In Bahmni, when we are trying to see all the logged in Users using Openmrs/Administration/Maintenance/View Logged In Users, no users are being displayed. The API call made is /openmrs/admin/maintenance/currentUsers.list. Any idea if this was working earlier? Is there any other way to get currently logged in users in Bahmni/Openmrs?
The User Login is considered for LoggedInUsers only when the user has logged in from /openmrs ui. Hence even though there is active session through Bahmni, still it is not considered. Hence the intended behavior doesn’t exist.
We use the REST end point to login. Is there a gap in webservices rest vs OpenMRS interface?
If so, then we should raise it, even better fix it.
@pramidat, alternatively, you can always get details from Tomcat. Remember we use embedded tomcat, and tomcat will have APIs to see sessions. So options are
- Fix any gap in Bahmni if it's in our control.
- Fix the WebServices rest if therein lies the issue
- Fix using Tomcat APIs
- Tomcat has ability to register Interfaces for AccessLog. I wrote one such interface plugin in my previous life!
- Tomcat has JMX support.
- You can even register Session Listeners (HttpSessionListener) and do fancy things.
So you have tons of choices for resolution. Choose wisely.
My pick - 1 or 2 (obvious)
Peeking at the code, it looks like OpenMRS’s entire “Logged In Users” functionality is implemented via the legacy UI:
In other words it ignores logins from REST and from the Reference Application (in addition to Bahmni).
I think the correct fix would be to move this functionality into openmrs-core so that all distributions can leverage it. This would require some refactoring since the current implementation is built around HTTP Sessions and the ServletContext, and openmrs-core doesn’t usually touch these.
The quickest fix from the Bahmni perspective is probably to try to call the utility methods in CurrentUsers when people log in and out (since Bahmni does include the legacy ui module).
Absolute necroposting here, but this is still a problem.
Here’s a related ticket, also extremely old and extremely unresolved: https://issues.openmrs.org/browse/RA-552
How do you suggest we resolve this?
It doesn’t work in the latest, but it seems like it hasn’t worked for more than two years now.
If we use the demos version http://demo.openmrs.org/openmrs/admin/maintenance/currentUsers.list
we will get this:
I think the problem is that if you use Webservices REST APIs, then it does not show.
cc @angshuonline @bistenes, is this still a bug to fix according to the screenshot provided by @achilep above? I tried to reproduce the same and it seems logged in users can be seen as expected, unless I am getting it differently. Thanks.
@bistenes the PIH EMR uses a separate log-in page than the reference app, so it’s entirely possible something was baked directly into the Ref App login page… we could potentially steal it for the PIH EMR login page.
Going to revive this topic once more!
We ran into this issue on the GSoC security project while trying to implement an “expire all active user sessions after a password change” feature.
We’re thinking of implementing a login/logout filter that tracks all active user sessions, similar to what exists here: openmrs-module-legacyui/SessionListener.java at cf00ec9c92f815ed5976c1541d8286014d6e99dc · openmrs/openmrs-module-legacyui · GitHub
@bistenes / @mogoodrich would implementing in openmrs-core be appropriate? I figure if it’s implemented in core the same feature could be used to fix the original active user list issue from this thread.
cc @jnsereko (the engineer who has been primarily working on this)
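The session tracking described in the post above, as an added example that is not from this thread or from OpenMRS code: the class `ActiveSessionRegistry` and its method names are hypothetical, and it assumes the `javax.servlet` API and that every login path (legacy UI, REST, Bahmni) calls `registerLogin`.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
// Hypothetical class, not OpenMRS code. Register it as a <listener> in web.xml.
public class ActiveSessionRegistry implements HttpSessionListener {
    // username -> (session id -> session), plus a reverse index for cleanup
    private static final Map<String, Map<String, HttpSession>> BY_USER = new ConcurrentHashMap<>();
    private static final Map<String, String> OWNER = new ConcurrentHashMap<>();

    // Call from every authentication path once the user is authenticated.
    public static void registerLogin(HttpSession session, String username) {
        unregister(session); // re-login as another user must not leave a stale entry
        OWNER.put(session.getId(), username);
        BY_USER.compute(username, (u, m) -> {
            if (m == null) m = new ConcurrentHashMap<>();
            m.put(session.getId(), session);
            return m;
        });
    }

    public static void unregister(HttpSession session) {
        String username = OWNER.remove(session.getId());
        if (username == null) return;
        BY_USER.computeIfPresent(username, (u, m) -> {
            m.remove(session.getId());
            return m.isEmpty() ? null : m; // drop users with no live session
        });
    }
    public static Set<String> loggedInUsers() { return new HashSet<>(BY_USER.keySet()); }

    // After a password change: invalidate every session of the user except the caller's.
    public static int expireAllFor(String username, String keepSessionId) {
        Map<String, HttpSession> m = BY_USER.get(username);
        if (m == null) return 0;
        int expired = 0;
        for (HttpSession s : new ArrayList<>(m.values())) { // copy: invalidate() re-enters unregister
            if (s.getId().equals(keepSessionId)) continue;
            try { s.invalidate(); expired++; } catch (IllegalStateException gone) { unregister(s); }
        }
        return expired;
    }
    @Override public void sessionCreated(HttpSessionEvent se) { /* untracked until login */ }
    @Override public void sessionDestroyed(HttpSessionEvent se) { unregister(se.getSession()); }
}
```

The registry lives in memory in one JVM, so a clustered deployment would need shared state instead. Session timeouts are handled by `sessionDestroyed`, which is why the listing does not depend on users logging out explicitly.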
This is absolutely an appropriate feature to implement in core.
I have created an issue about this: [TRUNK-6049] Migrate Logged In Users management into core - OpenMRS Issues. I hope this is still needed. If yes, then please, @ibacher, I request you to kindly make it ready for work.
I have been looking into my past work. Close all user sessions after password change and on logout but I think it's not working because of MM-918 [WIP]: Authentication bug after password change by jnsereko · Pull Request #64 · openmrs/openmrs-module-adminui · GitHub
I also think this might be of help when I am working on the anti-CSRF token implementation.
Thank you so much.