I use wamp to develop on a windows 7 machine. For this app I have an admin area which tracks the admin username and encrypted password with $_SESSION and a cookie which keeps track of the randomly generated encryption key for the password.
I set the cookie like:
setcookie('key', $key, time()+7200, 'admin/');
The admin user verification is run on every admin page after the admin user has entered username and password details to login.
The directory structure of the site and the admin is:
localhost/mysite/
locahost/mysite/admin/
A session runs in the admin section, and a session also runs in the user interface of the front-end to keep track of chosen criteria for searches.
When I run long database queries in the admin area ie. multiple updates and inserts where each iteration requires a connection to an external API, I am unable to load the front-end user interface in the same browser ie. firefox until after the admin operation has completed. If I use a different browser ie. chrome , I am able to load the front-end of the site while running admin mysql functions with no problems.
I'd like to view the site while these operations are running, and use the same browser. It's a small problem, but I'd like to know how to get around it because I want to learn. I mean I could just tell myself that it doesn't matter because the site works fine when I open another browser, and the final user isn't going to be running admin operations while viewing the site anyway, so from that perspective it doesn't matter, but I am curious.
What is going on with the sessions and cookies that stops me from viewing the site whilst the admin operations are running? Is my question even a good one? Part of me thinks that it's a silly question because ultimately the site works perfectly well in a separate browser. Anyway, thank you for looking!
I think your session is being locked. On the page that takes a long time to run add this at the top: session_write_close(); that should fix it.
Related
We have several webapps based in Wordpress and Codeigniter, which are based on different servers but under the same domain (ie: intranet.something.local) and most of them use Active Directory login credentials.
For Wordpress, I'm using a plugin called Active Directory Integration to log in with these credentials and it's working perfectly after configuring openLDAP.
The thing is, our client asked us to have a single log on for every app, meaning that once I'm logged into Wordpress, I should be logged in when I go to another app, that uses the same login user and password.
Is there a possible way to do this? And if so, where should I start?
I believe, that is possible in multiple ways..
Setup Single Sign On in your apps
Use a script which automatically copies User data from a web app,
and then using that information creates user login to the other
apps..Idea is to let user register for one site, and based on that information, register him to other sites automatically
May be, some sort of Database sharing be possible, but that would be
really really a tough job, still Possible (I believe, in Computer
Science, nothing is impossible forever)
create a common cookie file and when user switches the app, use that
cookies to get the user login in between different apps
I have main PHP website and a Redmine app. When a user logged in to my website, new tab will pop-up and open the Redmine and login using the username and password that the user entered on the main website. Or if it is not possible to auto login from my main website to Redmine, is it possible to just have a default value on the username field and password field from the ones that the user also inputted on the main website?
I'm still noob on configuring Redmine and Ruby on Rails, so please bear with me :(
Edit: The main website and the Redmine website will be a system for our group only so I think security will not be a major issue. Also they won't be going online and will be operating through the intranet only.
You asked:
is it possible to modify redmine login page? To have it get variables on url? So I can just open a new window like this: redmine/login?user=user&pass=pass.
Hopefully not. If Redmine is built well (and I'd be reasonably sure it is) then it will only accept user credentials in a post operation, so as to avoid passwords being recorded via the URL in browsers, proxy servers and web servers. It would be poor security practice to attempt to log on this way, or for Redmine to permit you to do so.
One of the approaches I was suggesting in my earlier comment was for your PHP application to become a proxy for Redmine operations. There's two sub-categories here:
Use a programmatic browser component to carry out form operations in Redmine by visiting pages, clicking buttons, submitting forms etc. This is the "screen scraper" approach, but can be quite reliable since presumably Redmine does not change its HTML layout very often. Thus, the cookies you would normally have in your browser would be stored on the server instead.
Use an API built into Redmine. I guess there's not one as standard, but I found this one. I've not used it, so you'd need to test its suitability.
In either approach, you would not use Redmine directly at all: you would build the Redmine features you need into your PHP application, using forms to accept relevant user input, and rendering to the screen the output your server has received from Redmine.
This would work, but bear in mind that it's not a trivial project, either in terms of its size or complexity. If you are after a simpler alternative, then the browser password store is an option, but it won't log users on automatically, nor automatically discover the username you are logged on as in your PHP application.
I have a local site running that is authenticated by an htaccess file which requires a username and password. This works great, but I want to add a feature that if the site is inactive (you walk away) for 10 minutes it will ask you for the username and password again upon refreshing/reloading a page on the site. Is there anyway to do this?
It's a Wordpress site so adding code to every single page might be a little bit of a hassle.
HTTP authentication hasn't any logout, nor session expiration. The credentials are sent on every request. What you want is a web-based authentication. In the case of Wordpress you may use one of the existing plugins, for example http://wordpress.org/extend/plugins/basic-authentication/.
I have very specific problem.
I have web based application which set cookie after login. The same login details are used in desktop application which is connected to the web interface.
My idea was is it possible that when the user logins first in web app and it set cookie for him, then he downloads the application, install it on his PC and start it for first time somehow to get the user and password and auto fill the login fields in desktop application, so it won't be necessary to write them second time.
One of the ways is to save the login and password in a plaintext in cookie, which is very risky and then the desktop app gets this cookie from the browser (the app is written in c++).
I really don't have any clear idea at the moment how this could be done, but if there is a way I will be happy to red any of your suggestions.
The main issue I see is actually getting to the cookie. I can't see how you'd do that reliably with all the OSes / OS versions, browsers / browser versions out there. You could maybe include an encrypted resource file in the download containing the credentials. You can put that into the downloaded archive on the server side.
Is downloading without a login really not an option?
Edit: including a one-use token in the download, using which the client can fetch the username and password (via SSL, encrypted, somehow safe) looks like a good bet.
Using symfony framework 1.4 I have created a website. I'm using sfguard for authentication.
Now, this is working great on WAMP (windows). I can login to several accounts on different browsers and use the website.
I have ubuntu server 9.10 running apache (everything up to date and default configuration). On my server, when I login to the website in one browser it works great. When I on my other computer login with another user account on the public website, the login is successful. But when I refresh/go to another page the first user is shown as logged in instead!
Also, when I press logout, It's not showing that I'm logged out after page load. When I press f5 again I'm logged out.
As mentioned, all this works as expected on my local installation. I'm thinking there something wrong with my PHP session configuration on my ubuntu server, but I've never touched it..
Please help me. This is a school project and I'm presenting it today :(
It's unlikely to be the session handler (certainly not the problem if you are using the default handler). Top of my list of things to check is whether you are sending out the right caching information in the authenticated pages (i.e. either no-cache or Varies: cookie).
C.