Ratchet framework: needing to click logout link twice - php

I just started using Ratchet (http://maker.github.io/ratchet/) and it's great. However, a big issue I'm having is that the user has to click the logout button (which is actually an anchor <a>) twice in order for the logout to actually occur.
I'm intending this as an app to be saved to the iPhone homescreen, where it can be launched as a fullscreen webapp. Normally, sessions aren't maintained when such a web app is closed (it's sandboxed as opposed to regular Safari). I'm 99% certain that this click-twice-to-logout issue is because I am using not only a PHP session but also a cookie in order to make it so that the user will remain logged in after closing the full screen web app (as per the second answer in this post).
My logout script is as follows:
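<?php
// logout.php
session_start();
// Expire the session cookie in the browser.
setcookie(session_name(), "", time() - 3600);
// Clear and destroy the server-side session data.
$_SESSION = array();
session_destroy();
header('Location: /');
exit; // stop here so nothing else runs after the redirect header
?>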
I thought this issue might have something to do with Ratchet's push.js, but even if I set the logout link with data-ignore="push", the current page just reopens in Safari (which is annoying on its own, because if the user has it saved to their home screen, I want it to run only within that full screen interface), and I still have to tap logout once more.
The issue also does not appear to be a problem of running it as a full screen web app, as I have the same issue accessing it via Safari.
Any pointers?

I believe I solved the issue. From that link I had posted before, I had inserted the following code into all of my main PHP pages:
$cookieLifetime = 365 * 24 * 60 * 60; // A year in seconds
setcookie(session_name(),session_id(),time()+$cookieLifetime);
I don't fully understand this, but I get that it's basically creating a cookie which allows the session to be maintained even when the app is run in iOS's sandboxed full-screen web app mode. I was able to fix the issue by removing this code from my login.php script while keeping it on every other page of my app. logout.php remains as before. Now, my saved-to-home-screen full screen web app will keep the user logged in, even if the iPhone is restarted. They are also able to logout with a single tap of the logout button instead of twice.
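As an added illustration (not code from the original posts): a browser removes a cookie only when the deleting Set-Cookie carries the same name, path and domain as the one that created it, and a cookie sent without a path defaults to the directory of the requesting page. The sketch below sets and clears the persistent session cookie through one shared options helper. The '/' path, the HTTPS-only flag and the function names are assumptions, and the array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example; function names, path and flags are assumptions.

const COOKIE_LIFETIME = 365 * 24 * 60 * 60; // a year in seconds, as in the answer

// One place that decides the cookie attributes, so the "set" and the
// "delete" can never drift apart.
function session_cookie_options(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',     // assumption: the app is served from the site root
        'secure'   => true,    // assumption: the app is only reached over HTTPS
        'httponly' => true,    // keep the session id away from page scripts
        'samesite' => 'Lax',
    ];
}

// Call at the top of every page that should keep the user signed in.
function start_persistent_session(): void
{
    // Server-side session data is garbage-collected after
    // session.gc_maxlifetime seconds (default 1440), independently of the
    // cookie's expiry, so raise it to match.
    ini_set('session.gc_maxlifetime', (string) COOKIE_LIFETIME);
    session_start();
    setcookie(session_name(), session_id(),
              session_cookie_options(time() + COOKIE_LIFETIME));
}

// Body of logout.php.
function logout(): void
{
    session_start();
    $_SESSION = [];
    // Same name, path and flags as when the cookie was set, expiry in the past.
    setcookie(session_name(), '', session_cookie_options(time() - 3600));
    session_destroy();
    header('Location: /');
    exit;
}
```

Both functions must run before the page sends any output, because they emit headers.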

Related

Chrome Toggle different devices view destroys the session

I am working on a website admin CP with PHP as the back-end technology, and at the same time I am fixing some responsive issues.
So I am logged in to the admin panel. But when I toggle different devices such as Galaxy, Nexus, iPhone or even responsive mode to test the responsive look or the fixes that I have done, I find myself logged out and redirected to the login page, and I also see things that shouldn't appear before login, such as the admin menu, but it is not accessible. In other words, it's half logged in and half not.
Caching is not disabled.
The session id is the same; I can see it.
I really can't get my head around it!
Is that something normal in the browser, which means every device is independent from the whole browser?
Or am I doing something wrong?
Finally, after several hours of reviewing my code and debugging every single thing, I came up with a solution to my problem:
My hypothesis in the question, that the devices are independent from each other, is quite correct, because every device has a different HTTP_USER_AGENT.
You can try it like this:
echo $_SERVER['HTTP_USER_AGENT'];
Toggle different devices in the browser and see the result.
So as for sessions best practice, based on Stack Overflow and many other resources, it is good practice to save $_SERVER['HTTP_USER_AGENT'] in a session and later on check the session after login, which means the logged-in user is exactly the user coming from that browser.
And that's what I was doing: I was checking for the user login session and the user agent session.
And that's what was causing the problem: when I toggle different devices the HTTP_USER_AGENT changes, so the session doesn't match and therefore I get logged out automatically.
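The check described above, sketched as an added example (not the poster's code): the user agent is hashed into the session at login, and a mismatch tears the whole session down in one place, so no page can render in a half-logged-in state. The session keys, function names and the /login.php path are assumptions.

```php
<?php
// Added example; names, session keys and the login path are assumptions.

function client_fingerprint(): string
{
    // The User-Agent header is client-controlled: treat this as a
    // consistency check on the session, not as proof of identity.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once, right after the credentials have been verified.
function bind_session_on_login(int $userId): void
{
    session_regenerate_id(true);            // fresh id after authentication
    $_SESSION['user_id'] = $userId;
    $_SESSION['ua_hash'] = client_fingerprint();
}

function session_matches_client(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['ua_hash'])
        && hash_equals($_SESSION['ua_hash'], client_fingerprint());
}

// Single gate for every protected page and fragment.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (session_matches_client()) {
        return;
    }
    // Fail closed: clear everything and leave, rather than letting some
    // checks pass (login flag) while others fail (user agent).
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

Call require_login() before any output on every protected script, including includes such as the admin menu, so that switching the emulated device produces a clean redirect to the login page.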

never logout session from wordpress website

I'm working on a community networking site where users' sessions never expire (unless the logout button is pressed). Along with that, I have the WordPress CMS integrated for blogging, hosted on a subdomain. I use JS to trigger login and logout on the WordPress site. That means when users log in to the main (non-WordPress) site, they are also automatically logged in to the WordPress site. The problem now is that after a certain period of time, or when the browser is closed, the WordPress site is automatically logged out of the system, leaving only the main website in session, and users then need to log out from the main website and log in again just to trigger the WordPress login again.
I just want WordPress to never log out automatically (even if the window is closed) unless the logout button is pressed. I used the following function, which doesn't seem to work:
function change_wp_cookie_logout( $expirein ) {
    return 15552000; // 6 months (180 days) in seconds
}
add_filter( 'auth_cookie_expiration', 'change_wp_cookie_logout' );
I've tried different similar tactics but can't get it working.
Thanks in advance
I'd recommend you look into cookies; in my humble opinion that would be the best approach to persist the user data for the long term. You could use the cookies to restore their data in a new session using some key information. Basically, whenever they close the browser the session will expire (disconnected by the server), but if you have cookies on their end, you could check on the server side, when a new session is requested, whether a cookie exists and, based on the info you stored there, restore the info necessary for their web session.
You can read more about it on the official page:
https://en.support.wordpress.com/cookies/

PHP auto logout after session timeout on mobile devices

I am sure someone has run across this issue before, I just haven't been able to find anything on it anywhere. Anyway here is the scenario.
I have a PHP website that a user will login, then their account id is set as a session variable, then once they are in it basically acts as a single page app. The session account id is for tracking their activities as they do different things throughout the app.
The site will be accessed primarily on mobile devices. I have PHP that sets the session timeout length, then using JS, gives them a popup warning a couple minutes before the timeout ends. Then after the end of the timeout, using a meta refresh, it redirects them back to the login page.
On a desktop, this all works like it is supposed to. On mobile, it is behaving differently. On a mobile device, a user may login, do some stuff on a page, then without logging out, put their phone in their pocket and not come back to it for a couple hours. When they open up the browser it keeps them on the page they were on, but the JS was obviously not running during the time their phone was sleeping, or whatever else they were doing in the interim. The meta refresh as well also does not work as expected, but the session is still timed out. So when they open the app back up, and try to do stuff, I am getting errors in the DB saying that id cannot be empty.
I can use ajax to check if their session still exists on every click of a button, but for speed of the app I would prefer not to do that.
Has anyone else run into this and found a solution for automatically logging out people on single page apps viewed on a mobile device?

expiring a webpage (Like seen on bank sites)

I am making a PHP system (on an Apache server) and I need to make the site extremely secure.
One of my requirements is to make sure that any visit to a page other than via a direct link from the website (even a "back" button) will reset the session and demand another login (redirection to the login screen).
The entire system is up and running; I use PHP and jQuery in my code.
I had an idea about making a function that is called every 1 minute (or so) and "remakes" a token for the next 1 minute (or just a little bit longer); if the function doesn't get approval from the server, then the browser will redirect to the login screen.
What do you think about that solution? Would it be too "heavy" on the internet connection? (We usually have an EDGE/2G internet connection over iPad.)
If I do make this solution, how can I make sure that at the moment when the user presses the back button or enters the site he won't be shown any data?
Thanks in advance.
Use sessions to validate someone's presence.
Then you can destroy the session and expire it!
like:
session_destroy();
Well, the solution was making a function that is called every 1 minute (or so) and "remakes" a token for the next 1 minute (or just a little bit longer); if the function doesn't get approval from the server, then the browser will redirect to the login screen.
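An added example (not from the original posts) that serves both the mobile-timeout question and the expiring-page question above: the idle limit is enforced on the server at the start of every request, so a device that slept through the JavaScript warning gets a clean 401 or redirect instead of a query with an empty id, and no-store headers keep the back button from showing a cached page. The 15-minute limit, the session keys, the X-Requested-With check (jQuery sends this header on same-origin AJAX calls) and the /login.php path are assumptions.

```php
<?php
// Added example; limit, session keys and paths are assumptions.

const IDLE_LIMIT = 15 * 60; // seconds of inactivity allowed (assumed value)

// Pure check, easy to unit-test: is there a logged-in account whose last
// request is recent enough?
function session_is_fresh(array $session, int $now): bool
{
    return isset($session['account_id'], $session['last_seen'])
        && ($now - $session['last_seen']) <= IDLE_LIMIT;
}

function is_ajax_request(): bool
{
    return ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}

// Call first in every page and every AJAX endpoint, before touching the DB.
function enforce_session(): void
{
    session_start();

    // Tell the browser not to keep a copy, so "back" has to ask the server.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');

    if (session_is_fresh($_SESSION, time())) {
        $_SESSION['last_seen'] = time();   // sliding window
        return;
    }

    // Expired or never logged in: drop the session and stop the request
    // here, so no handler runs with an empty account id.
    $_SESSION = [];
    session_destroy();

    if (is_ajax_request()) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'session_expired']);
    } else {
        header('Location: /login.php');
    }
    exit;
}
```

On the client, a global handler for 401 responses can send the browser to the login page, which removes the need for a separate session-check request before every action.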

PHP Logout Script with 4 frames in frameset

I have a study logout.php file which works fantastically, the issue I am faced with however is putting the script into a new 'intranet style' administrative site which uses 4 frames within a frameset (header, left, center, right).
There are two requirements I need to meet which I am having a very difficult time finding a solution to (yes I know frames suck for today's consumer sites but to reiterate, this is for an internal system administration panel with widgets everywhere).
1. When a user clicks the 'logout' button in the top frame, the ENTIRE page is directed to logout.php, which then redirects to a single page "home.php". As of now, hitting logout only takes that particular frame to my desired destination.
2. When a user logs in, a SESSION variable is created and set to true; if pages are visited without SESSION[validated]= true, the user is logged out. Similarly to above, IF this happens, I need the ENTIRE frameset directed to logout.php.
I am trying to achieve this without javascript (as this can obviously simply be disabled and JS is not a true measure for security).
Anybody ever dealt with this issue in the past?
Is the logout button a link? If so, can't you use target="_parent" to make it change the page with the frameset?
Edit
Re #2: If the session is timed out, you could make an intermediary page with a link that uses target=_parent and the JavaScript below, both of which would break out of the frame.
<script type="text/javascript">
if (top.location != self.location) top.location = 'login.php'
</script>
This is good because if they have JavaScript enabled, they won't even notice and if they don't, they still will break out of the frames.
Solution to part 1:
Make a logout button like this:
logout
Then make logout.php do all the hard work for logging out (probably just clearing the session), and then redirect the user to the proper frameset (use PHP's header command for redirecting).
Solution to part 2:
This should not randomly happen. If you log in, your session is set to validated = true. You do not "encounter" a page where your session happens to be otherwise.
However, you could include a PHP file (or if you have been smart enough to do so, make this happen in your single point of entry) to redirect to a logout page if your session is somehow invalidated. See 1 above.
