I have a client-side jQuery script that logs the user off after 5 mins of inactivity. The problem, though, is that if the user navigates away without logging out, the session stays active. If the user closes the browser, shouldn't that destroy the session, since sessions stay alive for the duration of the browser being open or until the user logs off?
Anywho, this is what I have:
(function($){
    $(document).bind("idle.idleTimer", function(){
        document.location = "orders.php?action=logoff&session=timeout";
    });
    //var minute = 60000; //1 minute is 60,000 milliseconds.
    var minute = 300000; //5 minutes
    var timeout = minute;
    $.idleTimer(timeout);
})(jQuery);
How can I implement this server-side if the user navigates away? I was thinking of using cron, but then that would not be the right way (I'm thinking, but then maybe I'm wrong).
I read this post:
User Inactivity Logout PHP
and I don't see how the session can still take effect if the user navigates away.
Navigating away doesn't necessarily expire the session; it's closing the browser that does.
I would implement the check on the server side.
If the session is invalid, you should send down a 400 HTTP status code, which your JS code can use to identify that the user is no longer allowed to use the resource and hence redirect to the login page.
Set cookies expiry values to something that suits your application better.
Sarmen, the easiest way is to use the PHP session garbage collection to suit your need:
http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime
300s will meet your requirement.
All you need to do is add some code to your orders.php file.
What you need to do is have a few if statements checking for your $_GET variables of action and session.
If both of those requirements are met then you just need to destroy your session with session_destroy();
You can also redirect them to any page if you would like using header();
Related
I have a requirement that after closing the browser, when the user opens the site it should ask for login by default.
I destroyed the session values on the logout button, so when the user clicks the logout button it works fine, but if the user directly closes the browser or tab, the sessions are not destroyed.
I have also tried to set the session.cookie_lifetime value to 0 but it's not working.
The best way to do this, in my opinion, is to store the session with the time in it. You can create a JavaScript heartbeat which will keep the time updated every x seconds, and as long as now is never later than time+x seconds, you will have your heartbeat. If the time surpasses it, the session will time out and you're off to the races.
On login:
session_start();
$_SESSION['last_action'] = time();
An ajax call every few (eg 20) seconds:
window.setInterval(keepAliveCall, 20000);
Server side keepalive.php:
session_start();
$_SESSION['last_action'] = time();
On every other action:
session_start();
if ($_SESSION['last_action'] < time() - 30 /* be a little tolerant here */) {
    // destroy the session and quit
    session_unset();
    session_destroy();
    exit;
}
Browsers are an implementation of web standards. They have differences between them as to how they choose to implement them and can sometimes differ from the standard.
If you set a session/temporary cookie, the idea should be that it will be deleted as soon as the website is closed. However, browsers don’t always follow this as gospel. They have convenience features which can keep the cookies and restore the user's session. This could be useful if the browser suddenly crashed or a user accidentally shut down the tab.
On the other hand, for developers, this creates meddling which is not how they should behave. This isn’t the sort of thing that can be controlled so you can’t really delete a cookie when a tab is closed. The only way to solve it is to store a timestamp in a session or another cookie and anytime a page is loaded, check to see if a reasonable timestamp has passed, after which case, the cookie could be destroyed. It’s not an ideal solution, but it is the only way to implement it in modern browsers.
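The timestamp check these answers describe, written as a single include for every protected script (an added example, not code from any of the posts). The limits, session key names, login URL and the 401 status for AJAX callers are assumptions; the absolute cap goes beyond what the thread asks for.

```php
<?php
// Added example; limits, key names and the login URL are assumptions.
declare(strict_types=1);

const IDLE_LIMIT = 300;       // seconds of inactivity allowed
const ABSOLUTE_LIMIT = 28800; // hard cap on session age, active or not

/** Pure decision: has the session outlived either limit at time $now? */
function session_is_stale(array $s, int $now): bool
{
    if (!isset($s['created'], $s['last_action'])) {
        return false; // brand-new session, nothing to expire yet
    }
    return ($now - $s['last_action']) > IDLE_LIMIT
        || ($now - $s['created']) > ABSOLUTE_LIMIT;
}

/** Drop the server-side data and tell the browser to discard the cookie. */
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

/** Call first in every protected script; pass false from status polls. */
function require_live_session(bool $countsAsActivity = true): void
{
    session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    $now = time();
    if (session_is_stale($_SESSION, $now)) {
        end_session();
        if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest') {
            http_response_code(401); // AJAX caller: let the script redirect
        } else {
            header('Location: /login.php?session=timeout');
        }
        exit;
    }
    $_SESSION['created'] ??= $now;
    if ($countsAsActivity || !isset($_SESSION['last_action'])) {
        $_SESSION['last_action'] = $now;
    }
}
```

Because the check runs on the server at request time, it holds whether or not the browser restored its session cookie, and a polling endpoint that passes `false` can report expiry without renewing the session.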
I'm developing a web app with PHP. The requirement is that the user has to log in to the website. I'm using session variables for this. The session should expire after 10 minutes of inactivity and the browser has to forward to the login page. At the moment I'm not sure if I can solve it with the following PHP functions:
session_cache_limiter('public');
session_cache_expire(10); //should expire after 10 minutes inactivity
But I'm not sure if this expires the session after 10 minutes of inactivity. I guess it will expire in general after 10 minutes. If it does, how can I call a session exit handler?
The other way is to log the current time at each activity. How can I log touch events in Chrome? Is this possible? Without touch event logging it makes no sense.
As per #serakfalcon's suggestion, manage the last-request time in the session itself. To log the user out* at the front end after inactivity you will need to use some JavaScript. JavaScript isn't my strongest skill, but we've used something like this:
<script type="text/javascript">
    setTimeout(function(){
        window.location = '/loginpage';
    }, 600000);
</script>
Just remember that if you're using any AJAX, you'll probably want to have the timer reset when the request is made/completed. All that this does is start a counter for 10 minutes that will then redirect the user to the /loginpage URI. Obviously, browsing away (i.e. remaining active) will prevent the redirect.
* Not actually log them out, but rather redirect the user to the login page when the session has already expired at the server. It would be wise to make the JS redirect a few seconds at least longer than the PHP session expiry so that you don't accidentally renew the session with the call here.
I know there are many threads regarding PHP sessions while ajax queries etc...
but my problem is,
I have an ajax grid (built after the page load), which I allow to edit only when the user is logged on. I don't mind the session not being checked until the user actually changes the page (then valid_session.php is called),
but I have an issue: when the user opens the browser on the same page the next day, the grid is still editable! Obviously, if I refresh the page, the user gets logged out.
I have no-cache set on my pages, but browsers (in particular Chrome) don't reload it on open.
I can't get my head around how to force it to refresh on reopen. Please guide me in the right direction...
EDIT
BTW - I found a way to handle this. I simply call session_destroy(); in session_destroy.php on unload() via $.get():
$(window).unload(function() {
    $.get('session_destroy.php', function(data) {
        alert(data); // alerts me of some var set to 0 - meaning session is destroyed.
    });
});
To log out the user actively, I think you should do some kind of polling and then trigger a logout automatically when the session expires. Or print an error message like "Changes done to this page will not be saved as the session has expired".
Obviously the grid can't know "by magic" that the session has expired; you have to tell it somehow. In any case, even if the grid is still editable, it should be impossible to save changes, otherwise there is a design flaw (like not checking if the user is logged in before saving).
One solution is to set a "last refreshed" cookie, and have a javascript setInterval() which checks if the cookie is older than, say 20 minutes. If it is, the javascript triggers a refresh. Of course, you still need to log them out after the inactivity period.
Right now, when the user comes to a page a session is started; that's working fine. But how can I detect when a user leaves that page? I need it so that when the user leaves the page, the session is destroyed.
You wouldn't be able to use PHP to detect the user leaving the page, but you can send an ajax request via JavaScript on the unload event to destroy that user's session.
Related post: Can you fire an event in JavaScript before the user closes the window?
If you're only worried about pages within your website:
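// REQUEST_URI includes the leading slash and any query string, so compare the file name of its path
if (basename((string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)) !== 'page_with_session.php') {
    session_destroy(); // Kill session for all pages but page_with_session.php
}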
HTTP is an asynchronous protocol. Asynchronous connections with user sessions are valid in a certain period of time. This time is also referred to as expiry time. Therefore sessions have an expiry time. And this time will be renewed while a user accesses your page and invalidated (destroyed) if he does no action in this timeframe.
There is no other way to determine if a user leaves your page.
It is impossible in the general case.
That's not really how the internet works; you could try sending a signal with onbeforeunload() but it's not a guarantee. Since session garbage is just a probability, and I don't know what your viewership looks like, I'd suggest putting something like this in a common file:
if (isset($_SESSION['last_seen']) && $_SESSION['last_seen'] < time() - 3600) {
    session_unset();
    session_destroy();
    header('Location: logout_or_whatever.php');
    exit;
}
$_SESSION['last_seen'] = time();
I have a web app game and while in the game I want to have it so if a user closes the page or their browser, it will automatically log them out. I tried using the onbeforeunload event attached to the window:
window.onbeforeunload = function() {
    // perform logout functions here
}
The problem is, that will also fire if the user refreshes the page. Is there a way I could detect whether or not the user is completely closing the whole page, or just refreshing it?
There is not a detectable difference. To automatically logout a user, you should set an expiration on your cookie storing the login or session information. So if you set it for 1 hour, the user would essentially be logged out after that time since the cookie would be destroyed. If you wanted to postpone this auto logout while they are still interacting with the site, you could reset the expiration of the cookie every time they perform some sort of action (clicking a link, activating an AJAX call, etc). That would mean that they'd be logged out after 1 hour of inactivity as opposed to just 1 hour from login, which sounds more like what you want.
If you set the cookie's expiration to 0, then it will expire after the session ends. That usually occurs when the user quits their browser entirely. That's another option as well.
As said, you cannot. Even worse, this event has been abandoned by a lot of browsers, probably because it has been abused by malicious scripts doing pop-under and such.
A possible workaround is to have an Ajax script "phoning home": if it is silent for some time, the user just abandoned the site (closed page or browser).
Have the onunload event send a request to the server which will cause the session to expire in n seconds (where n is the maximum time for a page reload request to occur, so perhaps 10). Then have the script for the site check to see if that event is scheduled and if so, cancel it. This would give you the behavior you seem to want.
But yeah, I'd recommend simply having the session expire.
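The scheduled-expiry idea from the answer above, as an added example that is not part of the original post. It assumes the page's unload handler requests a hypothetical closing.php and that this file is included by every script; the session key and the 10-second grace period are also assumptions.

```php
<?php
// Added example; the file name, session key and grace period are assumptions.
declare(strict_types=1);

const CLOSE_GRACE = 10; // seconds a reload is allowed to take (the "n" above)

/** Decide what a request means for a session that may be marked as closing. */
function closing_state(array $s, int $now): string
{
    if (!isset($s['closing_at'])) {
        return 'active';
    }
    return ($now - $s['closing_at']) > CLOSE_GRACE ? 'expired' : 'cancelled';
}

session_start();

if (basename($_SERVER['SCRIPT_NAME']) === 'closing.php') {
    // Requested by the unload handler: schedule the expiry and stop.
    $_SESSION['closing_at'] = time();
    http_response_code(204);
    exit;
}

switch (closing_state($_SESSION, time())) {
    case 'expired':   // nothing arrived within the grace period
        session_unset();
        session_destroy();
        header('Location: /login.php');
        exit;
    case 'cancelled': // a reload or navigation arrived in time
        unset($_SESSION['closing_at']);
        break;
}
```

The marker lives in the shared session, so with several tabs open, closing one logs out the others unless one of them makes a request within the grace period. The unload request is not guaranteed to be sent, so a server-side idle timeout is still needed alongside it.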
If I'm not mistaken Javascript should have a function named something like onWindowClose, maybe try searching for it?
Regarding PHP solutions, I'm not sure if there are any but I suggest you take a quick look into PHP Connection Handling, specifically the connection_aborted() and register_shutdown_function() functions.