I am sure someone has run across this issue before, I just haven't been able to find anything on it anywhere. Anyway here is the scenario.
I have a PHP website that a user will login, then their account id is set as a session variable, then once they are in it basically acts as a single page app. The session account id is for tracking their activities as they do different things throughout the app.
The site will be accessed primarily on mobile devices. I have PHP that sets the session timeout length, then using JS, gives them a popup warning a couple minutes before the timeout ends. Then after the end of the timeout, using a meta refresh, it redirects them back to the login page.
On a desktop, this all works like it is supposed to. On mobile, it is behaving differently. On a mobile device, a user may login, do some stuff on a page, then without logging out, put their phone in their pocket and not come back to it for a couple hours. When they open up the browser it keeps them on the page they were on, but the JS was obviously not running during the time their phone was sleeping, or whatever else they were doing in the interim. The meta refresh as well also does not work as expected, but the session is still timed out. So when they open the app back up, and try to do stuff, I am getting errors in the DB saying that id cannot be empty.
I can use ajax to check if their session still exists on every click of a button, but for speed of the app I would prefer not to do that.
Has anyone else ran into this and found a solution for automatically logging out people on single page apps viewed on a mobile device?
Related
I am working on a website admin cp with PHP as a back end technology and in the same time I am fixing some responsive issues.
So I am logged in to the admin panel But when i toggle different devices such as Galaxy, Nexus Iphone or even responsive mode to test the responsive look or fixes that i have done i find myself logged out and redirected to login page and also i see things that shouldn't appear before login such as admin menu but it is not accessible in other words it's half logged in and half not.
cashing is not disabled.
session id is the same i can see it.
I really can't get my head around it!
Is that something normal in the browser which means every device is independent from the whole browser?
Or i'm doing something wrong?
Finally and after several hours of reviewing my code and debugging every single thing I came up with a solution to my problem :
my hypothesis in the question that the devices are independent
from each other is quite correct because every device has a different
HTTP_USER_AGENT
You can try it like this :
echo $_SERVER['HTTP_USER_AGENT'];
Toggle different devices on the browser and see the result .
So as for sessions best practice based on stack overflow and many other resources it is a good practice to save $_SERVER['HTTP_USER_AGENT'] in a session and later on check the session after login which means the logged in user is exactly the user coming from that browser
And that's what i was doing i was checking for the user login session and the user agent session
And that's what was causing the problem so when i toggle different devices the HTTP_USER_AGENT gets changed so the session doesn't match and therefore i get logged out automatically.
I am making a php system (on apache server) and I need to make the site extremely secure,
One of my requirements is to make sure that any visit to a page other from a direct link from the website (even a "back" button) will reset the session and demand another login (redirection to the login screen).
The entire system is up and running, I use php and jquery in my code.
I had an idea about making a function that is being called every 1 minute (or so) and "remake" a token for the next 1 minute(or just a little bit longer, if the function doesn't get approval from the server then the browser will redirect to the login screen.
What do you think about that solution? would it be too "heavy" on the internet connection? (we usually have edge/2g internet connection over ipad).
if I do make this solution, how can I make sure that at the moment when user presses the back button or enters the site he wont be shown any data?
thanks in advance.
use sessions to validate some one presence .
then you can destroy its session and expire its session!
like:
session_destroy();
Well, the solution was making a function that is being called every 1 minute (or so) and "remake" a token for the next 1 minute(or just a little bit longer, if the function doesn't get approval from the server then the browser will redirect to the login screen.
I just started using Ratchet (http://maker.github.io/ratchet/) and it's great. However, a big issue I'm having is that the user has to click the logout button (which is actually an anchor <a>) twice in order for the logout to actually occur.
I'm intending this as an app to be saved to the iPhone homescreen, where it can be launched as a fullscreen webapp. Normally, sessions aren't maintained when such a web app is closed (it's sandboxed as opposed to regular Safari). I'm 99% certain that this click-twice-to-logout issue is because I am using not only a PHP session but also a cookie in order to make it so that the user will remain logged in after closing the full screen web app (as per the second answer in this post).
My logout script is as follows:
// logout.php
<?php
session_start();
setcookie(session_name(),"",time()-3600);
$_SESSION = array();
session_destroy();
header('Location: /');
?>
I thought this issue might have something to do with Ratchet's push.js, but even if I set the logout link with data-ignore="push", the current page just reopens in Safari (which is annoying on its own, because if the user has it saved to their home screen, I want it to run only within that full screen interface), and I still have to tap logout once more.
The issue also does not appear to be a problem of running it as a full screen web app, as I have the same issue accessing it via Safari.
Any pointers?
I believe I solved the issue. From that link I had posted before, I had inserted the following code into all of my main PHP pages:
$cookieLifetime = 365 * 24 * 60 * 60; // A year in seconds
setcookie(session_name(),session_id(),time()+$cookieLifetime);
I don't fully understand this, but I get that it's basically creating a cookie which allows the session to be maintained even when the app is run in iOS's sandboxed full-screen web app mode. I was able to fix the issue by removing this code from my login.php script while keeping it on every other page of my app. logout.php remains as before. Now, my saved-to-home-screen full screen web app will keep the user logged in, even if the iPhone is restarted. They are also able to logout with a single tap of the logout button instead of twice.
I have a PHP site that works great....as long as there are no network disruptions. im having problems with users, especially on iPad's and laptops, that log in, and work within the site without submitting any data for a prolonged length of time (maybe an hour or so). They type a bunch of notes in, and when they submit they are sent to the logon screen and what they worked on for that hour is lost. I'm getting used to dirty looks...
My research as shown that maybe using cookies will help the issue. security is not a huge concern, so storing usernames and hashed password within cookies is not a big threat. but i never worked with cookies and don't know where to really begin. my objective is to have any user be able to log in, start typing in a text area, move throughout the building, maybe dropping their internet connection and picking it back up, and be able to submit the form after with no errors. any ideas? thanks in advance...
Sounds like your session is simply expiring, nothing to do with changing internet connection or Wifi AP.
Change the default PHP session expiry with PHP, or change the php.ini setting:
ini_set("session.cookie_lifetime","3600"); //an hour
The default session handler works by setting a session ID cookie on the client. With each page request, the session ID will be sent. If the session expires, the cookie will be deleted and thus the client will be shown the login screen.
That's assuming you are using the default PHP session handler (you didn't say). If that's not the problem, then it would point to a problem in your code, for example if you are trying to prevent session hijacking by comparing IP addresses (which will change as the user moves from AP to AP).
Apologies if this question is already posted. I didn't find the answer i was looking for when searching through the related questions.
I have a login system I've just created that works with Facebook. Once the user logs in with their Facebook info and then I create profile in my database for them. I start a session upon successful login and store the user's id in that session. This setup so far has worked fine, but I've recently noticed if I try to login to the site on another browser (1xChrome, 1xIE, so on...) at the same time it wont let me. How can I fix this problem? I would like the user to be able to not only log into multiple browsers on the same computer at the same time, but if they stay logged in at home be able to still log in from another computer.
Any help is greatly appreciated!
Thanks!
EDIT: Yes I'm interested in allowing user's to log into multiple browsers as in 1xChrome, 1xIE, 1xSafari, etc. I should've been more clear. sorry.
You may want to do some more research into cookies.
Your users should not be able to use multiple instances of the same browser (for example, 4 Internet Explorer windows) to log in.
Your users SHOULD be able to use different browsers (ie 1 x IE, 1 x Firefox, 1 x Chrome or any of the above browsers + 1 with Private Browsing/Incognito/etc enabled).
The reason for this is because the cookie storage is different. You could technically use different Firefox profiles, too, I think...
... but to get back to your question - you might want to learn more about Cookies and their function in sessions.
The session should not be terminated, unless you do a check and terminate it yourself. An issue could be the actual facebook login. If facebook does not allow multiple logins(i think it does not), your first browser session will be getting an expired session( if you check on the facebook login status ), and this could cause your script to refresh the state of the first client (again, if you handle it like that).