Current app:

The app I'm working on has a single User entity.

Users can be "member" or "manager" using a boolean attribute stored in the database (is_manager).

All the users connect through the same route (/login) and are redirected depending on the attribute is_manager.

Here is my problem:

The client wants to be logged in as a "member" in one tab and as another user, a "manager", in another tab of the same browser. Not several "members"/"managers" at the same time in the same browser.

How can I achieve it with Symfony 3.3? Based on my idea the session ID should depend on the attribute is_manager, but I'm not really sure of it and don't know how to do it with Symfony.

Any help will be really appreciated!

Julien
  • not really possible. how would it know which tab is which session? I had this issue, what I did was make a page where you can "switch passports", basically switch role and see different homepage based on the type of user currently logged in as – delboy1978uk Oct 25 '18 at 15:02
  • Have a look at https://stackoverflow.com/questions/368653/how-to-differ-sessions-in-browser-tabs. Short answer: you can't really do what you're asking for, and using html5 SessionStorage probably isn't what you want, but it's the closest you can get. – Chris Lear Oct 25 '18 at 15:07
  • Well, a single user can be logged in at a time on the same application on the same browser window. Tell the client to go incognito for the other one. – nice_dev Oct 25 '18 at 15:07
  • 1
    Tell them to open an additional private browser window, and login using the other account in there. That’s pretty much the only thing they can do, other than writing their own browser that provides the (rather absurd) functionality they are asking for. – misorude Oct 25 '18 at 15:07
  • Tell him to open an incognito page, problem solved – Jaquarh Oct 25 '18 at 15:37

2 Answers

You could use User switching to almost solve this problem. Instead of logging in as member or manager, they log in as a user with the role ROLE_ALLOWED_TO_SWITCH. You can then provide links to the page they want to see with an added parameter ?_switch_user=member_user or ?_switch_user=manager_user. Both those users have to exist and need the correct permissions.

This may not be perfect: for example, you have to maintain 3 different users for 1 account, and you have to make sure they don't accidentally perform actions after switching the role, but that is the best way I can think of to support this kind of switching.

dbrumann
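The firewall configuration the answer above relies on, as an added example that is not part of the original answer. The firewall name `main`, the route names and the `member_user`/`manager_user` usernames are assumptions; `switch_user`, `role`, `parameter` and the `_exit` value are standard Symfony 3.x security options.

```yaml
# app/config/security.yml (Symfony 3.3) - example configuration, assumed layout
security:
    firewalls:
        main:
            anonymous: ~
            form_login:
                login_path: login        # assumed route name for /login
                check_path: login
            logout:
                path: /logout            # assumed logout path

            # Enable impersonation. Only users holding ROLE_ALLOWED_TO_SWITCH
            # may switch; keep this role off ordinary member/manager accounts
            # so no regular user can impersonate anyone.
            switch_user:
                role: ROLE_ALLOWED_TO_SWITCH
                parameter: _switch_user

# Links to hand to the switching account (assumed usernames):
#   /member/dashboard?_switch_user=member_user
#   /manager/dashboard?_switch_user=manager_user
#   /?_switch_user=_exit        -> return to the original account
#
# Caveat matching the answer: the impersonated identity is stored in the
# session, not per tab, so every tab of that browser sees the current switch.
# Symfony logs each switch, so check the security log when auditing actions
# performed while impersonating.
```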

You need to tune up your user management system. You can put some vars in your session telling your system to behave in some way (manager or user), but if it must depend on the open tab, then the best approach that I can think of is using the URL. Put some kind of token (a secured one, of course) in the URL that tells your system how to deal with that user.

On this approach, if the user closes the tab, it becomes automatically logged out, at least in one of its roles.

So you can do a standard login process, set the session for the manager role (the more privileged one) and then build and present a link to the user to the non-manager version. That URL contains the mentioned token, and if he closes the tab and wants to recover the tab, he should go to the manager version and follow the link again.

Carlos