I have seen MANY questions on this before online in many places, however, out of about 30 forums and whatnot, NONE of them have had the solution I need, and that includes stackoverflow. If anyone could help me find a reliable solution, it would be greatly appreciated, so thanks in advance!
I'm going to explain my site and situation with as much detail as possible in order to help any who want to help answer my questions. Here is my situation:
I have a website and I use PHP and MySQL. My website is a "private" organization site. In order to allow people access to the site, I send new members of our organization an invite code. The user then visits the website, and the index.php file simply contains a form for logging in as well as a link to the registration pages. New members click the "Register Here" link to begin registration. The first registration page asks for the user's last name and invite code which are checked against a database to make sure that person is on the list and has not yet registered. If they pass the check, they are taken to the next page in which they enter required information (username & password, email address, etc.) as well as some optional information (phone, bio, etc.). If the user creates a valid username and password and has all required fields filled out, their information is stored in a database. Passwords are all salted and hashed properly and securely, so there is no problem there, and the whole registration process works as it should. After registering, the user is taken back to index.php where they can now log in using the username and password they just created. This works as well; when the user logs in, their username and password are checked against the database, and if successful, the user is logged in. When the user is logged in, an ONLINE value in the database is set from False to True. The user is now logged in and can use the site as it is intended. On my site, there is a column that lists users that are currently online (based on the ONLINE value from the database). When the user clicks the "Log Out" button which is located on every page of the site, the logout.php script is run, ending the session and setting the ONLINE value back to False. This all works fine and dandy, however, the problem comes when the user closes the browser without logging out first. This is where I have seen many different "solutions" various places on the internet.
I am going to explain why they won't work and why I need a better solution.
The answers I see most often involve some sort of session timeout or destroying sessions, which is irrelevant because of the fact that the session already does, in fact, end when the user closes the browser, but that has no effect on telling other users whether or not that person is currently online. When the session ends, the database won't be updated, which causes a problem due to the fact that a user can only be logged in from a single instance. If a user attempts to log in while their ONLINE value is already set to TRUE, they aren't allowed to log in.
I have also seen suggestions of using a "Last Seen" value instead of an online value, and if a user hasn't had any activity within the past x amount of minutes, log the user out. This won't work, however, for two reasons. 1) That script still has to be running somewhere in order for that to work, meaning another user must be logged in for that to work. That basically means that, if using this method, if a user closes their browser or if they lose connection, they won't be able to log back in until another user logs in. With my organization being a small, locally based organization as it is, there are likely to be many times in which there are no users online. Also, even if another user is logged in, the user whose connection was lost still won't be able to log back in until after x amount of minutes has passed, so if the user accidentally closed their browser and wanted to log back in immediately, they simply wouldn't be able to.
A less frequent solution I came across involved using the onBeforeUnload JavaScript function, but those most definitely will not work due to the fact that those would trigger any time a user clicked on a link or on the "Back" and "Forward" buttons. Also, if the user has JavaScript disabled in their browser, this will not work at all.
The last thing I have seen involves while loops and the connection_aborted function, and this is the only one that seems like it could work, yet I have not seen a very clear description of how this should work, and after spending months experimenting with it, I still have not come up with a reliable solution.
In many forums, I have seen people say that "it's not possible," but that can't be the case considering there are sites that do it somehow. I have tested and experimented with this on several sites. On a site that has users such as Facebook or any forum website, there is a list of "online" users, and in the case that a user closed their browser, their name would no longer appear on the list, so it is possible, even if it can only be achieved through some obscure method. So, if anyone knows of a solution, I would greatly appreciate if you could share some of your wisdom on this subject!
Try creating a heartbeat mechanism in JavaScript.
This method sends an AJAX call to your web method at a regular interval. Use:
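// Send a pulse every 30 seconds for as long as the page stays open.
setInterval(function () {
    sendPulse();
}, 30000);

function sendPulse() {
    var varUserID = userID; // any unique user identifier that can be found on server side
    $.ajax({
        url: "Default.php/updateUserStatus",
        // The body must be a JSON string to match the contentType below.
        data: JSON.stringify({ UserID: varUserID }),
        type: "POST",
        dataType: "json",
        contentType: "application/json; charset=utf-8",
        success: function (mydata) {
            // alert("pulse sent");
        }
    });
}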
On the server side, you must have a method with the same name and a case-sensitive parameter. The method should be static and marked as a webmethod. In this method, save the current time for the user. You should have a mechanism to know which users have a very old pulse; do this check when a user tries to do something or performs any operation. I have implemented this approach and it works very well.
That's the answer: a persistent connection between client and server. For this, you will need a TCP connection, like websockets nowadays, or an old Flash duplex connection. From here on, TCP takes care of notifying you when someone connects or disconnects. What you have to do is write a websocket server (for example) which just tracks connections (push and pop from an array), and also a way to respond to a "get_users_online" message. You can access your user's session (read only) via the websocket server, and then see if the user is logged in (and in this way, you can store his nickname in the session and access it further from the websocket server), see if he is admin (session->is_admin).
Pretty simple, I would say.
Here is the library I've been using: http://socketo.me/ . It uses a library for decoding symfony2 sessions, but for simple applications, you don't need decoding (symfony2 applications encode sessions, so the websocket server has to decode them).
Big note: Sessions have to be stored externally (not in file system /tmp) like an ORM or NoSQL.
Either way, excuse me, but I have to say that the "Last time" seen is super okay. Most sites rely on this. You understood something wrong: you don't need to have a living server always checking "Last time"; when you request /admin.php?users_online=1, you make a query where "Last seen > NOW() - 5 minutes" (won't work written like that), so you can even get rid of the "ONLINE" "OFFLINE" field.
I suggest using a websocket approach, it's fun. :)
Good luck!
Related
Let me start by stating this : I absolutely do not wish to bypass the captcha.
I am using a particular website (let's call it "Swidili") that shows a list of websites based on a theme and ordered by votes they got from the users. These votes are limited by IP address and time (one per hour).
I wish to gift something to the users of my own website (let's call it "Badada") that vote for my website on Swidili. My issue is that I have no way of knowing if a user really voted. There is a cookie response that you get when you vote (vote=y) that lasts an hour (or until you can vote again).
Obviously, I can't read the users' cookies from another domain. There is also no API made available by the owner of Swidili. I tried contacting him, but he does not seem to wish to answer me. Since it has now been a couple of months, I'm trying to find another way.
The solution that I thought of would be to show the captcha on my website, and then send with curl the result of that captcha. That way, the user is able to vote, and I can check if the vote is real by getting the cookies back from curl. Unfortunately, that does not seem to be possible, since ReCaptcha2 is limited to specified domains.
I have asked other webmasters, and they seem to have found a solution, but refuse to share it with me. I was wondering if there could be another way to get this cookie. Am I doomed?
Is it at all possible to retrieve user information that can be used as a unique identifier between domains?
As a quick example of what I am trying to do (not exactly this but the theory is the same) say you had a main website at UK-news.com. You also had three other sites - England-news.com, Scotland-news.com and Wales-news.com, all hosted on the same server.
All 4 sites will share the same database and each would just pull the relevant info out of it. If a user becomes a member of one of the sites, they will also be given the option to become a member of any or all of the others. If a user signs-in to one of the sites he is a member of, and then goes to another how can I get that site to recognise him from the one he signed-in on so he is automatically logged in?
My theory was to store some user information (IP, USER_AGENT, browser, screen resolution, computer name, OS) in the database via PHP and then check against all of those as the user moves between sites. However, even checking against all of these, I am sure it will be possible for two different people to have exactly the same details.
Are there any truly unique identifiers that will guarantee that a person is recognised between domains?
Thanks
Steve
I don't know what the configuration of your server is, but if one site is under something.domain.com, and another something2.domain.com, and the domains England-news.com and Scotland-news.com are only links to those sites, you can use url overwrite, and the cookie sharing over subdomains option in PHP. But I think that this is not the case. So...
There is no 100% sure user recognition. And this is great, imagine what will happen if there would be. You can NEVER trust user data, and headers data, while sometimes you can not even trust the $_SERVER array. So there is no option to recognize the same user over a few domains.
1) The only answer that is useful is to suggest you share the user MySQL table, and make all the logins and passwords the same for each site. In that case someone can log in to another site using the same data.
2) You can try to rely on second-hand services like a Google account or Facebook account to verify users on your site. But you must remember that there are people without Gmail and Facebook, and the availability of such a site will be reduced.
3) Use a service like forever cookie, or something like that, but this is also not 100% sure. It is using HTML5 storage, Flash objects, and everything to verify if this is the same user. But as far as I know, everything can be omitted, if you are patient enough.
Best regards!
At the moment, I'm working on a website that could use some extra user usability, so I want to launch a couple of modal windows to aid users on their first time visiting of a couple pages.
I want to check if it is a user's first time viewing a specific page. I've read about how you can run into problems when using cookies to do this. They can be deleted, the user can use a different PC or device, etc.
Also, I want to check for multiple pages if it's their first time viewing, not only directly after login.
I'm guessing a good idea for this would be to make a separate table with the pages in it that I need and setting a boolean for it if it is viewed or not.
Would this be the best way going about doing this?
There isn't a highly reliable way of doing that:
You can use cookies, but as you said, they are not reliable, a user can change PC, delete cookies, change browser, etc.
You can try using an IP address, but that's also not reliable. If a user switches address (which can today happen as you walk down the street with your mobile phone) he'll see the page over and over again. Moreover, if some other user happens to stumble upon the IP address the first user used, he won't see your tour/tutorial.
What I can suggest is that you use cookies to detect if the user is new, but don't automatically throw the help modules on him; instead prompt him using a non-obstructive toolbar at the top or bottom (never a popup window or lightbox).
That way, you get most of the users (because many people use the same browser and computer and rarely delete all their cookies), and even if a user has deleted his cookies, he still won't be disturbed that much.
There is no reliable approach if user is not registered and logged in with her/his username & password.
As mentioned before, there is no reliable way of detecting users (and detecting if the user visits the site the first time). I also recommend Madara Uchiha's approach. You could also use HTML5 local storage in addition to cookies; both are not 100% reliable.
You can however try user recognition without relying on cookies or HTML5 storage, but this is extremely complicated; you don't want to do this.
Just to satisfy your curiosity about how to do this, check this epic answer on a related question:
User recognition without cookies or local storage
I think, as I believe, there is no way with no solution. I think, a possible way consists of some parameters which first to be said and finally by considering those, we can be able to talk about possibilities and impossibilities.
My parameters are in the below;
talk about features of a webpage as "User Detection" and detail them
think about reactions (I mean being fast to click on any elements of a page or not) on a webpage
inspect elements
URL injection
other reactions like click on some parts as spots placed on the page
stay on that page up to a time defined for being and checking authorizing
and so some solutions like the ones above.
This is my first post on these forums, however I've been using them for years in looking for solutions to my coding challenges...thank you for all for sharing your knowledge.
Ok, to the point...I need a nudge in the right direction for a theory of a solution to the below problem.
Desired Result:
Current existing structure: FLEX RIA that communicates with MySQL DB via PHP.
We basically, have a RIA that is part of a software solution we provide to our customers, we want to restrict login sessions to one/username, which we did successfully by setting a value in our MySQL DB...the point of this was to restrict the use of username(s) to one application access point and create the ability for us to charge for additional usernames, if so desired by our customer.
Problem:
Although we successfully restricted user logins to one session, we ran into a problem when the RIA connection with the DB was inadequately terminated (e.g., browser crash, OS crash, flash player error, etc). When these crashes happened the value that was set in the DB for the user, showing them logged in, would persist and thusly lock them out of our software application. We would have to go into the database and manually reset their logged in status.
What I am looking for:
I need some suggestions or some areas to look into/research for a solution to this problem
Any help you might provide is greatly appreciated,
Thank You
Dignified Dude
When the Flex app pings your server for the first time; create a server side session. When that session expires, flip the value of the database automatically, regardless of whether or not the user has logged out. You may also want to add some form of timer to the UI to automatically log the user out.
I assume there is some way to run code in PHP when the server side session expires. Here are some approaches that came up in a Google Search:
Run query after session expire
http://forums.digitalpoint.com/showthread.php?t=1320013
PHP session timeout callback?
http://www.google.com/search?q=Run+code+when+PHP+session+expires&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#sclient=psy-ab&hl=en&safe=off&client=firefox-a&rls=org.mozilla:en-US%3Aofficial&source=hp&q=run+code+on+PHP+session+expire&pbx=1&oq=run+code+on+PHP+session+expire&aq=f&aqi=q-w1&aql=&gs_sm=e&gs_upl=9504l13039l1l13162l32l12l0l0l0l0l1160l5043l2-4.2.1.3.0.1l11l0&bav=on.2,or.r_gc.r_pw.r_cp.,cf.osb&fp=9fb4160009134867&biw=1200&bih=786
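The "last seen" rule from the answers above, applied to the one-session-per-username lock in both this question and the earlier "online users" question, as an added example that is not from either thread: the lock is a lease that the login query itself treats as free once it goes stale, so no session-expiry callback or background job is needed. Table, column and function names and the 90-second lease are assumptions, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example; table, column and function names are assumptions.
const LEASE_SECONDS = 90; // assumed: three missed 30-second pulses

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:'); // constructed stand-in for MySQL
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
               session_token TEXT, last_seen INTEGER)');
    $db->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Run after the password check. One atomic UPDATE takes the slot only if
// nobody holds it or the holder has stopped renewing (crash, closed browser).
function claimSession(PDO $db, int $userId, int $now): ?string {
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('UPDATE users SET session_token = ?, last_seen = ?
        WHERE id = ? AND (session_token IS NULL OR last_seen < ?)');
    $st->execute([$token, $now, $userId, $now - LEASE_SECONDS]);
    return $st->rowCount() === 1 ? $token : null;
}

// Run on every request and heartbeat, with the user id taken from the
// server-side session. On MySQL, connect with PDO::MYSQL_ATTR_FOUND_ROWS
// so a row whose last_seen is unchanged still counts as matched.
function touchSession(PDO $db, int $userId, string $token, int $now): bool {
    $st = $db->prepare('UPDATE users SET last_seen = ?
        WHERE id = ? AND session_token = ?');
    $st->execute([$now, $userId, $token]);
    return $st->rowCount() === 1;
}

// Explicit logout frees the slot at once.
function releaseSession(PDO $db, int $userId, string $token): void {
    $st = $db->prepare('UPDATE users SET session_token = NULL
        WHERE id = ? AND session_token = ?');
    $st->execute([$userId, $token]);
}

// "Who is online" is a query over fresh leases, not a stored flag.
function onlineUsers(PDO $db, int $now): array {
    $st = $db->prepare('SELECT username FROM users
        WHERE session_token IS NOT NULL AND last_seen >= ? ORDER BY username');
    $st->execute([$now - LEASE_SECONDS]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDb();
$t0 = 1700000000;                                     // constructed clock value
$first = claimSession($db, 1, $t0);                   // normal login
var_dump(claimSession($db, 1, $t0 + 10));             // second login, lease still live
touchSession($db, 1, $first, $t0 + 30);               // last pulse before the crash
var_dump(onlineUsers($db, $t0 + 60));                 // queried while the lease is fresh
var_dump(onlineUsers($db, $t0 + 200));                // queried after the lease lapsed
var_dump(is_string(claimSession($db, 1, $t0 + 200))); // login after the crash
var_dump(touchSession($db, 1, $first, $t0 + 201));    // pulse from the old session
```

The longest a crashed user waits before logging back in is the lease length, so it should be a small multiple of the heartbeat interval.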
I've been asked to leave passwords and user names aside since most of the site visitors are stop-buy-come-back-several-months-later-kind of visitors, and the motivation was somewhat along the lines "they would forget their passwords anyway and have to request new ones".
I suspect there is no realistic way for me to do this thinking IP:s probably change and browsers get updated, cookies are cleared and so forth.
Or do I have any options?
(not that I'm looking for code but rather concepts and pseudo but the language in the project is php/js coupled with an apache server)
Use OpenID.
Let Facebook, Google, Wordpress, or even Stack Exchange handle the authentication for you, and people won't have to remember another password.
Alternatively:
Many users understand the "forgot my password; check my email" routine by now, so why not just short-cut it by having them input their email and send them a login url with a randomly generated token to log in with.
Once they're logged in, keep them logged in for as long as you deem secure.
We do the following in our e-commerce solution:
We use email as a unique identifier.
When a customer makes a purchase using the same email, the order will be attached to their existing user. You don't however get any address details or stuff like that, but have to enter it manually.
The customer will receive an email with a generated password if it is a first time buy. If it is a second time buy, they will just be instructed to log in. This can however be combined with a url and a login token. Likewise for logging into the site, you could just have them enter an email to receive a login url token.
Combine this with a long living cookie and/or the browser's data storage to remember the customer's details (address and stuff like that).
Another option would be to have them entering something about themselves that they would always know, but others wouldn't. However it is hard to have an internationally workable solution for this.
You could use so-called supercookies, which is offline storage on the client side. Either through HTML5 offline storage, or a plugin like Flash to restore deleted cookies. Although, these cookies are likely to be banned at some point, since they're mostly hidden from the user, and very hard to get rid of. (Not recommending this approach, just saying it's possible)
Authentication credentials break down to three options;
Something you know - passwords
Something you have - physical keys, cards
Something you are - iris, retinal and other biometrics
The best you can do is use cookies I think. Or...I guess you could have them download a file, and upload that file as their access credential - same idea as a cookie but unlikely to be deleted. You would have to think carefully about what to put into the file however - their user id isn't enough, as it would be easily hacked. A random long string would do, one that is saved into the database on their account. Nothing that can be predicted, and nothing that can be used to guess a different account's credential.
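The e-mailed login URL token suggested in the two answers above, and the "random long string" credential in this one, sketched as an added example that is not code from any of the answers: the token comes from the CSPRNG, only its hash is stored, and one UPDATE enforces both expiry and single use. Table, column and function names, the 15-minute lifetime and the example.org URL are assumptions; in-memory SQLite stands in for the site's database.

```php
<?php
// Added example; table, column and function names are assumptions.
const TOKEN_TTL = 900; // assumed: links are valid for 15 minutes

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:'); // constructed stand-in for the real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY,
               email TEXT, expires_at INTEGER, used INTEGER DEFAULT 0)');
    return $db;
}

// Returns the raw token to put in the e-mailed URL. Only its SHA-256 hash
// is stored, so a leaked table does not yield working links.
function issueToken(PDO $db, string $email, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $st = $db->prepare('INSERT INTO login_tokens (token_hash, email, expires_at)
        VALUES (?, ?, ?)');
    $st->execute([hash('sha256', $token), $email, $now + TOKEN_TTL]);
    return $token;
}

// Returns the e-mail the token was issued for, or null. The UPDATE marks
// the token used and checks expiry in one statement, so a link works once
// even if two requests race.
function redeemToken(PDO $db, string $token, int $now): ?string {
    $hash = hash('sha256', $token);
    $st = $db->prepare('UPDATE login_tokens SET used = 1
        WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $st->execute([$hash, $now]);
    if ($st->rowCount() !== 1) {
        return null;
    }
    $st = $db->prepare('SELECT email FROM login_tokens WHERE token_hash = ?');
    $st->execute([$hash]);
    return $st->fetchColumn();
}

$db = setupDb();
$t0 = 1700000000; // constructed clock value
$token = issueToken($db, 'member@example.org', $t0);
$link = 'https://example.org/login.php?token=' . $token; // placeholder URL
var_dump(redeemToken($db, $token, $t0 + 60));              // first click
var_dump(redeemToken($db, $token, $t0 + 61));              // same link replayed
var_dump(redeemToken($db, str_repeat('0', 64), $t0 + 62)); // token never issued
$late = issueToken($db, 'member@example.org', $t0);
var_dump(redeemToken($db, $late, $t0 + TOKEN_TTL + 1));    // link opened too late
```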
A couple of options come to mind:
Use a persistent cookie, but only do this in conjunction with SSL (so it simply can't be sniffed off the wire)
Another option is OpenID like you use here - therefore visitors can use an account they use often to log into your site.
It seems to me that your only option is giving them a forever cookie and hoping it doesn't get purged between visits.
You can read about them here.