I've came across a problem with using a 'hashbang' to keep track of which page has been loaded via AJAX.
When a link is clicked which loads content through an AJAX request into the content div, the hash of the URL changes to the page name. For example, if the user comes directly to pageA (http://www.domain.com/pageA) and then clicks a link for pageB, the URL will change to http://www.domain.com/pageA#/pageB
I'm using CodeIgniter for my application, and the code which handles the hash changing is in my header view, and it does the following:
<script type="text/javascript">
window.redirect = function() {
if(window.location.hash.substring(0, 2) == "#!") {
if(window.location.hash.substring(2).length > 2) {
window.location = window.location.hash.substring(2);
} else {
return false;
}
}
return false;
}
window.redirect();
</script>
<script type="text/javascript">
$(function() {
$(window).hashchange(function() {
if(ajax_loading == true) {
return false;
} else {
loadPage(window.location.hash.substring(2), 'internal', '');
}
});
});
</script>
There are two steps to this. The first one checks if there is a hashbang when coming directly to a page by refreshing, or entering the URL for example. If there is a hashbang, redirect to the page stored in the hash.
The second step checks for a change to the hash, which catches the likes of the user pressing the back button, for example.
My issue is with the first block - when a user refreshes or directly enters a URL with a hashbang.
If the user enters http://www.domain.com/pageA#/pageB, any server side code on pageA will run before the window is then redirected pageB
This is causing problems in cases such as:
User directly goes to pageA - pageA sets a session variable to 'abc'
User clicks on link to pageB - pageB then sets that session variable to 'xyz' - the URL is currently http://www.domain.com/pageA#/pageB
User clicks on link to pageC - the session variable is still set to 'xyz' and pageC doesn't change this - the URL is currently http://www.domain.com/pageA#/pageC
User now hits refresh. pageA is executed first, before redirecting to pageC - but because pageA was executed first, the session variable has now been set back to 'abc' when it should be 'xyz'.
Due to loading the views at the last point of the code within a CodeIgniter controller - I can't do the window redirect at any point other than when the code of the page before the hashbang has executed.
Does any have any ideas of how I can prevent this from happening?
Just don't send user to http://www.domain.com/pageA#/pageC.
You should have a unique page, that does not set any session variable, and load other pages via AJAX. Then users never goes directly to pageA but through http://www.domain.com/index#/pageA.
User goes to /index#/pageA - pageA sets a session variable to 'abc'
User clicks on link to pageB - pageB then sets that session variable to 'xyz' - the URL is currently http://www.domain.com/index#/pageB
User clicks on link to pageC - the session variable is still set to 'xyz' and pageC doesn't change this - the URL is currently http://www.domain.com/index#/pageC
User now hits refresh. index is executed first, before redirecting to pageC - but because index does not set anything, the session variable is now still 'xyz'.
As I suppose you provides yourself the links to the user, there should be no problem setting it up.
Related
I'm using php
I have a process form for a comment page that when you click on submit, you will be redirected to the main page of the website
when I redirected to index.php from my processform.php, I want to see an alert in my index that "Your comment was saved!" (It needs that my index page understand that I'm coming from processform.php)
How can I do this?
you should use something like sessions.
set session on submit form. and on index.php check if session has set with the special key. then show the alert that you want.
on form submit and success :
// Start the session
session_start();
// Set session variables
$_SESSION["processform"] = "Your comment was saved!";
on index.php
if(isset($_SESSION["processform"]){
// do alert
}
I have an index.php page, which behaves as follows :
if a session var exists and is set, it displays a menu + some info
about the user (userID, IP adress, link to disconnect)
if the session var is not set, it displays a login form
So if you go there for the first time, you'll see the login form.
When the user provides his login+password, there is an AJAX call to login_check.php. The main purpose of this page is to generate a session variable (if the user info meets several requirements), but it also sends error messages back to the bottom of the form (under the form of JSON var) in case of authentification failure.
Here is its core :
login_check.php
if (authentification($login, $password)) {
//creates the session variable
$_SESSION['auth'] = $login;
//? here I'd like to refresh the index page
}
else {
//the error that will be displayed at the bottom of the form
$json_err .= "Incorrect login or password";
}
index.php looks like this :
if (isset($_SESSION['auth'])) {
//the menu is displayed, because the user is looged-in
}
else {
//the login form is displayed, because the user is not authentificated
}
So far, I have to manually refresh the index page so that it takes the session var into account. Is there a way to do it automatically ?
Solutions like "location.reload" are not really suitable, because of the error messages that might be displayed. I also tried to call again index.php from login_check.php using "include" or "header" but it didn't work.
Should I make a conditional refresh within my jQuery function, depending on what data was sent back by login_check.php ?
What would you advice ?
Thanks
I think you need to eun your checklogged.php for example once every 5 min and if user if not logged redirect to login page.
<script type="text/javascript">
$(function() {
getStatus();
});
function getStatus() {
$status = $('#islogged').load('login_check.php');
setTimeout("getStatus()",50000);
}
</script>
When the user decides to sign out, they obviously do so by using a "Sign out" button.
When they do, this script is executed:
if(isset($_POST['submit_Logout'])){
$_SESSION['backend']->logout(); // see this function bellow
unset($_SESSION['user']); // unset only this session since there are other sessions I'd like to keep
session_regenerate_id(true); // makes sure the session id is updated, and the old one is discarded
KD::notice('success',$success_LoggedOut); // adding a notice to another session
KD::redirect('/'); // redirecting the user using header();
session_commit();
}
I'm just unsetting this particular session (user) since there's other sessions that keeps other data available, regardless if the user is logged in or not, to better the user experience.
The logout()-function looks like this - for now:
public function logout(){
$this->accessible=false; // just a flag to check against (see bellow)
$this->username=''; // empty the username
}
Since I'm unsetting the session that holds the related user data, I just realized that this function is probably unnecessary. Alternatively move the unset part etc. into the function..
Anyway, I've come to experience that when a user has logged out, he/she, or somebody else for that matter, has the opportunity to just hit the backwards button in their browser, and voila, they can view the page(s). Of course, if they start clicking on any links, they gets thrown out. But the back-button is still available..
I believe this happens as a result of cached pages/views by the browser. So when they click the back-button, they see a cached page/view stored in the browser memory or something..
Since this page, or view, is loaded into my template trough a index.php page with a permanent <head>, there's not much I can do about the caching of these restricted pages/views. Or is there?
Deleting records from the browsers history is not possible? or preventing these pages from being recorded in the first place?
Point is. What I need to do, i believe, is to force the browser to always request the page from the server. So regardless if the user hits the back-button, or a link to a restricted page, the page should always reqest it from the server, and not the browsers memory..
Or am I not getting this correct?
If so. I do wonder how. How is this usually done?
I have this in my class
private $accessible = false; // when logged in, this is set to true
public function accessible(){
return $this->accessible;
}
At the very top of the page that includes the views into the restricted area I have this:
if($_SESSION['user']->accessible()===true):
Othervise the user is prompted with a login screen.
But that doesn't work as expected. This check is not performed when the user uses the back-button in their browser...
Thanks in advance..
UPDATE
Heres a quick overview of my structure/layout:
/*
when the user is logged in/out, the script that does that is executed up here.
That includes setting the sessions etc. aswell - which means, if the user is not logged in, the access will be set to false.
*/
<head>
</head>
<body>
/*
Here I include different pages with php include;
These pages can be home.pg.php, contact.pg.php, and of course restricted.pg.php
each of these pages includes different content (views as I like to call them) that is presented to the user based on their interaction.
Now. When the user tries to access the restricted.pg.php, I have this at the top:
*/
if($_SESSION['user']->accessible()===true):
/* now each view that is included here should be not accessable if accessable() is not true. */
else:
/* the user is presented with a login form */
endif;
</body>
Did this help?
All the pages that require some to login should have something like this,
session_start();
if(!isset($_SESSION['user']){
//REDIRECT USER TO LOGIN PAGE
}
If its because of the browser caching issue that hitting back is taking you back to cached version of the page (even though user is logged out) then you should redirect the user twice (good practice).
what I mean is create a file called logout.php so when user clicks on logout button,it redirect the user to logout.php (that'll have the session unset code) and after that redirect user to login page.
so current page ----redirects to---> logout.php ----redirects to----> login.php
i think in every page you can just check whether a session is set or not. ex. Session::handlelogin('user')
then you can just make a function namely handlelogin in Session class
Class Session {
function handlelogin($user) {
if (!isset($user)) {
//redirect the user to your login page
}
}
}
Notice: just set this up in top of the page if your using MVC architecture then you can set it up in the Controller
Session::handlelogin('user')
I want to clear the php session array every time a user leaves my page, but my page has links with query strings. I don't want to clear the session array, when a user clicks on a link with a query string. I have tried the following javascript code but it does not work when the user leaves the page.
somepage.php
var url = new RegExp(/somepage.php\?sort=.*/);
if (url.test(document.location.href)){
//do nothing
}
else {
$(window).unload(function(){
$.ajax({
url: 'clear_session.php'
});
});
}
Calling a webserivce onunload is very unrealiable. Why not just unset the PHPSESSID cookie? This wont clean up the session on the server, but it will give the user a new empty session when he visits again.
I have a strange problem that does not set the user as logged in to the SESSION until a second click (although they are logged in)
So, I have a login dropdown that looks like this:
I send the user to the ACCOUNT-SELECTOR. PHP to determine the approprirate validation based on a business or individual account:
if (isset($_POST['loginAccountType']) && $_POST['loginAccountType'] == 'individual') {
include('ind_login.php');;
} elseif (isset($_POST['loginAccountType']) && $_POST['loginAccountType'] == 'business') {
include('bus_login.php');
} else {
include('error_login.php');
}
I have session_start(); on my account-selector.php page as well as my ind_login.php page. And, both are located at the very top of the page (before anything else).
Once I log in, this is my view:
As you can see, I am able to set and return the $_SESSION['Ind_ID'] on the ind_login.php page and VIEW YOUR PROFILE works (which is linked to the SESSION ID).
However, we still see a LOG IN button on the navigation when the code says this button should be set to display:none:
if(isset($_SESSION['Ind_ID'])) {
$accIndStyle = "visibility: visible;";
} else {
$accIndStyle = "display:none;";
}
I know this is the correct code as the button does become display: none for other buttons. However, if I log in a second time, or go to a different page with the session(start), the site will read the $_SESSION['Ind_ID'] as set and hide the Login button and replace it with a logout button.
Any help very much appreciated.
Put your session_start() on the top of your index.php file (That file which includes the others.)
seem like your page needs to be refreshed, or just throw an ajax call in there to update the button value according to session.