Thread: Persistent login (e.g. users logs in for two weeks)

  1. #1
    Member
    Real Name
    Allan Barnard
    Join Date
    Feb 2013
    Posts
    212

    At present my mobile app requires that a user log in with a username
    and password every time they hit the app.

    Most commercial apps allow you to log in and stay logged in for a couple of weeks.

    Has anyone determined an easy way to accomplish this without undue coding?


    My app is typically accessed via a Phonegap app on a device rather than
    a simple URL hit.

    Thanks for any community input!

  2. #2
    "Certified" Alphaholic CharlesParker's Avatar
    Real Name
    Charles Parker
    Join Date
    Dec 2012
    Location
    New Orleans, LA
    Posts
    2,060

    Anyone have an answer? Thanks for your input!

  3. #3
    Moderator Peter.Greulich's Avatar
    Real Name
    Peter Greulich
    Join Date
    Apr 2000
    Location
    Boston, MA
    Posts
    11,631

    You can set the session timeout in the WAS itself, or you can code it on startup:
    Session.Timeout - (read-write) The timeout, in minutes, for this session.
    A new value must be specified in whole minutes. The minimum timeout is 1 minute and the maximum is 525600 minutes (365 days).
    The default is 15 minutes.

  4. #4
    "Certified" Alphaholic CharlesParker's Avatar
    Real Name
    Charles Parker
    Join Date
    Dec 2012
    Location
    New Orleans, LA
    Posts
    2,060

    Not what we're after here. There's no way to "remember me" and we don't know how to code it. I use the usual login component that Alpha provides and there's a remember me check box; however, in the sample PhoneGap login panel there isn't a remember me check box. I for one have no clue how to make a username persistently show up on reloading the PhoneGap app.
    My web interface is perfect and works like you suggest, and I set my session timeout to about 2 hrs., but again that's irrelevant to the question.
    Any help with the remember me option in a UX would be super.

  5. #5
    Former Alpha Employee JerryBrightbill's Avatar
    Real Name
    Jerry Brightbill
    Join Date
    Apr 2000
    Posts
    5,171

    The web security does have legacy options to set the login expiration policy to "Defined time after last page access" and "Defined time after initial login". But as you point out, there is no way for the user to select the remember me option except in a login component. This is by design.

    These options are highly discouraged, and may be removed in later Alpha Anywhere versions. There are a couple primary reasons.

    1. The first is security, as it isn't possible to know if the last logged in user is the current user. This is not a significant issue if the security is being used only for user identification and not for user authentication and access control. There are some resources such as social media that do have a long term login method, typically limited to 2 months. Others, such as user forums, may have a much longer expiration period. In most cases, this is considered very insecure as it allows any user with access to a device to reach the user information of the person who originally signed on using that device.
    2. The second is that session variables can not be used in the application as they are deleted when the user session times out, typically after 15 minutes of inactivity. If any session variables are created at login, they are lost when the session times out. We don't recommend session timeouts greater than 30 minutes and in some systems (such as any falling under government regulation) there may be a legal session limit. For example, any system that contains data that falls under HIPAA regulation can not have a session timeout greater than 30 minutes.
    3. Other systems such as IIS limit all login expirations to the session expiration.


    If all you want to do is identify a user for some period of time, such as saving their name, and you are using a browser, you can create a cookie and place it on the user machine. The cookie can be set for any expiration time, such as 2 months. Every page request will have the value in the cookie until the cookie expires.

    While not recommended, it is possible to store user information in the cookie and automatically log the user into the system. This would require a user id and password. Obviously, this data should be encrypted in the cookie as it is very sensitive. A user defined function could be added to an initial landing page to check for the cookie, decrypt the data, and then use a function such as a5ws_login_user() to log in the user from the values.

  6. #6
    "Certified" Alphaholic CharlesParker's Avatar
    Real Name
    Charles Parker
    Join Date
    Dec 2012
    Location
    New Orleans, LA
    Posts
    2,060

    You guys and your security...obviously you should build and prepare for high security, but why not be able to make it as user friendly as possible and simply customized? I get the HIPAA bs stuff - but we are talking about an app that's not necessarily rocket science. I know of many an app I sign in and when I reload the app I don't have to sign in again...it just loads.
    Again, add in all the security features you want but why in the world do we all have to suffer the high security measures? Perhaps we are building an app that isn't really that important, might be an app for my website www.adultsheepfinder.us (and yeah I do own that, lol - don't ask!)
    No offense Jerry, I am just pointing out that there are many types of apps that we might want to build, and yeah maybe security isn't as big an issue...

  7. #7
    Member
    Real Name
    Josh Cole
    Join Date
    Jun 2012
    Posts
    678

    Charles,

    The developers of those apps that allow you to stay logged in are most likely using the method Jerry has explained. Create a cookie and store the login info in it. He did offer a solution. If I were Alpha I would not provide an out-of-the-box less secure option. I think it's reasonable to expect that if you want to circumvent best practices as far as security is concerned that it be something you develop and assume total risk for. I know Jay Talbot has created a similar solution for one of his apps so you can accomplish what you want with Alpha, you just have to do some coding. That is just my humble opinion.

  8. #8
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Allan,

    I worked out the process to do what you want. It requires multiple scripts in different places. I will send it to you to test out, then I can provide to others. I don't think security-related scripts should go on this forum so I will provide as a download on IADN.COM.

    For reference, here is what has to happen:

    • On the page that contains the login dialog, if the user logs in capture the userid and password, encrypt and store as a cookie.
    • On all pages where you want user to auto-login, look for the cookie and log them in if it exists
    • Ignore the two above tasks if the user is already logged in
    • On the logout page be sure to destroy the cookie (because the user explicitly logged out) otherwise the user can never logout


    So if the user does not explicitly log out, they are auto-logged in when they return for the life of the cookie, which can be set to any period of time. The feature even survives a server reboot. But of course it only works from the same computer where they initially logged in.

    This is similar to how I built the "Single Sign-on" feature except that does not use a cookie, gets credentials from the LDAP server.
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)
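
The four steps listed in post #8 (and the cookie approach described in post #5), as an added example in Python; it is not Steve Wood's code and does not use Alpha Anywhere's API. It swaps the encrypted userid and password in the cookie for a random single-use token whose hash is kept server-side, so the cookie never contains the password. `RememberMeStore`, its method names and `COOKIE_LIFETIME` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_LIFETIME = 14 * 24 * 3600  # two weeks, in seconds (value chosen for this example)


class RememberMeStore:
    """Hypothetical server-side token table; a dict stands in for a database table."""

    def __init__(self, now=time.time):
        self._rows = {}  # selector -> (user_id, sha256(validator), expires_at)
        self._now = now

    def issue(self, user_id, expires_at=None):
        """After a successful password login: return the value to put in the cookie."""
        selector = secrets.token_urlsafe(12)   # lookup key, not secret on its own
        validator = secrets.token_urlsafe(32)  # the secret; only its hash is stored
        digest = hashlib.sha256(validator.encode()).digest()
        if expires_at is None:
            expires_at = self._now() + COOKIE_LIFETIME
        self._rows[selector] = (user_id, digest, expires_at)
        return f"{selector}:{validator}"

    def auto_login(self, cookie, session_user=None):
        """On each page: return (user_id, replacement_cookie) or (None, None)."""
        if session_user is not None:
            return session_user, None  # already logged in: leave the cookie alone
        selector, sep, validator = (cookie or "").partition(":")
        row = self._rows.pop(selector, None)  # single use: the row is consumed
        if not sep or row is None:
            return None, None
        user_id, digest, expires_at = row
        presented = hashlib.sha256(validator.encode()).digest()
        if self._now() > expires_at or not hmac.compare_digest(digest, presented):
            return None, None  # expired or forged; the row stays deleted
        # Rotate: a copied cookie stops working once the real user returns.
        return user_id, self.issue(user_id, expires_at)

    def logout(self, cookie):
        """Explicit logout: destroy the server-side row so the cookie is dead."""
        selector = (cookie or "").partition(":")[0]
        self._rows.pop(selector, None)
```

The value returned by `issue` would be sent as a cookie with the `Secure` and `HttpOnly` attributes and an expiry matching `COOKIE_LIFETIME`.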

  9. #9
    Member
    Real Name
    Allan Barnard
    Join Date
    Feb 2013
    Posts
    212

    Steve, thanks. I just got back from months on the road (oddly in the SanFran Bay area). I'm firing up all my Alpha apps (a suite of 8+) for a final push to initial release in the next 3 to 4 weeks. A "remember me" feature will be part of our priority. As noted by others, it's a fairly common expectation in modern apps (including many finance related apps). If a workaround wasn't present then I was planning to build my own (as you note, cookie, encrypt, back-end handshake). However, if you have something, I'm all ears! I'll be in touch in the next day or so.

  10. #10
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    "oddly in the SanFran Bay area". I resemble that remark! Next time give me a call, I am about 40 minutes out of San Francisco.

  11. #11
    Member
    Real Name
    Josh Cole
    Join Date
    Jun 2012
    Posts
    678

    Steve,

    I'll test out your solution as well if you're willing to share it twice?

    Thanks

  12. #12
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    I will send it along. I tested it on a spare machine and stayed logged in all day long even though my server session expiration is 6 hours. One thing I noted, you have to structure your application such that all required session variables will re-populate as necessary when you return to the machine. That is because technically, my browser DID logout when my session expired, but upon refreshing the browser the cookie provided credentials and I was re-logged. So, really this is not a "stay logged in" solution. It is an "automatic re-login" solution where the cookie determines the life.

  13. #13
    Member
    Real Name
    Allan Barnard
    Join Date
    Feb 2013
    Posts
    212

    I would have expected an "auto login" process. When a persistent connection is dropped or doesn't exist in the first place, your options are either to have no security and a simple session ID (which generally doesn't happen any more) or you have to re-authorize, generally in conjunction with a session ID if there is ongoing session work.

    So it sounds reasonable and expected Steve. Thanks.

  14. #14
    Member
    Real Name
    Allan Barnard
    Join Date
    Feb 2013
    Posts
    212

    Steve,

    Thanks much for the code. After cleaning up some other tasks I finally managed to attempt
    to install your code.

    I realized only then that it was geared for login/logout components in actual A5W pages
    rather than in a mobile UX environment.

    Ultimately I'll have to come up with an elegant and secure solution (or Alpha / Phonegap will).

    Or... I'll have to make the first page hit by the Phonegap app be an A5W page.

    For now I'll leave it. When I get a solution set up for UX components I'll post it back here.

    Thanks again,

    Allan

    Originally posted by Steve Wood:
    I will send it along. I tested it on a spare machine and stayed logged in all day long even though my server session expiration is 6 hours. One thing I noted, you have to structure your application such that all required session variables will re-populate as necessary when you return to the machine. That is because technically, my browser DID logout when my session expired, but upon refreshing the browser the cookie provided credentials and I was re-logged. So, really this is not a "stay logged in" solution. It is an "automatic re-login" solution where the cookie determines the life.

  15. #15

    Hey guys, may I have the code to provide "automatic re-login" code as my bus got exhausted of log in again and again for one page.
    Could anyone share with me the code or any instructions for that?

    Mo

  16. #16
    Member
    Real Name
    Allan Barnard
    Join Date
    Feb 2013
    Posts
    212

    Mo,

    You might want to clarify specifically what your situation is. The answer varies accordingly.

    Specifically:

    • Only desktop users?
    • Only browser users?
    • Only mobile users via PhoneGap-wrapped apps?
    • Some combination of the above?


    If you have a desktop app (old-style Alpha constructions) then I can't speak to it as I'm only
    in the browser/mobile space. I would imagine you could simply set your security considerations
    to allow continuous login for a specified period (as you can with mobile/browser).

    If you are using security managed by a webserver (true for both browser-based and mobile-based apps)
    then you can do this:

    • open your project
    • open the web-projects window
    • at the top, choose the option "Web Security", which will open a window
    • then choose the "Web Security Configuration"
    • you will get another window... this one with several TABS at the top
    • choose the "Login Options" tab and adjust the "login expiration policy" and the "login expiration time"
    • see the example below



    The challenge
    • The normal method for login control is accomplished through "session variables"
    • If the server bounces or the session dies, your login information and any variables you maintain to manage the login process will vanish
    • the noted example (earlier in this post) is outside of session variables and works with a cookie on the browser
    • which means... it works great for cases (e.g. desktop) or mobile (browser access, not PhoneGap) where cookies are enabled
    • but... this method DOES NOT WORK for PHONEGAP apps because phonegap does not enable cookies for its execution of components.


    The ultimate solution
    • as of today (Oct 30th, 2014) there is not a good solution for Alpha-centric persistent login from a PhoneGap app
    • you can't use stored (offline) LISTS or variables to store the login or password because they would still be accessible to a reasonable hacker
    • you CAN achieve a similar effect by storing logins/passwords in a standard table and then encrypting and decrypting the password on the server side (only passing an encrypted version back to the Phonegap app)
    • however... this question has come up enough that some efforts are currently underway at Alpha to address it with a built-in solution.
    • Note: that information comes from another user here on the forum who (along with myself) are directly affected by mobile-centric persistent logins.
    • Finally... if your app is consumer-centric (not corporate in nature) then you can engage the built-in Facebook and Google+ (or other social media) options introduced in September 2014.


    Whether we have useful code or techniques to share depends on whether you are using A5W pages, UX components accessed from a browser, or UX components in a PhoneGap app.

  17. #17

    Parkjammer,

    Thanks for the heaps of information you published here.
    My issue is about "Only browser users", and I have tried the solution you recommended, but I still have a problem: when I close the browser, open it again and go to the web site, it still asks me for the username and password. That is my problem. I want to stay logged in even if I close the browser.

    Your recommendation works properly when closing a tab of a browser. If the browser is still up (even with no page), when I go to the web site it logs in automatically without any problem.
    Could you help me find out whether it is my mistake in how I reconfigured the application, or is there any other way to close the browser, open it, and log in automatically like many websites such as Facebook or Yahoo, etc.?

  18. #18
    Member
    Real Name
    Allan Barnard
    Join Date
    Feb 2013
    Posts
    212

    I have a set of mobile components (UX components) that I can
    access either via browser or via PhoneGap apps.

    My settings are those that I noted in my prior post. I have set
    my "expiry time" to "1 day" at present (may be two weeks later on).

    I open a browser, log-in, and then kill the browser (all open browser
    sessions are killed... nothing is left running).

    When I launch a new browser I remain logged in when I hit the
    same site (an A5W page that launches a UX).

    If you have set the expiry method and the expiry time as I noted
    prior, then the other thing you may want to do is clear your browser
    cache (including downloaded apps and cookies) and then completely
    exit your browser.

    Then try it again.

    I haven't done more than this and it has worked for me.

    (Allan)

  19. #19
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    I posted my auto-login code here: http://msgboard.alphasoftware.com/al...371#post682371

    I know it works because it has been running fine since I first sent it to Allan. I later tweaked it to only auto-login from my office IP address.

  20. #20
    Member
    Real Name
    Allan Barnard
    Join Date
    Feb 2013
    Posts
    212

    Originally posted by Steve Wood:
    I posted my auto-login code here: http://msgboard.alphasoftware.com/al...371#post682371

    I know it works because it has been running fine since I first sent it to Allan. I later tweaked it to only auto-login from my office IP address.

    Steve can correct me if I am wrong, but I believe Steve's code is designed for situations where you are using A5W pages (for example, an Alpha-based website).

    In my case, I'm using a single and completely empty A5W page to launch the initial UX component and then all other actions are UX components.

    Therefore, the only thing I needed to do was ensure the web security settings are set up as noted in my prior posts.

    Certainly, if you are in a pure A5W environment, Steve's is the better and more controlled method.

    Allan
