Check User Logged In Via API or HTTP Link/Query?
xifekobo
Is there a way to check via link or api if available if a user is logged in?
Comments
No, Vanilla does not currently use proper sessions so there's no server-side indication of who is logged in. The best you can do is look at their last visit time.
https://vanillaforums.org/profile/xifekobo.json
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
just https://vanillaforums.org/profile.json will do
grep is your friend.
What do you mean proper sessions?
HTTP is stateless. Even if the session was stored, it doesn't mean they are "logged on".
Btw using HMAC there is nothing to jackpot on the server.
There is no good reason to store the session in tables IMO, it is old hat.
Data wise it does provide a transient store, but that is nothing to do with authentication.
grep is your friend.
Querying their profile.json endpoint is an (insecure) way to check from the user's browser if they (theoretically) have valid cookies for the forum. The question phrasing led me to believe he was attempting server-to-server state checking.
The PHP sense.
We had different interpretations of what the OP asked.
Selectively invalidating sessions or storing data in them without writing to the database are both pretty nice use cases.
Thanks. Yes, true, the second link will tell you information for yourself if you are logged in, but one already knows that presumably.
The first link, with a user's name, will provide the info for other users, unless you mean something else that I don't understand.
Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.
Thanks guys for the replies! I'll take what I can get right now so it's worth a try with @Linc's solution.
My question is how long will the status change on the json file? I'm guessing about 5mins or as soon as the user logs out?
HTTP is stateless, you can't tell if they are "logged in" unless you are their client anyway. That is because there is no such thing as "logged in", only correctly authenticated.
Even who's online plugin is based on constant polling (which is generally a bad idea to put that load on the server).
grep is your friend.
HTTP servers do not have a user state. The protocol is stateless. Each request is separate, but I'm sure you know that anyway. A cookie can be used to authenticate and create an association to data which may be stored in a transient or permanent way.
Sometimes there is transient stored authentication. This is not superior to HMAC IMO. You can combine the unstored authentication with session validation however.
You can do this besides authentication, so it is not dependent on the main authentication. Vanilla also has transient data too through stash.
grep is your friend.
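The thread contrasts HMAC-signed cookies, where the server stores nothing, with stored sessions and selective invalidation. The sketch below is an added example, not Vanilla's code or cookie format: a stateless signed cookie checked per request, plus an optional server-side cutoff table for revocation. The key, field layout and function names are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: signing key known only to the server
revoked_before = {}               # optional server state: user_id -> cutoff timestamp


def _tag(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id, now, ttl=3600):
    """Build 'user_id|issued|expires|tag'. Nothing is recorded server-side,
    so the server has no list of who is 'logged in'."""
    payload = f"{user_id}|{int(now)}|{int(now) + ttl}"
    return f"{payload}|{_tag(payload)}"


def verify_cookie(cookie, now):
    """Return the user_id if the cookie authenticates this request, else None."""
    try:
        user_id, issued, expires, tag = cookie.split("|")
        issued, expires = int(issued), int(expires)
    except ValueError:
        return None  # wrong field count or non-numeric timestamps
    expected = _tag(f"{user_id}|{issued}|{expires}")
    # Constant-time comparison so the check does not leak how much of the tag matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    if now >= expires:
        return None
    # Session validation layered on top of the unstored authentication:
    # cookies issued before the user's cutoff are rejected.
    if issued < revoked_before.get(user_id, 0):
        return None
    return user_id


def revoke_user(user_id, now):
    """Selectively invalidate every cookie issued to user_id before 'now'."""
    revoked_before[user_id] = int(now)
```

Without the `revoked_before` table a valid cookie stays valid until it expires, which is why the server can only say a request is correctly authenticated, not that a user is currently online.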