I'm designing an application in PHP, something like a users directory, where i need to display login status for each user. Is there a safe way to tell if a user is connected (logged in) or not?
Edit: I'm updating the post with some application logic. The application is about a craftsmen directory. Each craftsman will login to the application. When someone search for craftsmen, he will be able to see the logged in ones and send a message with a job description that needs to be done.
Craftsmen may not have other activity that just log in to the app, so the app it self must have a way to "tell" if a user is logged in or not.
I think only php for your requirements would make it difficult. Take a look at socket.io or something similar. You could achieve this with craftsmen having a connection like longpolling/sse/websockets. You can integrate this with php serving the html and then set up a connection from the client on document ready to socket.io.
By "safe" do you mean "accurate" ?
I'd suggest setting a flag to LOGGED_IN when they initially, and successfully (being safe!), log-in. Then update a timestamp each time this user requests another page. When the last_update reaches a grace period, 15 minutes?, you can then assume they've logged out.
Related
I need to know if there is an user logged in my website. For this purpose, I have only his session ID.
I got this id using: session->getId();
¿Is it possible?
Thanks in advance.
add a custom field to the session when the user logs in and then just check that field
Given that the web is essentially stateless, it is hard to know for sure if a particular user is logged onto a website.
One way to accomplish your goal is to keep a running log of all the users logged in, and the last visit time. Then you could query that log and if the users last visit time was less than 5 minutes ago, you could then say the user is logged onto your site. This will only tell you if the user is logged into your site, not if your site is the active tab in their browser.
Another way to get more "real-time" information as to the the active users of your site is to use something like SignalR which will allow you to do push to the browser. I've used SignalR in the past to send out system status messages to the browser and have it automatically update the page. The great thing about SignalR is it maintains an in-memory list of all the clients connected.
I am a novice php programmer building a multiuser application in codeigniter.
Now, my boss has told me to look into the ability to log out people based on their changed user access privileges.
Fx. A guy is logged in as a semi admin, but has just been demoted by a real admin to regular user status. Now the semi admin should supposivly be logged out when that happens but this is where my problem occurs.
I can think of a few ways to do this but they all revolve around doing checks that will be redundant in most cases (this is a rare situation but it has occured, i have been told)
My best bet at the moment is to log all the active users in a session db and force them to relog in if their user role changes.
This however is going to generate a lot of trafic on the server for a rare "problem" as the user session data is more fittingly put into a regular session.
So my question in short is, how can i log out a user when his user privileges are changed, without working my server too hard.
Thanks in advance!
You can check if privileges have changed periodically, like once every 10 minutes, this should reduce the amount of "useless" queries and still ensure that there is an acceptable response time to a logged in user privileges being changed.
Add a javascript listener on the page then, when the super admin changes the semi-admin privileges to a normal user, trigger the logout event. Make sure that the app has javascript enabled, otherwise it won't work. This solution is used by many ACL-based apps.
I have a functioning authentication, ACL and session management system for my online software application. As this is a paid service on a per-user account basis, I need to ensure that a user account cannot be shared between employees in the same fashion that PayPal manages business accounts.
My struggle is finding a way to do achieve such functionality that a competent, technical user couldn't circumvent via modifying Javascript or using a client side proxy.
Currently, each company account has a database on my server with a "session" table that consists of session_id (PK), session_user, session_data, client_ip, timestamp_created and timestamp_updated columns. Whenever a user logs in, the session_user column is updated with their login name. Should another person log into that account on a different machine, the previously accessed account will have the session_user column set to NULL. The result is that no two rows should have the same value for session_user. Possibly worth noting is that customers do not have administrative access to their database.
The client-side application runs a Javascript function on a timer every 5 seconds which performs an AJAX call to a Zend Controller. This controller checks the session_user column for the active session via a DB query using Zend_Session::getId();. This method echo's a JSON encoded response with success set to TRUE if the session_id has an associated session_user in the database, or FALSE if there is no value in the session_user column. In the event that the method returns FALSE, the Javascript function proceeds to alert the user that another machine has logged into their account, and then redirects them to the login page.
The problem with this approach is that anyone with experience in Chrome's inspector or Mozilla's FireBug can remove the Javascript that performs the AJAX call and proceed to use the application on numerous machines. Worse yet, this easy method is only the beginning of vulnerabilities.
I have a feeling that I will need to look into Zend's plugin architecture, perhaps implementing a check during preDispatch() to ensure that the current session_id has value set in the corresponding session_user table. This check would be complimentary to my current structure, as I feel that the majority of my users will not be well versed in basic "hacking" per se, and will do just find to prevent account sharing. If this server-side check fails, as it occurs when a resource is requested, an error could be thrown and the requested data would not be pushed to the front end (e.g. the data for viewing products).
Does this approach seem like it will work, or is there a better way of achieving such functionality? I've read a bunch of SO posts that derail into arguments regarding whether or not it is a good idea to be so cumbersome on the end-user. We have already decided that since revenue is largely based around company accounts purchasing additional user accounts that there is a significant need to prevent any sort of account sharing. Preventing the user from logging into an account with an existing session is something I want to avoid. Believe it or not, I would rather have users be annoyed by being booted out of their active session by another device logging in, as I feel this will encourage additional user licenses to be purchased.
Please feel free to ask if you would like any additional information, or require clarification about anything I described in my post.
Store the user's IP every time an action is done on your website as a database entry using $_SERVER['REMOTE_ADDR'].
Check if the IP has changed alongside the session data from the previous entry - if so, have them log out and log back in.
This way, separate devices cannot concurrently act without having to relog as a result.
I've been asked to build a project management application that could only host one user at a time. I managed to do that by simply creating a status row in my user table which is set to 1 when somebody is logged in.
Now, status = 1, nobody else can log in, they get an error message instead saying that another user is already using the application. When the online user logs out, I update the status row in the database and set it to 0 in order to allow other users to log in freely.
Everything is working just fine except, as you can see, it relies on the logout button and many users forget to logout that way, they just close the tab or the browser leaving status as 1 and then blocking the whole system.
I tried a few methods to update the database on page close with session timeout or via onunload but I couldn't reach a clean and reliable way of doing so.
How could I develop such a system combining single-user mode and auto/smart logout at the same time?
Thanks for your help.
The only way you can achieve this is by checking whether the logged in user has been active in the last X minutes. Check this when the new user tries to log in. When the previous user has been inactive for that period, unset the status in the database and let the new user in. You should then also invalidate the session of the previous user, in case he comes back.
Don't try to detect session endings.
You could reduce the user's Session timeout. I think you can accomplish that both from Php and the Webserver (Apache, IIS, ..), should really look at the man pages. That done, you could realize a polling system which periodically ping the user to verify his/her presence. For example, you could make a client-side Ajax script which pings the site at fixed intervals, so that would prolong the user's active Session. If the user doesn't ping the site anymore, after the time-window has expired, then set his/her status = 0.
That is just an idea. Try searching more about on Google.
A variant: you could set a cookie from the server-side language, and associate the session with that cookie. So, give it a short expire time. Then make a client script which periodically send a hidden request to the server. When the server receives the request, it re-write the cookie again, so the new time will start again from the beginning.
I have developed a web application in PHP for a client. The client is now renting out access to the system to another company on a per user basis.
Is there a way to prevent the secondary company to use a single login and give it to 20 people to use at the same time? I know one can get the IP address of the client machine that is being logged in from, but this is obviously not very reliable method. The answer probably lies in a combination of cookies and tracking things in a database, but my brain gets a bit stuck thinking on how to implement a strategy here.
Create a unique session ID when a user logs in and store that in the DB. Add something to the session authentication code (run on all page visits) that checks that the user's session ID is equal to the one in the DB and if not, log them out. Then your web app will be accessible by only one user at a time.
To be completely honest though, can't you raise this issue with your client?
No way to tell if the login is shared among 20 people. You can restrict access by blocking simultaneous usage thru session cookies.
Most of all, protect yourself with a published Terms and Conditions document. Violation of which - revokes any standing agreement/contract. And sue them if you can provide evidence (logs) that they violated it.
Make sure you bind one user to one session. In that way you can generate a warning screen if somebody uses the same login with another session. You can then let the user choose to close the other session.
In that way you can make sure two users are not using the system at the same time. It's a bit like a software program you have installed on a computer: multiple users can use it, but only one at a time. This is probably fine.
If you don't want that, you should try to bind the login more firmly to the user: make sure he logs in with a personal e-mail address, and he gets notifications (if applicable) via e-mail. Also let the user set personal configurations. In that way you create extra value for users to have their own account.
If you have a login you have authentication, and you write any user id in session, make sure that only one session with this id created, if the session already exists throw error message.
The only problem you will have in case and user did not logout properly, instead of it pressing x button on browser then he will not be able to login till session s not expired.