Duplicate user sessions #3451
Comments
Session tokens are now revocable, which means that a user gets a new token each time one of the following actions takes place: signup, login, upgrade. If a user is logged in, the last token will have the following property: createdWith.action = login. Now, as far as I tested some cases, if you delete it (e.g. calling destroy for that token via cloud, or manually deleting it), the next time the user tries to use the app, the response will be "invalid token", and the user will be logged out.
@fott1 but let's say we need to implement password validation before the user modifies his account information in the application. And we ask the user to supply his password, then perform a login with the provided password and the existing user's username. Eventually this action will over time create many unusable sessions, and the Session class will then have thousands of garbage sessions. How do you propose a way around this?
@georgesjamous this has actually been fixed in #4143, effective in parse-server versions 2.6.1 and up. Must have missed this issue when we applied the change. Here's the changelog for that release as well. If you can't upgrade to that version of parse you can check out the diff and apply a hotfix as needed, but we recommend you upgrade if possible.
@montymxb we just updated to "parse-server": "2.6.5". Check out the screenshot that I have included: sessions are being created for the same user-installationId. We submitted multiple user logins on iOS, simulating the time where the user is required to verify his credentials.
What do you use to validate the passwords? The documented options of a beforeSave call? Can you provide more context with code please?
We are logging in the user normally on the device for password validation. (iOS)
Also, in Cloud Code we have completely removed beforeSave and afterSave on the '_User' class. This is our server configuration regarding sessions and email verification.
Can you provide the logs when running with VERBOSE=1 for those calls that make duplicated sessions? I have trouble understanding how this is possible, given the tests and code we have in place to prevent it in the 1st place.
We just wanted to know at what point in lib/RestWrite.js in parse-server the new session token is created. It's being created in
Hope this makes sense to you, since at our stage we still don't have a clear grasp of the internals of parse-server; we are still messing around with it and learning. The current user session token just before calling login is
So basically you're calling login over and over, because you want to validate that the user is able to provide a valid password, even though the current user is currently logged in to the app, and you expect the session to stay the same or a new session to be created? I may suggest you use shorter sessions, and upon app launch check if the session is still valid; if not valid, you just have to re-present the login controller.
Sometimes you need to verify the user's credentials even though the user is It doesn't matter if a new session is created or the session is still the same; our concern is only that over time, with thousands of users, the _Session class could get massive very quickly. What I do expect, and I think it would be better over time, is that if either, In the end each Installation-User must only have one _Session object.
I managed to write a test that encompasses this particular use case that was obviously overlooked.
@flovilmart Is there any way an admin user can remotely log out another user? For example, the admin approves certain things for a user and the user cannot see the update until they sign out and sign in again. How to overcome this situation?
You can log a user out by deleting its session object.
Was this issue resolved? Having the same problem in 2.7.4
The issue was closed 6 months ago, please open a new issue filling the issue template as much as you can, all information is critical to get us quickly on it! Thanks!
Thanks for the quick response, will do
…y#4337) * Adds failing test for parse-community#3451 (on multiple logins) * Factor sessionDestruction as part of Session creation flow in RestWrite * nits
Hi,
I'm using the iOS SDK.
I have a simple login screen with one username textfield, one password textfield and one login button.
So far, when I tap the button, the user gets logged in with no difficulty.
The only thing I find weird is that if the user taps the login button multiple times, a new session object is created for each tap in the mongo database. (So far, I'm just testing things, so the login view controller doesn't disappear; therefore the user is free to tap the login button time and time again.)
All the session objects related to the same user have the same installationId, and I thought that the previous sessions would be destroyed.
How could I destroy the previous sessions upon logging in if those sessions have the same userId / installationId pair?
Steps to reproduce
the server
Expected Results
One session object with the latest userid/installationid would exist in the database as per the documentation:
"Sessions represent an instance of a user logged into a device. Sessions are automatically created when users log in or sign up. They are automatically deleted when users log out. There is one distinct Session object for each user-installation pair; if a user issues a login request from a device they’re already logged into, that user’s previous Session object for that Installation is automatically deleted"
Actual Outcome
A new session object is created every time with no limit.
Environment Setup
Server
Database
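The cleanup the thread asks for (delete the older _Session rows for the same user/installationId pair, keeping only the newest, as the documentation quoted above promises), as an added example that is not part of this issue or of parse-server: plain JavaScript over constructed sample rows, so it runs offline. In Cloud Code the rows would come from a master-key query on "_Session" and the stale ones would be passed to destroy(); those Parse SDK calls are assumed and not shown.

```javascript
// Added example, not code from parse-server or from this issue thread.
// Works over the _Session fields discussed above: user, installationId,
// createdAt and createdWith.action. Rows without an installationId (e.g.
// sessions created over REST with no installation header) have no pair
// and are never touched.

// Constructed sample rows (not real data): three login taps from one iPhone.
const SAMPLE_SESSIONS = [
  { objectId: 's1', userId: 'u1', installationId: 'ios-A', createdAt: '2018-01-01T10:00:00Z', createdWith: { action: 'login' } },
  { objectId: 's2', userId: 'u1', installationId: 'ios-A', createdAt: '2018-01-01T10:00:05Z', createdWith: { action: 'login' } },
  { objectId: 's3', userId: 'u1', installationId: 'ios-A', createdAt: '2018-01-01T10:00:09Z', createdWith: { action: 'login' } },
  { objectId: 's4', userId: 'u1', installationId: 'android-B', createdAt: '2018-01-02T08:00:00Z', createdWith: { action: 'login' } },
  { objectId: 's5', userId: 'u2', installationId: 'ios-A', createdAt: '2018-01-02T09:00:00Z', createdWith: { action: 'signup' } },
  { objectId: 's6', userId: 'u1', installationId: undefined, createdAt: '2018-01-03T09:00:00Z', createdWith: { action: 'login' } },
];

function pairKey(s) {
  return `${s.userId}|${s.installationId}`;
}

// Newest session for every user/installation pair (the one to keep).
function newestPerPair(sessions) {
  const newest = new Map();
  for (const s of sessions) {
    if (!s.installationId) continue;
    const cur = newest.get(pairKey(s));
    if (!cur || Date.parse(s.createdAt) > Date.parse(cur.createdAt)) newest.set(pairKey(s), s);
  }
  return newest;
}

// Sessions that break the "one _Session per user-installation pair" rule
// and can be destroyed, oldest first.
function staleSessions(sessions) {
  const newest = newestPerPair(sessions);
  return sessions
    .filter(s => s.installationId && newest.get(pairKey(s)) !== s)
    .sort((a, b) => Date.parse(a.createdAt) - Date.parse(b.createdAt));
}

// Detection view for a periodic check: pairs holding more than one session.
function duplicatePairs(sessions) {
  const counts = new Map();
  for (const s of sessions) {
    if (!s.installationId) continue;
    counts.set(pairKey(s), (counts.get(pairKey(s)) || 0) + 1);
  }
  return new Map([...counts].filter(([, n]) => n > 1));
}

console.log('stale:', staleSessions(SAMPLE_SESSIONS).map(s => s.objectId));
```

Run the duplicatePairs check over the _Session class as a scheduled job to confirm that an upgraded server no longer accumulates sessions; staleSessions is only needed to clean up rows left behind by an older version.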