I want to set up a system that allows a visitor to view only one webpage at a time.
Only one browser window or tab should be allowed.
I have implemented a session variable called "is_viewing". If it is true, the person is denied access to the pages (by simply showing a different template).
What is the best way to reset this session variable if a user navigates from one page to another?
I have added a ajax function to the html body's onunload event. All it does is set the session variable to false.
But this brings all kinds of trouble and unexpected results.
Refreshing the page first shows the deny template (with the session variable being shown as true for some reason that I do not know) and then after another refresh I can load the page again.
Can't I work with headers on a script that is called with ajax?
How else would I reset the session variable and track where the user is going on the site to deny him access if he is already viewing another page?
If you really want to stop people from doing that, limit the number of connections per IP on the server. But please don't limit it to one or so to avoid locking a whole family or so when they have multiple PCs.
If it's ok when people willingly ignore that limit (for example by launching another browser), give each user a cookie and limit the number of connections per cookie on the server - kill old connections when new ones come in.
Related
I need to know if a user visited the webpage by clicking on a link from the same website. I can use $_SERVER['HTTP_REFERER'] and check if the domain is the same. But HTTP_REFERER is not always set.
I must detect the difference between visiting a page via own website and coming from an external website (or direct visit). This must be able over and over again, meaning that if a user leaves the site and come back through a search result, I again must be able to detect this.
I thought about setting a session, but than I can't detect a second visit within the session lifetime. Also don't see an option for setting a cookie.
What other options do I have?
I think you should use Database(MySQL) to save the HTTP_REFERER each time for every visit from a specific IP and for a particular date.
You can check the time difference between the two records (like in some minutes) that an IP has accessed and can get the records if a user leaves and come back again to the website. This way you can track the logs for each visitor like how many times a visitor access the website.
Hope this way you can manage the desired output for your application.
I'm probably using the wrong search terms since I'm getting nowhere with google.
I have a site-wide settings page available only to admins. This question is not about permissions of users. How can I lock access to this page so that only a single admin can be using it at any one time?
My idea so far is to set a flag in the database, but how can I handle those instances where the admin closes the browser or otherwise leaves the page without releasing the lock?
There could be some workarounds for this but none of them is reliable.
As you said you need to set flags for the desired page on the database. You can disable the page view on every time if another admin is on the page (if flag is set).
To unset the flag, you need to use javascript. If user is leaving the page, you need to send an ajax request to some hidden URL on your script to unset the flag. I think that is the only way but It's not reliable. JS could be disabled on user's browser so you wouldn't know. To prevent this you can set a cronjob or add timestamp to database. If the flag is set more than 60 minutes, unset the flag.
I am trying to write a php page that will load several different websites in different iframes. Several of those sites will need the user to login. What I need to do is basically allow the user to only type in the username and password once and then populate all the other forms (that are basically using the same user-pass pair for logging in)
Now i know that since those are external sites you don't have access to the DOM and XSS is not allowed and all, but i was wondering if theres actually any other way to achieve that.
Somebody actually suggested me to simulate keypresses and have a javascript that will basically go from field to field and essentially type in the username and pass but after doing some research I dont think thats possible since you can only simulate the event and not the actual keypress so...any other suggestions?
NOTE: I have also checked this but agreeing with the other sites/domains is not an option in my case!
Thanks -- Mike
that depends.
if those sites share a domain (the parent window and iframes), then it's possible for the top window to communicate with the child iframes. AJAX prevents cross domain (that includes inter subdomains) but iframes can communicate as long as they belong to the same top domain.
see https://stackoverflow.com/a/9338955/575527 and https://stackoverflow.com/a/9676156/575527
a better approach is to have a "top domain cookie" where that cookie is visible in all those iframes (assuming they are of the same top domain). login once using a single login page, then subsequent requests in the pages will need to check the cookie vs the session if that user is logged in.
or if those pages have different domains but access the same database, then one can just then pass the session id as a url parameter to the iframes rather than as cookies. then the website in the iframes will parse the session id and check in the database if those sessions are valid, are current, and are logged in.
all of which need additional CSRF and XSS checking as session IDs are in the open.
You cannot do what you describe in JavaScript.
However, depending on what you need to do with the data/websites once the user is logged in, you may be able to use a remote POST to simulate that behavior. See this question for more info.
I am just starting to learn about web development and something has been niggling me for a while now, How a website controls what you can access and cannot access.
For example, a website like Facebook. When i first go to the site, it presents a login form, once i am logged the same page that i tried to access before now shows information relevant to me that i could only access once logged in, i can navigate to a different site and then comeback to google and it still allows me to use if without logging on again.
How exactly would a site block someone trying to access a particular page when they are not logged in, lets say the page viewProfile.php. How does the website know who to allow access to this page?
I realise this question may seem confusing and elementary but its just a something that came to me whilst viewing facebook.
Thanks.
This is a very simple concept called sessions.
When you visit facebook, it reads unique information sent to it via the connection such as IP address, browser, and some other minor information, when this information is combined it creates a unique identifier.
this unique identifier is then stored in a file like so:
d131dd02c5e6eec4693d9a0698aff95c.session
So when you login with your credentials there application add's information into this file such as last activity etc.
When you go away and come back, facebook will then read the information that's sent with every requests, it then add's it all together and creates a unique hash, if this hash exists within it's storage system it will open it up and read the contents, and know exactly who you are.
all this is combined with cookies, the unique hash is sent back to the browser and stored in your cookies folder, this cookie file is sent back to facebook with every request.
PHP Handles this for you internally so it's pretty basic to get it up and running: http://php.net/manual/en/features.sessions.php
Here's an example that may help you understand the concept a little more.
<?php
/*
* The session_start generates that hash and send a cookie to the browser
* This has to be first as you can only send cookie information before any content
*/
session_start();
/*
* Anything storeg within $_SESSION is what's been read from the session file and
* We check to see if the information has already been set on the first time the user
* visited the site
*/
if(!isset($_SESSION['hits']))
{
$_SESSION['hits'] = 0;
}
/*
* Now we increment the value every time the page is laoded
*/
$_SESSION['hits']++;
/*
* now we display the amount's of hits the user has loaded the page.
*/
echo 'You have vistited this site <strong>' . $_SESSION['hits'] . '</strong> times.';
?>
if you load this page and then hit F5, the session value get's incremented every request so you should see something like:
You have vistited this site 1 times.
You have vistited this site 2 times.
You have vistited this site 3 times.
You have vistited this site 4 times.
...
The session file is unique to each person visiting, thus meaning that when using the session variable in PHP it would be to that user only, so everyone get's there own individual session.
as your researching it's goods to search StackOverflow for certain tags, such as PHP and sessions.
https://stackoverflow.com/questions/tagged/php+session
Here's a good question in regards to cookies and sessions advantages etc.
Purpose Of PHP Sessions and Cookies and Their Differences
A website uses something called a "cookie" to store information on your computer.
This information can hold any text string, but in this case it is probably a unique ID that Facebook knows (probably stored in a database somewhere) is tied to a certain user. Cookies can only be read by the website that sent them and by the browser itself.
The login page sends a POST/GET request to a script that generally checks the username/password combo against data in a database a database. If the data is found to be valid, then the user is granted access to the websites landing page (the page after login) and a cookie is stored. If it is not, they are sent back with a error message.
Cookies can also have a "lifespan". This lifespan can be anything: for a certain amount of seconds; until you leave the site; until you close your browser; or forever (there are probably more.)
The website that sent a cookie can also delete a cookie before it expires. This is how most "logout" buttons work.
To allow only logged in users to view content you can first check for a sign that they are logged in, such as look for an active session and that it has a flag which tells you they're logged in ( which you control ). In PHP at the top of a page you can simply:
<?php session_start();
if(!isset($_SESSION['loggedin'])){
header('Location: http://example.com/login.php');
}
?>
which will redirect non logged in users to a login page. Upon success login, you should set $_SESSION['loggedin'] to a value.
To check whether a person who is logged in is allowed view a particular profile is down to looking up where the page is restricted to friends only, and if so, checking that the loggedin user's id is in the profile owner's friend field in the DB.
It is done with cookies. When you log in, the site puts a cookie into your browser for a set amount of time (generally a very long time so that you can stayed logged in). When you access the site again, your browser sends the cookie back to the site (and the site sets a fresh cookie). In any browser, you can find the list of cookies somewhere in the options.
If you want to know more about cookies, you can read the wikipedia: http://en.wikipedia.org/wiki/HTTP_cookie
Do a Google search for "Session Management."
Summary
when you login to a site you get a unique id. That id pulls your data from the database and then populates a dynamic page, like viewProfile.php with your data. So each user pulls the same file, viewProfile.php, but gets different results based on their unique id.
I have secured pages that all check for a set session variable to determine logged in users, pretty standard stuff. Where I run into problems is when I submit form information to a backend page that will process that data and then redirect to a success/failure confirmation page. In that time the session gets lost, at least the session with the variable. The session is still around because I can manually navigate to a secured page after and it works. Just auto redirects from a backend page to a secured page or a link on one of the unsecured pages after a redirect from the backend will fail. It may or may not be related, but after visiting multiple secured pages or doing one of the operations that use the problematic backend pages, there are two session cookies on my computer from the domain-- one registered to domain.com and the other to www.domain.com. At the end of my wits about this, thanks.
I see two problems here, but they're related.
The first is that you seem to be bouncing between secured (https://) and un-secured (http://) pages. Cookies aren't supposed to be shared between those, so that's why your session appears to break (PHP sets a cookie with the session ID).
The other is closely related and that is sharing between domain.com and www.domain.com. Cookies can share in one direction, but not the other. Don't worry about which: just pick one hostname and stick with it. Then check that you're setting the session's cookie domain to the correct one.
You must call session_start() from your PHP page before you output anything, preferably at the start of the page.
If the session has been already created, it will resume it for that page.
http://php.net/manual/en/function.session-start.php