reset all logged in users after they shutdown their consoled - php

i have list of student who have Nintendo DSs, and they should log in my website to solve some sheets (by using DS Opera browser), when they logged in , (status filed at my DB will change from 0 to 1),also the status change to 0 if they log out, what i need is when the student didn't log out and Shut down their DS's , the status should be 0,,
i don't have an idea to it,
any suggestion would be helpful for me ..
FYI ,DS opera browser limitation here

Due to the stateless nature of the web, there is no way to get notified what a user shuts down her browser.
The usual solution to this problem is to have some kind of an "I'm still connected" notification using ajax calls, and a timeout on the server side when a user hasn't checked in after a while.
As far as I can tell, there should be a problem doing that on the DS opera browser.

While itsadok is correct, you could tell who connected recently by using sessions for all your pages. Life would be a lot simpler if you implement your own session handler using a database for storage - and keep (a copy of) the authenticated username in a separate field from the session data.
C.

Related

Loggin a user out of a database on browser close PHP/MySQL

I have seen MANY questions on this before online in many places, however, out of about 30 forums and whatnot, NONE of them have had the solution I need, and that includes stackoverflow. If anyone could help me find a reliable solution, it would be greatly appreciated, so thanks in advance!
I'm going to explain my site and situation with as much detail as possible in order to help any who want to help answer my questions. Here is my situation:
I have a website and I use PHP and MySQL. My website is a "private" organization site. In order to allow people access to the site, I send new members of our organization and invite code. The user then visits the website, and the index.php file simply contains a form for logging in as well as a link to the registration pages. New members click the "Register Here" link to begin registration. The first registration page asks for the user's last name and invite code which are checked against a database to make sure that person is on the list and has not yet registered. If they pass the check, they are taken to the next page in which they enter required information (username & password, email address, etc.) as well as some optional information (phone, bio, etc.). If the user creates a valid username and password and has all required fields filled out, their information is stored in a database. Passwords are all salted and hashed properly and securely, so there is no problem there, and the whole registration process works as it should. After registering, the user is taken back to index.php where they can now log into using the username and password they just created. This works as well; when the user logs in, their username and password are checked against the database, and if successful, the user is logged in. When the user is logged in, an ONLINE value in the database is set from False to True. The user is now logged in and can use the site as it is intended. On my site, there is a column that lists users that are currently online (based on the ONLINE value from the database). When the user clicks the "Log Out" button which is located on every page of the site, the logout.php script is run, ending the session and setting the ONLINE value back to False. This all works fine and dandy, however, the problem comes when the user closes the browser without logging out first. This is where I have seen many different "solutions" various places on the internet. I am going to explain why they won't work and why I need a better solution.
The answers I see most often involve some sort of session timeout or destroying sessions, which is irrelevant because of the fact that the session already does, in fact, end when the user closes the browser, but that has no effect on telling other users whether or not that person is currently online. When the session ends, the database won't be updated, which causes a problem due to the fact that a user can only be logged in from a single instance. If a user attempts to log in while their ONLINE value is already set to TRUE, they aren't allowed to log in.
I have also seen suggestions of using a "Last Seen" value instead of an online value, and if a user hasn't had any activity within the past x amount of minutes, log the user out. This won't work, however, for two reasons. 1) That script still has to be running somewhere in order for that to work, meaning another user must be logged in for that to work. That basically means that, if using this method, if a user closes their browser or if they loose connection, they won't be able to log back in until another user logs in. With my organization being a small, locally based organization as it is, there are likely to be many times in which there are no users online. Also, even if another user is logged in, the user whose connection was lost still won't be able to log back in until after x amount of minutes has passed, so if the user accidentally closed their browser and wanted to log back in immediately, they simply wouldn't be able to.
A less frequent solution I came across involved using the onBeforeUnload JavaScript function, but those most definitely will not work due to the fact that those would trigger any time a user clicked on a link or on the "Back" and "Forward" buttons. Also, if the user has JavaScript disabled in their browser, this will not work at all.
The last thing I have seen involves while loops and the connection_aborted function, and this is the only one that seems like it could work, yet I have not seen a very clear description of how this should work, and after spending months experimenting with it, I still have not come up with a reliable solution.
In many forums, I have seen people say that "it's not possible," but that can't be the case considering there are sites that do it somehow. I have tested and experimented with this on several sites. On a site that has users such as Facebook or any forum website, there is a list of "online" users, and in the case that a user closed their browser, their name would no longer appear on the list, so it is possible, even if it can only be achieved through some obscure method. So, if anyone knows of a solution, I would greatly appreciate if you could share some of your wisdom on this subject!
Try creating a Heartbeat mechanism in javascript.
this method would start sending an ajax call to your webmethod on timely basis use.
setInterval(function(){
sendPulse();
},30000);
sendPulse(){
var varUserID = userID;//any unique user identifier that can be found on server side
$.ajax({
url: "Default.php/updateUserStatus",
UserID: varUserID,
type: "POST",
dataType: "json",
contentType: "application/json; charset=utf-8",
success: function (mydata) {
//alert("pulse sent");
}
});
}
On server side, you must have a method with same name and case sensitive parameter. the should be static and marked as webmethod. in this method save the current time for the user. you should have a mechanism to know what users have very old pulse, do this check when a user tries to do something or performs any operation. I have implemented this approach and works very well.
That's the answer: persistent connection between client and server. For this, you will need a TCP connection, like websockets nowadays, or a flash old duplex connection. From here on, TCP takes care of noticing you when someone connects or disconnects. What you got to do is a websocket server (for example) who just traks connections (push and pop from an array), and also a way to respond to a "get_users_online" message. You can access your user's session (read only) via the websocket server, and then see if the user is logged-in (and in this way, you can store his nickname in session, access further from websocket server), see if he is admin (session->is_admin).
Pretty simple, I would say.
Here is the library I've been using: http://socketo.me/ . It uses a library for decoding symfony2 sessions, but for simple applications, you don't need decoding (symfony2 applications encodes sessions, so the websocket server has to decode them).
Big note: Sessions has to be stored externally (not in file system /tmp) like a ORM or NoSql.
Either way, escuse me, but I have to say that that the "Last time" seen is super okey. Most of the sites rely on this. You understood something wrong, you don't need to have a living server for checking "Last time" always, when you request /admin.php?users_online=1 , you make a query where "Last seen > NOW() - 5 minutes" (won't work written like that), so you can even get rid of the "ONLINE" "OFFLINE" field.
I suggest using a websocket approach, it's fun. :)
Good luck!

How to know whether a person left your website?

I am building a website in PHP and i need your help. I want to know the time of the user who logged in my site. The task was to store the login time and then the logout time. The login can be stored easily. But for logout there are many ways. The one I can think about are:
By clicking on the logout button.
By Closing the browser.
By letting the session gets expired.
Certainly by disconnecting from internet due to any reason.
I solved my problem for the first three but I don't know how to solve the Fourth one. Then Searching on net I got an idea to implement it using the SERVER PUSH MESSAGE method. In which the server can send message to the client browser after certain interval of time. If he gets a response then it means the user is still connected otherwise user is not connected. I liked the idea but I don't know how to implement this idea because i don't have any knowledge about the push messages.
Please Help.
Thanks in Advance.
From Javascript you shouldcatch the event window.onbeforeunload

Logging every user out of a Web application

I am helping develop a web application for one of the departments in the company I work for.
I was asked to look into a way to log off every user that might be on the application at once, so that if updates to the Web App are pushed out, people aren't working with an old version of it.
My problem is that as I am not very savvy with PHP, JQuery, AJAX, etc. which is what we're using, I have not known exactly what to look for.
We have a timer script running every couple seconds in the background, so I was thinking that I could add an admin button that updated a field in the database which this script could check every so often, and if the field was set, the logoff script could be executed. But this seems like a hack to work around the issue.
The guy I'm working with suggested I look into custom SESSION handlers.
What do you guys think? Any ideas?
Any help would be appreciated. Even if it's an idea on what to start searching for.
Thanks in advance!
EDIT: I should mention that this is a one-page web app. The user is not following any links or leaving the page.
Make an entry for logged in users in your database of choice, maybe memcached if performance is a criteria.
Use a custom Session save handler which stores the sessions in database or file. When you want to destroy all sessions, you can clear the storage (be it database, or file).
Start from - http://php.net/manual/en/function.session-set-save-handler.php
What I ended up doing was the following:
I added a field into one of out database tables and checked its value every time our browser tick came through (about every minute or so). If the field is set when the tick comes through, their page is refreshed, thus logging them off the application and destroying their session (We destroy the session when someone leaves the page).
The users cannot log back in until that field has been reverted to '0'
The admin account can change that field with the click of a button. Therefore their field in the database remains as a '0'
It might be kind of a hack, but it's what I could come up with even after everyone's help. The only issue is that it takes a bit to log everyone off. Problems of pulling vs pushing I guess.
And yes, an email will be sent out some time before logging everyone off so they don't lose work.
Thank you all for your help!

PHP + socket.io (session, authorizing and security problems)

I have a working php application in which I want to add real-time support. I would like to use nodejs/socket.io to add that kind of functionality.
First problem I found was how to properly authorize user on nodejs side (user is already authenticated on php backend through PHP session). Using socket.handshake.header.cookie on nodejs side i can parse and get PHP session id, which I can authenticate through redis/memcache/database (depending on what have I used to save session information). Everything looks cool when user has only one tab/window of the site opened - when having more and using session_regenerate_id(), in nodejs the user authenticates with another sessionid key, so I cannot distinguish two tabs by anything other than the socket id they connected with. When user logouts he shouldn't be getting any messages on any tab (because he already logged out on every tab/window from that browser). So on logout message (sent from browser just before the logout PHP things) I should remove all the socket connections connected to the authorized user id. But what if user logges in on two devices (fe. pc browser and an ipad safaris). After logout on one device, he shouldn't be getting any messages on the device he logged out, not on every device. How can i distinguish connections from different devices/browsers in socket.io? Of course not using session_regenerate_id() would be efficent here, but what can I do if I really want to use this feature?
Another problem I have is rather a security issue (or even question). Let's assume that authorized user in application can see page example.com/user1 (which is a news feed for user1) and cannot see example.com/user2 (fe. he doesn't have rights to see it). I'd like socket.io to send update messages to browser when user is on example.com/user1, and of course not to send when user is on example.com/user2 site. On socket.io side I can read the referer address (so presumably, when user is on user2 site he does not get any socket.io connection). The question is: should I compare the referer address with the rights of authenticated user on node.js side? Or maybe the referer value is safe on the node.js side? Adding another db check on node.js side would slow it down (because almost every request there should be same database check on two sides - PHP and node.js).
Or maybe the whole concept of socket.io + PHP application working the way I presented is wrong?
UPDATE
I think I found a way to omit problems with the first question - basically I just add another cookie (besides PHPSESSID) fe. named NODESESSID, which I generate (fe. using uniqid()) when user is authorized. Now authorization on node.js side is comparing PHPSESSID and NODESESSID (both must match). Now, when user logges out he delivers the message logout to socket.io and socket.io disconnects all the sockets with NODESESSID. This is like connecting the benefits of regenerating session id and not regenerating session id (but is not vulnerable to session fixation, isn't it?).
For your second questions:
the Referer is not secure, as mentioned in the comments.
I hava a similar problem in my application and this is how it works for me.
first, i hava a single-page app where all traffic goes through the socket, but thats not necessary. it should work with sessions the way you managed it, too.
in nodejs onConnect I ask the backend if the user is authenticated and then store the userid into the socket object (socket.data) and also populate a hashmap to lookup sockets from userids directly.
second, i use Redis and subscribe to a redis list from nodejs (see redis pub/sub). the php backend pushes messages in this list with a userid to address the message. nodejs takes this message (e.g. a new news feed item), looks up the userid in the mentioned hashmap and sends it to the client. so, a user only gets what he is authorized for. the client then decides what to do with the message. if the user is on his feed page, it could add the item. if the user is on someone elses feed, it could simply add a notification somewhere else on the page. it might also discard it.
on the php backend site, this messages are send to redis everytime an event occurs which needs to be shown live on some connected client. if user1 posts on user2's feed, the new item is stored in the database and in the same time is send as message into the redis queue.
this system also helps to reduce DB load since nodejs just need to query a database to make sure the connected user is already authenticated.
Actually, you can avoid using node.js, and use phpdaemon, its written with php and work very good.

How to reset RDBMS value when browser crashes

This is my first post on these forums, however I've been using them for years in looking for solutions to my coding challenges...thank you for all for sharing your knowledge.
Ok, to the point...I need a nudge in the right direction for a theory of a solution to the below problem.
Desired Result:
Current existing structure: FLEX RIA that communicates with MySQl DB via PHP.
We basically, have a RIA that is part of a software solution we provide to our customers, we want to restrict login sessions to one/username, which we did successfully by setting a value in our MySQL DB...the point of this was to restrict the use of username(s) to one application access point and create the ability for us to charge for additional usernames, if so desired by our customer.
Problem:
Although, we successfully restricted user logins to one session, we ran into a problem when the RIA connection with the DB was inadequately terminated (eg., browser crash, OS crash, flash player error, etc). When these crashes happenned the value that was set in the DB for the user, showing them logged in, would persist and thusly lock them out of our software application. We would have to go into the database and manually reset their logged in status.
What I am looking for:
I need some suggestions or some areas to look into/research for a solution to this problem
Any help you might provide is greatly appreciated,
Thank You
Dignified Dude
When the Flex app pings your server for the first time; create a server side session. When that session expires, flip the value of the database automatically, regardless of whether or not the user has logged out. You may also want to add some form of timer to the UI to automatically log the user out.
I assume there is some way to run code in PHP when the server side session expires. Here are some approaches that came up in a Google Search:
Run query after session expire
http://forums.digitalpoint.com/showthread.php?t=1320013
PHP session timeout callback?
http://www.google.com/search?q=Run+code+when+PHP+session+expires&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a#sclient=psy-ab&hl=en&safe=off&client=firefox-a&rls=org.mozilla:en-US%3Aofficial&source=hp&q=run+code+on+PHP+session+expire&pbx=1&oq=run+code+on+PHP+session+expire&aq=f&aqi=q-w1&aql=&gs_sm=e&gs_upl=9504l13039l1l13162l32l12l0l0l0l0l1160l5043l2-4.2.1.3.0.1l11l0&bav=on.2,or.r_gc.r_pw.r_cp.,cf.osb&fp=9fb4160009134867&biw=1200&bih=786

Categories