Monitoring logged-in users with sessions: autologoff

Hi all,
I'm currently relying on logged-in users hitting "logout"
(logoff) before they leave, in order to terminate the session.

With PHP the session filename is in a cookie that lasts for the
current session. The problem is that the server does not know
when the current session expires. (I have quite long timeouts.)

Did anybody attempt a script to automatically call "logout"
when the session expires? It seems quite complicated, as there
are multiple urls that share the same session and the user is
not actually logging out until one of them is open in some
client window.

Any better ideas?

TIA
Ale

Jul 17 '05 #1
> I'm currently relying on logged-in users hitting "logout"
> (logoff) before they leave, in order to terminate the session.
>
> With PHP the session filename is in a cookie that lasts for the
> current session. The problem is that the server does not know
> when the current session expires. (I have quite long timeouts.)

Then keep track of the timeout yourself.
When the user logs in successfully, set $_SESSION['last_hit']
to the current time. When the user hits a page, check his
login INCLUDING that $_SESSION['last_hit'] being not too old.
If it is too old, redirect to the login page.

If the session is valid, and you want to count the timeout from
the last hit, not the time of login, set $_SESSION['last_hit']
to the current time.

> Did anybody attempt a script to automatically call "logout"
> when the session expires?

You can't send a page to the browser spontaneously.
You can invalidate the login. With the above procedure,
you don't have to actually DO anything to expire the session
at the time it expires, just check if it has expired at
each page hit.

Gordon L. Burditt
Jul 17 '05 #2
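
The per-hit check described in the reply above, as an added example that is not part of the thread. The names `MAX_IDLE_SECONDS`, `check_idle_timeout()`, `expire_session_and_redirect()`, the `user_id` session key and `/login.php` are assumptions; only `$_SESSION['last_hit']` comes from the post.

```php
<?php
// Added example: include this file at the top of every protected page
// (not the login page). All names except 'last_hit' are assumed.
const MAX_IDLE_SECONDS = 1800; // assumed policy: 30 minutes without a hit

/** Return true if the login is still fresh, and slide the idle window. */
function check_idle_timeout(array &$session, int $now, int $maxIdle): bool
{
    if (!isset($session['user_id'], $session['last_hit'])) {
        return false; // never logged in, or session data already gone
    }
    $idle = $now - (int) $session['last_hit'];
    if ($idle < 0 || $idle > $maxIdle) {
        return false; // too old, or a clock change / corrupt value
    }
    $session['last_hit'] = $now; // count the timeout from the last hit
    return true;
}

/** Drop the server-side data and the cookie, then go to the login page. */
function expire_session_and_redirect(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // removes the session's stored data on the server
    header('Location: /login.php');
    exit;
}

// Per-request wiring; skipped when the file is loaded from the command line.
if (PHP_SAPI !== 'cli') {
    session_start();
    if (!check_idle_timeout($_SESSION, time(), MAX_IDLE_SECONDS)) {
        expire_session_and_redirect();
    }
}
```

Nothing runs at the moment of expiry: the stale session is only detected and destroyed on the next request that presents its cookie.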
Yup, I'm keeping track of login and last_hit times. However, the server
is not able to distinguish between a user who is taking a long time to
post an update from a user who killed the browser window without
hitting logoff. (The purpose is to just warn them when more than one
is updating the same data.)

> You can't send a page to the browser spontaneously.

I could use the onBlur feature to automatically load logoff.
Perhaps I could use a frame, where an invisible page stays there
just to confirm that the user's session is still valid. Many sites,
e.g. PostNuke, display to a user what other users are currently
logged on, so I don't want to reinvent the wheel...

Jul 17 '05 #3
> Yup, I'm keeping track of login and last_hit times. However, the server
> is not able to distinguish between a user who is taking a long time to
> post an update from a user who killed the browser window without
> hitting logoff. (The purpose is to just warn them when more than one
> is updating the same data.)

If you are really trying to track simultaneous updates to the same
data, you need a lot more than login information. And isn't the
time to do this when the user submits the conflicting change?

What's your purpose in trying to tell when a user has "logged off"
(whatever that means)? Invalidating a session after a certain amount
of time addresses the "unattended keyboard" security issue (and
doesn't require dealing with the browser at all). If this isn't the
point, what is?

>> You can't send a page to the browser spontaneously.
>
> I could use the onBlur feature to automatically load logoff.

It's this sort of thing that is a major reason Javascript is Turned Off(tm).

> Perhaps I could use a frame, where an invisible page stays there
> just to confirm that the user's session is still valid. Many sites,
> e.g. PostNuke, display to a user what other users are currently
> logged on, so I don't want to reinvent the wheel...

If your purpose is to display who's logged on, that info is suspect
at best. You can't tell the difference between someone who is still
entering an update and one who has been arrested (leaving his browser
open) and is serving a life sentence, except by the magnitude of
the idle time. Oh, yes, there's also computers crashing, power
failures, and suddenly getting disconnected from the Internet via
dialup lines (call waiting, line noise, someone picks up extension
and starts dialing, etc.).

I suspect those sites displaying users logged in are using timeouts
and not worrying too much about accuracy.

Gordon L. Burditt
Jul 17 '05 #4
>> (The purpose is to just warn them when more than one
>> is updating the same data.)
>
> If you are really trying to track simultaneous updates to the same
> data, you need a lot more than login information. And isn't the
> time to do this when the user submits the conflicting change?

I used to provide for sending data's timestamp as a hidden field
and checking it before executing the update when it comes back.
It is an expensive style of coding, not always straightforward,
and seldom firing: users often work in the same office, know
what everybody else does, and apply human reasoning. Thus I've
decided I'll just warn them if they enter in the same logic area.
One logic area has its own cookie name and corresponding list of
sessions. The server maintains a session-group's list in a file
named after the cookie: on each request, the server deletes from
the list any session-id whose corresponding file doesn't exist any
more.

The other use of sessions is to store confirmation messages,
e.g. "your move operation succeeded: it moved 24 items".
Concurrency warnings, e.g. "user smith logged off at 10:44:35,
no other user is logged on", are appended to confirmations.

The resulting code is quite compact and smoothly portable to
different logic areas. One difficulty is adding the logoff link
to every page, which increases the likelihood that the user
does not logoff... :-(

> You can't tell the difference between someone who is still
> entering an update and one who has been arrested (leaving his
> browser open) and is serving a life sentence

However, the prisoner can get mercy or ask a relative to do
something with the browser for him. After the browser dies, there
is no way to reach the session on the server, except searching
all sessions in a group for the given user-id. That way a user can
delete all non-current sessions he owns, i.e. all sessions having
his user-id except the one issuing the "force logoff" command.

> I suspect those sites displaying users logged in are using timeouts
> and not worrying too much about accuracy.

Yes, and probably they have short (~300 secs) timeouts. I will wait
until next day, still shorter than life sentences, in most cases :-)

Jul 17 '05 #5
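
The session-group list and "force logoff" described in the post above, as an added example that is not the poster's code. It assumes PHP's default `files` session handler (data files named `sess_<id>`), a list file with one `session_id<TAB>user_id` line per session, and hypothetical function names.

```php
<?php
// Added example; list format and all function names are assumptions.
/** Session IDs become part of a file path: accept only PHP's ID alphabet. */
function valid_sid(string $sid): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $sid) === 1;
}

/** Data file of a session under PHP's default "files" save handler. */
function session_file(string $dir, string $sid): string
{
    return rtrim($dir, '/') . '/sess_' . $sid;
}

/** Drop list entries whose session file is gone; return [[sid, uid], ...]. */
function prune_group(string $listFile, string $dir): array
{
    $fh = fopen($listFile, 'c+');   // create if missing, never truncate on open
    if ($fh === false) { throw new RuntimeException("cannot open $listFile"); }
    flock($fh, LOCK_EX);            // concurrent requests share this file
    $alive = [];
    while (($line = fgets($fh)) !== false) {
        $p = explode("\t", rtrim($line, "\r\n"), 2);
        if (count($p) === 2 && valid_sid($p[0]) && is_file(session_file($dir, $p[0]))) {
            $alive[] = $p;
        }
    }
    ftruncate($fh, 0);              // rewrite the list with the survivors only
    rewind($fh);
    foreach ($alive as [$sid, $uid]) {
        fwrite($fh, "$sid\t$uid\n");
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $alive;
}

/** "Force logoff": delete the user's sessions other than the current one. */
function force_logoff_others(array $alive, string $dir, string $uid, string $currentSid): int
{
    $removed = 0;
    foreach ($alive as [$sid, $owner]) {
        if ($owner === $uid && $sid !== $currentSid && @unlink(session_file($dir, $sid))) {
            $removed++;
        }
    }
    return $removed;
}
```

The user-id passed to `force_logoff_others()` should come from the caller's own authenticated session, never from a request parameter, so a user can only remove sessions he owns.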