Here's the scenario, I have 2 user which is the Employee and Resident.
The Employee has an account on our website wherein they can see all the Residents' documents and they can select those documents so that the Resident can fill it up.
BTW the Resident doesn't have an account on the website. The only way they can fill up the said documents is by sending an email to them which contains an API or through a device that will be given to them onsite and has a login session of an Employee.
How can I prevent the Resident from navigating through other pages (Go back) once the device is given to them because the Employee cannot always monitor the Resident's action.
Thanks.
Edit: So what I've done previously is I have separate accounts for these users but after thinking thoroughly, an account for the Resident is unnecessary specially when they're too old to use devices. Logging in/out between Resident and Employee just to fill up documents will double up the process.
I'm thinking if it's good to save a session like
$session = $_SESSION['fillUp'];
whenever the Employee picks a document for Resident filling it up, then upon saving the document (which the Employee can only do) the form will then ask for a security code to be input by the Employee so that the document will be saved and unset the session.
Having that session checked on every other page except the document page if it exists will redirect the Resident to the document thus preventing navigation when filling up a document.
// Check session 'fillUp' for every controller except controller sign
public function beforeAction($action)
{
if (Yii::$app->controller->id != 'sign') {
$session = Yii::$app->session;
// session 'fillUp' contains the url of the document to be signed
if ($session->has('fillUp')) {
$this->redirect($session->get('fillUp'));
}
}
}
You will never stop people from using the browser's default navigation options. Whether than be browser back buttons, or swiping to navigate backwards. I've seen people in user experience testing sessions swipe to navigate backward by mistake.
Instead of trying to lock the door, we need to deal with what happens on the previous page(s) should they achieve the back navigation. Let's deal with the posibility that it may happen.
There are two pieces to what you're trying to achieve.
The first is to stop the browser from caching the previous page(s). This means any back navigation will trigger a request to the server to get the information.
We can stop this by adding headers to the page content of sensitive pages:
Send cache control: no-cache, pragma: no-cache and expire: -1 headers.
The second part is to decide what to do if somebody does navigate back, and the server gets a request for that page again.
You certainly want to mark the session as 'resident' on the first hit of the resident page. From there if the session has a 'resident' marker in the session, you may choose to show a warning with a link back to the page they should be visiting, or simply redirect them back to it without intereaction. Personally I think the warning with a link is clearer and will stop confusion.
Related
I've seen a lot in coding in my life, but nothing like this yet.
Does someone have an idea what practice/tool this is, or keywords relating to it?
My first guess was something related to kerberos/kdc, but doesn't seem true.
I have a webserver serving http with unknown/lost source code.
Behaviors:
When loading the pages for the first time, the webserver request a 301 reload to a certain kdc server (see url below) and sets two permanent cookies with identical values (PRXY_ID,PRXY_SN), and one session-temporary when visiting the login page (LOGIN)
Every time when loading the login page, form element id's (like username/pw) change in no visible pattern. My guess was that either the server randomly assigns these, and keeps track in a session-database with the the translations to the actual internal element id, or it is somewhat encrypted with the login-cookie, which is server-assigned - but since this cookie stays the same during the session reloads and not the id's, it would have to be salted before encrypted.
For every page load, the server attached certain query parameters to its url:
sample.com/kdcs/s56/HOME?SH=410488;SPP=353555;R=322450
The server keeps track of the transaction order. For example you can't send a logout post request, without first loading the profile page, with its logout button visible.
I'm grateful for any help on this.
A short tutorial in W3schools about PHP Sessions writes the following:
When you work with an application, you open it, do some changes, and then you close it. This is much like a Session. The computer knows who you are. It knows when you start the application and when you end. But on the internet there is one problem: the web server does not know who you are or what you do, because the HTTP address doesn't maintain state.
Session variables solve this problem by storing user information to be used across multiple pages (e.g. username, favorite color, etc). By default, session variables last until the user closes the browser.
So; Session variables hold information about one single user, and are available to all pages in one application.
I would like to ask you if there is something similar in Zoho Creator. The reason why I am asking is because I have an application with 3 pages (each page has an embedded form). Each page redirects to the other (1st Page -> 2nd Page -> 3rd Page) and passes data through them via openurl. The final result is an HTML Page with the data of these 3 Pages (they have a unique ID).
Let's say that I am in the second page and for some reason (electricity blackout, do another job and close the browser) I want to escape from the application and the next time to continue from the same point, is there any way to do that??
I can suggest you next way
On first page generate unique session Id for the user and pass this id as a parameter to next page in URL. You can crypt in this id pointer to record from first form for example..
I've binged a lot for this stuff, but couldn't find direct ANSWER,
I've searched for this here,
But
I am still beating my head against the wall trying to implement,
How do I do update query after session expired?
I'm not talking about explicit clicking "Logout" button
Here's basic SQL structure:
CREATE TABLE auth_users (
email varchar(40) NOT NULL,
password varchar(40) NOT NULL,
online ENUM('1') DEFAULT NULL <-- HERE, it updates to 1 when user logged in, it updates back to NULL when user explicitly clicks on LOGOUT
) type=MyISAM;
Class Hierarchy:
interface {
function login();
function logout();
//calls after succes authorization
function set_as_online();
//calls from within logout() method
function set_as_offline();
}
BUT IT DOES NOT UPDATES BACK TO NULL WHEN USER CLOSES HIS BROWSER,
For example,
Assume we have two users: User-A, User-B
User A logged successfully, now User-B can see User-A as ONLINE user.
If User-A forget to click "LOGOUT" and would close his browser,
user-B still can see User-A as ONLINE. That's the problem.
For example,
Facebook handles this very well,
Assume your friend just closed the browser (i.e his session does not exists anymore),
then somehow you can see him as OFFLINE
What am I doing wrong? Incorrect approach of handling offline/online users?
Another approach is needed here i think. Don't set a online/offline flag, but a 'last_seen' timestamp. Ie. with every request update the record to the current timestamp. If you want to know if the user is online, just do:
if($current_time - $last_seen_time < $session_expire_limit) {
// online
} else {
// offline
}
Otherwise you'd need a cronjob of some sort to automatically reset the online flag in your database after a certain time, but then still you'd need a last_seen column.
// edit
i don't know exactly how facebook does it, but it could be one of the following; for the chat and notify functionality facebook opens up a 'stream', which is in fact a little ajax call which is kept alive by the server (btw, this ajax call is refreshed every 40 seconds). Possibly this stream is used to track online users. Another option, but less likely, is that an event is attached to the window.unload event. This is less likely because a page refresh, a clicked link to another facebook page etc. is also triggering the event. This would mean that every time an internal facebook link is clicked the event should be unbinded from the browser.
Can't think of another way atm, just some suggestions. Unfortunately those are quite labor-heavy to implement, I assume my suggestion above (before the edit) should be suitable for a common website.
I am not sure how facebook controls this stuff but i can suggest you from the top of my head how i would approach this matter.
I would add a new field on your auth_users table of type Date that will represent the session_expiry_time .
Then inside your html pages you should implement some silent ajax code that will call a dummy php page on the server (the interval is something very important because you have to balance performance and functionality). This dummy page will update the session_expiry_time of the user in
the auth_users table.
Therefore, in any given time, checking a user's session_expiry_time against current time will determine if the user is online or not.
http://de2.php.net/manual/en/features.connection-handling.php
you can with register_shutdown_function() und connection_aborted() your intend achieve
Use a simple JavaScript on the page
In the body tag
The callLogoff() should be replaced with the JavaScript function that calls log off.
Try it.
My application is JavaScript and jQuery up front, PHP in the back. I'd like to implement a URL- or parameter-based session management system so my users can save/share their results. Most of the solutions I've seen involve cookies, but I want anyone (e.g. anyone my user gives a link to) to be able to open up exactly where the user left off.
Example:
User A goes to www.my.url and interacts with the page. Variables are set (mostly via jQuery) et al. User A then decides he wants to share what he sees with user B. He clicks a button and is issued a URL.
User B gets the link from user A and goes to www.my.url?session=[randomness] or www.my.url/?[randomness] (either would be okay). User B picks up exactly where User A pressed the button to issue the link. User B continues to interact with the page.
User A goes to the same URL and picks up where he pressed the button. He then interacts with the page. User A's and user B's sessions do not share anything and the actions of one do not have any bearing on the other - each "real" user session is strictly a sandbox again after the URL is passed and delivered.
User A and B both go to www.my.url (without a session identifier) and get the 'factory' startup as User C does.
Also none of these user actions have to (or probably will) happen concurrently. I can use file-based or mySQL for session (and content) serialization. Currently using CSV for 'factory' reference data (search base) and no need to jump to a DB.
Does anyone know of a practical all-up example here? Or a set of tutorials to help me get started? Is 'session management' really what I'm asking for or is it just serialization via URL(ish)? Is there a better way to search/ask for what I need?
Thank you, any help is appreciated here as this shareable aspect will be huge for my application.
The current app I'm building is a collaboration app that holds several users in a "team" or company that can access a set of projects. Each project has it's own documents.
I want to protect team users from running in to each other and so I have built a system where documents are locked by the first user to access them. The document is then unlocked when any of the following occur:
The user closes the document
The user signs out and destroys his/her session
The user left without signing out but the session garbage collection unlocks the document
All this works well but one thing is left to fix...
I need to know when the user leaves a project without unlocking the document (basically just leaves the page), since he can walk in to another project and edit another document.
My only option I thought of so far is by catching the http referrer in my base controller class (CodeIgniter MVC) and do a search on the url to see if it matches a project... Then unlock the document.
This is not a strong option though since the http referrer variable is unpredictable.
What would you do? (The same user being in the same document in two windows is an issue that can be ignored)
One way around it would be using the window.onUnload Javascript event to signal back to the server the page is being left. It would be best to use AJAX on the current page to communicate since most browsers will block a pop-up these days.
Keep a reference to the document they're currently editing in your session, and then when a document is open, check and see if it's different? If so, unlock the previous one?