View Logged In Users is empty

In Bahmni, when we try to see all the logged-in users using Openmrs/Administration/Maintenance/View Logged In Users, no users are displayed. The API call made is /openmrs/admin/maintenance/currentUsers.list. Any idea if this was working earlier? Is there any other way to get currently logged-in users in Bahmni/OpenMRS?

The user login is considered for LoggedInUsers only when the user has logged in from the /openmrs UI. Hence, even though there is an active session through Bahmni, it is still not considered. Hence the intended behavior doesn’t exist.

1 Like

We use the REST endpoint to log in. Is there a gap in webservices rest vs OpenMRS interface?
If so, then we should raise it, even better fix it.

@pramidat, alternatively, you can always get details from Tomcat. Remember we use embedded Tomcat, and Tomcat will have APIs to see sessions. So the options are:

  1. Fix any gap in Bahmni if it's in our control.
  2. Fix the WebServices rest if therein lies the issue.
  3. Fix using Tomcat APIs.
  4. Tomcat has the ability to register Interfaces for AccessLog. I wrote one such interface plugin in my previous life!
  5. Tomcat has JMX support.
  6. You can even register Session Listeners (HttpSessionListener) and do fancy things.

So you have tons of choices for resolution. Choose wisely. :slight_smile:

My pick - 1 or 2 (obvious)

1 Like

Peeking at the code, it looks like OpenMRS’s entire “Logged In Users” functionality is implemented via the legacy UI:

In other words it ignores logins from REST and from the Reference Application (in addition to Bahmni).

I think the correct fix would be to move this functionality into openmrs-core so that all distributions can leverage it. This would require some refactoring since the current implementation is built around HTTP Sessions and the ServletContext, and openmrs-core doesn’t usually touch these.

The quickest fix from the Bahmni perspective is probably to try to call the utility methods in CurrentUsers when people log in and out (since Bahmni does include the legacy ui module).

2 Likes

Absolute necroposting here, but this is still a problem.

Here’s a related ticket, also extremely old and extremely unresolved: https://issues.openmrs.org/browse/RA-552

1 Like

How do you suggest we resolve this?

1 Like

The problem is in which version of the reference application? cc @bistenes @angshuonline @darius @pramidat

It doesn’t work in the latest, but it seems like it hasn’t worked for more than two years now.

This is what I have. @bistenes

If we use the demo's version http://demo.openmrs.org/openmrs/admin/maintenance/currentUsers.list

we will get this:

I think the problem is that if you use Webservices REST APIs, then it does not show.

1 Like

cc @angshuonline @bistenes: is this still a bug to fix, according to the screenshot provided by @achilep above? I tried to reproduce the same and it seems logged-in users can be seen as expected, unless I am getting it differently. Thanks.

1 Like

Oh interesting. @mogoodrich or @mseaton , do you know why this doesn’t work in PIH EMR? Is it connected to what @angshuonline said about the REST API?

2 Likes

@bistenes the PIH EMR uses a separate log-in page than the reference app, so it’s entirely possible something was baked directly into the Ref App login page… we could potentially steal it for the PIH EMR login page.

2 Likes

Going to revive this topic once more!

We ran into this issue on the GSoC security project while trying to implement an “expire all active user sessions after a password change” feature.

We’re thinking of implementing a login/logout filter that tracks all active user sessions, similar to what exists here: openmrs-module-legacyui/SessionListener.java at cf00ec9c92f815ed5976c1541d8286014d6e99dc · openmrs/openmrs-module-legacyui · GitHub

@bistenes / @mogoodrich would implementing in openmrs-core be appropriate? I figure if it’s implemented in core the same feature could be used to fix the original active user list issue from this thread.

cc @jnsereko (the engineer who has been primarily working on this)

2 Likes
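The session tracking discussed in this thread (an `HttpSessionListener` plus login/logout hooks, used both for the logged-in users list and for expiring sessions after a password change) can look like the following. This is an added example, not code from OpenMRS, Bahmni or the legacyui module; the class and method names are hypothetical, and it assumes the `javax.servlet` API and that every authentication path (legacy UI form, REST, custom login page) calls `recordLogin`.

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry; register it as a listener in web.xml or with @WebListener. */
public class ActiveSessionRegistry implements HttpSessionListener {

    // Keyed by session id so lookups do not depend on HttpSession equals/hashCode.
    private static final Map<String, String> USER_BY_ID = new ConcurrentHashMap<>();
    private static final Map<String, HttpSession> SESSION_BY_ID = new ConcurrentHashMap<>();

    /** Call after successful authentication, whichever login path was used. */
    public static void recordLogin(String username, HttpSession session) {
        SESSION_BY_ID.put(session.getId(), session);
        USER_BY_ID.put(session.getId(), username);
    }

    /** Call on explicit logout; also reached when the container destroys the session. */
    public static void recordLogout(String sessionId) {
        USER_BY_ID.remove(sessionId);
        SESSION_BY_ID.remove(sessionId);
    }

    /** Usernames with at least one live session, independent of how they logged in. */
    public static Set<String> loggedInUsers() {
        return new TreeSet<>(USER_BY_ID.values());
    }

    /** After a password change: invalidate the user's sessions except keepSessionId (may be null). */
    public static int expireSessionsOf(String username, String keepSessionId) {
        int expired = 0;
        for (Map.Entry<String, String> e : USER_BY_ID.entrySet()) {
            if (!e.getValue().equals(username) || e.getKey().equals(keepSessionId)) continue;
            HttpSession s = SESSION_BY_ID.get(e.getKey());
            try {
                if (s != null) { s.invalidate(); expired++; } // triggers sessionDestroyed
            } catch (IllegalStateException alreadyInvalid) {
                // the container expired this session first; nothing left to invalidate
            }
            recordLogout(e.getKey()); // safe during iteration: ConcurrentHashMap is weakly consistent
        }
        return expired;
    }

    @Override public void sessionCreated(HttpSessionEvent se) { /* anonymous until recordLogin */ }

    @Override public void sessionDestroyed(HttpSessionEvent se) {
        recordLogout(se.getSession().getId());
    }
}
```

If the login code rotates the session id on authentication, call `recordLogin` after the rotation so the registry holds the id that is actually in use.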

This is absolutely an appropriate feature to implement in core.

4 Likes

Hello @ibacher

I have created an issue about this: [TRUNK-6049] Migrate Logged In Users management into core - OpenMRS Issues. I hope this is still needed. If yes, then please, @ibacher, I request you to kindly make it ready for work.

I have been looking into my past work. Close all user sessions after password change and on logout but I think it's not working because of MM-918 [WIP]: Authentication bug after password change by jnsereko · Pull Request #64 · openmrs/openmrs-module-adminui · GitHub

I also think this might be of help when I am working on the anti-CSRF token implementation.

Thank you so much