#clojure-uk
2018-04-12
danm08:04:38

eyup

☀️ 4
🦆 8
chrjs08:04:43

Mornin’

👋 4
yogidevbear09:04:44

Is that a disco dancing man @mccraigmccraig? 🕺

mccraigmccraig09:04:23

🕺 slack is unfortunately not explicit about the exact manner of dancing the man is indulging in @yogidevbear , but were it up to me, i would choose disco

🙂 4
maleghast09:04:00

Morning All!

maleghast09:04:36

Just a very quick question, in case any of you have a solid answer... How would you kill a session in a tabbed browser when all the tabs for a site were closed, without an explicit logout action? (i.e. public computer close all windows, walk away and someone else cannot re-open the tabs and be logged in)

3Jane09:04:30

clear the cookies

3Jane09:04:10

if you don’t want to nuke all the cookies, you can generally find cookies set by the specific url if you dig into it

3Jane09:04:44

…or do you mean as the owner of the site? then you’d use a session library with session invalidation after a certain time period

3Jane09:04:43

But as a user, if it’s a public computer, nuke all the cookies.

3Jane09:04:25

…You can also use incognito browsing mode when you start your browsing session, that’ll automatically clear everything up, including your history!

Aleksander10:04:16

morning everyone!

maleghast10:04:56

@lady3janepl - Yeah, I am talking about as the site owner / operator, how could one use code to kill that session.

mccraigmccraig10:04:14

@maleghast if you get your client to hold open a websocket, you can clear the session on the api-side when the websocket connection drops

maleghast10:04:25

(i.e. assume that the user is not disciplined enough to log out themselves)

mccraigmccraig10:04:40

which will also drop the session if there are network outages, which may be too inconvenient

maleghast10:04:43

@mccraigmccraig - that's an interesting idea 🙂

3Jane10:04:43

then the standard solution is session timeout

maleghast10:04:05

I was just going to ask if there was any way to mitigate patchy network, but you answered that 🙂

3Jane10:04:53

yeah, depending on what your expected user is, I’d be worried about sessions dropping for mobile users

maleghast10:04:01

@lady3janepl - as in cookie lifespan? Unless it's < 60 seconds there's a lot of scope for another user to re-open the tabs and be logged in.

maleghast10:04:21

@mccraigmccraig - I do not believe so (I am _really_ asking for a friend)

3Jane10:04:30

not a cookie lifespan, because you can’t rely on those - when you store session data on server side, you check the time of last access

maleghast10:04:53

@lady3janepl - Ah, I see what you mean. Ok, that makes sense.

mccraigmccraig10:04:55

if it's an SPA then it's easy - you can just keep the auth token in volatile storage, so auth is required on every reload

3Jane10:04:56

and yes, it’s not immediate since it’s user-error-tolerant so it’s not really a substitute for users logging out on a public computer

maleghast10:04:11

Could tie it up with a token refresh window based on activity etc.

maleghast10:04:28

@mccraigmccraig - Yeah, that's a great idea

maleghast10:04:40

unfortunately, not an SPA

3Jane10:04:53

you could do what banks, github, etc do and require a password confirmation for a logged-in user to execute extra sensitive actions

maleghast10:04:03

Also a possibility

mccraigmccraig10:04:04

(the websocket solution also only works on an SPA)

mccraigmccraig10:04:18

if it's not an SPA you are left with timeouts

mccraigmccraig10:04:44

i haven't done anything that isn't an SPA for so long... i almost forget they exist

3Jane10:04:10

Also: what are you trying to protect against?

maleghast10:04:20

I had in my head that there is / was a way to run code (JavaScript) on window close events, but I can't get any good answers out of Google, apart from deprecated jQuery stuff.

3Jane10:04:32

…I was gonna say

3Jane10:04:41

you can’t rely on anything that runs in user browser for security, really

maleghast10:04:59

@lady3janepl - User closes browser / tabs and walks away, another person re-opens the tabs and is logged in. On a public / shared computer.

mccraigmccraig10:04:38

js on window-close is flaky anyway - if there are real security concerns then you need a threat model, and probably something like @lady3janepl’s suggestion of additional auth for sensitive ops

3Jane10:04:56

and/or 2FA

maleghast10:04:59

Yeah, I am starting to think that

3Jane10:04:30

running a script on page close is dependent on no one setting up the browser in a malicious way for the user

maleghast10:04:00

My bank does that - to send money to a "new" payee there is a 2FA component that would negate the ability of a bad actor creating a new payee and draining my account, unless they had my token device / and or me with a gun to my head.

3Jane10:04:03

that’s why I asked what you’re trying to protect against - it’s who the “another person” is. for non-sensitive data it’s probably too much effort, and for sensitive data it’s not enough protection.

mccraigmccraig10:04:06

most bank sites manage to disable browser nav or page-reload though - how do they do that ?

3Jane10:04:43

you can disable things in browser via javascript but obvs that has the same problem of code running in a potentially malicious environment

maleghast10:04:47

@mccraigmccraig - HSBC doesn't, it just has notices everywhere saying don't use the browser buttons or the site will log you out.

mccraigmccraig10:04:05

right - that is enough isn't it ?

3Jane10:04:10

it used to be much more popular that pages would disable copy-paste for example, or add extra text to the buffer, back when people were more concerned about having their content stolen

3Jane10:04:14

oh! the other thing

maleghast10:04:17

They have tokens on links / events and if you don't click on a link to navigate you get dumped.

3Jane10:04:27

what’s it called… something like xfrs

maleghast10:04:00

csrf protection - cross-site request forgery protection

3Jane10:04:38

yeah but the token generating thing was called something specifically

3Jane10:04:59

yeah, single-use tokens basically 🙂 but that doesn’t protect you against someone reopening a cached tab

3Jane10:04:25

(I think?)

maleghast10:04:48

no it doesn't

mccraigmccraig10:04:55

just make it an SPA already

😂 16
maleghast10:04:04

not my call, sadly 😞

maleghast10:04:22

(not my job / business either, so not too upset about not being the arbiter of all choices)

danm12:04:24

I'm so glad I mostly don't have to worry about frontend...

mccraigmccraig12:04:26

SPA frontend is not so much different from backend @carr0t - non-SPA frontend is painful

Rachel Westmacott13:04:43

I really enjoy the front end stuff that I get to do.

mccraigmccraig13:04:33

what are you using for it @peterwestmacott?

Rachel Westmacott13:04:53

UIs for managing data

Rachel Westmacott13:04:06

plotting the odd graph

mccraigmccraig13:04:07

i meant what platform for your frontends... cljs, reagent, rum etc

Rachel Westmacott13:04:39

I had a look at re-frame - because all the cool people are using it and saying it’s awesome for larger projects

Rachel Westmacott13:04:53

so I tried to create a re-frame project as a side-project

Rachel Westmacott13:04:13

but it quickly looked like a massive time-sink, for very little benefit over reagent

Rachel Westmacott13:04:38

now, it may just be that none of my SPAs are big enough so far to be worth the extra complexity

Rachel Westmacott13:04:12

or it may be that I was too tired and/or stupid when I was investigating it to quickly grok its pattern

Rachel Westmacott13:04:18

but I found it initially confusing

Rachel Westmacott13:04:27

I might take another look soon though.

mccraigmccraig13:04:11

ha, maybe... i've never found it to be a time-sink - mostly it just enforces a discipline and convention that you would want anyway, but most probably better thought out than a home-rolled solution would be

mccraigmccraig13:04:49

but it's got quite a bit more in it now than it used to have (with all the effects stuff) so maybe the cognitive load has increased

Rachel Westmacott13:04:55

I don’t doubt that it’s well thought out - I just didn’t understand it, and without having internalised the ‘thought-out-ness’ it feels gratuitously complicated

Rachel Westmacott13:04:42

I suspect that its patterns are a good solution to things that I mostly solve with developer discipline.

Rachel Westmacott13:04:12

To be clear, I do mean to go back to it, and I do expect it to be good.

mccraigmccraig13:04:00

at its core there are 3 things [1] single global source of state [2] views (= reagent components) subscribe to parts of that state and [3] state evolves only by reducing events (with handler fns) on to the global state

mccraigmccraig13:04:24

that's basically it... but there are a bunch of conventions and detail on top of that to make it happen which can probably be confusing (subscription layers, interceptor chains, effects, all the talk of dominos)

mccraigmccraig13:04:50

i don't think it's perfect though - event handlers don't compose well, meaning that it doesn't help you abstract complex interactions between client and server in the way that you can by (say) composing promise-producing fns

thomas13:04:59

I have found re-frame not particularly straightforward either coming from reframe TBH.

thomas13:04:37

I have done two small projects with it (the "same" functionality actually)

mccraigmccraig13:04:48

coming from reframe or reagent @thomas?

thomas13:04:04

mind you... I think re-frame-10x looks very good.

thomas13:04:14

coming from reagent (doh)

thomas13:04:23

reagent -> re-frame

maleghast13:04:05

I am pretty sure that I will need to adopt re-frame, but in order to hit productivity goals in the short-term I have kicked adopting it down the road a little and while I realise I _may_ be storing up pain for myself, Reagent on its own is so productive and I don't have to grok the (well thought out) wrappers over the top that re-frame uses.