How can I prevent the user from logging into my website, even if he uses another login?
I can prevent it in the same browser using sessions/cookies, and I can also prevent the same user using a DB solution.
But I don't know how to prevent it with another browser and/or another user.
Does anyone have any ideas? I'm actually using ASP and JavaScript, but I'm open to other platforms.
Thanks,
MC
Actually, if the user has 2 different accounts and uses 2 different computers on a LAN (or WiFi, for that matter) based network, the only solution for you is to insert into the database the open session ID and the correlated IP and the date/time when the session was opened.
You also need to make sure that you set the open session to 0 once it gets closed or just times out.
Sessions and cookies will only help you prevent the user from using the same browser on the same computer.
I was trying to test features in my website that differ based on the user. I tried logging in from 2 separate tabs, but each time I sign out and log in from a different tab, the older tab gets signed out and logged in as the new user as well. I thought that the cookies stored in the browser were tab-specific, that each new tab has new cookies, but I was wrong.
Does the browser store one single cookie for URLs that are the same?
I know Facebook and other services work the same way, but I always thought that this was possible using some extra programming that Facebook wrote to ensure security.
I have a problem, and after some research online I was unable to find other people with this same issue.
I'm designing a site that has sensitive data the users work with in the page content. It uses CodeIgniter as well as CodeIgniter's session and cookie implementations to track user activity and determine when a session has expired. When sessions expire, the user has to log in again either through a sign-in portal or through a sign-in popup.
My issue is if someone's working on their computer, then just gets up and walks away from the browser, the session expires, but they didn't realize the session would expire, then they return to their computer to finish their work. There is a regular AJAX call that checks if the user has been inactive, and if the time threshold is reached their session data will be erased and the session is no longer active. There is then a popup window prompting the user to sign in again if they want to keep working.
The problem is, how do I protect any sensitive data in the HTML in the meantime? You might think if the session expires just redirect the user away from the page, but if they're in the middle of something I don't want to erase all of their work. I could try just hiding the HTML using JavaScript, but then someone could just open the inspector to see the HTML. Is there some way I could prevent anyone from seeing the page data at all unless the sign-in popup is completed?
Thanks for any input.
I don't know of any way to protect their work like you're asking.
I'd suggest saving the user's work in a draft format as they enter it. Then if they walk away and get logged out it doesn't matter; the work is still there when they log on next.
First off, thanks in advance to anyone who resolves/helps to resolve this problem. And sorry if this is a duplicate (I couldn't find it anywhere, so I posted a new question).
So the main issue is I want my webpage to display an alert message from the 2nd time a user visits the page onwards, so I thought IP logging using cookies would be the most unique thing to do; please do suggest if there's a better thing to use.
Browsing till now did not get me a way to log the IP in cookies. Also, the solutions I found were somewhat similar, but they were in PHP, which I'm not good at.
I would prefer using JavaScript as opposed to jQuery, but any and all help is appreciated.
First off, before I give the different ways of identifying a repeated visit and displaying a message after the 1st visit:
I would recommend not using the IP address, because there could be multiple machines behind NAT routers sharing one IP address; there will also be the problem of mobiles always changing their IP address because they connect to different networks.
There are multiple ways of doing this:
I would recommend using either Option 3 or Option 4 so that there is nothing stored on the user's machine. It is then much more secure than client side, because people can change what JavaScript stores in their browsers.
Option 1:
You could have a client side local storage by using the HTML5 Web Storage.
HTML5 Web Storage
Before HTML5, application data had to be stored in cookies, included in every server request. Local storage is more secure, and large amounts of data can be stored locally, without affecting website performance.
Unlike cookies, the storage limit is far larger (at least 5MB) and information is never transferred to the server.
Local storage is per origin (per domain and protocol). All pages from one origin can store and access the same data.
Option 2:
You could go with using a client side cookie, which you would set and remove with JavaScript:
Cookies are data, stored in small text files, on your computer.
When a web server has sent a web page to a browser, the connection is shut down, and the server forgets everything about the user.
Cookies were invented to solve the problem "how to remember information about the user":
When a user visits a web page, his name can be stored in a cookie.
Next time the user visits the page, the cookie "remembers" his name.
Cookies are saved in name-value pairs like:
username=John
I've actually done an example of this a few days ago.
COOKIE EXAMPLE
Option 3:
You could have a session, which is a good way of checking if you have users logging into your website/application:
PHP Sessions
A session is a way to store information (in variables) to be used across multiple pages.
Unlike a cookie, the information is not stored on the user's computer.
When you work with an application, you open it, do some changes, and then you close it. This is much like a session. The computer knows who you are. It knows when you start the application and when you end. But on the internet there is one problem: the web server does not know who you are or what you do, because the HTTP address doesn't maintain state.
Session variables solve this problem by storing user information to be used across multiple pages (e.g. username, favorite color, etc). By default, session variables last until the user closes the browser.
So: session variables hold information about one single user, and are available to all pages in one application.
Option 4:
You could use server-side cookies (this way it's not stored on the user's machine); this is a good way of identifying a user (visitor):
PHP Cookies
A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests a page with a browser, it will send the cookie too.
With PHP, you can both create and retrieve cookie values.
Suppose I have 200 links, and if the visitor visits all the links continuously then I want to offer a free PDF book after the last link, but if someone directly visits the last link then the offer should not display.
In this case the user may take a month or any long time to complete the tutorial site (this site), and the user may delete the cookies, so I should not use local storage or something like that.
So I'm considering an option with the user's IP address, and if that IP's user completes the whole page visit, the offer should be displayed.
So, how do I decide if an IP address has viewed all the pages, and if the user is at the last link, then display the offer?
Does it have a login feature? If so, I would track page views by URL and userId.
The shortcoming of the IP address is that different people using the same computer will count towards the same tracking. Also, you will not get credit if you visit the site from two different locations.
It is not possible to track the information with only the IP address. The IP address can change every time the user reconnects to the internet, e.g. after rebooting the router. You will have to provide a user login feature so you can associate the link visits with that user account.
The usual way to do this would be as follows using some server-side storage:
When a browser hits your server on any of the pages you are tracking, you see if there's already a tracking cookie in the browser. If not, you coin a unique ID for this browser and put it in a cookie that you set into that browser. Make sure the path allows visibility of the cookie anywhere on the site and set the expiration for however long you want.
In your server-side database, create an entry for this cookie ID and record that the page that was just hit has now been seen by this cookie ID.
On any subsequent page hit, get the cookie ID, look it up in the database, record that this page has now been viewed by that ID and check if all the required pages have now been viewed by that ID. If so, add the special offer to the delivery of the current page.
Using a cookie ID like this avoids issues with multiple browsers sharing a single IP address (which even happens on home networks and happens all the time on corporate networks).
If your site has a user login, it's even better to use the login ID as the user identifier because that allows you to accumulate the browsing history of the user even if they use multiple browsers/multiple computers as long as they login first.
FYI, some of the logic above can also be implemented via ajax calls made from the client upon each page load rather than work done at the time of serving the page - though this adds an extra server request for each page.
I want to log out the user if the browser is closed and force them to log in again when the browser is opened again.
session_start(); // must run before $_SESSION is readable
if (!isset($_SESSION['admin'])) {
    header('Location: login.php');
    exit; // stop rendering the protected page after sending the redirect
}
This doesn't work, because closing the browser does not mean dropping the sessions on the server, if I understand well a lot of posts on SO and outside.
Using JavaScript to delete sessions just before closing the browser often doesn't work, because the browser will not wait to execute any code if the user clicks to close the browser.
The second option is keeping the server session alive by sending JS code from the client (setInterval - AJAX).
The problem here is the scenario with multiple pages open in different tabs/windows, i.e. interference between multiple setInterval functions.
I also tried this:
session_set_cookie_params(0);
session_start();
This also doesn't work: after turning the browser off/on, index.php opens without redirecting to login.php.
The reason is maybe the browser option to automatically restore previously loaded pages.
So, what to do?
Axalix wrote:
If the session relies on cookies, you just need to leave the expiry date empty; then when the browser/tab is closed this cookie will be removed from the browser automatically. That's standard browser behavior. Yes, the server will still keep it, but since the browser doesn't have it, the user will need to re-login.
You responded:
Could that be a possible security issue, because cookies are JavaScript stuff, changeable by the client?
Yes, cookies can be changed by the client, but Axalix's answer from the comments is still the best if you intend to use $_SESSION. If you want to end the session on browser exit so that a 2nd user doesn't come later and take over the old session, then you must trust the owner of the session with the session cookie.
If you really want to break access as soon as the client leaves, then $_SESSION is not the best tool to track login state. Instead you could use WebSockets. The socket remains open as long as the webpage is open. Once the socket closes, you can invalidate any login state.
This may be more trouble than it's worth, though, so think hard about whether it is really that important. As an alternative, you could use sessionStorage, which is destroyed when the browser closes, but it's also available to the user (so a user could just copy and save what's in sessionStorage, then recreate it later).
Basically you need to trust the user who provided you the username and password.
There are a couple of options, but all end up the same way. You can either store something in sessionStorage to check the session; when the browser is closed, session storage will be wiped out. Or you can add a hidden input field and assign a value per session; if the page is newly loaded and the value exists, that means the session is still active, so you can redirect to logout and show the login page either way. But the second option may not be useful if your app has page reloads. I think sessionStorage would be your answer. Set the session in sessionStorage on login, if it is empty. Then check session storage on page load. If it is empty, that means the user is there for the first time, since a page reload will keep the value.
When Google Chrome is configured to re-open all previous tabs, it won't delete your session cookie. See for example this question asked 5 years ago, but still an issue (just verified, Google didn't change that behaviour). Unfortunately you can't do much about this behaviour (as far as I know). Without deleting that cookie your session still remains open (unless it is deleted server-side during clean-up).
The best solution to handle an automatic logout is to store a 'last activity time' in your session, update it in every request, and in your 'is logged in' check verify that the last activity was not more than, say, 15 minutes ago. If it is more than 15 minutes ago, you could send him to login.php.
To improve this further (and if this is really an issue for you), you can use a setInterval in JavaScript to send keep-alive AJAX calls to the server every 30 seconds or so. That way you can lower the 'last activity time' (either real activity or automated) limit from 15 minutes to 2 or 1 (leave some room for network hiccups).
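The 'last activity time' check from the answer above, as an added example (not the answer's own code) written as plain functions so the expiry can be exercised without a web server. `session` stands for the server-side session record (what $_SESSION holds in PHP); the 15-minute default and the `admin` flag mirror the question, and the keep-alive handler shows the same check with the shorter limit the answer suggests.

```javascript
// Default idle limit when the only signal is real user activity.
const IDLE_LIMIT_MS = 15 * 60 * 1000;

// Returns true when the session is still valid and refreshes its activity
// stamp. Once the idle limit has passed, the login marker is cleared on the
// server side, so a restored browser tab with the old cookie is still sent
// to login.php: the decision never depends on the browser dropping the cookie.
function isLoggedIn(session, nowMs, idleLimitMs = IDLE_LIMIT_MS) {
  if (!session.admin) return false;
  const stamp = session.lastActivity;
  if (typeof stamp !== 'number' || nowMs - stamp > idleLimitMs) {
    delete session.admin;
    delete session.lastActivity;
    return false;
  }
  session.lastActivity = nowMs;
  return true;
}

// Called after the username/password check succeeds.
function login(session, nowMs) {
  session.admin = true;
  session.lastActivity = nowMs;
}

// Handler for the keep-alive AJAX endpoint polled every 30 s from the page.
// It performs the same check with a shorter limit (e.g. 2 minutes): an open
// tab keeps refreshing the stamp, a closed browser lets the session lapse.
// Returns the HTTP status the endpoint would answer with.
function handleKeepAlive(session, nowMs, idleLimitMs) {
  return isLoggedIn(session, nowMs, idleLimitMs) ? 200 : 401;
}
```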