I need to build a feature like most of the banks use. Where..
if user has log in to bank account in a browser tab & again he/she change the url of browser & move to some other site.. and again come to bank's page by clicking browser's BACK button.. then bank automatically log out user from there site.
I think may be by java script we can do this.. but, can not able to understand how to do this. I'm using PHP for my server side script. Is this, possible by PHP to do this..
Regards
Suresh
This not a java/PHP question but depends on the exact behaviour you want to implement.
The only way to track the user "live" is through javascript. So if you want to know when the user leaves the page, you can bind yourself to an event listener and then do an ajax call or something like this that invalidates the session on the serverside. Keep in mind that users may be browsing your site with JS disabled, so you need a fallback on the serverside.
I would recommend you to implement session storage on the serverside with a storage mechanism (either the built-in PHP session store or some external storage like Couchbase or Redis, Memached,...) and set the logout time to a sane default (lower if it is something like a banking application).
If you have the basics in place, use JavaScript to enrich the user experience, for example by showing a "countdown" when the user will be logged out and sending session refresh ajax calls to the server to renew the session every time the user has an interaction with the website and such.
For more detailed information I'd need more requirements from your side!
Related
The Dynamics documentation is just awful and I couldn't find an answer to this simple question:
In the web version of the CRM, is it possible to register a web page that can be toggled by the user and that itself has an internal state (updated regularly by an interval set with setInterval) that will persist even if the users closes the page (not the entire CRM, just the sub-page)?
We need the user to provide some information for a CTI integration, and this background process to keep alive the CTI session by polling an API while the user session is active. In addition, we need to reuse the component where the user provides the CTI information to be notified if the session fails and restore it or close it if necessary. The real purpose for this is to make a screen pop (push content information about the incoming call to the agent) which I know can be done using Xrm.Utility, although doing it with a REST API method would be much better, RouteTo Aciton looks like the best method to do this, but I'm not sure it will proactively show the item in the user's browser.
I'm not sure this question is as simple as you suggest, it seems relatively complicated, and involves an integration. I'm not suprised the Dynamics documentation doesn't provide an answer for this specific and unique scenario.
I don't believe there is any single feature within Dynamics that will meet this requirement.
You could use a HTML web resource or a web page from a seperate web site iframed into CRM. I think the possible use of these depends on your expected user experience; I believe the user would need to have the page loaded at all times showing these controls (e.g. user is looking at a dashboard) - I don't see how the controls could interact with the user client side otherwise. You could show the controls in multiple places however.
Xrm.Utility is one way to open a record, but it can also be done by Open forms, views, dialogs, and reports with a URL.
RouteToAction looks like it just adds a record into the user queue, the user would need to refresh the queues to see the changes. I don't believe there is any way for a server side REST API call to natively redirect the user.
You could add JavaScript to do this, however you might struggle to add the JavaScript into every page of CRM.
Where I have worked on a CTI integration in the past (assuming you mean computer telephony integration), we always had some other component doing the screen pops - the client's all had a desktop app installed as part of the telephony solution.
Perhaps you could look into browser notifications, or a browser plugin?
I have a web site with following functionality: An user comes to www.mysite.com/page.php. Javascript on that page makes ajax API call to www.mysite.com/api.php and shows results on the same page www.mysite.com/page.php
I'm afraid of situation where somebody starts to use my api.php on own software, because using www.mysite.com/api.php costs me a bit money. Therefore I want that only users that have visited the page www.mysite.com/page.php can get valid results from www.mysite.com/api.php . There won't be any way for users to log in to my web site.
What would be the right way to do this? I guess I could start a session when an user comes to page.php and then somehow maybe first check on api.php that a session with valid session id exists?
If you just want the user to visit page.php before using api.php, the session is the way to go.
Typically, if you want a "soft" protection you use the POST verb to get results from your site. Then, if the user goes the the URL in their browser and just types the api.php call they will not get a result. This doesn't protect your site but it keeps search engines away from that url reasonably well and accidental browsing to it.
Otherwise, there are lots of authentication plugins for php.
http://www.homeandlearn.co.uk/php/php14p1.html for example.
You can check the request in several ways such as Token validation, Session validation or even by Server 'HTTP_REFERER' variable
Check the referrer with $_SERVER['HTTP_REFERER'] if its outside the domain block it.
Beware that people can alter their REFERER so its not secure.
Another better solution might be a CAPTCHA like this one from google https://www.google.com/recaptcha/intro/index.html
Cookies, HTTP-Referer, additional POST-Data or some form data, that you send in an hidden input field aren't secure enough to be sure, that the user comes from your site.
Everything of it can be easily changed by user, by modifying the http-headerdata (or if you use cookies, by changing the cookie-file on the client machine).
I would prefer the PHP-Session combined with an good protection against bots (ex. a Honeypot), because it's not so easy to hi-jack, if you use them properly.
Please note: If there is a bot especially for your site, you lost anyway. So there isn't a 100% protection.
I am writing a browser data analyzer which detects user activities and sends to server. This way server can provide some personalization based on users interest.
I am trying to intercept when user bookmarks page or saves the page. Then I would send this information to server so as server knows more details about users interest.
I know usually we track users interest based on what links he clicked. But I want to add more functionality to this by including client side tracking also.
I am not sure if we can do using javascript. If not javascript, can I do using something else..like an applet probably?
Any help would be appreciated. Thanks.
I don't think it's possible to intercept whether a user bookmarks a page. You could add a button that adds the page to their favorites and track that. It won't track whether or not they add it through other means though.
I need a solution based on java script(cookies), which could save the user selected preferences and render the output(html pages) acc. to the cookie saved.
Here is the situation:
Lets say user starts from page1 and navigates to page2(having 40-50 hyperlinks) and there he selects or clicks one of the hyperlink and get directed to the target page(there will be 40-50 pages corresponding to those 40-50 links).
So all i need is to automate the whole process, so that after first visit user's selection could get saved and he will directly get navigated to final target(It will be one of the page from 40-50 pages).
Any code-snippet will highly be appreciated..
mrana
I am curious to know why can't you do this in a preference table on the server side. Cookies can be removed from the browser (which would force users to go through that step again) and storing 40-50 cookies in the browser is not a good solution, as cookies get transmitted to every HTTP request so it would waste users' bandwidth.
If you have these settings/preferences stored on the server side then you can easily determine where to send the user when he logs in to your site, instead of extracting those information from the cookies.
Alternatively you can store these preferences in localStorage which provides bigger storage for storing key/values. The downside is that you need to load a bootstrap JS first which will read the settings from localStorage and decide where to redirect the user.
But IMHO I'd still go with a server side solution if I have to store 40-50 preferences.
Note: Cookies can only have 4KB of data, this is a limit.
I have a web application which is used by lots of non-technical users. I have found that several of these users are saving the login page of the application to their desktops (which also saves the associated CSS and JS files). Then, to start using the application, they double click on that desktop icon which shows the local copy using the file:// protocol.
This can cause problems later on, e.g. if I change the login form, or the URL it posts to, etc. Also, certain javascript utilities, e.g. PIE.htc don't work using the file:// protocol.
Obviously what they should be doing is saving a browser bookmark/favorite, I'm looking for a way of detecting and warning those users without confusing the rest. I have been using some javascript to warn these users:
if (top.location.protocol == 'file:') {
alert('This application is not designed to be accessed from a desktop copy...')
}
But this will only warn users that have saved the desktop copy since I have added this piece of javascript.
Has anyone else had this problem and come up with clever solutions that they'd like to share?
Thanks
Update:
In the end I decided to do this by setting a cookie with a nonce value upon login page request, and storing the same value as a hidden field in the form. Then, in the form submit handler, check that the two are the same and show an error message if not. One could store the nonce in a session instead of a cookie, but I don't want to create unnecessary sessions.
If the user has saved the login page locally, they will likely have different nonce values in the saved form compared to the cookie (if they have a cookie at all).
Normally one wouldn't add CSRF protection (that's sort of what this is) to a login form, but it fulfills my requirements. I read about this technique on The Register, http://www.theregister.co.uk/2009/10/02/google_web_attack_protection/, Google implemented similar protection for their login forms, to protect against forging of login requests, http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests.
I think your best bet is going to be educating the users to use bookmarks instead of saving physical files.
Other than that, there's probably a way to create a shortcut to your URL instead, perhaps during logon?
Maybe cookies? If site is running with file:\\ there probably are not any cookies within request. (Of course, now you should add some cookie (session data) on your login page.
Also, read about CSRF http://en.wikipedia.org/wiki/Cross-site_request_forgery and preventing method.
You could probably check the http referrer on the server side and warn users not coming from your hosted login form.
Edit:
Actually, a vaguely similar question has been asked before and got a good explanation why referrer is not an ideal solution and also provides an alternative solution: How to check if a request if coming from the same server or different server?
Why, don't you, instead of the alert, put a redirect to your page?
window.location = 'http://www.yourdomain.com'
Or you can also force a reload with window.location.reload();
Instead of message you may redirect your user to the real page which has login form, or show the help box that will explain that user should save page in such way.
You could set a session variable that is set as a hidden variable in the form. If that is not there, you redirect to your login form.