
  1. #1 mikecx (Ext User, joined Jul 2008, 38 posts)

    Session Handling


    I had what I thought might be a good idea for session handling and wanted to get a response and see what people thought and how it might be best implemented.

    1.) User logs in; this contacts the server, creates a session object on the server, and the server sends back a session ID and timeout time.

    2.) Ext.JS stores the session ID and timeout (CookieProvider?). Every time a click is done on the page it checks against the timeout, and every time a server call happens it always returns a new timeout time.

    Then, you set a threshold time. If it's within that threshold time you pop open a window asking if they want to stay connected and it updates the server/client time. If it's past the time a modal login box asks them to re-login granting them a new session ID and updated session window.

    Now, what I'm really asking is what would be the best way to do this? It seems like it would involve an override to the Ajax calls and store loading calls (with a param like checkSession: true that will then always look in the return for a sessionTimeout value), and then attaching an event to the click.

    Am I way off base or does this sound like a good way of dealing with the Session Handling problem? I'm not entirely new with Ext.JS but knowing the proper way to start on a project should help me get to the end faster.

  2. #2 Condor (Sencha - Community Support Team, joined Mar 2007, The Netherlands, 24,246 posts)

    Some notes:
    1. You could use the Ext.Ajax requestcomplete event to update the timeout (if your server sends a new timeout with every request).
    2. Use Ext.TaskMgr to schedule a timeout task. Remember that JavaScript timing is not really accurate!

  3. #3 skaue (Ext User, joined Sep 2008, Troms, 191 posts)

    I'm not sure what the normal session timeout time is in your application, but I think it is like 20 minutes on our application. So if the user does not load some page from our server for a time of 20 minutes, the user times out and needs to login again. UNLESS the user has checked "remember me", which in that case just automagically (the new and popular word for automatically) logs the user in without any login prompt.

    Regardless, you have an interesting idea. My first reaction was to pass the current timeout value (server session timeout value) to the client and have the client register a timeout event (setTimeout(...)). This event could mask the entire UI and display a login dialog when the session has timed out. I mean, we are probably talking about a user who has left the desktop (smoke? lunch? toilet?). His session is timed out and he/she MUST login again.

    The way I see it, the user has deliberately chosen not to be "remembered", has left the desktop for several minutes without using the application and a new login is due.

    Maybe this answer is "way off" ;-)
    Webdeveloper from Norway

  4. #4 harley.333 (Sencha User, joined Mar 2007, 286 posts)

    I handle session timeout like this:

    1. User logs into system; session is created. SessionID is stored in cookie; sessionTimeout is stored in JS variable; a 'timeout' is created to log the user out at the sessionTimeout duration.
    2. An 'interval' is created to send a "RememberMe" message to the server every minute.
    3. All activity (mouse-click or key-stroke) resets the 'timeout.'
    4. After no activity for the duration of (sessionTimeout - 30 seconds), a modal dialog is displayed with a 30 second countdown. The user can click the "Keep Working" button or let the application close down.

    Notice there is one 'timeout' and one 'interval.'

    The interval is used to keep the server's session alive. This is necessary because the application is heavy on data-input. A user could easily spend more than 20 minutes on a single screen without hitting the server. So, it's important to keep the server's session alive. The user would be really ticked off if they just spent 30 minutes on a screen and when they pressed 'Submit,' they found out they had been logged out.

    This works well for our applications. The bandwidth savings that ExtJS has given us are much greater than the extra "RememberMe" traffic. However, we are not creating applications with 1000's of concurrent users.

  5. #5 mmusson (Ext User, joined Nov 2007, Centreville, VA, 58 posts)

    Be careful with how you store the session id on the client. A mistake I commonly see is treating the session id like it is a secure piece of information. It is not. You should protect it as carefully as you would protect the password.

  6. #6 mikecx (Ext User, joined Jul 2008, 38 posts)

    Quote Originally Posted by mmusson:
        Be careful with how you store the session id on the client. A mistake I commonly see is treating the session id like it is a secure piece of information. It is not. You should protect it as carefully as you would protect the password.

    How would you suggest storing this data then? Obviously the cookie won't work (easy to read), the session variables are still snoopable if someone wants, and in the POST request is the worst idea of all.

    I'm not really up on what all today's common web security practices are.

  7. #7 skaue (Ext User, joined Sep 2008, Troms, 191 posts)

    Obviously, if security is really important and you're afraid of session cookies getting "lost", I'd start off by applying SSL. Encrypted traffic between client and server, and encrypted cookies, will make it more difficult to spoof session cookies. That's the easiest way to increase security.

    I liked harley's approach. I liked it so much that if he'd be willing to share the clientside code, I'd offer my hands
    Webdeveloper from Norway

  8. #8 mikecx (Ext User, joined Jul 2008, 38 posts)

    I think harley has a good approach for his application but it doesn't really work all that well for mine. One of the applications is expected to eventually roll out to over 1,000 people, and then more looking to the future, which could end up being multiple thousands of small packets hitting the server every minute.

    For right now I've just set it up as Condor suggested (with a few tweaks). At application load I set a default session length of 10 minutes. I then send a request to the server to get the current session ending time minus 15 minutes (these are really long sessions, I can spare 15 minutes at the end to make sure server sync errors don't happen). I have an Ext.TaskMgr that checks every 10 seconds to see if the current time is past the end session time.

    At 5 minutes before the user is going to timeout, I give a modal window allowing them to just click to keep their session. If they do I update the end timer, if they don't at the end I hide the modal window and pop-up a new one saying they've been logged out with the only option being going back to the login screen (this is an application that ties into something else, no direct user/pass combination).

    It's not exactly optimal but it's how the company I work for makes me do things. Until they aren't paying the bills I have to do things the wrong way.
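The client-side timer that Condor's notes (#2), harley's steps (#4) and mikecx's final setup (#8) all describe, as one added example that is not code from the thread or from ExtJS: the timeout is refreshed from each server response, a periodic task checks it (instead of trusting a single setTimeout), a warning state drives the "keep working" dialog, and user activity issues a rate-limited keep-alive. The class and method names are hypothetical, the clock is injectable so the sequence can be driven deterministically, and it takes the server's value as a relative "seconds remaining" rather than an absolute server timestamp, which sidesteps the client/server clock sync problem mikecx pads 15 minutes for.

```javascript
// Client-side session watchdog: server-supplied timeout fed in from each
// response, a periodic check instead of a single setTimeout, a warning
// threshold for the "keep working" dialog, and activity that triggers a
// rate-limited keep-alive. Hypothetical names; added example, not thread code.
class SessionWatchdog {
  constructor({ now, warnBeforeMs, keepAliveMs, onState }) {
    this.now = now;                   // () => ms; injectable so tests can drive it
    this.warnBeforeMs = warnBeforeMs; // show the dialog this long before expiry
    this.keepAliveMs = keepAliveMs;   // minimum gap between keep-alive requests
    this.onState = onState || (() => {});
    this.expiresAt = 0;
    this.lastPingAt = -Infinity;
    this.state = 'expired';
  }
  // Hook for every completed request (Ext.Ajax requestcomplete in Condor's
  // note). Takes a RELATIVE "seconds remaining" so client/server clock skew
  // cannot stretch or shrink the window; only the server ever extends it.
  onServerResponse(remainingSec) {
    this.expiresAt = this.now() + remainingSec * 1000;
    this.lastPingAt = this.now();
    this._set('active');
  }
  // Click/keystroke: ask the server for a fresh window, but coalesce bursts
  // so a busy user does not flood the server (mikecx's packet concern).
  // Returns true when a keep-alive request was actually issued.
  onActivity(sendKeepAlive) {
    if (this.state === 'expired') return false;
    if (this.now() - this.lastPingAt < this.keepAliveMs) return false;
    this.lastPingAt = this.now();
    sendKeepAlive();
    return true;
  }
  // Periodic check (an Ext.TaskMgr task every few seconds): compare the clock
  // to the expiry and move between active -> warning -> expired.
  tick() {
    const left = this.expiresAt - this.now();
    if (left <= 0) this._set('expired');
    else if (left <= this.warnBeforeMs) this._set('warning');
    else this._set('active');
    return this.state;
  }
  remainingMs() { return Math.max(0, this.expiresAt - this.now()); }
  _set(s) { if (s !== this.state) { this.state = s; this.onState(s); } }
}
```

Wire onState to show or hide the modal, and let the "keep working" button simply call onActivity; the local expiry never moves until the server's reply arrives, so client and server cannot disagree about whether the session is still alive.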