Is it possible to track a user who is not logged in without using a session or a cookie? Is there a more reliable way?
Just like www.filefactory.com or other similar download-space websites, they can track whether you are a free user who sent a download request: before starting the next download you must wait x time. I was thinking it used a session or cookies, but after clearing the session and cookies or changing my IP address, it's still the same.
I'm a newbie trying to create a website. I have to track the user before they log in, like this example site. I'm using PHP and JavaScript to set a session and timeout to keep catching the user's status (to write a file in a dir or ...
I've been searching for a long time; if anyone knows any tutorial or just a little clue on how to do it like this site, it would be appreciated.
Thanks!
You don't track who is not logged in, you track who is logged in. So by default everybody gets the link for "you must wait xx amount of seconds". If you clear cookies and start a new session, you are still a default user.
Now when somebody logs in, you can put in the session that he is authenticated. Then on the page that shows the link you check that. Now if this logged-in user clears his cookies, he becomes a default user again until he logs in again.
<?php
session_start();
// $_SESSION['authenticated'] is set to true by the login script
$authenticated = !empty($_SESSION['authenticated']);
if ($authenticated) {
    // show direct download link
} else {
    // show link after xx seconds
}
If you don't want to use a session to keep track of logged-in users, there are other ways, but most often it's not really needed or is even less secure. Another way could be to use the authenticate header or keep the information in the query string. Both are less secure in my opinion, but could be used.
Now if the goal is to prevent free users from downloading two files, so they need to wait for the second link, you can also make an educated guess whether it's the same user by combining user information into some sort of hash, e.g. user agent, IP address, location. This will not be 100% accurate, but could give you some idea of a returning free user without sessions.
I have a PHP login page that stores the user id in the session once the login is successful. The user can navigate to different pages or can even close the page briefly, and once the user re-opens the page, he is still logged in. However, the problem is that when the user closes the page for a longer time, the session expires automatically and he has to re-enter the credentials and log in again.
How can I keep the user logged in forever and log out ONLY if the user decides to do so?
I would like the user to be able to close the page, turn off the PC for weeks, and when he or she comes back to visit the page, he or she should already be logged in.
Sounds like you need to set the cookie expiration date. As per this Wikipedia article on HTTP cookies, if you do not set an expiration date for a cookie it becomes a session cookie, i.e. it expires once the browser closes.
There is no real way to specify that a cookie NEVER expires; however, you can set the expiration date for some time far in the future, i.e. in 10 years, and renew that expiration date every time the user loads a page.
setCookie( name, value, expiration )
Another alternative (which would also require some JS on your pages) would be to use the browser's internal database to store the user's session id so that you can retrieve the session from your database (I assume you are using some sort of database; otherwise you will run into other issues, as explained below).
If I wanted to achieve this, I would probably have a piece of JavaScript on my page loads that checked for the existence of the session cookie, and if it is missing, I would load the session id from the browser's database, drop the cookie, and force a page reload. There are certainly more elegant ways of achieving this, but this should give you an example of how to get started.
Lastly, please keep in mind that if you don't use a database (i.e. Redis, Memcached, SQL), all your session information is lost when you restart your application server. This is certainly suboptimal, and you should store session information in a database if you want this information to survive server restarts (or if you have a load-balanced environment).
Hope this helps!
So I am working on a site that requires a login against a MySQL database with "remember me" functionality. I got that fine (based off of Jaspan's page). What I am a little fuzzy on is the use of sessions to track user movement. I'm not worried about their history on the site. I've looked around on the interwebs and especially SO, but I haven't really found what I'm looking for. Perhaps I'm just not using the right keywords to search. Anyway... as I said, I have the actual login process, and a cookie is set up with the triplet for the "remember me" functionality. But how do I track the authenticated status while the user is browsing the website? The logged-in user should be able to browse the secure area of the website, or the scripts should output special data, without the website having to check the "remember me" triplet against the database on every page load. I thought to do something like $_SESSION['authed']==true, and every page load would check the session value, but I suspect that isn't a very secure way to go about this. I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true. Now, I DO understand that the session variables are stored on the web server, not in the browser's cache. However, I can't see the big picture enough to know the right way to go about this.
I thought to do something like $_SESSION['authed']==true, and every page load would check the session value
Yes, that's what you do.
but I suspect that isn't a very secure way to go about this
It's perfectly fine. You establish a session, which means you send a unique cookie to the user. That is your security. The fact that you have a session at all is your security. Then you simply record the fact whether the user is "logged in" or not in that session.
I have observed that if I set $_SESSION['authed']==true, close the browser, open the browser, and go to the site again, it still says authed=true.
Yes, cookies don't necessarily expire when the browser is closed. Each cookie has a specified expiration time; they can persist however long you want. Even cookies without an expiration time aren't necessarily immediately discarded when the browser is closed. That may have been the default behaviour of browsers a few years ago, but isn't necessarily true anymore.
This is a bit of a different scenario in session management.
I want to develop a system where, if a user logs in and then keeps showing activity in the browser, his session will continue, and if there is no activity the session will be destroyed.
For example, a user logs in at abc.com; after that, if he accesses google.com, yahoo.com, etc., any website, his session will continue at abc.com, else the session will be destroyed.
It's something like a UTM device where the user logs in once and they continue to use the system for a fixed period of time.
Please help me with your suggestions to implement a solution for the above.
Thank you
I am trying to do it using cron jobs and a database table "logging" where I maintain entries of logged-in users. In another table I store the website accessed by the user and the access time; if the difference between the last web access time and the current time is more than 3 minutes, I remove the entry of the user from the logging table. If there are some more options available to do it, please let me know.
A session is maintained server-side and you need requests to this server to renew the session. If the user requests pages from another server, your own server will not and should not be informed.
While it may or may not be possible to write some hacks with JavaScript, you would violate the privacy of the user. This hack could and surely would be used to sniff users.
If you only want to be tolerant in your session timeout, simply choose a longer timeout (extend it to an hour if necessary). Then a user has enough time to browse other sites and still keep the session on your site. All other reasons to collect user requests I can think of are spyware related.
I've been asked to build a project management application that could only host one user at a time. I managed to do that by simply creating a status row in my user table which is set to 1 when somebody is logged in.
Now, with status = 1, nobody else can log in; they get an error message instead saying that another user is already using the application. When the online user logs out, I update the status row in the database and set it to 0 in order to allow other users to log in freely.
Everything is working just fine except, as you can see, it relies on the logout button, and many users forget to log out that way; they just close the tab or the browser, leaving status as 1 and then blocking the whole system.
I tried a few methods to update the database on page close with session timeout or via onunload, but I couldn't find a clean and reliable way of doing so.
How could I develop such a system combining single-user mode and auto/smart logout at the same time?
Thanks for your help.
The only way you can achieve this is by checking whether the logged-in user has been active in the last X minutes. Check this when the new user tries to log in. When the previous user has been inactive for that period, unset the status in the database and let the new user in. You should then also invalidate the session of the previous user, in case he comes back.
Don't try to detect session endings.
You could reduce the user's session timeout. I think you can accomplish that both from PHP and the web server (Apache, IIS, ...); you should really look at the man pages. That done, you could build a polling system which periodically pings the user to verify his/her presence. For example, you could make a client-side Ajax script which pings the site at fixed intervals, which would prolong the user's active session. If the user doesn't ping the site anymore, after the time window has expired, then set his/her status = 0.
That is just an idea. Try searching more about it on Google.
A variant: you could set a cookie from the server-side language and associate the session with that cookie, giving it a short expiry time. Then make a client script which periodically sends a hidden request to the server. When the server receives the request, it rewrites the cookie, so the timer starts again from the beginning.
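The inactivity-based lock the two answers above describe, written out as an added example (not code from the original posts). It assumes PHP 7.1+ and uses an in-memory array as a constructed stand-in for the "status" row in the users table; the heartbeat is what the client-side Ajax ping would call.

```php
<?php
// Added example: single-user lock with an inactivity timeout, checked at login time.
// $lock is a constructed in-memory stand-in for the users table's status row.
declare(strict_types=1);

const INACTIVITY_LIMIT = 180; // seconds without a ping before the lock counts as stale

$lock = ['holder' => null, 'session_id' => null, 'last_seen' => 0];

// Login attempt: grant the lock if nobody holds it or the holder has gone quiet.
function tryLogin(array &$lock, string $user, string $sessionId, int $now): bool
{
    $held  = $lock['holder'] !== null;
    $stale = $held && ($now - $lock['last_seen']) > INACTIVITY_LIMIT;
    if ($held && !$stale) {
        return false; // show "another user is already using the application"
    }
    // Taking over replaces the stored session id, which invalidates the old one.
    $lock = ['holder' => $user, 'session_id' => $sessionId, 'last_seen' => $now];
    return true;
}

// Periodic client-side ping (e.g. an Ajax request every minute) refreshes last_seen.
// A session that no longer owns the lock gets false and must log in again.
function heartbeat(array &$lock, string $sessionId, int $now): bool
{
    if ($lock['session_id'] !== $sessionId) {
        return false;
    }
    $lock['last_seen'] = $now;
    return true;
}

// Explicit logout still releases the lock immediately.
function logout(array &$lock, string $sessionId): void
{
    if ($lock['session_id'] === $sessionId) {
        $lock = ['holder' => null, 'session_id' => null, 'last_seen' => 0];
    }
}

function check(bool $ok, string $what): void { echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL; }

$t = 1700000000; // constructed "now" timestamp
check(tryLogin($lock, 'alice', 'sess-A', $t),      'alice takes the free lock');
check(!tryLogin($lock, 'bob', 'sess-B', $t + 60),  'bob refused while alice is active');
check(heartbeat($lock, 'sess-A', $t + 120),        'alice pings, lock stays fresh');
check(!tryLogin($lock, 'bob', 'sess-B', $t + 290), '170s since last ping: still refused');
check(tryLogin($lock, 'bob', 'sess-B', $t + 301),  '181s since last ping: stale, bob takes over');
check(!heartbeat($lock, 'sess-A', $t + 302),       "alice's old session is now invalid");
logout($lock, 'sess-B');
check($lock['holder'] === null,                    'logout releases the lock');
```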
I have a really, really poor understanding of security and safety when building websites. What I want to do is store the information the user enters to log in in a cookie so that I can do two things:
Check the cookie from flash (via a php file) to grab information about a logged in user (if at all). This will be used for highscore APIs, etc.
Automatically log in a user when they come back to my site.
The site itself doesn't really have any important information etc, so I mean it doesn't have the be the most secure thing on earth (or even close). But I'd like it to not be tampered with if possible.
From my understanding, storing user information in a cookie can be bad because the user can just alter the cookie and be logged in as someone else.
I was thinking; is it reasonably safe to do something like this?:
When the user logs in, store an MD5'd version of their email address (used to log in). This way at least it's extremely unlikely that they will be able to modify the information to reflect another user in the database.
Because someone could just MD5 an email address that they know someone else uses for the site and change their cookie to reflect that, should I maybe store their MD5'd password alongside it and then use these to attempt a login at every page? Only thing is that this seems like it would be slow/non-strategic because it's needing to basically re-login with the information in the cookie every page.
This approach probably seems really strange, but would it work fine? The main requirement I have is that if the user is logged into my site, playing my flash games anywhere on the internet will automatically pick up that they're logged in and work with their information.
Use PHP sessions.
PHP stores the session id in a cookie in the browser, and everything else in the session is stored on the server. Your Flash script should be able to get the session id from that cookie, and maybe you can write a PHP file that will return the information the Flash file needs when the Flash file passes in the session id?
Because session ids are more or less random, it is difficult for the user to change their session cookie and accidentally access the login of another user.
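A persistent-login cookie that follows the advice in this thread and in the "keep the user logged in forever" answer above: the cookie carries only a random opaque token (like a session id), not the user's email or an MD5 of it, so a guessed md5(email) resolves to nothing, and the far-future expiry is renewed on every page load. Added example, not code from the original posts; assumes PHP 7.3+ (for the setcookie options array) and uses an in-memory array as a constructed stand-in for a database table.

```php
<?php
// Added example: "remember me" cookie holding only a random token. The server
// stores a hash of the token, so neither a DB leak nor a guessed email yields a
// usable cookie. $tokens is a constructed in-memory stand-in for a database table.
declare(strict_types=1);

const COOKIE_NAME = 'remember';
const LIFETIME    = 10 * 365 * 24 * 3600; // ten years, renewed on each visit

// After a successful password login: mint a token, store only its hash.
function issueToken(array &$tokens, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(16)); // 128 random bits: not guessable like md5(email)
    $tokens[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + LIFETIME];
    return $token;                      // raw value goes into the cookie only
}

// On each page load: resolve the cookie value to a user id (or null) and renew it.
function userFromToken(array &$tokens, string $cookieValue, int $now): ?int
{
    $key = hash('sha256', $cookieValue);
    if (!isset($tokens[$key]) || $tokens[$key]['expires'] < $now) {
        unset($tokens[$key]); // unknown or expired: treat as logged out
        return null;
    }
    $tokens[$key]['expires'] = $now + LIFETIME; // sliding expiry
    return $tokens[$key]['user'];
}

// Sets or renews the cookie; HttpOnly and Secure keep it away from scripts and plain HTTP.
function sendCookie(string $token, int $now): void
{
    setcookie(COOKIE_NAME, $token, [
        'expires' => $now + LIFETIME, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function check(bool $ok, string $what): void { echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL; }

$tokens = [];
$now    = 1700000000; // constructed "now" timestamp
$cookie = issueToken($tokens, 42, $now);
if (PHP_SAPI !== 'cli') { sendCookie($cookie, $now); } // no headers to send from the CLI
check(userFromToken($tokens, $cookie, $now + 86400) === 42,             'real token resolves to user 42');
check(userFromToken($tokens, md5('victim@example.com'), $now) === null, 'forged md5(email) value is rejected');
check(userFromToken($tokens, $cookie, $now + LIFETIME + 1) === 42,      'renewed a day after issue, so still valid');
$idle = issueToken($tokens, 7, $now);
check(userFromToken($tokens, $idle, $now + LIFETIME + 1) === null,      'never renewed: expired after ten years');
```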