  1. #1 (Join Date: Apr 2004, Location: ontario canada, Posts: 3)

    help to detect session interruptions -(PHP)-

    I hope this is not a dumb question, but I am reasonably new to php so be gentle if it is.

    I am writing some software to maintain a user's online session over https. They have logged in via my own mechanism, and are therefore allowed access to the https section of my server.
    I am using the session_start() function to generate a unique session id and set it in the session cookie on the user's machine.

    Everything works fine, but I want to be able to detect and respond to the user performing item 'C' in the following sequences.

    situation 1 --------------------------------------------------------

    A) user logs in fine.
    B) user is in the secure part of the server.
    C) user types in another url in the address bar and goes to some site outside of the secure server then presses the back button on their browser to come back.

    - the user should still be able to use the back button of their browser within the secure session though.

    -or-

    situation 2 --------------------------------------------------------

    A) user logs in fine.
    B) user is in the secure part of the server.
    C) user attempts to open a second browser window during the same session. They should only be allowed one browser window at a time in the secure area.

    -----------------------------------------------------------------------


    I can't think of a way to do those things with the information available to me, but I know it is possible since I log into systems that do have these properties/behaviours.

    Maybe I have to configure apache or SSL to take care of these things? Any ideas or advice would be helpful.

    Thanks.

    Todd

  2. #2 (Join Date: Aug 2002, Location: Superior, CO, USA, Posts: 633)
    For the first part, I've seen two solutions. The first uses a small Javascript that gives the server a heartbeat. That is, every X seconds the Javascript connects to something like "http://www.myhostname.com/?sessionId=12345". The server recognizes this and does the right thing to keep the session from expiring. Obviously on the server side there needs to be a timeout method so that, for example, if you don't get the heartbeat after a minute you kill off the session.

    The second solution involves using a small Java applet to maintain a socket connection back to the server, using a very similar URL. This is very expensive in that it will maintain a socket connection for each client you have. It is, however, real time - the instant the applet is killed when the user moves from the page your server will be notified.

    For your second question, what does it hurt? If the new window is within the same process then the session ids will get shared and everything should work as planned. If they are separate processes then you can disable the second login by checking if the user is already logged in. You would likely have to store this information in a DB. When tied to part one, you'll know if you have to mark the user information in the DB as "logged out".

  3. #3 (Join Date: Apr 2004, Location: ontario canada, Posts: 3)
    Firstly, thank you for your response.

    When you say 'separate processes' (third paragraph), do you mean if they attempt to log in again entirely? I have dealt with this by wiping out the validity of their first session id and starting a new one. I can't wait for the first session to log out, because most people don't actually use the logout button; they just close the window, so the server would not know if the first one was logged out or just reading the page.
    (If you have any better ideas for this, let me know.)

    I like the idea of the javascript 'heartbeat' because it is active as long as the session-capable window is open. It may work for the issue described in the above paragraph, but it does not really prevent a user from performing the described actions in 'situation 1' it only works if they are gone for longer than X seconds.

    Aside: Can you use javascript to send a message to the server indicating that the browser window is being closed?

    I do not have enough experience with javascript to answer my initial questions about your described technique. Would it require the whole page to refresh? If so, I don't think it would be a usable option.

    Would this javascript heartbeat send the pertinent cookie information with each heartbeat?

    The reason that I don't want the user to have multiple windows in one active session is because I don't see any requirement for it, and I would like to reduce the possibility that the data displayed is inconsistent, or mistaken for current when it is not. Multiple windows would enable the user to operate on outdated data. My particular system involves interactions with, and operations on, data, and I'm afraid something weird could happen. Or at the very least it could potentially result in a "less bulletproof" system.


    Any comments are appreciated.
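As an added example that is not code from this thread: the server-side bookkeeping the second reply describes (a heartbeat endpoint, a timeout that kills silent sessions, a store that says who is already logged in), combined with the approach in post #3 of invalidating the first session id when the same user logs in again. The class and method names, and the in-memory array standing in for the database the reply mentions, are my own assumptions.

```php
<?php
// Added example (not from this thread): server side of the heartbeat-plus-timeout idea in
// post #2, plus post #3's approach of invalidating the earlier session id on a new login.
// An in-memory array stands in for the database the answer mentions; timestamps are plain ints.
final class SessionRegistry
{
    private array $sessions = [];      // session id => ['user' => ..., 'last_seen' => ...]
    private array $activeByUser = [];  // user => the one session id currently valid

    public function __construct(private int $timeoutSeconds) {}

    // Called after credentials are verified. Any session the user already holds
    // is dropped, so a second login (or second window) supersedes the first.
    public function login(string $user, string $sessionId, int $now): void
    {
        if (isset($this->activeByUser[$user])) {
            unset($this->sessions[$this->activeByUser[$user]]);
        }
        $this->sessions[$sessionId] = ['user' => $user, 'last_seen' => $now];
        $this->activeByUser[$user] = $sessionId;
    }

    // Target of the page's periodic JavaScript heartbeat request.
    public function heartbeat(string $sessionId, int $now): bool
    {
        if (!$this->isValid($sessionId, $now)) {
            return false;
        }
        $this->sessions[$sessionId]['last_seen'] = $now;
        return true;
    }

    // Every secure page checks this first; a superseded or silent session is rejected.
    public function isValid(string $sessionId, int $now): bool
    {
        if (!isset($this->sessions[$sessionId])) {
            return false;
        }
        if ($now - $this->sessions[$sessionId]['last_seen'] > $this->timeoutSeconds) {
            $this->logout($sessionId); // no heartbeat within the window: treat as logged out
            return false;
        }
        return true;
    }

    public function logout(string $sessionId): void
    {
        if (isset($this->sessions[$sessionId])) {
            unset($this->activeByUser[$this->sessions[$sessionId]['user']]);
            unset($this->sessions[$sessionId]);
        }
    }
}
```

In a real deployment the heartbeat request should carry the session cookie rather than the id in the URL as in the quoted example, so the id does not end up in server logs or Referer headers; the PHP heartbeat page would pass session_id() and time() to heartbeat().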

  4. #4 (Join Date: Jun 2002, Location: Kansas City, Posts: 12)
    One way I have seen this done is when you go to a website and then, when you close or leave it, a window comes up and says "Thanks blah blah, please fill out this handy questionnaire!" You could do the same thing, except instead of a questionnaire, a window that says "logging you out of system". It uses frames, but not noticeably: just a big frame that the whole site is in, so that the unload is part of the frameset, not each page.


    Code:
    <html>
    <head>
    <script language="JavaScript">
    <!--
    // Fires when the frameset itself is unloaded (window closed or navigated away);
    // opens logout.php so the server can end the session.
    function unload() { window.open('logout.php'); }
    //-->
    </script>
    </head>
    <!-- The whole site lives inside this single frame, so pages can navigate
         within it without unloading the frameset. -->
    <frameset rows="100%,*" onUnload="unload()" scrolling="no" border="0" frameborder="no" framespacing="0">
    <frame src="main.php" name="the_main" scrolling="auto" border="0" frameborder="0">
    </frameset>
    </html>

  5. #5 (Join Date: Apr 2004, Location: ontario canada, Posts: 3)
    Thanks for your answer. I did a bit of investigation, and determined that the site that I was referencing uses this technique. I think it will solve my problems.
