Hi,

When session is used:

As was rightly pointed out last year in this thread:
http://groups.google.com/group/ape-project/browse_thread/thread/ea4f2cecbb330029/c86309d9710d59f4?lnk=gst&q=Ape+Session+Handling#c86309d9710d59f4

if one authenticates a user when he connects to APE server the first
time, we do it in the hook on CONNECT.

However, if the user logs out from PHP, logs in again with a different
username, connects to APE, then CONNECT is not sent but SESSION. Which
means that the user will not be authenticated.

I tried a few workarounds but nothing seems to work:

1) in Ape.registerHookCmd("session",..), I'd like to return false, or
[004,BAD_SESSID] or anything that would prevent the old session to be
accepted, but there seems to be no way to prevent the hook to do
anything valuable. Is there a way?

2) I tried delete (info.user) in Ape.registerHookCmd("session",..) but
it does not help

3) I might also try to delete the session in
Ape.registerHookCmd("session",..) but it is a known fact that the
server can't kill a session before the 45 seconds. I am still
wondering why there is this limitation. It makes me crazy. Many cases
would be easily solved if this feature existed.

Of course, I can certainly use clearsession on the client side before
every connection. To force the client to use CONNECT. But 1) that's
not pretty 2) a hacker can easily remove this clearsession to get
access to the unauthenticated session...

Any thoughts on this?

Many thanks.

Nicolas.

