I am working on a website admin cp with PHP as a back end technology and in the same time I am fixing some responsive issues.
So I am logged in to the admin panel But when i toggle different devices such as Galaxy, Nexus Iphone or even responsive mode to test the responsive look or fixes that i have done i find myself logged out and redirected to login page and also i see things that shouldn't appear before login such as admin menu but it is not accessible in other words it's half logged in and half not.
cashing is not disabled.
session id is the same i can see it.
I really can't get my head around it!
Is that something normal in the browser which means every device is independent from the whole browser?
Or i'm doing something wrong?
Finally and after several hours of reviewing my code and debugging every single thing I came up with a solution to my problem :
my hypothesis in the question that the devices are independent
from each other is quite correct because every device has a different
HTTP_USER_AGENT
You can try it like this :
echo $_SERVER['HTTP_USER_AGENT'];
Toggle different devices on the browser and see the result .
So as for sessions best practice based on stack overflow and many other resources it is a good practice to save $_SERVER['HTTP_USER_AGENT'] in a session and later on check the session after login which means the logged in user is exactly the user coming from that browser
And that's what i was doing i was checking for the user login session and the user agent session
And that's what was causing the problem so when i toggle different devices the HTTP_USER_AGENT gets changed so the session doesn't match and therefore i get logged out automatically.
Related
I am sure someone has run across this issue before, I just haven't been able to find anything on it anywhere. Anyway here is the scenario.
I have a PHP website that a user will login, then their account id is set as a session variable, then once they are in it basically acts as a single page app. The session account id is for tracking their activities as they do different things throughout the app.
The site will be accessed primarily on mobile devices. I have PHP that sets the session timeout length, then using JS, gives them a popup warning a couple minutes before the timeout ends. Then after the end of the timeout, using a meta refresh, it redirects them back to the login page.
On a desktop, this all works like it is supposed to. On mobile, it is behaving differently. On a mobile device, a user may login, do some stuff on a page, then without logging out, put their phone in their pocket and not come back to it for a couple hours. When they open up the browser it keeps them on the page they were on, but the JS was obviously not running during the time their phone was sleeping, or whatever else they were doing in the interim. The meta refresh as well also does not work as expected, but the session is still timed out. So when they open the app back up, and try to do stuff, I am getting errors in the DB saying that id cannot be empty.
I can use ajax to check if their session still exists on every click of a button, but for speed of the app I would prefer not to do that.
Has anyone else ran into this and found a solution for automatically logging out people on single page apps viewed on a mobile device?
So I am working on a site that requires a login against an MySQL database with "remember me" functionality. I got that fine (based off of Jaspan's page). What I am a little fuzzy on is the use of sessions to track user movement. I'm not worried about their history on the site. I've looked around on the interwebs and especially SO, but I haven't really found what I'm looking for. Perhaps I'm just not using the right keywords to search. Anyway... as I said, I have the actual login process, and a cookie is set up with the triplet for the "remember me" functionality. But how do I track the authenticated status while the user is browsing the website? The logged-in user should be able to browse the secure area of the website, or the scripts should output special data, without the website having to check the "remember me" triplet against the database every page load. I thought to do something like $_SESSION['authed']==true, and every page load would check the session value, but I suspect that isn't a very secure way to go about this. I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true. Now, I DO understand that the session variables are stored on the webserver, not in the browser's cache. However, I can't see the big picture enough to know the right way to go about this.
I thought to do something like $_SESSION['authed']==true, and every page load would check the session value
Yes, that's what you do.
but I suspect that isn't a very secure way to go about this
It's perfectly fine. You establish a session, which means you send a unique cookie to the user. That is your security. The fact that you have a session at all is your security. Then you simply record the fact whether the user is "logged in" or not in that session.
I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true.
Yes, cookies don't necessarily expire when the browser is closed. Each cookie has a specified expiration time, they can persist however long you want. Even cookies without an expiration time aren't necessarily immediately discarded when the browser is closed. That may have been the default behaviour of browsers a few years ago, but isn't necessarily true anymore.
I'm writing a webapp in PHP that remembers if a user is logged in. It sets a cookie and if that cookie is present and validated, the user doesn't need to login.
It works properly from a desktop, but on the iPhone, as soon as I close the tab and relaunch it, the cookie is gone.
Is there something I'm missing? I can't see why cookies would be removed when tabs are closed. It would defeat the purpose of many of them.
Actually, I figured it out. I set the cookie to only work over secure connections, but one of the URLs in my iPhone's history was not secure.
Hi i have two wordpress sites, that are almost identical but have different domains.
What i need to make is when you login on one site of wordpress that it would login with same username and password on other site.
I know this could have some security issues, but this does not matter i just need to make this task.
I know the principals, how it should work, one page in login request other to login user with same username or other way around when you go into one site it checks if user is logged in in other one.
But how to do so in code ? php, wordpress, cookies ?
Ideas ? Functions ? How to send request by php ?
Thank you
Edit : Users are synchronized on both sites, user should not be able to see anything about second login. How to send such url request via php ? User logins in in one site by entering username and password it is automatically logged to other, if he come to second site he is already logged in.
RIP Steve Jobs !
Either you add the login and password to the URL to the other site or out could use an iframe or popup to open the other site for login, having the other site setting its cookie.
It all depends on how the user is intended to switch between sites.
Should there be links or might they open the sites independently?
Added solution.
One site could possibly redirect the user after login to the other site with a link that does the login, then the other site immediately redirects back to the original site.
This way you will not have problem with blocking 3:d party cookies.
But you will need to make a special login page for the redirects.
It's a lot easier to put one site in charge of logins in a master-slave relationship. Otherwise you get into a mess with conflicting lists and no audit trail.
Have you considered one of the plugins that work with the various auth servers like Google etc.? Then the sites may not need to talk to each other.
There's this from the wordstack site: https://wordpress.stackexchange.com/questions/3924/synchronize-wordpress-user-accounts-across-multiple-domains-and-installations-wit
EDIT:
There's this to get started.
http://willnorris.com/2009/03/authentication-in-wordpress-28
Maybe you could write a quick json server on each, accessible by the other. I've done
similar in a dozen lines of code or so (but not with wordpress). Let me know if you want more info.
Apologies if this question is already posted. I didn't find the answer i was looking for when searching through the related questions.
I have a login system I've just created that works with Facebook. Once the user logs in with their Facebook info and then I create profile in my database for them. I start a session upon successful login and store the user's id in that session. This setup so far has worked fine, but I've recently noticed if I try to login to the site on another browser (1xChrome, 1xIE, so on...) at the same time it wont let me. How can I fix this problem? I would like the user to be able to not only log into multiple browsers on the same computer at the same time, but if they stay logged in at home be able to still log in from another computer.
Any help is greatly appreciated!
Thanks!
EDIT: Yes I'm interested in allowing user's to log into multiple browsers as in 1xChrome, 1xIE, 1xSafari, etc. I should've been more clear. sorry.
You may want to do some more research into cookies.
Your users should not be able to use multiple instances of the same browser (for example, 4 Internet Explorer windows) to log in.
Your users SHOULD be able to use different browsers (ie 1 x IE, 1 x Firefox, 1 x Chrome or any of the above browsers + 1 with Private Browsing/Incognito/etc enabled).
The reason for this is because the cookie storage is different. You could technically use different Firefox profiles, too, I think...
... but to get back to your question - you might want to learn more about Cookies and their function in sessions.
The session should not be terminated, unless you do a check and terminate it yourself. An issue could be the actual facebook login. If facebook does not allow multiple logins(i think it does not), your first browser session will be getting an expired session( if you check on the facebook login status ), and this could cause your script to refresh the state of the first client (again, if you handle it like that).