Alfresco / alfresco-community-repo

Community Content Service Repository
https://www.alfresco.com/it/ecm-software/alfresco-community-edition
GNU Lesser General Public License v3.0

Concurrent user login - session logout #2944

Open spomytkin opened 1 month ago

spomytkin commented 1 month ago

https://github.com/Alfresco/alfresco-community-repo/blame/f3e0c43f3b32de6c4a6644e8b42679825783f98f/repository/src/main/resources/alfresco/repository.properties#L563

Trying to solve the problem opposite from https://hub.alfresco.com/t5/alfresco-content-services-forum/concurrent-user-login-session-logout/td-p/306991. For some reason there is no way to post a question to this forum (posting appears to require "Choose a board" and it's empty), so asking here.

The original question was: “How to prevent the same user login in different systems in the alfresco or how to inform the user that another system trying to login using the same user?”

I need users automatically logged out of their previous session when a new login attempt is made. Per the documentation, "authentication.ticket.useSingleTicketPerUser=true" should just do it, but a new browser session doesn’t cause a logoff (e.g. if I open a new anonymous window it asks for login and both sessions stay logged in).

Configuration: plain Alfresco version 6.1.0 (e.g. no SSO).

jottley commented 1 month ago

Not an indication that I can answer the question yet...but for clarification: You would like to invalidate any previous/current session for a user when that user logs in elsewhere and a new session is created. Is that correct?

iwkse commented 1 month ago

Yes, it should be exactly like that. Having a single session per user.

jottley commented 1 month ago

So I think what you may be after is this: https://github.com/Alfresco/alfresco-community-repo/blob/9f6ef99ef5c1ee1e91e462c99509cab7088857f2/repository/src/main/resources/alfresco/authentication-services-context.xml#L640

This is deprecated so no direct way to set the property except to modify the bean in the xml. The code is still in place. You would get a warning when it is set to true. It doesn't work in a cluster as it just removes the ticket from the in-memory cache. But I believe that it will remove the ticket for the existing session when a new attempt to validate the ticket occurs.

iwkse commented 1 month ago

Wouldn't this recreate the ticket after each call instead of being a ticket per user?

spomytkin commented 1 month ago

Correct: invalidate any previous/current session and ideally indicate the reason in the UI (e.g. a log off message).

"oneOff"

jottley commented 1 month ago

Then it might not be an OTB solution. Looking at the code I am not sure that I see a configurable way to achieve it.

spomytkin commented 1 month ago

> Then it might not be an OTB solution. Looking at the code I am not sure that I see a configurable way to achieve it.

I see in https://github.com/Alfresco/alfresco-community-repo/blob/9f6ef99ef5c1ee1e91e462c99509cab7088857f2/data-model/src/main/java/org/alfresco/repo/security/authentication/InMemoryTicketComponentImpl.java#L203

```java
if(useSingleTicketPerUser)
{
    ticket = findNonExpiredUserTicket(userName);
}
```

Would you mind a quick conversation to make sure there is no OTB and, if so, discuss a potential enhancement (it shouldn't be terribly hard to check on login if there is already a session for a given user and invalidate it)? It would be simpler if we could look at the code you are referring to and discuss a solution.

I’m on EST and my Google account (Gmail, etc.) is the same as my GitHub profile - spomytkin.
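
The two behaviours discussed in this thread, side by side, as an added example: this is a toy in-memory ticket store, not Alfresco's code, and the class, enum and method names are hypothetical. It assumes the quoted line means a login hands back the user's existing ticket, contrasts that with replacing the ticket on every login, and leaves ticket expiry out.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added illustration only: hypothetical names, not Alfresco classes.
public class TicketPolicyDemo {
    enum Policy { REUSE_PER_USER, ROTATE_ON_LOGIN }

    private final Policy policy;
    // In-memory maps: as noted in the thread, state like this is local to one node.
    private final Map<String, String> ticketToUser = new HashMap<>();
    private final Map<String, String> userToTicket = new HashMap<>();

    TicketPolicyDemo(Policy policy) { this.policy = policy; }

    // Called after credentials have been verified.
    synchronized String login(String user) {
        String existing = userToTicket.get(user);
        if (existing != null) {
            if (policy == Policy.REUSE_PER_USER) {
                return existing;            // second browser shares the same ticket
            }
            ticketToUser.remove(existing);  // ROTATE_ON_LOGIN: the old ticket stops validating
        }
        String ticket = "TICKET_" + UUID.randomUUID();  // randomUUID() draws from a CSPRNG
        ticketToUser.put(ticket, user);
        userToTicket.put(user, ticket);
        return ticket;
    }

    // Called on every request that presents a ticket.
    synchronized boolean isValid(String ticket) {
        return ticketToUser.containsKey(ticket);
    }

    public static void main(String[] args) {
        for (Policy p : Policy.values()) {
            TicketPolicyDemo store = new TicketPolicyDemo(p);
            String browserA = store.login("alice");  // first session
            String browserB = store.login("alice");  // e.g. a new anonymous window
            System.out.printf("%s: sameTicket=%b, A valid=%b, B valid=%b%n",
                    p, browserA.equals(browserB),
                    store.isValid(browserA), store.isValid(browserB));
        }
    }
}
```

Under the reuse policy both browsers hold one valid ticket, which matches the reported symptom of both sessions staying logged in; only the rotate policy makes the first session's ticket fail validation on its next request.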