you and kind regards,
Chris
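Two of the requests above (registering a heartbeat at login so a user who closes the tab before the first interval still gets purged, and coalescing activity events instead of firing a fixed setInterval; and a client-side countdown of the time left before automatic logout) can be served by one small scheduler. The code below is an added example, not the package's client.js: createHeartbeatScheduler, fakeTimers and demoHeartbeats are hypothetical names, the timer and clock are injected so the demo runs in plain Node without a browser or Meteor, and in a real app onLogin would be wired to Accounts.onLogin, onActivity to the DOM activity events, and sendHeartbeat to the package's heartbeat method. The 180000 ms interval matches the staleSessionHeartbeatInterval from the settings quoted earlier on this page; the 30-minute inactivity timeout used for the countdown is a constructed value.

```javascript
// Added example (not the meteor-stale-session package's own code).
// A heartbeat scheduler that sends one heartbeat immediately on login and then
// throttles activity-driven heartbeats to at most one per interval, plus a
// client-side estimate of the time left before the server would purge the session.
function createHeartbeatScheduler({ intervalMs, sendHeartbeat, setTimer, clearTimer, now }) {
  let lastSent = -Infinity;   // clock value of the last heartbeat sent
  let lastActivity = -Infinity; // clock value of the last login or user activity
  let pending = null;         // handle of the trailing-edge timer, if one is armed
  let loggedIn = false;

  function sendNow() {
    pending = null;
    lastSent = now();
    sendHeartbeat(lastSent);
  }

  return {
    // Wire to Accounts.onLogin in a real app (assumption). Sending right away closes the
    // gap where a user logs in and closes the browser before the first interval elapses.
    onLogin() {
      loggedIn = true;
      lastActivity = now();
      sendNow();
    },
    onLogout() {
      loggedIn = false;
      if (pending !== null) { clearTimer(pending); pending = null; }
    },
    // Wire to mousemove/click/keydown/touchstart. A burst of events inside one interval
    // produces a single trailing heartbeat instead of one network call per event.
    onActivity() {
      if (!loggedIn) return;
      lastActivity = now();
      const elapsed = now() - lastSent;
      if (elapsed >= intervalMs) { sendNow(); return; }
      if (pending === null) pending = setTimer(sendNow, intervalMs - elapsed);
    },
    // Time left before the server's inactivity timeout would be hit, for a countdown modal.
    remainingMs(inactivityTimeoutMs) {
      return Math.max(0, inactivityTimeoutMs - (now() - lastActivity));
    },
  };
}

// Deterministic clock and timer queue (constructed for the demo; stands in for setTimeout).
function fakeTimers() {
  let t = 0;
  let nextId = 1;
  const queue = [];
  function runDue(target) {
    for (;;) {
      let idx = -1;
      for (let i = 0; i < queue.length; i++) {
        if (queue[i].at <= target && (idx < 0 || queue[i].at < queue[idx].at)) idx = i;
      }
      if (idx < 0) break;
      const [entry] = queue.splice(idx, 1);
      t = entry.at;
      entry.fn();
    }
    t = target;
  }
  return {
    now: () => t,
    setTimer(fn, delayMs) { const id = nextId++; queue.push({ id, at: t + delayMs, fn }); return id; },
    clearTimer(id) { const i = queue.findIndex((e) => e.id === id); if (i >= 0) queue.splice(i, 1); },
    advance(ms) { runDue(t + ms); },
  };
}

// Walks through login, a burst of activity, an idle gap and a late activity event.
function demoHeartbeats() {
  const timers = fakeTimers();
  const sent = [];
  const client = createHeartbeatScheduler({
    intervalMs: 180000,                       // staleSessionHeartbeatInterval from the issue above
    sendHeartbeat: (ts) => sent.push(ts),
    setTimer: timers.setTimer,
    clearTimer: timers.clearTimer,
    now: timers.now,
  });
  const inactivityTimeoutMs = 30 * 60 * 1000; // constructed 30-minute timeout for the countdown
  client.onLogin();                            // t=0: heartbeat registered immediately
  timers.advance(1000); client.onActivity();   // burst inside the first interval: one trailing heartbeat
  timers.advance(4000); client.onActivity();
  timers.advance(15000); client.onActivity();
  timers.advance(160000);                      // t=180000: the trailing heartbeat fires
  timers.advance(600000);                      // t=780000: ten idle minutes, nothing sent
  const countdownBefore = client.remainingMs(inactivityTimeoutMs);
  client.onActivity();                         // first activity after the gap: immediate heartbeat
  const countdownAfter = client.remainingMs(inactivityTimeoutMs);
  return { sent, countdownBefore, countdownAfter };
}
```

The demo returns heartbeats at 0, 180000 and 780000 ms: one on login, one at the end of the first interval covering the whole burst, and one as soon as activity resumes after the idle gap; the countdown drops to 1040000 ms during the gap and resets to the full 1800000 ms once activity is seen again.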
In Meteor.startup(function () { … I have added Accounts.validateLoginAttempt(function(attempt) { … with a console.log( attempt.type …
It results in the unattended reconnect being of type "resume".
This occurs randomly once in a while.
As it is a major security concern I wonder how other people do? 🚑
I'm not alone in finding that bug, see https://forums.meteor.com/t/47412
thx
If an application wants to allow users to disable this on a per-user basis it's currently not possible. Something like this would be helpful
meteorStaleSession.disableForUser(userId);
which could update the user document with a property that signals not to include them in the auto logout interval, so this query could be updated from
Meteor.users.update({heartbeat: {$lt: overdueTimestamp}},
{$set: {'services.resume.loginTokens': []},
$unset: {heartbeat:1}},
{multi: true});
to something like this
Meteor.users.update({heartbeat: {$lt: overdueTimestamp}, staleSession: { enabled: { $eq: true }}},
{$set: {'services.resume.loginTokens': []},
$unset: {heartbeat:1}},
{multi: true});
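The two queries above differ in one detail worth checking before shipping: staleSession: { enabled: { $eq: true } } only matches users who already carry that field, so every existing user document without it would silently stop being purged. The example below is added here and is not the package's server code; it models the purge as a plain JavaScript function over an in-memory user array (purgeStaleSessions, disableForUser and demoPurge are hypothetical names, heartbeat is assumed to be a millisecond timestamp, and the sample users are constructed) so the opt-out semantics can be run and checked offline. It treats a missing staleSession field as enabled, i.e. an explicit opt-out model, and it also shows the case from the earlier issue where a user never registered a heartbeat and therefore is never purged.

```javascript
// Added example (not the meteor-stale-session package's own code): per-user opt-out for the
// stale-session purge, modelled over an in-memory array instead of Meteor.users.update.

// Marks one user as excluded from automatic logout (the proposed disableForUser API, modelled here).
function disableForUser(users, userId) {
  const user = users.find((u) => u._id === userId);
  if (!user) return false;
  user.staleSession = Object.assign({}, user.staleSession, { enabled: false });
  return true;
}

// Equivalent of the purge query: users whose heartbeat is older than now - timeout lose every
// resume token (which logs them out on all devices) and their heartbeat field is unset.
// A missing staleSession field counts as enabled so existing users keep being purged.
function purgeStaleSessions(users, nowMs, inactivityTimeoutMs) {
  const overdueTimestamp = nowMs - inactivityTimeoutMs;
  const purged = [];
  for (const user of users) {
    if (typeof user.heartbeat !== 'number') continue;       // never sent a heartbeat: nothing to compare
    const optedOut = user.staleSession !== undefined && user.staleSession.enabled === false;
    if (optedOut) continue;
    if (user.heartbeat < overdueTimestamp) {
      user.services = user.services || {};
      user.services.resume = user.services.resume || {};
      user.services.resume.loginTokens = [];               // $set: {'services.resume.loginTokens': []}
      delete user.heartbeat;                               // $unset: {heartbeat: 1}
      purged.push(user._id);
    }
  }
  return purged;
}

// Constructed sample: four users against a 10-minute inactivity timeout.
function demoPurge() {
  const now = 1000000000;            // constructed clock value in ms
  const timeout = 10 * 60 * 1000;
  const token = (s) => ({ hashedToken: s, when: now });
  const users = [
    { _id: 'alice', heartbeat: now - 60 * 1000, services: { resume: { loginTokens: [token('a')] } } },   // active
    { _id: 'bob', heartbeat: now - 3600 * 1000, services: { resume: { loginTokens: [token('b')] } } },   // stale
    { _id: 'carol', heartbeat: now - 3600 * 1000, services: { resume: { loginTokens: [token('c')] } } }, // stale, opted out below
    { _id: 'dave', services: { resume: { loginTokens: [token('d')] } } },                                // never heartbeated
  ];
  disableForUser(users, 'carol');
  const purged = purgeStaleSessions(users, now, timeout);
  return {
    purged,                                                                // ['bob']
    tokensLeft: users.map((u) => u.services.resume.loginTokens.length),    // [1, 0, 1, 1]
    heartbeatKept: users.map((u) => typeof u.heartbeat === 'number'),      // [true, false, true, false]
  };
}
```

Only bob is logged out: alice is recent, carol is stale but opted out, and dave has no heartbeat at all, which is exactly why registering a heartbeat at login matters.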
Thanks for this session management plugin, I was looking to see if there is a way to always log the user off if they close the current browser and to terminate all their sessions ?
This package was working great for me until I added this:
if (!this.userId) {
console.log("subscribing without being logged in, from: " + this.connection.clientAddress + " denied!");
return;
}
to the top of my Meteor.publish function.
Once I added these lines (as a security check so that you couldn't subscribe to publications when logged out)... it seems that when I get to a stale session state, the websocket is severed, but my app still functions, but it can't get to the server any more... I suppose I'll have to put this code into a demo to explain better... but hoping you might know off hand what the issue is.
In the Network tab of the inspector in Chrome, I see a second websocket show up once the session "times out" ie. becomes stale. But the app doesn't show that I'm logged out.
But, without the check for this.userId in the publish, it does work fine, and the user is shown the login screen and they are "logged out" of the app automatically.