reset user session at login for 5.6.1.2

Permalink
Hi,
I am currently working on a legacy site 5.6.1.2, the owners have asked me to change the behaviour as follows.
Assuming that the user has a valid account and is logged in, if he chooses to exit the browser without logging out when the user returns to the site he will be required to login again, Even if he has the secure page he wants to visit as a shortcut he will be required to resubmit his credentials.
This is a site running both http and https(for secured pages)
I have explored a few possibilities but I have not managed to reproduce the same behaviour that comes from doing a logout. Can anyone advise please?

Thanks
Martyn

FaganSystems
View Replies: View Best Answer
FaganSystems replied on at Permalink Reply
FaganSystems
Bump...

I am still having no success on how to do this, any ideas would be most appreciated..
hutman replied on at Permalink Reply
hutman
I don't think there is any really good way to do this.

I don't know of any way that you will be able to know if a user came to your site from another site, or from another page on the current site.

If you have normal sessions setup if the user exits the browser (closes it completely) their session is reset and they will have to login again though.
FaganSystems replied on at Permalink Reply
FaganSystems
Hi,
The aim here is to make sure that if they have persisted their password for 14 days and then closed the browser while logged in. When they opened the browser they could in theory be returned to the same https state they had before. This is acceptable behaviour,
Because we will have varnish caching running in front of the http site when they initially reload the site they will not be logged in due to the way that varnish is blocking the cached login. If they then go tohttp://thewebsite.com/login we ewant the user to have to login again, We do not want them to go to login which switches to https due to internal routing and then would be immediately logged in. This we feel is a state change too far
The plan is to add in code at the onStart function to wipe any persisted credentials so that they would have to login again.
I hope that makes sense.
hutman replied on at Permalink Reply
hutman
So what exactly information are you asking for if you have this already figured out?
FaganSystems replied on at Permalink Reply
FaganSystems
Hi,
I have far from figured out how to clear the persisted login.
What I want is to get the same behaviour as you get when logging out.
If you are logged in and then log out then you try to return to the site you have to log in again.

I have tried the obvious in clearing the fvt cookie, destroying the session etc on the login onstart but nothing I have tried has meant I have to login to continue in the secure side of the site.

It is possible of course that it is not possible to achieve. So maybe a more fundamentalist understanding of how the logout mechanism is working may be in order.
hutman replied on at Permalink Best Answer Reply
hutman
Have you tried doing

$u = new User();
if($u->isLoggedIn()){
    $u->logout();
}
FaganSystems replied on at Permalink Reply
FaganSystems
when the solution is so simple is the best solution, it works 100%

Thanks