I am making a PHP system (on an Apache server) and I need to make the site extremely secure.
One of my requirements is to make sure that any visit to a page other than via a direct link from the website (even a "back" button) will reset the session and demand another login (redirection to the login screen).
The entire system is up and running; I use PHP and jQuery in my code.
I had an idea about making a function that is called every minute (or so) and "remakes" a token for the next minute (or just a little bit longer). If the function doesn't get approval from the server, then the browser will redirect to the login screen.
What do you think about that solution? Would it be too "heavy" on the internet connection? (We usually have an EDGE/2G internet connection over iPad.)
If I do implement this solution, how can I make sure that at the moment when the user presses the back button or enters the site he won't be shown any data?
Thanks in advance.
Use sessions to validate someone's presence.
Then you can destroy its session and expire its session!
like:
session_destroy();
Well, the solution was making a function that is called every minute (or so) and "remakes" a token for the next minute (or just a little bit longer). If the function doesn't get approval from the server, then the browser redirects to the login screen.
Related
I am sure someone has run across this issue before; I just haven't been able to find anything on it anywhere. Anyway, here is the scenario.
I have a PHP website that a user will log in to; then their account id is set as a session variable, and once they are in it basically acts as a single-page app. The session account id is for tracking their activities as they do different things throughout the app.
The site will be accessed primarily on mobile devices. I have PHP that sets the session timeout length, then, using JS, gives them a popup warning a couple of minutes before the timeout ends. Then, after the end of the timeout, using a meta refresh, it redirects them back to the login page.
On a desktop, this all works like it is supposed to. On mobile, it is behaving differently. On a mobile device, a user may log in, do some stuff on a page, then, without logging out, put their phone in their pocket and not come back to it for a couple of hours. When they open up the browser it keeps them on the page they were on, but the JS was obviously not running during the time their phone was sleeping, or whatever else they were doing in the interim. The meta refresh also does not work as expected, but the session is still timed out. So when they open the app back up and try to do stuff, I get errors from the DB saying that the id cannot be empty.
I can use AJAX to check whether their session still exists on every click of a button, but for the speed of the app I would prefer not to do that.
Has anyone else run into this and found a solution for automatically logging out people on single-page apps viewed on a mobile device?
So I am working on a site that requires a login against a MySQL database with "remember me" functionality. I got that fine (based on Jaspan's page). What I am a little fuzzy on is the use of sessions to track user movement. I'm not worried about their history on the site. I've looked around on the interwebs and especially SO, but I haven't really found what I'm looking for. Perhaps I'm just not using the right keywords to search. Anyway... as I said, I have the actual login process, and a cookie is set up with the triplet for the "remember me" functionality. But how do I track the authenticated status while the user is browsing the website? The logged-in user should be able to browse the secure area of the website, or the scripts should output special data, without the website having to check the "remember me" triplet against the database on every page load. I thought to do something like $_SESSION['authed']==true, and every page load would check the session value, but I suspect that isn't a very secure way to go about this. I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true. Now, I DO understand that the session variables are stored on the webserver, not in the browser's cache. However, I can't see the big picture enough to know the right way to go about this.
I thought to do something like $_SESSION['authed']==true, and every page load would check the session value
Yes, that's what you do.
but I suspect that isn't a very secure way to go about this
It's perfectly fine. You establish a session, which means you send a unique cookie to the user. That is your security. The fact that you have a session at all is your security. Then you simply record the fact whether the user is "logged in" or not in that session.
I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true.
Yes, cookies don't necessarily expire when the browser is closed. Each cookie has a specified expiration time; they can persist however long you want. Even cookies without an expiration time aren't necessarily immediately discarded when the browser is closed. That may have been the default behaviour of browsers a few years ago, but it isn't necessarily true anymore.
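An added example of what the answer describes, written for this page rather than taken from the question or the answer: the "logged in" fact lives only in the server-side session, the session cookie is issued with lifetime 0 so the browser is asked to drop it on exit, and the session id is regenerated at login. The question writes `$_SESSION['authed']==true`, which is a comparison; the flag is set with a single `=`. `verifyCredentials()`, the in-memory user list and the `/login.php` path are placeholders for the site's own Jaspan-style login check.

```php
<?php
// Added example, not code from the question or the answer. It keeps the
// authenticated state in $_SESSION, as the answer recommends, and configures
// the session cookie so that it is a "session cookie" (lifetime 0), sent only
// over HTTPS and unreadable from page scripts.
declare(strict_types=1);

function startSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // 0 = session cookie; most browsers drop it on exit
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Placeholder for the site's own credential check (assumed, not the
// questioner's code). Returns the user id on success, null otherwise.
function verifyCredentials(string $user, string $password): ?int
{
    // Constructed sample user; a real site reads the hash from its database.
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return null;
    }
    return $users[$user]['id'];
}

function login(string $user, string $password): bool
{
    startSession();
    $id = verifyCredentials($user, $password);
    if ($id === null) {
        return false;
    }
    // Fresh id on privilege change, so an id handed out before login is useless.
    session_regenerate_id(true);
    $_SESSION['authed']   = true;    // one "=": this sets the flag
    $_SESSION['user_id']  = $id;
    $_SESSION['login_at'] = time();
    return true;
}

// Called at the top of every protected page; returns the user id or redirects.
function requireLogin(): int
{
    startSession();
    if (empty($_SESSION['authed'])) {
        header('Location: /login.php', true, 302);   // assumed path
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Clears the server-side data and tells the browser to forget the cookie.
function logout(): void
{
    startSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The cookie lifetime only asks the browser to discard the cookie; as the answer says, browsers that restore their previous tabs may keep it, so the server-side data should still expire on its own (see `session.gc_maxlifetime` or an explicit last-activity check).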
If I have, for example, 7 open tabs with the user's personal profile in the browser: after the session goes down, the user sees an alert asking whether he wants to continue his session or not. If not, the session is destroyed and all 7 tabs with his personal profile should be reloaded and PHP redirects them to the login form.
Here is the question: how can I determine that the session was destroyed and we should reload the tabs? Ajax is not a good solution because it makes a lot of queries to the server.
I think AJAX would be the solution; there's no need to make a lot of queries. Just use a JavaScript callback function which is executed once every 5 minutes and checks whether the user has chosen not to continue his session. If so, then redirect...
If you do not wish to use AJAX, which is the only available solution I know of for dynamic refresh/closing capabilities, you will have to check if the session exists each time the page is loaded to determine if the page should be reloaded or closed. You can do this by saving the session id in a cookie and comparing it each time the page is loaded. This will tell you if the session has ended and can allow you to reload it if I recall correctly.
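The following is an added example written for this page, not code from any of the posts. It is a server-side version of the "new token every minute" idea from the first question and of the polling suggested for the multi-tab question just above: the server keeps the clock, every request (page load or poll) is checked against it, and each open tab polls a tiny endpoint and leaves on a 401. Because the check runs on every request, the sleeping-phone case from the mobile question is covered too; the first tap after waking is rejected even though no JavaScript ran in the meantime. The poll interval, `IDLE_LIMIT_SECONDS`, `?heartbeat=1` and `/login.php` are assumptions for the example.

```php
<?php
// Added example (not from the posts above): a protected page that doubles as its
// own heartbeat endpoint. The session is considered dead once it has been idle
// longer than IDLE_LIMIT_SECONDS; the browser never decides, it only asks.
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 90;   // a little longer than the 60 s poll interval

// True when the session is authenticated and was used within the idle limit;
// otherwise the session is destroyed and false is returned.
function sessionIsAlive(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['authed'])) {
        return false;
    }
    $last = (int) ($_SESSION['last_activity'] ?? 0);
    if (time() - $last > IDLE_LIMIT_SECONDS) {
        $_SESSION = [];
        setcookie(session_name(), '', time() - 3600, '/');
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = time();   // sliding window: activity extends it
    return true;
}

// Without these headers the back button can show the page from the browser
// cache without any request, so the server never gets a say. With them the
// browser has to ask again and the check above runs.
function sendNoStoreHeaders(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

sendNoStoreHeaders();
$alive = sessionIsAlive();

// Heartbeat: the page calls this URL once a minute. The response is a few bytes,
// which is what matters on an EDGE/2G link.
if (isset($_GET['heartbeat'])) {
    header('Content-Type: application/json');
    http_response_code($alive ? 200 : 401);
    echo json_encode(['ok' => $alive]);
    exit;
}

if (!$alive) {
    header('Location: /login.php', true, 302);   // assumed path
    exit;
}
?>
<!DOCTYPE html>
<p>Protected content for user <?= htmlspecialchars((string) ($_SESSION['user_id'] ?? ''), ENT_QUOTES, 'UTF-8') ?></p>
<script>
// Poll every 60 s; a 401 sends this tab to the login screen. Every open tab
// polls on its own, so all tabs leave within one interval of each other.
// A transient network error is ignored: the server-side check on the next
// real request is what actually enforces the timeout.
setInterval(function () {
    fetch(location.pathname + '?heartbeat=1', { credentials: 'same-origin', cache: 'no-store' })
        .then(function (r) { if (r.status === 401) { location.replace('/login.php'); } })
        .catch(function () {});
}, 60000);
</script>
```

The poll is a convenience for the user (the tab leaves on its own); the security property comes from `sessionIsAlive()` running on every request, so a page that never polls, or a phone that slept through the interval, is still refused once the idle limit has passed.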
I have a sturdy logout.php file which works fantastically; the issue I am faced with, however, is putting the script into a new 'intranet style' administrative site which uses 4 frames within a frameset (header, left, center, right).
There are two requirements I need to meet which I am having a very difficult time finding a solution to (yes, I know frames suck for today's consumer sites, but to reiterate, this is for an internal system administration panel with widgets everywhere).
When a user clicks the 'logout' button in the top frame, the ENTIRE page is directed to logout.php, which then redirects to a single page, "home.php". As of now, hitting logout only takes that particular frame to my desired destination.
When a user logs in, a SESSION variable is created and set to true; if pages are visited without SESSION[validated] = true, the user is logged out. Similarly to above, IF this happens, I need the ENTIRE frameset directed to logout.php.
I am trying to achieve this without JavaScript (as this can obviously simply be disabled, and JS is not a true measure of security).
Anybody ever dealt with this issue in the past?
Is the logout button a link? If so, can't you use target="_parent" to make it change the page with the frameset?
Edit
Re #2: If the session is timed out, you could make an intermediary page with a link that uses target=_parent and the JavaScript below, both of which would break out of the frame.
<script type="text/javascript">
if (top.location != self.location) top.location = 'login.php'
</script>
This is good because if they have JavaScript enabled, they won't even notice, and if they don't, they will still break out of the frames.
Solution to part 1:
Make a logout button like this:
logout
Then make logout.php do all the hard work for logging out (probably just clearing the session), and then redirect the user to the proper frameset (use PHP's header command for redirecting).
Solution to part 2:
This should not randomly happen. If you log in, your session is set to validated = true. You do not "encounter" a page where your session happens to be otherwise.
However, you could include a PHP file (or if you have been smart enough to do so, make this happen in your single point of entry) to redirect to a logout page if your session is somehow invalidated. See 1 above.
I would like to store the login, logout and duration time in database.
The login time is created when the user is authenticated (successfully logged in).
The logout time is created when the user clicks the logout button.
The duration is logout time minus login time.
But the problem is, what if the user didn't click the logout button? Here are the situations:
Internet loss
Close the browser/tab. (I suppose this must use JavaScript, but I don't know how to do it; any idea?)
EDIT:
I forgot to add something to the question: the program is a full Flash program; there is no navigation to another page. Only 1 page.
It's important to remember that all session/log-in functions in PHP are usually cookie-based. So, changing the lifetime of the session cookie should solve your problem:
http://us3.php.net/manual/en/function.session-set-cookie-params.php
Also, you can set the PHP sessions so they only use cookies:
http://us2.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies
Again, you can catch the browser window / tab close but ... why? For instance, I may have your site open in multiple tabs. If I close one of those tabs, should I automatically be logged out of your website? That's a very bad design. Instead, set the session lifetime so it expires if the browser is closed and not just a tab. (Note also that window.unload will log out when any window on your site closes, including a pop-up or an iframe. Do you really want that?)
http://us2.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
If you want to store session state in a database, try any one of these guides. Or roll your own with session_set_save_handler.
You can't rely on receiving an event for the user logging out if they simply close their browser or disappear from the internet.
In this case you'll have to have a session timeout of some kind, and record the logout when your app realises their session is too old.
If this is a real requirement, then I'd say you need a "cron" job monitoring the sessions for timeout. When a session has timed out, if they were logged on, it then records a "logout" event for that user.
Note that you can't use (for example) ASP.NET's Session_End event, because that won't be reliably called either (for example, if the server process restarts).
Another option is to add the logout time the next time that user logs on: when they log on, you check for old sessions and assume that any which weren't closed lasted for a fixed amount of time since the last page hit.
That's really all you can do.
Regarding the closing of the browser/tab, you can bind the unload event (window.onunload, jQuery's $(window).unload(fn), or any other) to notify your server. A more general-purpose solution would be to periodically ping your server (say, every 5 min), but it might be annoying to the user, so do so judiciously.
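An added example for the login/logout bookkeeping question and the "cron job" answer above; it is not code from any of the posts. Every authenticated request stamps a `last_seen` column, the logout button closes the row with the real time, and a sweeper (run from cron, or at the next login as one answer suggests) closes any row that has gone quiet for longer than the timeout, recording `last_seen` as the logout time. That is the best a server can do when the browser never says goodbye. It uses an in-memory SQLite database so it runs stand-alone with the `pdo_sqlite` extension; the table and column names and the 15-minute timeout are assumptions.

```php
<?php
// Added example (not from the posts above): login/logout records that do not
// depend on the browser ever sending a logout event.
declare(strict_types=1);

const SESSION_TIMEOUT = 15 * 60;   // seconds of silence after which a login is over

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_log (
        id         INTEGER PRIMARY KEY AUTOINCREMENT,
        user_id    INTEGER NOT NULL,
        session_id TEXT    NOT NULL,
        login_at   INTEGER NOT NULL,
        last_seen  INTEGER NOT NULL,
        logout_at  INTEGER,
        duration   INTEGER,
        ended_by   TEXT)');
    return $db;
}

// Called once the user has authenticated successfully.
function recordLogin(PDO $db, int $userId, string $sessionId, int $now): int
{
    $st = $db->prepare('INSERT INTO login_log (user_id, session_id, login_at, last_seen)
                        VALUES (?, ?, ?, ?)');
    $st->execute([$userId, $sessionId, $now, $now]);
    return (int) $db->lastInsertId();
}

// Called on every authenticated request (page load, AJAX call, heartbeat).
function touchLogin(PDO $db, string $sessionId, int $now): void
{
    $st = $db->prepare('UPDATE login_log SET last_seen = ?
                        WHERE session_id = ? AND logout_at IS NULL');
    $st->execute([$now, $sessionId]);
}

// The logout button: close the row with the real logout time.
function recordLogout(PDO $db, string $sessionId, int $now): void
{
    $st = $db->prepare('UPDATE login_log
                        SET logout_at = ?, duration = ? - login_at, ended_by = ?
                        WHERE session_id = ? AND logout_at IS NULL');
    $st->execute([$now, $now, 'user', $sessionId]);
}

// The sweeper: the "cron job" from the answer. Any open row that has not been
// seen within SESSION_TIMEOUT is closed as of its last activity, which is the
// last moment the server knows the user was there. Returns rows closed.
function closeStaleLogins(PDO $db, int $now): int
{
    $st = $db->prepare('UPDATE login_log
                        SET logout_at = last_seen, duration = last_seen - login_at, ended_by = ?
                        WHERE logout_at IS NULL AND last_seen < ?');
    $st->execute(['timeout', $now - SESSION_TIMEOUT]);
    return $st->rowCount();
}

// Constructed walk-through: user 7 logs in, is seen ten minutes later, then
// the phone goes in the pocket and nothing more arrives.
$db = openDb();
$t0 = 1700000000;
recordLogin($db, 7, 'sess-abc', $t0);
touchLogin($db, 'sess-abc', $t0 + 600);

foreach ([14, 16] as $minutes) {
    $closed = closeStaleLogins($db, $t0 + 600 + $minutes * 60);
    printf("sweep %d min after last activity closed %d login(s)\n", $minutes, $closed);
}
$row = $db->query('SELECT login_at, logout_at, duration, ended_by FROM login_log WHERE id = 1')
          ->fetch(PDO::FETCH_ASSOC);
printf("login %d, logout %d, duration %d s, ended by %s\n",
       $row['login_at'], $row['logout_at'], $row['duration'], $row['ended_by']);
```

The first sweep runs inside the timeout and closes nothing; the second closes the row with `ended_by = 'timeout'` and a duration measured to the last request, not to the sweep. A logout-on-unload ping can still call `recordLogout()` when it does arrive, which simply gives a more exact time for the rows the sweeper would otherwise have closed.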