I'm working on a community networking site where users' sessions never expire (unless the logout button is pressed). Along with that, I have a WordPress CMS integrated for blogging, hosted on a subdomain. I use JS to trigger login and logout on the WordPress site, which means that when users log in to the main (non-WordPress) site, they are also automatically logged in to the WordPress site. The problem is that after a certain period of time, or when the browser is closed, the WordPress site is automatically logged out, leaving only the main website in session, and users then need to log out from the main website and log in again just to trigger the WordPress login.
I just want WordPress to never log out automatically (even if the window is closed) unless the logout button is pressed. I used the following function, which doesn't seem to work:
function change_wp_cookie_logout( $expirein ) {
    return 15552000; // 180 days (about 6 months) in seconds
}
add_filter( 'auth_cookie_expiration', 'change_wp_cookie_logout' );
I've tried different similar tactics but can't get it working.
Thanks in advance
I'd recommend you look into cookies; in my humble opinion that would be the best approach to persist the user data for a long term. You could use the cookies to restore their data in a new session using some key information. Basically, whenever they close the browser the session will expire (disconnected by the server), but if you have cookies on their end, you could check on the server side, when a new session is requested, whether a cookie exists and, based on the info you had stored there, restore the info necessary for their web session.
You can read more about it on the official page:
https://en.support.wordpress.com/cookies/
I am developing an application in which security plays the main role. When I log in with a username and password, any other login on any other system with the same username should be deactivated.
How can I do this? When I google this issue I am not getting any related ideas.
I logged in from my home, and when I log in to my system from the office, my personal system session should be destroyed.
Specifically, "personal session being destroyed" would mean remotely clearing your home browser history (to delete sessions, cookies, etc.).
That is possibly not necessary (depending on the security level you need), or it is better to just have remote access to your PC.
A solution if you do not actually need to destroy "home" sessions.
A basic method would be something like:
Upon successful login, the script sets a local session ID and stores it in the DB.
Each page/section within the secure area checks your local session ID against the one in the DB.
If they match, you are shown the page; otherwise you are redirected to the login page.
Every time you successfully log in, it resets the session stored in the DB, so when logging in at work you would no longer be logged in at home, as the sessions no longer match.
Your Scenario
You log in at home, a session is created, and the session ID is stored in the database and referenced in your local browser (cookie by default).
Each secure area page will check whether the user's local session ID matches the one in the database.
At home, currently, it does.
You go to work and go to the login page (which finds no session/cookie, so it allows you to try to log in).
When you log in successfully, the script will set a new session and session ID, and update the database with that new session ID.
Now when you browse the secure area at work, the scripts check your local session ID against the database and they match, so you can see the secure stuff.
At home, someone tries to browse your logged-in area and the local session ID no longer matches the one stored in the DB, as it's now the session ID you set by logging in at work.
So they are redirected to the login page.
Security Note
This is just a basic example, and while the above will work, it is not a perfectly secure "login system" in itself. Best practice for a secure login system is already covered in many other questions/answers/tutorials (i.e. using HTTPS, IP log, browser data check, timestamp + auto logout, etc.).
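The login flow described in this answer, as an added example that is not part of the original answer. It stores a hash of a random per-login token rather than the raw session ID, uses an in-memory SQLite database through PDO so it runs from the command line, and its table, column and function names are hypothetical.

```php
<?php
// Added example: one active session per user. All names here are hypothetical.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active_token_hash TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice')"); // constructed sample user

// Call after the password check succeeds: issue a new token, overwriting the old one.
function startSingleSession(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // the browser keeps this, e.g. in $_SESSION
    $stmt = $db->prepare('UPDATE users SET active_token_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $userId]); // the DB holds only a hash
    return $token;
}

// Call at the top of every protected page; on false, redirect to the login page.
function isCurrentSession(PDO $db, int $userId, string $token): bool
{
    $stmt = $db->prepare('SELECT active_token_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, hash('sha256', $token));
}

// Explicit logout clears the stored value, so no browser matches any more.
function endSession(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET active_token_hash = NULL WHERE id = ?')->execute([$userId]);
}

// Simulated scenario from the answer: login at home, then login at work.
$home = startSingleSession($db, 1);
var_dump(isCurrentSession($db, 1, $home)); // home browser, before the work login
$work = startSingleSession($db, 1);
var_dump(isCurrentSession($db, 1, $work)); // work browser
var_dump(isCurrentSession($db, 1, $home)); // home browser, after the work login
endSession($db, 1);
var_dump(isCurrentSession($db, 1, $work)); // work browser, after logout
```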
I'm working on a Symfony 1.4 project and I would like to keep:
a log in the backend of the items added by the moderator, and
the time of login and logout of moderators.
I use "sfDoctrineGuardLoginHistoryPlugin" for the history of login and logout.
This plugin uses a listener on the session state change and checks the database login or logout status. But the problem is that when the moderator leaves the page open for a long time and does not touch anything, or when he closes the browser, no action is recorded in the database.
Is there any solution (in PHP, Node.js, Ajax, ...) to know when the user's session went off?
There's nothing in Symfony 1.4 for this that I'm aware of.
One potential workaround could be to ensure you're updating some kind of last_active timestamp whilst a moderator is using the website in addition to the login and logout times. The updating could be done using a filter, for example.
This would then allow you to check if the user has logged out OR was last active > 30 minutes ago, basically emulating a scenario where the user has just closed the browser window or allowed the authenticated session to expire without logging out.
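One way to apply the last_active idea, as an added example that is not part of the original answer and not the plugin's own code: a periodic sweep records an inferred logout for rows that never received one. The table and column names are hypothetical, and writing last_active plus the idle limit as the logout time is an assumption.

```php
<?php
// Added example: record inferred logouts for sessions that went idle.
// Table and column names are hypothetical, not the plugin's schema.
declare(strict_types=1);

const IDLE_LIMIT = 30 * 60; // seconds, the 30-minute threshold from the answer

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_history (
    id INTEGER PRIMARY KEY, moderator TEXT, login_at INTEGER,
    last_active INTEGER, logout_at INTEGER, logout_reason TEXT)');

// Called on every authenticated request (for example from a filter).
function touchSession(PDO $db, int $id, int $now): void
{
    $db->prepare('UPDATE login_history SET last_active = ? WHERE id = ? AND logout_at IS NULL')
       ->execute([$now, $id]);
}

// Called periodically (cron): close rows with no logout and no recent activity.
function closeIdleSessions(PDO $db, int $now): int
{
    $stmt = $db->prepare(
        "UPDATE login_history
            SET logout_at = last_active + :limit, logout_reason = 'timeout'
          WHERE logout_at IS NULL AND last_active < :cutoff"
    );
    $stmt->bindValue(':limit', IDLE_LIMIT, PDO::PARAM_INT);
    $stmt->bindValue(':cutoff', $now - IDLE_LIMIT, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of sessions closed by this sweep
}

// Constructed sample data: one idle moderator, one still working.
$now = 1700000000;
$db->exec("INSERT INTO login_history (id, moderator, login_at, last_active)
           VALUES (1, 'mod_a', " . ($now - 7200) . ", " . ($now - 3600) . "),
                  (2, 'mod_b', " . ($now - 600) . ", " . ($now - 600) . ")");
touchSession($db, 2, $now - 60);
echo closeIdleSessions($db, $now), " session(s) closed as timed out\n";
foreach ($db->query('SELECT moderator, logout_reason FROM login_history') as $row) {
    echo $row['moderator'], ': ', $row['logout_reason'] ?? 'still active', "\n";
}
```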
I just started using Ratchet (http://maker.github.io/ratchet/) and it's great. However, a big issue I'm having is that the user has to click the logout button (which is actually an anchor <a>) twice in order for the logout to actually occur.
I'm intending this as an app to be saved to the iPhone homescreen, where it can be launched as a fullscreen webapp. Normally, sessions aren't maintained when such a web app is closed (it's sandboxed as opposed to regular Safari). I'm 99% certain that this click-twice-to-logout issue is because I am using not only a PHP session but also a cookie in order to make it so that the user will remain logged in after closing the full screen web app (as per the second answer in this post).
My logout script is as follows:
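<?php
// logout.php
session_start();
// Expire the session cookie in the browser
setcookie(session_name(), "", time() - 3600);
// Clear the session data and destroy the session on the server
$_SESSION = array();
session_destroy();
// Send the user back to the home page
header('Location: /');
?>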
I thought this issue might have something to do with Ratchet's push.js, but even if I set the logout link with data-ignore="push", the current page just reopens in Safari (which is annoying on its own, because if the user has it saved to their home screen, I want it to run only within that full screen interface), and I still have to tap logout once more.
The issue also does not appear to be a problem of running it as a full screen web app, as I have the same issue accessing it via Safari.
Any pointers?
I believe I solved the issue. From that link I had posted before, I had inserted the following code into all of my main PHP pages:
$cookieLifetime = 365 * 24 * 60 * 60; // A year in seconds
setcookie(session_name(),session_id(),time()+$cookieLifetime);
I don't fully understand this, but I get that it's basically creating a cookie which allows the session to be maintained even when the app is run in iOS's sandboxed full-screen web app mode. I was able to fix the issue by removing this code from my login.php script while keeping it on every other page of my app. logout.php remains as before. Now, my saved-to-home-screen full-screen web app will keep the user logged in, even if the iPhone is restarted. They are also able to log out with a single tap of the logout button instead of two.
I'm in the process of setting up various authentication methods on a project I'm working on, and the common OAuth 2.0 framework that Google and Facebook use seems pretty awesome. Reading the example Facebook gave though, I stumbled across something that seemed strange to me.
If you look at the bottom of that Facebook page, you can see an example in PHP. In their process, they first set a random string to $_SESSION['state'], then redirect the user to the Facebook authentication page, which then sends the user back to the original page, where they compare the state string to what's supposedly stored in the session variable. Maybe I'm missing something here, but don't you lose all session data if the user leaves your site? How does this work? How is your session data maintained even though you leave the site?
The session data stays until you close the browser or log out from your app. The session state could be getting saved on the server or in the browser in a cookie. Either way, the session data is available to you once Facebook redirects back to your site.
You don't lose your session data when the user leaves your site.
So, we check the state value after the user is redirected back to our website from Facebook.
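The state round trip discussed in this thread, as an added example that is not from the original posts or from Facebook's documentation. The endpoint, client ID and redirect URI are placeholders, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example: OAuth 2.0 "state" round trip. Endpoint and client values are placeholders.
declare(strict_types=1);

const AUTHORIZE_URL = 'https://provider.example/oauth/authorize'; // placeholder
const CLIENT_ID     = 'constructed-client-id';                    // placeholder
const REDIRECT_URI  = 'https://app.example/callback';             // placeholder

// Step 1: before redirecting, store a random state in the server-side session.
function buildAuthorizeUrl(array &$session): string
{
    $session['state'] = bin2hex(random_bytes(16));
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $session['state'],
    ]);
}

// Step 2: on the callback, the session cookie loads the same session again,
// so the stored state can be compared with the one the provider echoed back.
function stateIsValid(array &$session, array $query): bool
{
    $expected = $session['state'] ?? null;
    unset($session['state']); // single use, even when the check fails
    $received = $query['state'] ?? null;
    return is_string($expected) && is_string($received)
        && hash_equals($expected, $received);
}

// Simulated browser: $session stands in for $_SESSION across the redirect.
$session = [];
$url = buildAuthorizeUrl($session);
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);
$callback = ['code' => 'constructed-code', 'state' => $sent['state']];
var_dump(stateIsValid($session, $callback)); // genuine callback
var_dump(stateIsValid($session, $callback)); // replay: state already consumed

$session = [];
buildAuthorizeUrl($session);
var_dump(stateIsValid($session, ['code' => 'x', 'state' => 'forged'])); // mismatched state
```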
I logged into an online forum built with PHP and was browsing some topics on the web site.
Since the weather was hot, I went to have a bath and left my computer idle for a short while. When I came back to my computer, I pressed an "Add Post" icon.
But when I pressed to submit the new topic, the web site redirected me to the login page. I guessed my cookie might have expired. And then after I logged into the web site again, my new post was created. I am wondering how they do this. What is the method and technique they used?
Did they store my new post in a new cookie or session first when they found that my cookie was expired?
You could do that by storing the post's content in a cookie and, once you log the user in, checking the cookies that you have set. If you have a cookie set with the content you would create a post with, create the post and remove the cookie. This should work with sessions as well. It all depends on how you set up your login system.