I need to know if there is an user logged in my website. For this purpose, I have only his session ID.
I got this id using: session->getId();
¿Is it possible?
Thanks in advance.
add a custom field to the session when the user logs in and then just check that field
Given that the web is essentially stateless, it is hard to know for sure if a particular user is logged onto a website.
One way to accomplish your goal is to keep a running log of all the users logged in, and the last visit time. Then you could query that log and if the users last visit time was less than 5 minutes ago, you could then say the user is logged onto your site. This will only tell you if the user is logged into your site, not if your site is the active tab in their browser.
Another way to get more "real-time" information as to the the active users of your site is to use something like SignalR which will allow you to do push to the browser. I've used SignalR in the past to send out system status messages to the browser and have it automatically update the page. The great thing about SignalR is it maintains an in-memory list of all the clients connected.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I'm trying to create a cross domain sign in just like Google. So you have the same account for your youtube, gmail, google+, etc. However, there are several questions I'm confusing about:
Suppose I have 5 websites, I don't want to transfer any data about the user besides his/her email, username and password. If I have only 1 user database instead of 5, every time I call the user database to access user's profile picture, username and etc, do I need to call the remote database?
I've been thinking about having a remote user and session database so every child site access that instead of local user and session database. But my application uses the table extensively and i'm worried about the performance of getting the data from a remote database every time.
How can I implement this in a clean way so every child site can easily access the user info locally, and they also share the same login/logout process just like Google and its products? (I'm using a PHP framework called Yii with MySQL)
I've come up with the following solution and I posted it as an answer as well, please advice if there is any issue about this? Thank you guys for help.
Have a user table in every child site, say child1.com & child2.com
Have a super user table in the parent site, say parent.com
When user logs into child1.com, check identity, redirect to parent.com/child1 to register or login. Once it's done, redirect back to child1 with an encrypted URL to login the user automatically. If the user's info has changed from the parent database, we can sync it here to the child database, (If it's a register process instead of a login process, write the user_id, username and email as well into the database so you can access this locally from child1.com)
When user logs into child2.com, it redirects to parent.com/child2, however, the users has been authenticated to parent1.com, so it redirects the user to child2 with out encrypted URL, so child2.com logs the user in directly.
For logout process, logout child1.com & curl other encrypted logout link to logout this user from other sites say child2.com or parent.com
After talking to a bunch of people, the following way seems promising.
Have a user table in every child site, say child1.com & child2.com
Have a super user table in the parent site, say parent.com
When user tries to log into child1.com, redirect to parent.com/child1 to register or login. Once it's done, redirect back to child1 with an encrypted URL to login the user automatically. If the user's info has changed from the parent database, we can sync it here to the child database, (If it's a register process instead of a login process, write the user_id, username and email into the database so you can access this locally from child1.com)
When user logs into child2.com, it redirects to parent.com/child2, however, the users has been authenticated to parent1.com, so it redirects the user to child2 without login again, and child2.com logs the user in directly with the encrypted URL from parent.com.
For logout process, say the user logout from child1.com, we curl other encrypted logout links automatically to logout this user from other sites say child2.com or parent.com
You can edit UserIdentity class ,find it in components folder, in each website and override authenticate() method to check OAuth, remote database, web service or what ever method you think it is comfortable for You... Don't worry about performance, because login is performed only once per session...
Why not create something like this?
MasterSite.com
users
id
user_email
password
sites
name
domain
salt
site_users
id
user_id
site_id
Child1.com
Say the user's name is Joe and has visits www.child1.com. He clicks on www.child1.com/register/. He will be redirected to www.mastersite.com/register/site/child1. After the registration he will be redirected back to www.child1.com/session_id/abcdefgh12345
Now say the user visits www.child2.com. And he visits www.child2.com/login/. The sysem will redirect him or popup a login back from www.mastersite.com/login/. If a session id already exists on www.mastersite.com then the user will be simply redirected back to www.child2.com/session_id/abcdefgh12345
That session id will be stored in the MasterSite.com's database and occasionally will be updated by www.childX.com as needed.
Storing user's data on each website is ok to a certain extent but it can get ugly real quick. However, since there are cloud based solutions nowadays... I don't think it will be much of a problem to scale the MasterSite's database or CPU power if the need arises.
Having a single remote database (parent server) with user information sounds like the simplest solution.
Keep in mind that PHP sessions are stored on a server's local file system, by default. So when you log into website-B with website-B's session data, you are not logged into any other sites.
This is where the magic happens. You need to instruct PHP to use the remote MySQL database to store session data, instead of the local machine's file system. Once set up, this works like magic.
I did a quick google, and found this site with instructions for setting up a MySQL session table for PHP.
enter link description here
This is bit different scenario in session management.
I want to develop as system where if users loges in and then keep shows activity on browser his session will continue and if no activity session will destroy.
For example user logged in at abc.com after that if he access google.com , yahoo.com, etc any website his session will be continue at abc.com else session will be destroy.
Its some thing like UTM device where user logged in once and they continue use system for a fix period of time..
Please help me with your suggestions to implement solution for above?
Thank you
I am trying to do it using cron jobs and database table "logging" where i maintained entry of logged in users. In one table storing website accessed by user and accessed time, if difference of last web accessed time and current time is more than 3 minutes removing the entry of user from logging table. If there are some more options available to do it please let me know.
A session is maintained server-side and you need requests to this server to renew the session. If the user requests pages from another server, your own server will and should not be informed.
While it may or may not be possible to write some hacks with JavaScript, you would violate the privacy of the user. This hack could and surely would be used to sniff users.
If you only want to be tolerant in your session timeout, simply choose a longer timeout (extend it to an hour if necessary). Then a user has enough time to browse other sites and still keep the session on your site. All other reasons to collect user requests i can think of, are spyware related.
I'm designing an application in PHP, something like a users directory, where i need to display login status for each user. Is there a safe way to tell if a user is connected (logged in) or not?
Edit: I'm updating the post with some application logic. The application is about a craftsmen directory. Each craftsman will login to the application. When someone search for craftsmen, he will be able to see the logged in ones and send a message with a job description that needs to be done.
Craftsmen may not have other activity that just log in to the app, so the app it self must have a way to "tell" if a user is logged in or not.
I think only php for your requirements would make it difficult. Take a look at socket.io or something similar. You could achieve this with craftsmen having a connection like longpolling/sse/websockets. You can integrate this with php serving the html and then set up a connection from the client on document ready to socket.io.
By "safe" do you mean "accurate" ?
I'd suggest setting a flag to LOGGED_IN when they initially, and successfully (being safe!), log-in. Then update a timestamp each time this user requests another page. When the last_update reaches a grace period, 15 minutes?, you can then assume they've logged out.
I have developed a web application in PHP for a client. The client is now renting out access to the system to another company on a per user basis.
Is there a way to prevent the secondary company to use a single login and give it to 20 people to use at the same time? I know one can get the IP address of the client machine that is being logged in from, but this is obviously not very reliable method. The answer probably lies in a combination of cookies and tracking things in a database, but my brain gets a bit stuck thinking on how to implement a strategy here.
Create a unique session ID when a user logs in and store that in the DB. Add something to the session authentication code (run on all page visits) that checks that the user's session ID is equal to the one in the DB and if not, log them out. Then your web app will be accessible by only one user at a time.
To be completely honest though, can't you raise this issue with your client?
No way to tell if the login is shared among 20 people. You can restrict access by blocking simultaneous usage thru session cookies.
Most of all, protect yourself with a published Terms and Conditions document. Violation of which - revokes any standing agreement/contract. And sue them if you can provide evidence (logs) that they violated it.
Make sure you bind one user to one session. In that way you can generate a warning screen if somebody uses the same login with another session. You can then let the user choose to close the other session.
In that way you can make sure two users are not using the system at the same time. It's a bit like a software program you have installed on a computer: multiple users can use it, but only one at a time. This is probably fine.
If you don't want that, you should try to bind the login more firmly to the user: make sure he logs in with a personal e-mail address, and he gets notifications (if applicable) via e-mail. Also let the user set personal configurations. In that way you create extra value for users to have their own account.
If you have a login you have authentication, and you write any user id in session, make sure that only one session with this id created, if the session already exists throw error message.
The only problem you will have in case and user did not logout properly, instead of it pressing x button on browser then he will not be able to login till session s not expired.
I am developing the user management portion of a website that will host a webcast. The goal is to prrevent the same user nam (email address) from being used concurrently. That is, we don't want two individuals using one login to view the event.
I've already setup a table that holds the user registration data with regID as primary key. My thought is to create a login history table with username as primary key, foreign key to user name in registration table. The login history table would simply timestamp when the user logs into the site. However, this won't accomplsih my goal of preventing more than one individual from using the same login name.
Instead, would it be better to have a login status field either in the login history or user table that is set to 1 for logged in and 0 for logged out? It would need a stored procedure to update the value at login and at logout, and would need to be validated when a user logs in such that if login status = 1, user already logged in and cannot login a second time. Is this a feasible approach?
Please share other methods you've used to prevent the same login credential from being shared amongst multiple individuals.
Thanks,
Sid
If it is OK to logout an already logged in user if someone else logs in with the same credentials then you could do the following: when a user logs in generate a random ID in your database for that user and the same in a cookie session. The two must match to authenticate.
Without rolling your own session handler, you could do a little parallel tracking. When a user logs in, you can store the user's session ID and login time in the database (maybe inside the user information table). The login script could then check for the existence if this sessionID and allow/deny login based on the presence of the session ID. If the ID's null/blank, then the user logs in. If there's a session ID present, and it's more than X minutes old, allow the login. Otherwise deny them.
Of course, you'd probably want to roll your own session cleanup handler at that point, so that when stale session files get deleted, you can remove the associated IDs from the database at the same time.
The problem here is detecting the user is logged in (i.e. whether he didn't logout).
One possible way is to register in the database the time of his last activity and the time of his explicit logout. You could then deny a login if it this was attempted less than say 5 minutes ago relatively to his latest activity and if he didn't login in between.
You could force "activity" by having the website pages periodically poll the server with Javascript.
It's easy to determine when someone logs in. It's much harder to determine when someone logs out. If you have a mechanism of killing the webcast streaming to a particular user quickly, you might want to have something which pops up asking the user if they want to kill their other session if you think there might be one active.
How are you doing user sessions on the server? If you store them in the db, you could query the active sessions anytime someone attempts to log in and see if they're already in there. Of course you'd probably also have to check some kind of timestamp since you're not guaranteed that sessions will disappear at session.gc_maxlifetime.
You might want to consider making a global variable in php to store a hash array with login status. This has the benefit that if the application has to be restarted for some reason, the user isn't stuck in the wrong state in the database.
You can store a mapping from user ID to IP or session cookie and redirect requests that come with different information to the login page. If the user logs in, the other session would be invalidated and further requests in the last session forward to the login page.