I have an application in which, before every release, we lock all users. Once locked, a user cannot log in. But if the user is already logged in and then I lock the user, the user will be able to continue until the session ends.
I'm trying to have a feature so that when I lock all users, all current active sessions of that app are logged out or ended.
I have tried looping over all active sessions and executing apex_authentication.logout, passing the session ID and app ID for each of them. Somehow it doesn't end the session of anybody except the user performing the process.
Given your reference to apex_authentication.logout, I'm assuming that you're dealing with an APEX application. In my experience, you don't worry about ending user sessions or locking users when performing an upgrade on an APEX app. Instead, you change the Build Status of the application to "Unavailable" in the "Manage Service / Application Build Status" page of the APEX workspace. This renders the application inaccessible to all users, immediately. After the upgrade, change the status back to "Available".
Instead of apex_authentication.logout, I'm using apex_session.delete_session. It's not 'really' a logout, but it does the job of stopping the current user session.
Refer https://docs.oracle.com/database/apex-18.1/AEAPI/APEX_SESSION.htm#AEAPI-GUID-E37F7000-633D-466C-BA8F-0051EDB7A0CC
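The loop described in the question, rewritten around apex_session.delete_session as an added example (this is not code from the answer above). It assumes it runs as a page process inside an APEX application, so :APP_SESSION is bound, and that the parsing schema can read the APEX_WORKSPACE_SESSIONS view and call APEX_SESSION.DELETE_SESSION; the administrator's own session is skipped so the process that does the locking is not cut off mid-run.

```plsql
-- Added example: end every other active session in the current workspace.
-- Assumptions: runs in an APEX page process (:APP_SESSION is set); the schema
-- may query APEX_WORKSPACE_SESSIONS and execute APEX_SESSION.DELETE_SESSION.
declare
  l_ended pls_integer := 0;
begin
  for r in (
    select s.session_id, s.user_name
      from apex_workspace_sessions s
     where s.session_id <> :APP_SESSION      -- keep the session running this block
  ) loop
    -- removes the session row, so the next request from that browser is
    -- treated as unauthenticated and lands on the login page
    apex_session.delete_session(p_session_id => r.session_id);
    l_ended := l_ended + 1;
    apex_debug.info('ended session %s of %s', r.session_id, r.user_name);
  end loop;
  apex_debug.info('%s session(s) ended', l_ended);
end;
```

Run it after the accounts are locked, not before: a session deleted while the account is still active only forces a fresh login. The view lists every session in the workspace, so if several applications share the workspace this ends all of them, which matches the release scenario in the question.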
Related
For 2 days now, my APEX is timing out every 10 minutes or less and it makes me lose my work!
I've tried to clean browser cookies and all...
Timeout is set in application's Shared components, Security Attributes, Session Management section.
"Maximum Session Length" is measured in seconds. If unset, it defaults to 43200 seconds (which is 12 hours) (for Apex 19.1) so ... check what it is currently set to.
I think that what you are facing is that you're killing your previous sessions.
Every time you log in on an APEX application, it generates a session for your user (it's the random numbers in your URL).
If you have another browser tab open and you request another log-in on the application, then another session is generated, and if you go back to the other tab and try anything there, you will be asked to log in again; if you do, the other session that you just logged in to will be killed.
For each application you log in to, a session id is generated and saved in the cookies of your browser. So just make sure that there's no other window or tab of that application already open in the same session of your browser (although you can use a different browser or incognito mode).
Also, pay attention to any favourite links that you made that link to an APEX application. The same thing will happen if you are already logged in and click on a favourite link that has a session in its URL.
This can all be avoided if you configure the "Rejoin Sessions" parameter in the APEX installation environment: https://docs.oracle.com/cd/E59726_01/doc.50/e39151/adm_wrkspc002.htm#BABJCGAG
I am new to Django. I made a registration page and a login page; now I want a registered user to log in to my website. When a user is logged in, I want to associate a session with the user which only dies when he logs out or closes the browser.
Now, whenever the user loads the page, even after a week, if the browser is not closed he should be granted access. Django is storing sessions in its database, but will I be able to authenticate the user, as different users have different permissions? Can someone suggest any resource for my requirement?
I found what I needed: http://gavinballard.com/associating-django-users-sessions/ It's by creating a custom model extending the default one.
We created 5 applications based on the same schema, all in one workspace now. Actually, initially they were created on different machines. Now we have to authenticate users from AD and, depending on user type, allow or deny some modules. I have created a one-pager application which has 5 buttons and can control rendering of the buttons according to the user logged in, but the problem is, inside the applications, I have restrictions on some reports for some users. One way to do that is to create a login for every application separately, so every application would know exactly who is logged in, but that would be impractical as we need single-sign-on kind of functionality.
Please let me know how to have a single login page work for all applications inside the APEX workspace so that every application would know the name of the user currently logged in.
For the 5 applications, I actually use the No_Authentication authentication scheme, and I use the following function in my one-pager application to render the buttons to the user or deny them:
create or replace function getUserName return varchar2
is
  userName varchar2(20);
  c        owa_cookie.cookie;
begin
  -- read the login cookie written by the one-pager application
  c := owa_cookie.get('LOGIN_USERNAME_COOKIE');
  -- a missing cookie has no values; return null instead of raising NO_DATA_FOUND
  if c.num_vals = 0 then
    return null;
  end if;
  userName := c.vals(1);
  return trim(userName);
end;
But obviously I cannot use this function in my 5 actual applications.
Help is requested please.
Bundle of thanks in advance.
Check my answer here on sharing sessions: apex button to call a page in another application
What you need to do further: give each application an authentication scheme. Your non-authenticated applications need authentication too; you could copy the scheme from your main app and subscribe them to the main one, so any changes on the main would be reflected in the subscribed ones.
Most important: use the same cookie name in the auth scheme, and pass on the session when you link between applications.
If you want to redirect to your main app for each login that has to be performed, you need to add an application process to the login pages of your 'sub'-apps.
Put this in an On Load - Before Header:
htp.init();
owa_util.redirect_url('f?p=main_app:101'); --redirects
apex_application.g_unrecoverable_error := true; --stops processing
This will redirect to the login page of your main application when a user would land on a login page of your sub-applications.
You can also change the logout url of the authentication scheme. You can refer to your main page app for example.
Then you can use :APP_USER in your applications and skip the cookie method, they're the same.
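The redirect process from the answer above with the session hand-off spelled out, as an added example (not the answer's own code). It assumes the main application has the alias MAIN_APP with its login page at 101, that both authentication schemes use the same cookie name, and that it is created as an application process at "On Load: Before Header" with a condition limiting it to the sub-application's login page.

```plsql
-- Added example: Before Header process on a sub-application's login page.
-- Assumptions: main app alias MAIN_APP, login page 101 (from the answer),
-- identical cookie name in both authentication schemes.
begin
  htp.init;  -- discard anything already written to the page buffer
  -- carry the current session id in the URL so the main app's login
  -- authenticates this same session; with a shared cookie name the
  -- sub-application then sees :APP_USER without a second login
  owa_util.redirect_url('f?p=MAIN_APP:101:' || :APP_SESSION || '::NO:::');
  apex_application.g_unrecoverable_error := true;  -- stop rendering this page
end;
```

If the session id is left out of the URL, the main application starts a new session and the sub-application keeps its unauthenticated one, which is the symptom of "it asks me to log in again" after every cross-application link.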
I'm working on a site that uses Django 1.2.5. It uses the Django authentication backend to log users in and out. This, in turn, uses the Django session framework to set cookies. It appears that cookies set by Django's session backend expire after 2 weeks. I've gotten complaints from users that they are being logged out of their accounts and have to log back in, and I suspect this is due to the fact that cookies are expiring after 2 weeks. I have set SESSION_COOKIE_AGE to 1 year (i.e., 31556926 seconds) but I don't know if that's the best solution to this problem -- I'm not sure if it'll have unintentional side effects.
Is there a way to keep users logged in indefinitely (i.e., keep them logged in until they manually log out)? I haven't found a setting, but any solution (e.g., middleware or the like) would be acceptable.
The only way to extend session life is through longer-lived cookies. Every other method of user identification (e.g. IP + user-agent) suffers from ambiguity and, therefore, has security issues.
I created a simple middleware that updates user session cookies periodically, which eliminates the described problem.
https://github.com/IlyaSemenov/django-everlasting-sessions
I am designing a Service to run under the LocalSystem account on Win2000, XP and Vista. It will need access to users' registry hives, sometimes for extended periods of time, both when the users are logged in and also when they are not logged in (IF the profile is local. If the profile is Roaming and not loaded, I will not attempt to load it.)
If the user is logged-on, I can get the Users access token by various means (E.g. from its Explorer process, or by receiving Logon events from the Service Control Manager) then use ImpersonateLoggedOnUser and RegOpenCurrentUser to access the User's hive. However, what are the implications if the User selects LogOff from the start menu while I am impersonating and have his hive open? Will the logoff be prevented? Will my impersonation be terminated?
If the user is not logged on, I can use RegLoadKey to directly open the hive NTUSER.DAT. (Impossible for a logged-on user). But what are the implications of this if the user decides to log-on (I suppose the hive will be locked and the logon either prevented, or may experience difficulty?)
I will be setting up some test projects to explore these ideas; however, regardless of their apparent results, these questions are theoretical in terms of what type of problems might, or would, be caused by the user logging in/out during these actions by the service.
Caveat: ImpersonateLoggedOnUser can ONLY be used either for a logged-on user (token obtained from a process or SCM event) OR for a user for which I have the plaintext password to call WinLogon and obtain a token - TRUE / FALSE? In other words, although I have maximum permissions as LocalSystem and am able to change the user's password or even delete the user's account, if the user is not logged on, it is totally impossible to create a new token to impersonate the user without having the password?
Apparently, there is some risk of damaging a user's profile if it is already loaded by another process when the user logs in. In that case, the system will try to create a new subdirectory for the user.