Hi UserSpice developers,
I'm currently testing my implementation of userspice on my project. One thing I notice is that when user opens more than 1 page of userspice in the browser, and then logout in one of the pages, the other pages still remains active unless you refresh the page. I'm thinking if there is a way to add an automatic logout on all UserSpice pages when the user logout in one of them? May be some changes in the navigation.php or header.php or ini.php so that all userspice pages would have this function?
Thanks for all your effort in maintaining this website!
Best,
Angel
I can definitely look into this but as a rule each Tab in a browser is its own unique instance. The reason for this is to stop one tab from stealing information from another tab... we may be able to for some kind of check of the system session information every time a page loads. I will take a look at that.
So when you say "remain active" do you mean it still shows as Logged In until they try to navigate elsewhere? As soon as they try any other interaction, it should then show them as logged out. That is sort of by design, because right now, virtually all the functionality is server side, there isn't really any client side (i.e. JavaScript) in the UserSpice code, and that's the only way I can think of to "force" a logout of all pages when it is performed in a separate tab.
That is something that could be done...implement a JavaScript watch dog that checks every 30 seconds if the session is still valid or not. Perhaps someone has a better idea than this what would be more responsive. I'm not sure how we would do that server side. The downside to the JS implementation is that it could be disabled, though that wouldn't matter that much since users would be logged out on their next action in the other pages.
Have I interpreted your observation correctly?
You are absolute right with what I meant. I'm trying to release my project along with UserSpice to test again right now. One of the feature that needs to be done is the "automatic logout detection" thing. I think the "Javascript watch dog" idea would very likely work. Do you have any suggestions as to how to do that?
Thanks
Angel
One important reason to add this automatic logout detection feature is that I'm adding function level access control to pages in my project. I mean, right now userspice controls user access to the page level, which means based on his/her authorization access, the user can either access the page or not. But some of my use cases would be to grant the user read access to a page but not allowing them to edit anything. I already have this function level access control done by adding an additional permission level check on my pages. But to make sure that no one can edit anything without the right permission, it is important to detect whether this user is logged out on other tabs of the browser. And I think it might also be a potential feature that could make userspice more secure.
To help me understand the use case, if a user logs out in one tab, then they would not be able to do anything but view the other pages that are open. If they tried to make a change and submit a form or something like that, they will be prevented from doing so and be required to login again.
From a real security standpoint, client side JavaScript cannot be relied on, because a user could simply disable JS processing thereby adding no more security.
So that brings us back to how this could be implemented on server side with the technologies available on most web servers.
What types of edits are you trying to prevent? are these forms being submitted, or access to a specific file?
That would be one of the use cases. Another one would be some user might not even have read access to the page, but were still able to view it if the page is not signed out for the last user.
I'm outputing the form to a separate php file to update database. and yeah I think to prevent editing submission, I can add the permission check on my submit php file. But it would still be important to have this automatic logout detection, so that no one could read the page if the user is logged out.
Well, that will be tough with only client side operations. Once the data reaches the client and displayed in the browser, it is out of the hands of the server and the server can't do anything about it. The only thing the server could do is control access on the NEXT request where the server is once again involved in the transaction.
Even things like banking sites are at the mercy of the users browser. In that case, the session gets expired on the server side, and on the client side the pages are served with an expiry in the cache so they can't be displayed after the browser is closed.
So to me, it would appear that you could do what banks or other sides do, and run a JavaScript check and logout, but that can be disabled...just as a warning.
Well I guess the javascript check and logout method is still better than not having any check. And our users are mechanical engineers, I don't think they would want to disable javascript when they are opening the page.
I just googled but only found some javascript to timeout a user, instead of constantly checking the session. would you mind be more specific as to how to do the javascript check and logout?
Okay, just wanted to be sure that part was understood.
I can take a crack at it, I'm not sure how long it would take me though.
