Hello Dreamweaver gurus!
Please, how can I automatically time out my website's member login page after a specific period of user inactivity?
I found out that if a member logs into my restricted page and forgets to log out, the page will not be logged out automatically.
How can I make my web page log out automatically after a specific period of user inactivity?
See my member login page below:
<?php require_once('Connections/democon.php'); ?>
<?php
//initialize the session
if (!isset($_SESSION)) {
session_start();
}
// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
$logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
//to fully log out a visitor we need to clear the session variables
$_SESSION['MM_Username'] = NULL;
$_SESSION['MM_UserGroup'] = NULL;
$_SESSION['PrevUrl'] = NULL;
unset($_SESSION['MM_Username']);
unset($_SESSION['MM_UserGroup']);
unset($_SESSION['PrevUrl']);
$logoutGoTo = "login.php";
if ($logoutGoTo) {
header("Location: $logoutGoTo");
exit;
}
}
?>
<?php
if (!isset($_SESSION)) {
session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == "") && true) {
$isValid = true;
}
}
return $isValid;
}
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
$MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
$colname_Recordset1 = "-1";
if (isset($_SESSION['MM_Username'])) {
$colname_Recordset1 = $_SESSION['MM_Username'];
}
mysql_select_db($database_democon, $democon);
$query_Recordset1 = sprintf("SELECT * FROM portal WHERE idno = %s", GetSQLValueString($colname_Recordset1, "text"));
$Recordset1 = mysql_query($query_Recordset1, $democon) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<p style="font-size: 18px"> </p>
<p style="font-size: 18px">Welcome <span style="color: #F00"><?php echo $row_Recordset1['firstname']; ?></span> <span style="color: #F00"><?php echo $row_Recordset1['surname']; ?> !</span> You are now login into the member area.</p>
<p> </p>
<table width="356" height="127" border="0" align="center" cellpadding="6">
<tr>
<th colspan="2" bgcolor="#FFFFCC" scope="row">YOUR PROFILE</th>
</tr>
<tr>
<th width="134" align="left" bgcolor="#FFFFCC" scope="row">ID NO</th>
<td width="342" bgcolor="#FFFFCC"><?php echo $row_Recordset1['idno']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">SURNAME</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['surname']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">FIRST NAME</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['firstname']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">EMAIL</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['email']; ?></td>
</tr>
</table>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p><a href="<?php echo $logoutAction ?>">LOG OUT</a></p>
<p> </p>
<p> </p>
<p> </p>
</body>
</html>
<?php
mysql_free_result($Recordset1);
?>
To keep it simple, you should save a session variable with a timestamp in it. Every request made should merely check the timestamp against the current time. Decide how much time is considered "expired" and, if the timestamp exceeds that duration, force your logout procedure. Do remember to continuously reset that timestamp on every request, or your user will time out every time.
Think this through regarding the closing of the browser, however. If someone merely closes the browser and walks away, another person could open the browser and go back to the page with a valid login. This could be good or bad based on your needs. For example, my bank will not reload after the browser is closed, but Gmail will happily reload mail.
You can couple this with some simple JavaScript that keeps track of the user's actions with the same approach. If JavaScript detects the user has idled past your limits, it either prompts the user to stay logged in (the modern way) or auto-forwards to a logout.
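Putting the approach above into code, as an added example for this thread rather than code from any post in it: a small guard file that a Dreamweaver page can require_once before its own session and restrict-access blocks. It keeps the timestamp in its own session key, so the string Dreamweaver stores in $_SESSION['MM_Username'] is left untouched; it enforces both an idle limit and an absolute lifetime; on timeout it destroys the whole session and its cookie rather than unsetting one variable; and it sends Cache-Control: no-store so the browser's Back button cannot show a cached copy of the restricted page without asking the server. It is written with array() instead of the short [...] syntax, because that syntax only exists from PHP 5.4 onwards and older PHP reports it as "syntax error, unexpected '['". The constant names, the last_activity and login_time keys, the session_guard.php filename and the login.php?reason=... redirect target are assumptions made for this example.

```php
<?php
// session_guard.php -- added example for this thread, not code from any post in it.
// Assumes the login page sets $_SESSION['MM_Username'] (the Dreamweaver convention
// shown in the thread). The key names, constants and redirect target are ours.

define('IDLE_MAX', 15 * 60);       // seconds of inactivity before a forced logout
define('ABSOLUTE_MAX', 8 * 3600);  // hard ceiling on session age, activity or not
define('LOGIN_PAGE', 'login.php');

function start_guarded_session()
{
    // session_id() is '' until a session has been started; works on PHP 5.3 too.
    if (session_id() === '') {
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        // lifetime 0 = cookie dies with the browser; httponly keeps JS away from the ID
        session_set_cookie_params(0, '/', '', $secure, true);
        session_start();
    }
    // A restricted page must never be served from the browser or proxy cache,
    // otherwise Back can redisplay the old copy without hitting the server.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
}

function force_logout($reason)
{
    // Wipe the data, then the ID cookie, then the server-side record.
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . LOGIN_PAGE . '?reason=' . urlencode($reason));
    exit;
}

function enforce_session_timeout()
{
    if (!isset($_SESSION['MM_Username'])) {
        return; // not logged in; the page's own restrict-access block redirects
    }
    $now = time();
    if (!isset($_SESSION['last_activity'])) {
        // first request after login: start both clocks
        $_SESSION['last_activity'] = $now;
        $_SESSION['login_time']    = $now;
        return;
    }
    if ($now - $_SESSION['last_activity'] > IDLE_MAX) {
        force_logout('idle');
    }
    if ($now - $_SESSION['login_time'] > ABSOLUTE_MAX) {
        force_logout('expired');
    }
    $_SESSION['last_activity'] = $now; // activity seen: reset the idle clock
}

start_guarded_session();
enforce_session_timeout();
```

Save this as session_guard.php and put require_once('session_guard.php'); as the very first line of member.php (before require_once('Connections/democon.php')) and of every other script a logged-in member can reach, including download handlers and anything called via AJAX, since the timeout only protects requests that pass through it. The existing Dreamweaver blocks of the form if (!isset($_SESSION)) { session_start(); } then find the session already started and leave it alone. If the login page does not already do so, call session_regenerate_id(true) right after the credentials check so the session ID that receives member privileges is not one the browser held before login. For a quick test, set IDLE_MAX to 5 as in the post above, log in, wait six seconds, refresh, and confirm you land on login.php?reason=idle.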
Thanks for your reply!
'To keep it simple, you should save a session variable with a timestamp in it. Every request made should merely check the timestamp against the current time. Decide how much time is considered "expired" and, if the timestamp exceeds that duration, force your logout procedure. Do remember to continuously reset that timestamp on every request, or your user will time out every time.'
As you said above, can you please help me write the code so that I can implement it? Thanks.
I can show you a stripped down example of what I mean but you can easily weave this into your own code.
In this example I'm just going to start a session, check for the existence of an 'auth' session variable (representing your authentication info), and if it doesn't exist I will hard-code a value into it. You would be actually authenticating the user at this point and storing that instead. During that time I just inject a 'timestamp' portion into my session.
Every time the page is loaded I'm checking the timestamp to see if it's in the valid range. I defined a constant 'IDLE_MAX' which is just the number of seconds until I consider that user to be logged out. I set it to 5 so you can quickly see the example function. So after 5 seconds the code will consider the user as having "exceeded" the max idle time and removes the session data.
Simple example (just paste into a .php page and test alone):
<?php
session_start();
# set an expire to 5 seconds for testing
define('IDLE_MAX', 5);
$msg = '';
if (!isset($_SESSION['auth']))
{
# new session
$_SESSION['auth'] = (object) ['id'=>123, 'timestamp'=>time()];
$msg = '<p>User had no session, new session created.</p>';
}
else
{
# does the idle time exceed the max seconds?
if ((time() - $_SESSION['auth']->timestamp) > IDLE_MAX)
{
# yes, log them out..
unset($_SESSION['auth']);
session_write_close();
$msg = '<p>User has expired session.</p>';
}
else
{
$msg = '<p>Users session exists and is valid, updating timestamp.</p>';
$_SESSION['auth']->timestamp = time();
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Session expire example</title>
</head>
<body>
<?php print $msg; ?>
</body>
</html>
You will see one of 3 messages when you refresh your browser. It will either announce it has no session in memory and will start a new session (this is where you perform your authentication).
If you refresh within 5 seconds (or whatever you set IDLE_MAX to) it will tell you the user auth info exists, and then updates the timestamp. You can refresh as much as you like and it considers it a valid login due to activity.
If you exceed 5 seconds (or again, whatever IDLE_MAX is) and refresh you will see the session expired message and the session auth variable is removed as well as session closed. At that point the user must go back to step 1 and authenticate.
There's nothing magical or hard to follow in there so it's really up to you to put this simple logic in your own code. There are other strategies when the criteria of encryption and confidentiality come into perspective but for most simple purposes, since this is entirely server-side (assuming your session folder is secure), it works well.
OK! Let me try it and see the outcome. I will notify you of the outcome.
You could use a simple meta refresh tag - 60 seconds
<meta http-equiv="refresh" content="60; url=log_out.php">
and in the 'log_out.php' page destroy the session - I think Dreamweaver has a server behaviour for doing that although I have not checked in some time. Then just redirect back to the login.php page.
PHP alone won't 'automatically' do anything without a page refresh.
Personally I'd use jQuery rather than a meta refresh tag but both do the same and the meta tag is easier to set up.
I'd use JavaScript as I mentioned, for user-friendliness (give a warning before punting), short of that it's too insecure to rely on. Scripts can be turned off and a meta tag can be easily disabled with developer tools in a couple seconds while someone's not looking. The server is always king when it comes to integrity and security. Anything else is just decoration.
More to the point, either a Refresh or a JavaScript redirect after a timeout won't matter if the browser is closed and re-opened long after; the session could still exist. Put another way, neither JavaScript nor Refresh can log a user out by themselves; the server language is responsible for always checking validity.
sinious wrote:
I'd use JavaScript as I mentioned, for user-friendliness (give a warning before punting), short of that it's too insecure to rely on. Scripts can be turned off and a meta tag can be easily disabled with developer tools in a couple seconds while someone's not looking. The server is always king when it comes to integrity and security. Anything else is just decoration.
I totally agree with that; however, as I have NOT tested this I'm not sure of the answer, so maybe you can enlighten me.
Say a user was on a secure page, maybe games downloads or video downloads etc. The user vacates their computer and doesn't come back, leaving the download (secure) page still open. I know that when the page is refreshed or another page is called using the PHP solution the session is 'killed', but what if the page is not refreshed? Could the downloads still be accessible until the page is refreshed or another page is called?
The only reason I suggested a meta refresh/jQuery redirection to a log-out page where the PHP session is destroyed is because, after a certain period of inactivity, it actually does direct away from the 'open' secure page, BUT as you say it is open to abuse IF someone knows how to navigate around it.
PHP is obviously a more secure solution, but it lacks the ability to do anything until manually provoked into doing it. In an ideal world there would be a language that has the security of server-side scripting and the flexibility of client-side decision making.
I'm certainly not advocating just a meta tag refresh without destroying the PHP session, as the OP is deploying; that would be totally insecure.
Thanks so much! It works perfectly. It redirects the user to the logout page after 60 seconds.
But the main problem is that if such a user clicks the Back button in the browser, they can regain access to my restricted member page.
Is there a way to prevent such a user from clicking the Back button?
You have the PHP-side answer in the code example above. That answer logs the person out on the server side so no amount of refreshing, going back or restarting a browser will keep a user logged in beyond the amount of "idle" time you specify.
What I'm getting here is you don't know PHP because the answer is very simple. Do you know PHP? If not you should specify that. It's very important to understand the code people may give you before you may blindly open a giant problem in your system, compromising it.
I am not that pro in PHP, but I am trying moderately. Most of my code is written by Dreamweaver; I only like to modify some parts to suit my needs. That is why I always paste my code here for review.
What I expect from a good programmer like you is to look into the Dreamweaver code I pasted above and tell me where I should make the necessary additional code; I will implement it and tell you the feedback. This is what good members here did for me.
Remember, not every Dreamweaver user is a professional PHP guru.
I am sorry to mention a name, but I respect a member here with the ID osgood_. That programmer helped me solve one of my complicated PHP problems in Dreamweaver. I can tell you that many programmers ran away in one forum where I pasted the code earlier; they said my code was plenty and they can solve the problem.
I'm not sure if this will work, as I rarely use the PHP/MySQL code generated by Dreamweaver, but you could give it a try. Also, the code seems a bit mangled, because you're directing to login.php as the restricted secure page ($MM_restrictGoTo = "login.php";) after a successful login, but I can't see any login form in the HTML code. Maybe the login code just got left in the page; it's hard to tell.
Anyway, what you ultimately need to do is unset $_SESSION['MM_Username'], which is set when the user logs in, so insert the code that sinious posted (shown in black below) between the code in red, which already exists in the code you posted. I'm assuming that at some point, if a user HAS successfully logged in and this is the page they go to when that occurs, $_SESSION['MM_Username'] will be available to the page.
After 5 seconds, refresh the page and see if you get any message.
if (!isset($_SESSION)) {
session_start();
# set an expire to 5 seconds for testing
define('IDLE_MAX', 5);
$msg = '';
if (!isset($_SESSION['MM_Username']))
{
# new session
$_SESSION['MM_Username'] = (object) ['id'=>123, 'timestamp'=>time()];
$msg = '<p>User had no session, new session created.</p>';
}
else
{
# does the idle time exceed the max seconds?
if ((time() - $_SESSION['MM_Username']->timestamp) > IDLE_MAX)
{
# yes, log them out..
unset($_SESSION['MM_Username']);
session_write_close();
$msg = '<p>User has expired session.</p>';
}
else
{
$msg = '<p>Users session exists and is valid, updating timestamp.</p>';
$_SESSION['MM_Username']->timestamp = time();
}
}
}
Thanks for the reply. I have done what you said, but I got this error:
Parse error: syntax error, unexpected '[' in C:\xampp\htdocs\demo\member.php on line 18
and the code at my line 45 is: $_SESSION['MM_Username'] = (object) ['id'=>123, 'timestamp'=>time()];
See how I implemented the code as you directed (bolded):
<?php require_once('Connections/democon.php'); ?>
<?php
//initialize the session
if (!isset($_SESSION)) {
session_start();
# set an expire to 5 seconds for testing
define('IDLE_MAX', 5);
$msg = '';
if (!isset($_SESSION['MM_Username']))
{
# new session
$_SESSION['MM_Username'] = (object) ['id'=>123, 'timestamp'=>time()];
$msg = '<p>User had no session, new session created.</p>';
}
else
{
# does the idle time exceed the max seconds?
if ((time() - $_SESSION['MM_Username']->timestamp) > IDLE_MAX)
{
# yes, log them out..
unset($_SESSION['MM_Username']);
session_write_close();
$msg = '<p>User has expired session.</p>';
}
else
{
$msg = '<p>Users session exists and is valid, updating timestamp.</p>';
$_SESSION['MM_Username']->timestamp = time();
}
}
}
// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
$logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
//to fully log out a visitor we need to clear the session variables
$_SESSION['MM_Username'] = NULL;
$_SESSION['MM_UserGroup'] = NULL;
$_SESSION['PrevUrl'] = NULL;
unset($_SESSION['MM_Username']);
unset($_SESSION['MM_UserGroup']);
unset($_SESSION['PrevUrl']);
$logoutGoTo = "login.php";
if ($logoutGoTo) {
header("Location: $logoutGoTo");
exit;
}
}
?>
<?php
if (!isset($_SESSION)) {
session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == "") && true) {
$isValid = true;
}
}
return $isValid;
}
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
$MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
$colname_Recordset1 = "-1";
if (isset($_SESSION['MM_Username'])) {
$colname_Recordset1 = $_SESSION['MM_Username'];
}
mysql_select_db($database_democon, $democon);
$query_Recordset1 = sprintf("SELECT * FROM portal WHERE idno = %s", GetSQLValueString($colname_Recordset1, "text"));
$Recordset1 = mysql_query($query_Recordset1, $democon) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="refresh" content="60; url=login.php">
<title>welcome</title>
</head>
<body>
<p style="font-size: 18px"> </p>
<p style="font-size: 18px">Welcome <span style="color: #F00"><?php echo $row_Recordset1['firstname']; ?></span> <span style="color: #F00"><?php echo $row_Recordset1['surname']; ?> !</span> You are now login into the member area.</p>
<p> </p>
<table width="356" height="127" border="0" align="center" cellpadding="6">
<tr>
<th colspan="2" bgcolor="#FFFFCC" scope="row">YOUR PROFILE</th>
</tr>
<tr>
<th width="134" align="left" bgcolor="#FFFFCC" scope="row">ID NO</th>
<td width="342" bgcolor="#FFFFCC"><?php echo $row_Recordset1['idno']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">SURNAME</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['surname']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">FIRST NAME</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['firstname']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">EMAIL</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['email']; ?></td>
</tr>
</table>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p><a href="<?php echo $logoutAction ?>">LOG OUT</a></p>
<p> </p>
<p> </p>
<p> </p>
</body>
</html>
<?php
mysql_free_result($Recordset1);
?>
Now, what could be the problem?
Let's just back up a bit. Keep a backup copy of your current members.php page. Then copy the code below, paste it into a new Dreamweaver document and save it as members.php. Sign in to the page and see what happens.
<?php require_once('Connections/democon.php'); ?>
<?php
//initialize the session
if (!isset($_SESSION)) {
session_start();
# set an expire to 5 seconds for testing
define('IDLE_MAX', 5);
$msg = '';
if (!isset($_SESSION['MM_Username']))
{
# new session
$_SESSION['MM_Username'] = (object) ['id'=>123, 'timestamp'=>time()];
$msg = '<p>User had no session, new session created.</p>';
}
else
{
# does the idle time exceed the max seconds?
if ((time() - $_SESSION['MM_Username']->timestamp) > IDLE_MAX)
{
# yes, log them out..
unset($_SESSION['MM_Username']);
session_write_close();
$msg = '<p>User has expired session.</p>';
}
else
{
$msg = '<p>Users session exists and is valid, updating timestamp.</p>';
$_SESSION['MM_Username']->timestamp = time();
}
}
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
$colname_Recordset1 = "-1";
if (isset($_SESSION['MM_Username'])) {
$colname_Recordset1 = $_SESSION['MM_Username'];
}
mysql_select_db($database_democon, $democon);
$query_Recordset1 = sprintf("SELECT * FROM portal WHERE idno = %s", GetSQLValueString($colname_Recordset1, "int"));
$Recordset1 = mysql_query($query_Recordset1, $democon) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="refresh" content="60; url=login.php">
<title>welcome</title>
</head>
<body>
<?php print $msg; ?>
<p style="font-size: 18px"> </p>
<p style="font-size: 18px">Welcome <span style="color: #F00"><?php echo $row_Recordset1['firstname']; ?></span> <span style="color: #F00"><?php echo $row_Recordset1['surname']; ?> !</span> You are now login into the member area.</p>
<p> </p>
<table width="356" height="127" border="0" align="center" cellpadding="6">
<tr>
<th colspan="2" bgcolor="#FFFFCC" scope="row">YOUR PROFILE</th>
</tr>
<tr>
<th width="134" align="left" bgcolor="#FFFFCC" scope="row">ID NO</th>
<td width="342" bgcolor="#FFFFCC"><?php echo $row_Recordset1['idno']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">SURNAME</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['surname']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">FIRST NAME</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['firstname']; ?></td>
</tr>
<tr>
<th align="left" bgcolor="#FFFFCC" scope="row">EMAIL</th>
<td bgcolor="#FFFFCC"><?php echo $row_Recordset1['email']; ?></td>
</tr>
</table>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p><a href="<?php echo $logoutAction ?>">LOG OUT</a></p>
<p> </p>
<p> </p>
<p> </p>
</body>
</html>
<?php
mysql_free_result($Recordset1);
?>
Thanks for the reply!
I have backed up the initial members.php and created a new page as members.php, as you said, with the new code you gave. Unfortunately it still gives the same error on line 23, which is this:
Parse error: syntax error, unexpected '[' in C:\xampp\htdocs\demo\members.php on line 23
The code on line 23 is: $_SESSION['MM_Username'] = (object) ['id'=>123, 'timestamp'=>time()];
I am suspecting that id, because I do not have any id column in my database table but rather idno, and I even changed it to idno, but the problem still persists.
If this PHP server method does not work, I will stick to the meta refresh method. I will just modify it to pop up an alert for my website visitors.
lancoin wrote:
Thanks for the reply!
I have backed up the initial members.php and created a new page as members.php, as you said, with the new code you gave. Unfortunately it still gives the same error on line 23, which is this:
Parse error: syntax error, unexpected '[' in C:\xampp\htdocs\demo\members.php on line 23
The code on line 23 is: $_SESSION['MM_Username'] = (object) ['id'=>123, 'timestamp'=>time()];
I am suspecting that id, because I do not have any id column in my database table but rather idno, and I even changed it to idno, but the problem still persists.
If this PHP server method does not work, I will stick to the meta refresh method. I will just modify it to pop up an alert for my website visitors.
It may have something to do with the 'id', BUT I have recreated the same setup as you have on my local computer and do not experience the problem. The page does not throw an error for me and acts as it should.
You really tried! Though it did not work for me, I still appreciate it. Maybe the problem is from that id; that is why my Dreamweaver constantly points to it as an error. Thanks.
You should really just be able to test this by inserting the original code into a DW page and viewing it in a browser. IF you still get the error, then I think it's a PHP server compatibility issue. Not all servers are set up the same.
<?php
session_start();
# set an expire to 5 seconds for testing
define('IDLE_MAX', 5);
$msg = '';
if (!isset($_SESSION['auth']))
{
# new session
$_SESSION['auth'] = (object) ['id'=>123, 'timestamp'=>time()];
$msg = '<p>User had no session, new session created.</p>';
}
else
{
# does the idle time exceed the max seconds?
if ((time() - $_SESSION['auth']->timestamp) > IDLE_MAX)
{
# yes, log them out..
unset($_SESSION['auth']);
session_write_close();
$msg = '<p>User has expired session.</p>';
}
else
{
$msg = '<p>Users session exists and is valid, updating timestamp.</p>';
$_SESSION['auth']->timestamp = time();
}
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Session expire example</title>
</head>
<body>
<?php print $msg; ?>
</body>
</html>
.osgood_ ~
If the timeout is enforced on the server-side, any download links and other "actions" all absolutely need to (and should) be run through a validation. If there's a fully downloaded video on the screen there's only really client-side technology (JavaScript) that can detect if any "client side" action is valid and within timeout. I can think of a million scenarios and a million answers to each of them but ultimately if the user performs an action, whether directly by refreshing PHP or via AJAX, it should be hitting a server side script, and this timeout will ultimately decide if the action is permitted or not. It all has to be wired through it.
That said, although I said it's not 100% reliable and can be tampered with, I would absolutely use a JavaScript (preference) or meta refresh technique to bounce on the client side along with the logic in the back end. The back end is the absolute gate keeper and as you said, it'd be insecure if that isn't the case. The client side just decorates but is very important to a good user experience.
gear coin ~
Just $0.02, but you shouldn't go too far with the self-contained example code I gave. In that scenario I was 'defining' what, in your case, is $_SESSION['MM_Username']. It had not been previously assigned. If Dreamweaver is populating this with a string and you attempt to re-assign it with an object (as I am), you're going to get errors. My code was just created as a completely isolated example, not to be followed entirely literally here as a paste-in solution. I just needed to know your level of comfort with PHP.
I haven't scanned all of that code for PHP quality, nor do I admit to being familiar with the automation that Dreamweaver does, but I'm very familiar with PHP, so this is the code-only portion taken from your original post with my timestamp amendment added to it. As mentioned, duplicate the file so you have your old code intact (always, or better, use git or SVN and version it). Then try removing all the code portion of that page and replacing it with this:
<?php
# assuming this outputs nothing to the browser, otherwise put session_start() above this
require_once('Connections/democon.php');
// removed unnecessary conditional around this
session_start();
// allow logout to happen first if desired
// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
    $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
    //to fully log out a visitor we need to clear the session variables
    $_SESSION['MM_Username'] = NULL;
    $_SESSION['MM_UserGroup'] = NULL;
    $_SESSION['PrevUrl'] = NULL;
    unset($_SESSION['MM_Username']);
    unset($_SESSION['timestamp']); // unsetting our timestamp for cleanliness
    unset($_SESSION['MM_UserGroup']);
    unset($_SESSION['PrevUrl']);
    $logoutGoTo = "login.php";
    if ($logoutGoTo) {
        header("Location: $logoutGoTo");
        exit;
    }
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
    // For security, start by assuming the visitor is NOT authorized.
    $isValid = False;
    // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
    // Therefore, we know that a user is NOT logged in if that Session variable is blank.
    if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
            $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
            $isValid = true;
        }
        if (($strUsers == "") && true) {
            $isValid = true;
        }
    }
    return $isValid;
}
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
    $MM_qsChar = "?";
    $MM_referrer = $_SERVER['PHP_SELF'];
    if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
    if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
        $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
    $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
    header("Location: ". $MM_restrictGoTo);
    exit;
}
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}
//-----------------------------------------------------------------------------
// define your idle max, in seconds
define('IDLE_MAX', 5);
// if we already have $_SESSION['MM_Username'], let's check a timestamp
if (isset($_SESSION['MM_Username']))
{
    // if we get here, we're logged in.. check or add a timestamp
    if (isset($_SESSION['timestamp']))
    {
        // we have a timestamp, let's see if it exceeds our idle threshold
        if ((time() - $_SESSION['timestamp']) > IDLE_MAX)
        {
            // we have EXCEEDED our idle, we are therefore going to log out.
            // Using the assigned variable from above. header() only redirects
            // when given a "Location:" header, so prefix the URL with it:
            header("Location: " . $logoutAction);
            exit;
        }//if idle exceed
        else
        {
            // idle is not exceeded, allow the user to continue but UPDATE timestamp
            $_SESSION['timestamp'] = time();
        }
    }// if timestamp
    else
    {
        // we have a username but no timestamp, must be initial login
        $_SESSION['timestamp'] = time();
    }
}//if MM_Username
//-------------------------------------------------------------------------
$colname_Recordset1 = "-1";
if (isset($_SESSION['MM_Username'])) {
    $colname_Recordset1 = $_SESSION['MM_Username'];
}
mysql_select_db($database_democon, $democon);
$query_Recordset1 = sprintf("SELECT * FROM portal WHERE idno = %s", GetSQLValueString($colname_Recordset1, "text"));
$Recordset1 = mysql_query($query_Recordset1, $democon) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>
Again, I've changed none of the Dreamweaver logic outside removing closing/reopening PHP tags (unsure if the snippets need those, add as needed). I also removed the condition to start the session since it's entirely unnecessary. That's literally it, except the code you see near the end surrounded by the long comment lines //-----------------...
The page has 2 basic entry points that I can see but it doesn't matter how many it has. The logic is pretty simple. If by the time you get to my code you have had Dreamweaver validate a user, $_SESSION['MM_Username'] will be set. If that's true then I check for a timestamp. If none exists then the user was literally just logged in, so I add a timestamp. Every time the page is refreshed from that point, re-running all the code, the timestamp is checked to make sure it's below your IDLE_MAX (in seconds). I set it to 5 again to be obvious. If the time is greater than 5 seconds since login, I use the previously defined $logoutAction global and redirect you to the logout process which should land you at login.php on the next redirect, as a logged out user.
I always try to use the code that already exists and do nothing unnecessary but I have to assume from this code that no information is sent to the browser for display in this code. A header() redirect will not work if that is not the case. I don't "see" anything in here that is explicitly doing that so I'm assuming this will work just fine. Please give it a simple test and season to taste.
No matter what the user attempts to do, if the idle time is exceeded the logout process will continuously be thrown upon them. No matter if they refresh, back up, etc.
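The sliding-window idle check described in the post above, rewritten as an added example that is not part of the thread and not Dreamweaver's generated code. The decision logic lives in a pure function that takes the session array and the current time as arguments, so it can be exercised from the command line without a browser; the names enforce_idle_timeout, logout_and_redirect, ABSOLUTE_MAX and the login_time key are assumptions introduced here. It also adds an absolute lifetime cap alongside the idle cap, and on expiry it destroys the server-side session and its cookie directly instead of bouncing through the ?doLogout=true URL, so an expired session cannot be revived by a client that simply ignores the redirect.

```php
<?php
// Added example: server-side idle and absolute session timeout for a PHP page.
// Not the thread's code; function and constant names are assumptions.
declare(strict_types=1);

const IDLE_MAX     = 15 * 60;   // seconds of inactivity before logout
const ABSOLUTE_MAX = 8 * 3600;  // hard cap on session age regardless of activity

/**
 * Decide what to do with a session at time $now.
 * $session stands in for $_SESSION so the logic can be tested offline.
 * Returns 'anonymous', 'continue', 'idle_expired' or 'absolute_expired'.
 */
function enforce_idle_timeout(array &$session, int $now): string
{
    if (empty($session['MM_Username'])) {
        return 'anonymous';                  // nothing to time out
    }
    if (!isset($session['timestamp'])) {
        // first authenticated request: record both the activity and login stamps
        $session['timestamp']  = $now;
        $session['login_time'] = $now;
        return 'continue';
    }
    if ($now - $session['login_time'] > ABSOLUTE_MAX) {
        return 'absolute_expired';           // too old even if the user is active
    }
    if ($now - $session['timestamp'] > IDLE_MAX) {
        return 'idle_expired';               // no request within the idle window
    }
    $session['timestamp'] = $now;            // activity seen: slide the window
    return 'continue';
}

/** Destroy the server-side session and its cookie, then send the user to login. */
function logout_and_redirect(string $reason): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: login.php?reason=' . urlencode($reason));
    exit;
}

if (PHP_SAPI !== 'cli') {
    // Glue for a real page: must run before any output is sent to the browser.
    session_start();
    $state = enforce_idle_timeout($_SESSION, time());
    if ($state === 'idle_expired' || $state === 'absolute_expired') {
        logout_and_redirect($state);
    }
} else {
    // Offline self-check with a constructed sample session (php thisfile.php).
    $check = function (bool $ok, string $what): void {
        if (!$ok) { throw new RuntimeException("failed: $what"); }
    };
    $s = ['MM_Username' => 'alice'];
    $check(enforce_idle_timeout($s, 1000) === 'continue', 'first hit sets stamps');
    $check(enforce_idle_timeout($s, 1000 + IDLE_MAX) === 'continue', 'exactly at limit still ok');
    $check(enforce_idle_timeout($s, 1000 + 2 * IDLE_MAX + 1) === 'idle_expired', 'idle exceeded');
    $s2 = ['MM_Username' => 'bob', 'timestamp' => 0, 'login_time' => 0];
    $check(enforce_idle_timeout($s2, ABSOLUTE_MAX + 1) === 'absolute_expired', 'absolute cap');
    $anon = [];
    $check(enforce_idle_timeout($anon, 5) === 'anonymous', 'no user, no timeout');
    echo "idle-timeout checks passed\n";
}
```

Drop the glue block at the top of the restricted page, before anything is echoed, exactly where the post puts the //------ section; the CLI branch is only there so the rules can be checked without a web server. Any client-side countdown or meta refresh remains a courtesy layered on top of this check, as both posters note.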
sinious wrote:
.osgood_ ~
If the timeout is enforced on the server-side, any download links and other "actions" all absolutely need to (and should) be run through a validation. If there's a fully downloaded video on the screen there's only really client-side technology (JavaScript) that can detect if any "client side" action is valid and within timeout. I can think of a million scenarios and a million answers to each of them but ultimately if the user performs an action, whether directly by refreshing PHP or via AJAX, it should be hitting a server side script, and this timeout will ultimately decide if the action is permitted or not. It all has to be wired through it.
That said, although I said it's not 100% reliable and can be tampered with, I would absolutely use a JavaScript (preference) or meta refresh technique to bounce on the client side along with the logic in the back end. The back end is the absolute gate keeper and as you said, it'd be insecure if that isn't the case. The client side just decorates but is very important to a good user experience.
I think we agree, agree
The client-side just adds a nice touch while the server-side provides the real security.