I am creating an admin panel to log breakdowns, save tasks, log errors and much more. I currently have the following piece of code at the top of the screen which checks if a user is logged in; if not, they are sent to the login / create a user page.
<?php
session_start();                      // resume the existing session, if any
include 'login/config.php';
if (!isset($_SESSION['username'])) {  // no username in the session means not logged in
    header('Location: login/index.php');
    exit();                           // stop rendering the protected page
}
?>
I feel that there may be better ways of doing this and also more secure ways.
A username and password are required to log in and get to the initial dashboard; user status levels & permissions will be added later on.
Questions:
How can I make the system more secure by improving the code or adding additional security features?
AND
How can I log to my SQL database when a user logs in and out of the admin system?
As for security, I'm no expert there, so I'd rather wait and see what the other people tell you, since it's a very interesting topic. But I'll give you my thoughts anyway.
First of all, you should take care of SQL injections on your login; always validate the input data from the users, especially on CRUD operations. I think protecting your pages with sessions should be good enough, as long as the login itself is secure. For example, you could implement a system that would block the IP after a few failed attempts to log in, etc.
About the second part, you can create a table, e.g. userlog, which would contain the fields you want: user_id, action (login/logout), time.
Then every time the user logs in or out, you just insert a new record into the table. That piece of code would be located where you set/unset the session.
Not sure about the efficiency of this method, but this is a way to implement what you are saying.
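The two points above (prepared statements on the login query, and an insert into a userlog table wherever the session is set or unset) put together, as an added example rather than the asker's or answerer's code. It assumes a PDO connection `$pdo` to MySQL, a `users` table with `id`, `username` and `password_hash`, and a `userlog` table with `user_id`, `action`, `ip` and `logged_at`; all of those names are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes a PDO connection $pdo (MySQL), a users table
// (id, username, password_hash) and a userlog table (user_id, action, ip, logged_at).
session_start();

function logUserAction(PDO $pdo, int $userId, string $action): void {
    // Prepared statement: no user-supplied value ever becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO userlog (user_id, action, ip, logged_at) VALUES (:uid, :action, :ip, NOW())'
    );
    $stmt->execute([
        ':uid'    => $userId,
        ':action' => $action,                       // 'login', 'logout' or 'login_failed'
        ':ip'     => $_SERVER['REMOTE_ADDR'] ?? '', // set by the web server, not the client
    ]);
}

function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks against a hash made by password_hash(); plaintext is never stored.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        if ($row !== false) {
            logUserAction($pdo, (int) $row['id'], 'login_failed'); // feeds a lockout policy
        }
        return false;
    }
    session_regenerate_id(true); // fresh session id at login defeats session fixation
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $username;
    logUserAction($pdo, (int) $row['id'], 'login');
    return true;
}

function logout(PDO $pdo): void {
    if (isset($_SESSION['user_id'])) {
        logUserAction($pdo, (int) $_SESSION['user_id'], 'logout');
    }
    $_SESSION = [];
    session_destroy();
}
// Guard for the top of every admin page, replacing the bare isset() check.
function requireLogin(): void {
    if (!isset($_SESSION['user_id'])) {
        header('Location: login/index.php');
        exit();
    }
}
```

The `login_failed` rows are what a "block the IP after a few failed attempts" rule would count; the `login`/`logout` rows are the audit trail asked for in the second question.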
You can create a table like login_history which has fields loginTime and logoutTime set from the system time. When the user logs in, loginTime is inserted, and when they log out the record is updated with logoutTime.
Related
I'm creating an application with Laravel 5.2 for classified ads; a classified belongs to a user. The flow should be like this:
A homepage with a 'Post Classified' link
After the (unauthenticated) user fills the create-classified form, which includes file uploads, he gets prompted to login.
Following best practices, what would be the best way to accomplish this?
Should I save the classified in the database with a user_id of, let's say, -1 until the user logs in, then update the record? What happens if the user never logs in?
Should I keep the classified in a session, then save it after the user logs in? What happens with the file uploads?
Note: Code not necessary, just an explanation of what would be the best option.
I would not save the data in the DB initially, as I do not know the user yet and usually the user id is the primary key. An intermediate table does not sound good either.
I would save the data in the session, store the files on the HDD and keep the file location in the session as well. Once registration is over, enter the data into the DB. We also need to keep in mind that there might be a need for cleanup of the files of users that never register. However, I do not think it will be a big problem.
I am a novice PHP programmer building a multiuser application in CodeIgniter.
Now, my boss has told me to look into the ability to log out people based on their changed user access privileges.
E.g. a guy is logged in as a semi admin, but has just been demoted by a real admin to regular user status. Now the semi admin should supposedly be logged out when that happens, but this is where my problem occurs.
I can think of a few ways to do this, but they all revolve around doing checks that will be redundant in most cases (this is a rare situation, but it has occurred, I have been told).
My best bet at the moment is to log all the active users in a session DB and force them to log in again if their user role changes.
This however is going to generate a lot of traffic on the server for a rare "problem", as the user session data is more fittingly put into a regular session.
So my question in short is: how can I log out a user when his user privileges are changed, without working my server too hard?
Thanks in advance!
You can check if privileges have changed periodically, like once every 10 minutes, this should reduce the amount of "useless" queries and still ensure that there is an acceptable response time to a logged in user privileges being changed.
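The periodic check this answer describes, written out as an added example (not code from the question or answer). It assumes a PDO connection `$pdo`, a `users` table with `id` and `role` columns, and a page that requires the role `semi_admin`; those names are assumptions.

```php
<?php
// Added example, not from the question or answer. Assumes a PDO connection $pdo
// and a users table with columns id and role.
session_start();

const ROLE_RECHECK_SECONDS = 600; // re-query the role at most once per 10 minutes

// Returns the current role, or null when the user is (now) logged out. Between
// checks the copy in the session is trusted; once it is older than the interval the
// database is consulted, and a changed or missing role ends the session so the user
// has to log in again and pick up the new privileges.
function currentRole(PDO $pdo): ?string {
    if (!isset($_SESSION['user_id'], $_SESSION['role'])) {
        return null;
    }
    $checkedAt = $_SESSION['role_checked_at'] ?? 0;
    if (time() - $checkedAt < ROLE_RECHECK_SECONDS) {
        return $_SESSION['role']; // cheap path: no query on most requests
    }
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $dbRole = $stmt->fetchColumn(); // false when the user row no longer exists
    if ($dbRole === false || $dbRole !== $_SESSION['role']) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['role_checked_at'] = time();
    return $dbRole;
}

// Typical use at the top of a page that needs semi-admin rights.
if (currentRole($pdo) !== 'semi_admin') {
    header('Location: login.php');
    exit();
}
```

With this pattern a demoted user keeps the old role for at most ROLE_RECHECK_SECONDS; if that window is too long for an admin role, the session-table approach (a row per session that the admin can delete) gives immediate effect.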
Add a JavaScript listener on the page; then, when the super admin changes the semi-admin's privileges to a normal user, trigger the logout event. Make sure that the app has JavaScript enabled, otherwise it won't work. This solution is used by many ACL-based apps.
I have a question from a potential client (hence, no code yet) about a website they have which has a custom login script.
Basically, they have Analytics set up, but it doesn't serve the purpose that they need: being able to tell how many times a user has logged in and how frequently they do so.
What would be the best way of achieving this? I'm guessing I would need to alter the PHP login script but I'm a little confused at how best to do it. I could do a new field in the database that counts their logins but I suspect that that's not a great way of doing it, and I'm not sure how I could tell the frequency from that type of system.
Any suggestions?
Every time a user logs in you could log it in your DB or to a file. You could easily include user name, datetime, IP, user agent (all relevant data), etc. As mentioned, this will make it very easy to build a profile on the user: login times, login locations, etc.
If you store the time of each attempt, you can run reports to figure out whatever you need.
The best way to implement this is a relational database. When a user logs in, an entry is made in a table. When you want to find out how many times a user has logged in, run a query on this table to count the entries that apply to that user.
You can simply make a new table where you store user_id and a timestamp every time the user logs in. Using that data you can then see who has logged in, how many times, and in which intervals of the day.
I've developed many login systems in PHP. Basically, every website or application I created had a login scheme to create articles, upload images, edit comments and so on.
I've never had problems with that, except once when I created a kind of social page inside my website. There was a user bothering the other users, so I decided to delete his profile; that's why I'm here asking for your help.
At the time, I was just checking the session on each page, for example:
<?php
session_start(); // needed before $_SESSION is readable
if ($_SESSION['loggedin'] === true)
{
    // Keep that page
}
else
{
    // redirect to login page
}
?>
Then, when I deleted his profile, the session wasn't closed yet; after that the user continued annoying the other users, and I wasn't able to do anything.
So, what's the most common and best way to handle sessions on each page: Check the database each time or just check if the session is true?
I don't know what's the best way, but I do something like this:
I have an SQL table with the sessions (for example userid, sessionid, expiredate, ...).
The sessionid is "saved" in $_SESSION['cms_session'].
If the sessionid which is in $_SESSION['cms_session'] doesn't exist in the session table, the user isn't logged in anymore.
For deleting the old sessions in the table I use cron jobs.
What you are trying to do is have a single place where you can maintain user status and know that a change will be reflected immediately.
Checking a "user_status" field in the DB is a pretty efficient call to make on each request. This provides a single place where you know that if you deactivate a user, the change will be reflected upon their next request. You can also do this easily without writing another set of routines to look through session variables or creating some sort of messaging system where the application announces that a user has been deactivated.
Checking the database each time a page loads is really inefficient. If all you're trying to do is kill his session, you should store sessions in memcached where the 'key' is based on the username, something like "johnsmith-session" and then on an admin page, send a message to memcached to kill that key, which should immediately log him out of your site.
If PHP is currently writing session data to disk, depending on how the data is serialized, you may be able to track down his session file on disk and delete that file, which will accomplish the same thing: the next time that user tries to load a new page, his session will be invalid and he'll be required to log in again.
Keep in mind that really persistent trouble users will often re-register a new account to continue their antics, so you'll want other means of watching for new registrations from that person.
I've made a login script for my site; the session stuff basically looks like this.
if ($_SESSION['loggedin'] == "Yes") {
    // user online stuff
}
For all other users the session is set:
$_SESSION['loggedin'] = "No";  // assignment, not a comparison
How can I display active sessions that are set to yes or no? Should I work with MySQL tables and use crontabs? Or should I count files in tmp (the session directory) on Apache?
What are the best methods and how can I do it?
Crontab is not necessary here. You can store the last activity date and time somewhere (a MySQL database?) and use a simple select, which would show the number of users who were active within some timeout.
This table can be used for server-side tracking of logged-in users. The table may also contain some additional information, like IP address, X-Forwarded-For IP, etc.
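The server-side session table described here, and in the earlier answer that keeps a sessionid in `$_SESSION['cms_session']` and treats a missing row as logged out, combined into one added example (not code from any of the answers). It assumes a PDO connection `$pdo` and a table `user_sessions` with columns `token`, `user_id` and `last_activity` (a Unix timestamp); those names, and the 15-minute timeout, are assumptions.

```php
<?php
// Added example, not code from any of the answers. Assumes a PDO connection $pdo and a
// table user_sessions(token CHAR(64) PRIMARY KEY, user_id INT, last_activity INT unix time).
session_start();
const SESSION_TIMEOUT_SECONDS = 900; // no request for 15 minutes counts as logged out

// Right after a successful password check: register the session server-side.
function registerSession(PDO $pdo, int $userId): void {
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(32)); // unguessable, independent of the PHP session id
    $stmt = $pdo->prepare('INSERT INTO user_sessions (token, user_id, last_activity) VALUES (:t, :u, :now)');
    $stmt->execute([':t' => $token, ':u' => $userId, ':now' => time()]);
    $_SESSION['cms_session'] = $token;
}

// On every page: the row must still exist and be recent, otherwise the user is
// treated as logged out. Covers admin revocation and idle timeout alike.
function validateSession(PDO $pdo): ?int {
    $token = $_SESSION['cms_session'] ?? null;
    if ($token === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT user_id FROM user_sessions WHERE token = :t AND last_activity > :cutoff');
    $stmt->execute([':t' => $token, ':cutoff' => time() - SESSION_TIMEOUT_SECONDS]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $pdo->prepare('UPDATE user_sessions SET last_activity = :now WHERE token = :t')
        ->execute([':now' => time(), ':t' => $token]);
    return (int) $userId;
}

// Admin action: log a user out everywhere by deleting their rows; returns how many.
function revokeUserSessions(PDO $pdo, int $userId): int {
    $stmt = $pdo->prepare('DELETE FROM user_sessions WHERE user_id = :u');
    $stmt->execute([':u' => $userId]);
    return $stmt->rowCount();
}

// "Who is online": distinct users with a request inside the timeout window.
function activeUserCount(PDO $pdo): int {
    $stmt = $pdo->prepare('SELECT COUNT(DISTINCT user_id) FROM user_sessions WHERE last_activity > :cutoff');
    $stmt->execute([':cutoff' => time() - SESSION_TIMEOUT_SECONDS]);
    return (int) $stmt->fetchColumn();
}
```

The cron cleanup mentioned in the earlier answer is then just a DELETE of rows whose last_activity is older than the timeout; they already fail validateSession(), so the purge only keeps the table small.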
You can store the users in a database, along with their login information, and check that every time you want to authenticate a user. This is far safer than using just session variables to authenticate.
You can count the number of users that are logged in by setting a bit for the user's record when they log in and turning the bit off when they log out / session expires, and counting the number of these bits that are on to see how many people are logged in.
If you need to display the actual users currently logged in, you're better off using a column in your users MySQL table to track the current login state, doing a periodic request via a cron job, and storing that info in a .txt file so that you can do the query just once for all logged-in users and share the result by including it in your rendered HTML.
The other method (reading inside the session folder storage) is possible but more complex and probably less effective, although I haven't done any benchmarks. It just feels very hacky.