1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Logged In Cookie 0.1

Distinguish logged in users with a reliable cookie.

  1. RastaLulz

    RastaLulz Well-Known Member

    RastaLulz submitted a new resource:

    Logged In Cookie - Distinguish logged in users with a reliable cookie.

    Read more about this resource...
    def, Nuno, HWS and 1 other person like this.
  2. RoldanLT

    RoldanLT Well-Known Member

    After installing this addon, all my login users will automatically be logout? and need to login again?
  3. RastaLulz

    RastaLulz Well-Known Member

    They won't be logged out per se, but they'll appear logged out on the first request, as the page will be rendered as a guest as they won't have "xf_logged_in" set. But on that first request the cookie will be set (assuming they're logged in), so they'll be logged in normally on the next request, whether they attempt to login, or click another link/reload.
    maszd, eva2000 and RoldanLT like this.
  4. RoldanLT

    RoldanLT Well-Known Member

    Installed now on my Forum, and works as expected (y).

  5. eva2000

    eva2000 Well-Known Member

    very nice :D
    RoldanLT likes this.
  6. Nuno

    Nuno Active Member

    The next step would be a bypass to the thread and media counters so we could update our views.
    With nginx/apache there is a way to archive this using SSI and an external file/mod to simulate varnish esi:

    <!–# include virtual=“/viewscounter/thread/123”  –>

    <!–# include virtual=“/viewscounter/media/123”  –>
    At this time I only cache the front page, forums and members because of this ...
    I'm not a knowledge xf developer so it's hard for me to do this! :)
  7. HWS

    HWS Well-Known Member

    By default the view counters are also updated only every 15 minutes or so, they are not live. If you renew your cache every 5 or 10 minutes (which is very recommended) you do not need to exempt the view and media counters.
  8. Nuno

    Nuno Active Member

    But if the page is cached those views wont be counted since there is no phl/mysql work, only registered members will be counted.
  9. HWS

    HWS Well-Known Member

    Oh, I misunderstood you. Please disregard my former post.
    Nuno likes this.
  10. RoldanLT

    RoldanLT Well-Known Member

    Why is thread view really important with you guys? :)
    Xon likes this.
  11. Mouth

    Mouth Well-Known Member

    Any feedback on experience with this? Did users notice? Did it cause a stir? Did you advise first?
    maxicep likes this.
  12. RastaLulz

    RastaLulz Well-Known Member

    From what I gathered, they just assumed they were logged out for whatever reason, and hit the login button at the top, and attempted to sign in normally. No one mentioned it, and when I asked, they simply stated they logged back in, and that was that.
  13. maxicep

    maxicep Active Member

    So, everyone advice that add-on for big boards ?
    Did you see any incompatibility with other add-ons, especially redis caching ?
  14. RoldanLT

    RoldanLT Well-Known Member

    TheComputerGuy and HWS like this.
  15. def

    def Member

    So simple it should be built in option of XF! Thank you!

    I try to use it with Varnish but for some reason logged_in cookie isnt dropped (all other cookies are, only session cookie stays).

    So I am logged out, but the cookie is there, and guest page isnt cached.

    Once I switch off varnish out of the loop and request goes directly to http server the cookie is deleted.

    So it looks like this cookie isnt unset "at" logout, but "at" first request after logout. Is that correct? Any hint?

    If thats correct, thats a pitty, because I would have to uncache "/" in order to allow cookie unset...

    Weird, now I see other cookies are also not dropped and I cannot logout... I am playing with configuration, must have broken something...
  16. def

    def Member

    @RoldanLT hmmm seems logout doesnt work at all... I cannot figure it out, why cookies are not dropped :( Have you had similar issue with NGinx caching? Varnish gurus out there?
  17. def

    def Member

    Ok, got it.

    vcl_backend_response had wrong order for POST method handling (simply it was after no-cache rules, but should be before). Learning every day :)

    Works fine, testing.

    Thanks @RoldanLT !
    RoldanLT likes this.
  18. RoldanLT

    RoldanLT Well-Known Member

    No problem on my Nginx fastcgi_cache setup :).
  19. def

    def Member

    May I request a feature? :)

    Can the logged_in cookie contain a salted/keyed hash (HMAC) of user cookie instead of "1"?

    Its easy to imagine DDOS attack with clients that have logged_in cookie set to 1, then every request goes straight to backend.

    If instead of "1" it contains a hash of user cookie, I could validate the authenticity of the cookie (assuming key/salt is not known to the attacker) in the caching layer, without the need of passing it to the backend.

    What do you think? I found Nginx mod that tries to implement similar approach - Lua Resty HMAC, maybe you could use it too in your scenario.


    Here is header example:

    Queue and RoldanLT like this.

Share This Page