Create a query to get customer information instead of using session #2359

Open: wants to merge 3 commits into base: master

Contributor

TomPradat commented Feb 22, 2017

Resolve issue #2358

Contributor

roadster31 commented Aug 10, 2017

I suggest implementing this check in the getCustomerUser() method of SecurityContext, caching the result for the current request, and doing the same for the admin user, as discussed in #2089.

What do you think?

Contributor

roadster31 commented Sep 4, 2017

@TomPradat any update?

Contributor

TomPradat commented Sep 4, 2017

As said in #2089, why not delete the session of the user when changed or deleted? We have, or should have, events fired when a user is changed. Let's just kill the session if the user is deleted or the user is an admin. Also, with this PR we make sure that if a user changes information, he gets the right information in his profile view.

Contributor

zorn-v commented Sep 4, 2017

For "delete session of the user" you must find the file in local/sessions with that session on the server and delete it.
And just imagine a module that keeps sessions in another place (in some db, for example).

You must store all sessions (ids) of all users somewhere to properly destroy them.
Do you really think it is a good solution?

Contributor

TomPradat commented Sep 4, 2017

Well we could have a table with the session ids associated to users and have an interface to destroy sessions so that you can store the sessions wherever you want.

Contributor

zorn-v commented Sep 4, 2017

Do you really think it is a good solution?

AFAIR you also must invalidate it on the client for "things go right"

Contributor

TomPradat commented Sep 4, 2017

I don't understand your last comment. But I think this could be a good solution instead of having more and more checks on every request that are useful 1 out of 10 000 or so. This is the most logical way to do it from my point of view. It is the delete/change user action which should lead to disconnecting the user, not checking at each user request if he is still in the database and hasn't changed.
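
An added sketch of the approach debated in this thread (a table of session ids per user, plus an interface for destroying sessions wherever they are stored). It is not code from this pull request or from Thelia: every class and method name is hypothetical, and the in-memory backend and session ids are constructed.

```php
<?php
// Added example; every name below is hypothetical, none is Thelia's API. PHP 8+.
/** Where sessions physically live: local/sessions files, a database, a cache... */
interface SessionBackend
{
    public function destroy(string $sessionId): void;
    public function exists(string $sessionId): bool;
}

/** Constructed in-memory backend so the example runs without a server. */
final class ArraySessionBackend implements SessionBackend
{
    public array $sessions = [];
    public function destroy(string $sessionId): void { unset($this->sessions[$sessionId]); }
    public function exists(string $sessionId): bool { return isset($this->sessions[$sessionId]); }
}

/** The "table with the session ids associated to users", kept in memory here. */
final class UserSessionRegistry
{
    private array $byUser = []; // user id => [session id => true]
    public function __construct(private SessionBackend $backend) {}

    /** Call at login. */
    public function register(int $userId, string $sessionId): void
    {
        $this->byUser[$userId][$sessionId] = true;
    }

    /** Call from the listener of the user deleted/changed event. */
    public function revokeAll(int $userId): int
    {
        $ids = array_keys($this->byUser[$userId] ?? []);
        foreach ($ids as $sessionId) {
            $this->backend->destroy((string) $sessionId);
        }
        unset($this->byUser[$userId]);
        return count($ids); // number of sessions destroyed
    }
}

// Constructed scenario: customer 42 is logged in on two devices, customer 7 on one.
$backend = new ArraySessionBackend();
$backend->sessions = ['aaa' => [], 'bbb' => [], 'ccc' => []];
$registry = new UserSessionRegistry($backend);
$registry->register(42, 'aaa');
$registry->register(42, 'bbb');
$registry->register(7, 'ccc');
printf("destroyed: %d\n", $registry->revokeAll(42)); // customer 42 was deleted
var_dump($backend->exists('aaa'), $backend->exists('bbb'), $backend->exists('ccc'));
```

A real registry would also need entries removed on logout and session expiry, otherwise it accumulates stale ids.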
