I have created 2 Custom Files, CustomA and CustomB.
I activated Logout Concurrent Users from Advanced Security.
Now on Browser1 I open the page and I can access all the tables, CustomA, CustomB.
At the same time I open the site on another computer, Browser2, and can access all.
In this case I go to Browser1 and I can access CustomA and CustomB only, meaning I can access all the custom files.
I check the
echo CurrentUserID(); // I get the value
var_dump(Session()); // I get the value
if (isLoggedIn()) { // it is showing as login
    echo "check login";
}
It continues working if I stay in the custom file. As soon as I go to any table it shows “Session logou” and I am unable to access the custom file also.
Here my concern is that if the session is already logged out, then why are these custom files still accessible? Please kindly help to block this issue.
Note that HTML is stateless, the page only knows the server status (e.g. user to be logged out) when you reload the page or load another page. The server cannot log user out itself if the user stays on the client side.
After the session is logged out I can access all the Custom Files, after reloading the page also. I can go to CustomA and CustomB, any custom file, until I go to a table or view. Once I go to a table or view, I cannot access the CustomA or CustomB file.
Make sure your Custom Files use Include Common Files so that they are part of the web application and protected by Advanced Security. If you tried to include files yourself like this topic, they are standalone files and you need to handle security yourself, that’s another reason why you should not do that anymore.
Are you sure your custom files are protected by User Level Security? If they allow Anonymous access, the user can still access the page as Anonymous User even if they have logged out. If you have reloaded the page, and you have really logged out, then you should not be able to see CurrentUserID() (unless your pages are cached). However, note that if you have “Remember me” enabled, and you did not log out explicitly, your identity and login status (being auto logged in with the identity) can still be recovered from cookie on reload.
Yes, it is confirmed that I am using Include Common Files.
Anonymous cannot access the custom file; it can be accessed by the session-expired user only if they stay on any custom file. Once they go to any other page except a custom file, they will not be allowed to use the custom file again until a fresh new login.
Yes the “Remember me” option is enabled.
As you say that “can still be recovered from cookie on reload”, why does this affect only the custom files and not any other page like table, view, customview, changepassword page etc.?
So in this case how can we handle it for security reasons?
If it is “Remember me” working, then note that it is meant to recover identity, you are being logged in again using the identity “remembered” by cookie. There is no security issue. If it is “Remember me”, it works with all other protected pages. However, note also that if you have really logged out successfully, the remember me cookie is cleared, there should be no remember me cookie. You may check HTTP response headers in your browser’s Network panel and see if there is a remember me cookie sent when you reload the page. You had better also enable Debug and check the log file for more info when you reload the page.