Author |
Message |
Donovan
Client
Joined: Oct 07, 2003
Posts: 735
Location: Ohio
|
Posted:
Wed Mar 25, 2009 8:37 am |
|
As this site is on a college campus and most of the public computers in the lab are Macs, the primary browser is Safari.
I am trying to ensure that when the browser is closed the session expires with it. I don't want another student using the same computer and finding it already logged on with someone else's credentials.
I can't seem to get this right.
At the very top of the page I have this.
Code:
##################################################
# Start the session #
##################################################
ini_set('session.cookie_lifetime', 0);
ini_set('session.cache_expire', 0);
session_start();
|
The user would then login and authenticate with the ldap server. If the connection is successful and the bind attempt authenticates, I then check to see if they are a medical student.
Code:
if ($db->sql_numrows($sql) == 1) {
    // if a row was returned
    // authentication was successful
    // set session variable
    $authuser = $_SESSION['authuser'];
}
|
So if the browser is closed instead of the student clicking the log out button I think the session should expire. At least that is my understanding by setting this.
Code:ini_set('session.cookie_lifetime', 0);
|
So then when I access the site after first closing the browser, and then opening up a new one I should be sent to the DisplayLogin function but instead I can view grades.
This is at the top of my StudentGrades function.
Code:
if (isset($_SESSION['authuser'])) {
    $authuser = $_SESSION['authuser'];
}
if (!$authuser) {
    header("Location: modules.php?name=$module_name&op=DisplayLogin");
    exit;
}
|
Confused.....yes I am. |
|
|
|
|
duck
Involved
Joined: Jul 03, 2006
Posts: 273
|
Posted:
Wed Mar 25, 2009 10:43 pm |
|
A couple of things can cause this: one, if the user uses the remember me function, and as well if there are other copies of the browser still open. If you close a tab or window of the site but there is another open window or tab on another site the session won't expire (I believe this even includes browser-spawned windows like the downloads window in FF). Also, after changing these settings you should clear your sessions table in the database. |
|
|
|
|
Donovan
|
Posted:
Thu Mar 26, 2009 7:36 am |
|
I don't have any other tabs open. I don't use a remember me function. |
|
|
|
|
Donovan
|
Posted:
Wed Apr 01, 2009 7:57 am |
|
I still need help here.
If this returns 1 result...
Code:$sql = $db->sql_query("SELECT * FROM ".$prefix."_tl_students WHERE LDAP_USER = '$authuser'");
if ($db->sql_numrows($sql) == 1) {
|
I want to create a session.
Code:$_SESSION['authuser'] = $authuser;
|
If the browser is closed I want the session destroyed.
This is what I have at the top of my page.
Code:ini_set('session.cookie_lifetime', 0);
ini_set('session.cache_expire', 0);
session_set_cookie_params(0);
session_start();
|
Still does not work. A user can close the browser, open a new one and still be logged in. |
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Mon Apr 06, 2009 10:57 pm |
|
|
|
|
Donovan
|
Posted:
Tue Apr 07, 2009 3:10 pm |
|
No, I haven't, but they seem to take me in a different direction than where I need to go. |
|
|
|
|
Raven
|
Posted:
Tue Apr 07, 2009 3:20 pm |
|
Not the way I read it. If you want to do any processing after the user exits then these functions should make it easy. |
|
|
|
|
Donovan
|
Posted:
Tue Apr 07, 2009 5:13 pm |
|
But I don't want to do any processing after the user exits. I just want to make sure their session is destroyed so they have to login again when they open a new browser. |
|
|
|
|
Raven
|
Posted:
Tue Apr 07, 2009 10:18 pm |
|
Think about it - That's a process - Destroying a cookie/session |
|
|
|
|
Donovan
|
Posted:
Wed Apr 08, 2009 7:05 am |
|
?
How do I run code for a user who no longer has a connection? They closed the browser before logging out. Are you saying I need to run a cron job every 5 minutes or whatever?
Every place I read says this is all I have to do:
ini_set('session.cookie_lifetime', 0);
This will clear the session in the cookie. When you close the browser the session will automatically expire, however when I close the browser and open a new window I can still click on Login and get forwarded to that student's grades without having to login a second time.
Which tells me that $authuser still equals $_SESSION['authuser'];
therefore $_SESSION['authuser'] is still set. |
|
|
|
|
duck
|
Posted:
Wed Apr 08, 2009 9:06 am |
|
What about using one of the above mentioned functions to make sure the user's session is cleared from the DB? |
|
|
|
|
Raven
|
Posted:
Wed Apr 08, 2009 9:31 am |
|
There is no cron job. Even though the session "appears" closed, those functions keep the php process active. Once you set php to not allow a user abort you should be able to clear the cookies and then programmatically end the session. It's all explained in the manual. Try searching Google for examples using these functions. I'm sure they are out there. |
|
|
|
|
Raven
|
Posted:
Wed Apr 08, 2009 9:33 am |
|
I would also incorporate duck's suggestion as part of your end processing process to cover all bases. I would think you could do all of this in a Call Back routine right after the user abort is trapped. |
|
|
|
|
Donovan
|
Posted:
Wed Apr 08, 2009 11:50 am |
|
So you're saying?
Code:
ignore_user_abort(true);
while (true) {
    echo "\n";
    if (connection_status() == CONNECTION_TIMEOUT) {
        session_destroy();
    }
}
|
Should I put this on the page once near the top or do I need it in each function? I am not currently inserting any session info to a database so clearing user session info from the database does not apply, and I don't see what other functions duck is referring to unless he was referring to your link and this connection_status() function. |
|
|
|
|
CodyG
Life Cycles Becoming CPU Cycles
Joined: Jan 02, 2003
Posts: 714
Location: Vancouver Island
|
Posted:
Thu Apr 09, 2009 7:19 pm |
|
Interesting discussion. We were having the same issue with IE at our computer clubhouse lab. Members would not logout of their account and the next person to sit at that computer would find themselves logged in as someone else. It was really problematic when our admin members didn't logout. (egads) IE 7 was flawed in this regard. IE 8 (like IE6) allows cookies to be deleted as soon as the browser session closes. Still, some people like to modify settings. FF is a bit better.
I'll be keeping an eye on this discussion. |
_________________ "We want to see if life is ubiquitous." D.Goldin |
|
|
|
younus
New Member
Joined: Jul 06, 2009
Posts: 1
|
Posted:
Mon Jul 06, 2009 2:25 am |
|
I am also facing a similar issue; it can be reproduced by following the steps mentioned below:
1. We received a request, whereby the 'logged in' administrator page was loaded without any authentication on the same machine when a new browser window was opened.
2. On investigating the issue, we observed that, a Firefox property of restoring the last logged in user session caused this. Below are the steps to reproduce this:
a) Load the Application URL in Mozilla Firefox
b) Login as an administrator
c) Navigate to any page of the application
d) Go to the Browser's (Mozilla Firefox) > Tools > Options > Main Tab Default Settings
e) Change the setting for "When Firefox Starts" to "Show my windows and tabs from the last time" (3rd option)
f) Close the browser
g) Reopen the browser and the same page as in step 'c' shall be visible.
This is observed in Yahoo Mails also, however the client requests to stop such happenings. I request you to provide a conclusion for the session handling problem discussed above which would be applicable for my problem.
Thanks in advance. |
|
|
|
|
Donovan
|
Posted:
Wed Jun 02, 2010 1:28 pm |
|
This is still an issue. Can't seem to find a cure. I pass the SSID in the URL and can also access authenticated SSID by using the browser history. Was looking into the use of ...
If ($_SERVER['HTTP_REFERER']) == blank
...then could I assume they accessed the page from other than a preferred method.
I could then send them to the login screen. |
|
|
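Added example, not part of the original thread or of any poster's code: the server never sees a browser being closed, and a restored browser session or a session ID carried in a URL brings the old ID back, so this sketch enforces expiry on the server and keeps the ID out of URLs. The function names, the `last_seen`/`login_time` keys and the timeout values are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example. All names and limits below are hypothetical, not from the thread.
const IDLE_LIMIT     = 900;    // seconds without a request before re-login (assumed)
const ABSOLUTE_LIMIT = 28800;  // maximum age of one login, in seconds (assumed)

function start_guarded_session(): bool
{
    // Keep the session ID in a cookie only, never in URLs or browser history.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.cookie_lifetime', '0');  // still a browser-session cookie
    ini_set('session.cookie_httponly', '1');
    session_start();

    if (!isset($_SESSION['authuser'])) {
        return false;                          // never logged in
    }
    $now  = time();
    $idle = $now - ($_SESSION['last_seen'] ?? 0);
    $age  = $now - ($_SESSION['login_time'] ?? 0);
    if ($idle > IDLE_LIMIT || $age > ABSOLUTE_LIMIT) {
        end_session();                         // stale: treat as logged out
        return false;
    }
    $_SESSION['last_seen'] = $now;             // sliding idle window
    return true;
}

function mark_logged_in(string $authuser): void
{
    session_regenerate_id(true);               // fresh ID at login, old data deleted
    $_SESSION['authuser']   = $authuser;
    $_SESSION['login_time'] = $_SESSION['last_seen'] = time();
}

function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {      // expire the cookie in the browser too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

A protected page would call `start_guarded_session()` before any output and redirect to the login form when it returns false; `mark_logged_in()` runs once, right after the LDAP bind and student lookup succeed.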
|
|
wHiTeHaT
Life Cycles Becoming CPU Cycles
Joined: Jul 18, 2004
Posts: 579
|
Posted:
Wed Jun 02, 2010 3:08 pm |
|
Always print something like this when doing tests:
echo '-----sessionID---' . session_id();
echo '<br/>---$_SESSION[\'authuser\']--' . $_SESSION['authuser'];
if (isset($_SESSION['authuser'])) {
    // do something here
}
and yes... you definitely should read a manual or tutorial about session handling...
But hey...if you use this on Raven version... you should kill all other applications that call session_start ... for example the captcha.
I suggest to install a default nuke, that doesn't run sessions, and try your code in there. |
|
|
|
|
wHiTeHaT
|
Posted:
Wed Jun 02, 2010 3:23 pm |
|
|
|
|
|