
logout user AND reset LOGGED flag on closed browser


lizok

Programmer
Jan 11, 2001
82
US
Hello,
A little background:
I needed both a session timeout and a check for whether a user with the same ID is already logged in.
So I have this code (see below) on every page that checks for the session variable, and if it's expired, it logs the user out and updates the DB (sets LOGGED="N"). At the same time I can look at LOGGED="Y" and determine if a user with the same ID is already logged in.

It works: another user can't log in with the same ID while LOGGED=Y. When the session times out, the DB is updated to LOGGED=N.

The problem is when the user simply closes the browser. I can't find a way to update the DB and set the flag to LOGGED="N".

Please help!!!


<CFIF #ParameterExists(Session.AgencyID)# is "no">
<center><b>System automatically logs out after 60 min of inactivity - Please Login again.</b></center>
<cfquery datasource="#session.dsn#" name="logoutIP">
UPDATE tblAccount
SET logged='N'
WHERE lastLoginIP='#HTTP.REMOTE_ADDR#'
</cfquery>
<CFINCLUDE TEMPLATE="index.cfm">
<CFABORT>
</CFIF>
 
So I have this code (see below) on every page
Why put it on every page? Put it in the application.cfm file to do it before every page. To kill the session when the browser closes, use this.

Code:
<cfif isdefined("cookie.CFID") and isdefined("cookie.CFTOKEN")>
    <cfset tempCFID = cookie.CFID >
    <cfset tempCFTOKEN = cookie.cftoken >
    <cfcookie name="CFID"  value="#tempCFID#" >
    <cfcookie name="CFTOKEN"  value="#tempCFTOKEN#" >
</cfif>
As for changing the DB, you're out of luck. The server doesn't know when you close the browser window; communication between the client and server has ended once it sends the page. The above code expires the local cookies used for session variables. What benefit do you get from changing a DB when they log in?

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-Douglas Adams (1952-2001)
 
Thanks for the reply.
I have that code on the Application page.

I thought that using the DB could prevent logins from different PCs with the same username and password, and I could also display the message "Another user is already logged in with the same credentials". How else can this be implemented?
 
Try using application variables with your sessions, they will spread throughout the application and not be confined to a single session. You could set it so that every time a user logs in, they set a specific application variable when their session starts. When someone else tries to log in as that user, and the application already sees that user, it won't let them log in. It may get a little tricky, but it can be done.



Hope This Helps!

Ecobb
Beer Consumption Analyst

"My work is a game, a very serious game." - M.C. Escher
 
I don't think that would work, ecobb.

Even using dynamically generated variable names.
Once an application variable is created it remains until there is 0 activity from anyone, whether they use it or not. Theoretically a user could never log in again.

The original solution probably won't work for long either, because remote_address isn't guaranteed to be the same next time the user hits the site.

You could use times, but what happens if the user accidentally closes the browser and can't log in for 40 more minutes?

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-Douglas Adams (1952-2001)
 
Why is there a risk of 2 or more users logging in on the same account? If more than one person has a password to an account, the password should be changed anyway. That's just bad from a security standpoint. Preventing multiple (same) users only delays the logging in of the person not supposed to be logged in until the other leaves. Or delays the legit user.

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-Douglas Adams (1952-2001)
 
The customer requested this feature. It is obviously bad. But it was stated clearly that it is possible that more than one person could work on the same account.
 
Ah, customer requirement... say no more. Let's see what we can come up with....

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-Douglas Adams (1952-2001)
 
That's a good point, bombboy. What I was talking about doing would be a slight modification of this tutorial:
I've used it (with a little modification) to display a list of everyone who's currently logged in. Armed with that info, it shouldn't be too hard to set up a "you're already logged in" check. It deletes logged in users from the list after 10 minutes of inactivity, but it could be made to do it sooner. Just a thought, though.

Yeah, the whole ip address check thing needs to go away. It will wind up causing some problems eventually.



Hope This Helps!

Ecobb
Beer Consumption Analyst

"My work is a game, a very serious game." - M.C. Escher
 
The best I could come up with is a variation of that myself, and that's assuming you do away with the end session at browser close.

Collect three things: the username, session.cfid, and the time.

When user 1 attempts to log in, it checks to see if the username is in the list/structure/array. If not, add the username, current cfid and current time. You'll have to update the time on each page to stay with the session end time. If user 2 tries to log in while the username is in the list, fail the login. Assuming user 1 doesn't log off, you'll also have to check to see if the current time is greater than 60 minutes from the last time. If you end the session you'll also lose the cfid, so even user 1 can't log back in until an hour passes. You'd have to have an admin available to remove the username from the list. I know this is probably clear as mud, I'm in a hurry and trying to get it out as fast as I can. I'm sure ECOBB or WEBMIGIT has seen my rambling enough to decipher it. :)

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-Douglas Adams (1952-2001)
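
The registry described in the last post (username, CFID and last-activity time), written out as an added example that is not code from any poster in this thread. `application.activeLogins` and the three function names are hypothetical, and the 60-minute idle window is the one used in the thread. A stale entry is reclaimed at the next login attempt, so nothing has to run when the browser closes.

```cfml
<!--- Added example; activeLogins and the function names are hypothetical. --->
<cfset IDLE_MINUTES = 60>
<!--- Call at login after the password check; false means "already logged in". --->
<cffunction name="claimLogin" returntype="boolean" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="cfid" type="string" required="true">
    <cfset var entry = "">
    <cflock scope="application" type="exclusive" timeout="5">
        <cfif NOT StructKeyExists(application, "activeLogins")>
            <cfset application.activeLogins = StructNew()>
        </cfif>
        <cfif StructKeyExists(application.activeLogins, arguments.username)>
            <cfset entry = application.activeLogins[arguments.username]>
            <!--- Refuse only while another session holds the name and is not idle. --->
            <cfif entry.cfid NEQ arguments.cfid
                  AND DateDiff("n", entry.lastSeen, Now()) LT IDLE_MINUTES>
                <cfreturn false>
            </cfif>
        </cfif>
        <!--- Free, stale, or our own entry: (re)claim it for this session. --->
        <cfset entry = StructNew()>
        <cfset entry.cfid = arguments.cfid>
        <cfset entry.lastSeen = Now()>
        <cfset application.activeLogins[arguments.username] = entry>
    </cflock>
    <cfreturn true>
</cffunction>
<!--- Call from Application.cfm on every request of a logged-in session. --->
<cffunction name="touchLogin" returntype="void" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="cfid" type="string" required="true">
    <cflock scope="application" type="exclusive" timeout="5">
        <cfif StructKeyExists(application, "activeLogins")
              AND StructKeyExists(application.activeLogins, arguments.username)
              AND application.activeLogins[arguments.username].cfid EQ arguments.cfid>
            <cfset application.activeLogins[arguments.username].lastSeen = Now()>
        </cfif>
    </cflock>
</cffunction>
<!--- Call from the logout page; a closed browser simply ages out instead. --->
<cffunction name="releaseLogin" returntype="void" output="false">
    <cfargument name="username" type="string" required="true">
    <cflock scope="application" type="exclusive" timeout="5">
        <cfif StructKeyExists(application, "activeLogins")>
            <cfset StructDelete(application.activeLogins, arguments.username)>
        </cfif>
    </cflock>
</cffunction>
```

As the post notes, a user whose session cookie was dropped at browser close comes back with a new CFID and is refused until the idle window passes, so an admin page that calls `releaseLogin` is still needed for that case.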
 