On a password protected website (ajax-php-jquery login system), a fadeIn/fadeOut alert confirms that the user just logged out. The user is sent back to the login page and I do a document.referrer to check if he comes from a page of the site (if so it means that he just logged out so I can display the message). But of course if the user refreshes the page he will get the notice again.
I was thinking of changing the document.referrer but the property is read-only. Any idea how I could display the message only once if the user did log out?
You could do a conditional with PHP:
if(isset($_SESSION['justLoggedOut'])){
print '<script type="text/javascript"> ..notification code.. </script>';
unset($_SESSION['justLoggedOut']);
}
You just have to set the session from within the authenticated area (or the logout page which redirects to the index page [I'm assuming.])
Using a cookie would be easiest route. Simply add a cookie when they log out, and then delete it after the notification has been shown. This cookie could contain all of the information you want about the log out: e.g. the time the logged out and the URL from which they initiated the log out.
Of course, that is assuming your clients are allowing cookies on your site. A server side alternative would be to use session data. Your notification would then send an AJAX call back to the server to clear the indicator that the notification should be shown.
Related
When users log into my PHP website, they are automatically logged out after a period of inactivity.
I have a few input fields on the main page for searching for stuff. Input type="text" with JQuery autocomplete option on them. The JQuery autocomplete takes user input and sends it to a PHP file that searches the database and returns data in JSON format.
The original page displays the data returned in a clickable list.
Now, if users have been logged out due to inactivity, this isn't immediately obvious, unless of course they choose to reload the page. Most don't, however. So if they just start entering search words, they just get nothting, because they're not logged in.
I already have a routine to redirect users to the login page if they're not logged in. But this doesn't work in this case, because it's the JSON-generating page that is being redirected, that that doesn't really have any influence on the main page.
Also, I can't see how I can interact directly with what's being returned - it seems like JQuery does all of the data handling internally, so I can't really grab onto data returned and tell the main page to redirect in that case.
How do I achieve the desired result?
On server side ajax first check login condition and based on that give respons e like {login:false} something like that, in your jquery function check that response and if login=false then redirect using window.location.
My goal is to make a modal window popup if a user clicks on a link to a page (or POSTs a form) for which he is unauthorized, as it is a better user experience than redirecting to a generic error page.
What I did is implement
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
// ...
}
so that if the request is a non-AJAX request then it redirects to the same page (gives the illusion of staying on the same page) and appends the query string with "forbiddenRedirect=true" and then JavaScript opens the error modal. I'm trying to think of a better way than using the query string. From what I can tell, there's no way for JavaScript to access response headers, only the URL. That's why I went with the query string solution. But maybe in MVC there's some way I can redirect and pass some sort of token that the base controller can recognize and then add something to the view bag like ViewBag.IsRedirectFromUnauthorizedAction = true.
Any suggestions?
The user should never get to a page where they can post data without being authenticated and authorised!
If your users can get to forms where they can post information (lets go with a User Profile Page), they should be authenticated before they can even get there. So for example, you would lead the user to a Log in page before you allow them to access the Edit Profile page. Once they have authenticated themselves and you have checked they are authorised to perform a POST on a particular page, then you present them with the form.
But what if their session times out?
In the event that the user authenticates and gets to that page, then their session times out, you should redirect them back to the Log in page where they are prompted for their credentials again and deny their post request. In an ideal scenario, you should have an AJAX function running in the background every 30 seconds or so. If they are idle for a set period of time (lets say 5 minutes) then you can assume they have closed the browser or left their PC unattended. At this point, either ask the user (via modal window) if they'd like to stay logged in or be logged out in 30 seconds. If they click the Stay logged in button, leave them be. If they don't answer, you can log them out and automatically redirect them back to the Login page.
I have basic login code system that every values of the textboxes(user inputs) will store in a SESSIONS. After the user's login, my HOME.php showed. And in a HOME.php, The user clicked the back arrow of google chrome, and it seemed the page is going back to the INDEX.php where user logged-in. I was trying if the sessions in index.php are exist. if not go back to home.php?
How could I prevent if the user try to click the back arrow of chrome and still remain in home.php?,
You should check whether the session has set in the index.php and if it was set then you should redirect the user to home.php else to remain same in the index.php
So, In your index.php you should have this code
if(isset($_SESSION['user']))
{
header("Location: home.php");
}
else
{
#Ask for credentials using your form
}
Note : I am using $_SESSION['user'] you should the name that you are using.
I am not exactly sure what the problem is, but I think you want to check if the user session exists in your index.php page. If it does, redirect automatically to home.php and if it does not, show the page contents / login form.
i have a issue with my SESSIONS, on the first page the user clicks on a anchor, then if the user is logged in will be redirected without problem, but if not, first he will pass through login page, but when the user reach thelogin page, the variables are missing. (The login page occurs after the redirect page). So i have saved the SESSIONS with $_GET parameters.
How i can keep the current SESSIONS to redirect the user after the login?
Thanks!
EDITED
Page: retailer.php (this page is where its fired the parameters)
<a href="/go2store.php?rid=<?php echo $row['slug_title']; ?>&c=<?php echo $row_coupons['coupon_id']; ?>" onclick="javascript:window.location.href='<?php echo $row_coupons['logout_url']; ?>';" target="_blank">
Page: go2store.php (this page is where i'm saving the SESSION)
$_SESSION["myCupon"] = "/go2store.php?rid=".$_GET['rid']."&c=".$_GET['c'];
Page: redirect.php (This page its checking if the user is logged in, if yes, redirect to the URL on the SESSION, if not will send to login.php)
Page: login.php (here i have this on top of the code)
session_start();
$_SESSION["myCupon"] = "/go2store.php?rid=".$_POST['rid']."&c=".$_POST['c'];
But it comes empty, its not returning any values after the redirect.php page.
As noted by a user in the comments, you need to include:
session_start();
At the top of each page to carry session variables across pages, otherwise it won't recognise the vars you set initially.
We don't know how you're organising your code, but this needs to be present both before and after potential login.
You can easily set/get $_SESSION variables prior to login or indeed set/get upon login from other vars you might use in pages that aren't yet authenticated.
I have an application URL which generates xyz named cookie for me if the user is logged in, in browser. I want to hit the URL programatically(using Java/JSP) to look if the user is logged in or not.
Now every time when I hit the url from my Java code it doesn't find that cookie (xyz) as it creates new session on every request. This is probably because I am hitting the url from my code. Now how can I come up with this situation so that my application will create cookie in browser and my code will look for that cookie.
The cookie is stored client-side by the browser of the user, so if you call the URL server-side it won't sent the cookie back with the response.
The way you are trying to know that user is logged in or not, can not be achieved through your approach.
Possible workaround for our case is :
Implement the HttpSessionAttributeListener and override the method attributeAdded and attributeRemoved method of it.
When ever session is getting created for logged in user, you would be saving the userName attribute is session most probably. Once the userName attribute is getting saved, attributeAdded method of your listner will get called and you can see the name of user there, once user is logged out, attributeRemoved method will get called by trigger of session invalidate method and your listener will get the notification . You can see the name of user who has logged out.
See below example for detail explanation.
http://www.roseindia.net/servlets/SessionAttributeListenerExample.shtml