Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Check User Logged In Via API or HTTP Link/Query?

Is there a way to check via link or api if available if a user is logged in?

Comments

  • LincLinc Detroit Admin

    No, Vanilla does not currently user proper sessions so there's no server-side indication of who is logged in. The best you can do is look at their last visit time.

  • Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • x00x00 MVP
    edited October 2016

    @Linc said:
    No, Vanilla does not currently user proper sessions so there's no server-side indication of who is logged in. The best you can do is look at their last visit time.

    What do you mean proper sessions?

    HTTP is stateless. Even if the session was stored, it doesn't mean they are "logged on".

    Btw using HMAC there is nothing to jackpot on the server.

    There is no good reason store the session in tables IMO, it is old hat.

    Data wise it does a provide a transient store, but that is nothing to do with authentication

    grep is your friend.

  • LincLinc Detroit Admin
    edited October 2016

    Querying their profile.json endpoint is an (insecure) way to check from the user's browser if they (theoretically) have valid cookies for the forum. The question phrasing led me to believe he was attempting server-to-server state checking.

    @x00 said:
    What do you mean proper sessions?

    The PHP sense.

    @x00 said:
    Even if the session was stored, it doesn't mean they are "logged on".

    We had different interpretations of what the OP asked.

    @x00 said:
    There is no good reason store the session in tables IMO, it is old hat.

    Selectively invalidating sessions or storing data in them without writing to the database are both pretty nice use cases.

  • RiverRiver MVP
    edited October 2016

    thanks. yes. true the second link will tell you -information for yourself if you are logged in, but one already knows that presumably.

    the first link with a users name , will provide the info for other users, unless you mean something else that I don't understand.

    Pragmatism is all I have to offer. Avoiding the sidelines and providing centerline pro-tips.

  • Thanks guys for the replies! =) I'll take what I can get right now so it's worth a try with @Linc 's solution.

    My question is how long will the status change on the json file? I'm guessing about 5mins or as soon as the user logs out?

  • @River said:

    thanks. yes. true the second link will tell you -information for yourself if you are logged in, but one already knows that presumably.

    the first link with a users name , will provide the info for other users, unless you mean something else that I don't understand.

    HTTP is stateless, you can't tell if they are "logged in" unless you are there client anyway. That is becuase there is no such thing as "logged in", only correctly authenticated.

    Even who's online plugin is based on constant polling (which is generally a bad idea to put that load on the server).

    grep is your friend.

  • @Linc said:
    Querying their profile.json endpoint is an (insecure) way to check from the user's browser if they (theoretically) have valid cookies for the forum. The question phrasing led me to believe he was attempting server-to-server state checking.

    HTTP servers do not have a user state. The protocol is stateless. Each request is separate, but I'm sure you know that anyway. A cookie can be used to authenticate and create and association to data which may be stored in a transient or permanent way.

    Sometimes there is transient stored authentication. This is not superior to HMAC IMO. You can combine the unstored authentication with session validation however.

    @x00 said:
    Even if the session was stored, it doesn't mean they are "logged on".

    We had different interpretations of what the OP asked.

    @x00 said:
    There is no good reason store the session in tables IMO, it is old hat.

    Selectively invalidating sessions or storing data in them without writing to the database are both pretty nice use cases.

    You can do this besides authentication, so it is not dependant on the main authentication. Vanilla also has transient data too through stash.

    grep is your friend.

Sign In or Register to comment.