force a neat logout

Sheena

Jan 4, 2002, 5:04:25 AM
Is there any way to force a user to always do a logout by clicking
the logout button....before he moves to another site or clicks the x
button and quits the browser....so that my application is secured...
and no user can do a back and come into it

Any help is appreciated....

Jim Ley

Jan 4, 2002, 10:15:32 AM
On 4 Jan 2002 02:04:25 -0800, sheen...@hotmail.com (Sheena) wrote:

>Is there any way to force a user to always do a logout by clicking
>the logout button....before he moves to another site or clicks the x
>button and quits the browser....so that my application is secured...
>and no user can do a back and come into it

This is increasingly becoming a FAQ, in principle you can't, and you
certainly wouldn't really want to require javascript to log a user
out, as it's too easy for a user to circumvent either maliciously or
accidentally (by virtue of proxies, or errors etc.) Fuller answers have
been given in recent posts (notably by Andrew Urquhart) search for
those, I'll be doing the same for a suitable FAQ entry at some point
(unless anyone wants to FAQENTRY a complete answer...)

Jim.
--
comp.lang.javascript FAQ - http://jibbering.com/faq/
FAQ will be moving servers shortly
apologies if any disruption, See Google Cache.

Andrew Urquhart

Jan 4, 2002, 12:13:56 PM
"Jim Ley" <j...@jibbering.com> wrote in message
news:3c35c696...@west.usenetserver.com...

> On 4 Jan 2002 02:04:25 -0800, sheen...@hotmail.com (Sheena) wrote:
>
> >Is there any way to force a user to always do a logout by clicking
> >the logout button....before he moves to another site or clicks the x
> >button and quits the browser....so that my application is secured...
> >and no user can do a back and come into it
>
> This is increasingly becoming a FAQ, in principle you can't, and you
> certainly wouldn't really want to require javascript to log a user
> out, as it's too easy for a user to circumvent either maliciously or
> accidentally (by virtue of proxies, or errors etc.) Fuller answers have
> been given in recent posts (notably by Andrew Urquhart) search for
> those, I'll be doing the same for a suitable FAQ entry at some point
> (unless anyone wants to FAQENTRY a complete answer...)
>
> Jim.

Working on it now ....
--
Andrew Urquhart
____________________
http://andrewu.co.uk
. o O (Currently seeking UK employment, see cvHTML.asp)

Andrew Urquhart

Jan 4, 2002, 1:17:04 PM
"Andrew Urquhart" <ReplyVia_c...@URLin.Sig> wrote in message
news:BplZ7.55314$4x4.7...@news2-win.server.ntlworld.com...

> "Jim Ley" <j...@jibbering.com> wrote in message
> news:3c35c696...@west.usenetserver.com...
> > (unless anyone wants to FAQENTRY a complete answer...)

OK, how's about this? It's a bit long and possibly a bit waffly and I may
not have covered all aspects of the problem. E&OE. I have tested the script
snippet at the end and it worked fine in IE6 talking to ASP (JScript).

#################
How do I log-out a user when they leave my site?

This cannot be done reliably. Here's why:

1. A user may disable javascript, or may not have a javascript capability,
so the log-out script will never execute.
2. A user may not be connected to the Internet/Intranet when they close your
web page.
3. Javascript errors elsewhere in the page may prevent the script executing.

In such circumstances sessions may be abandoned by the user but may still be
active at the server. The user may not be able to log-in again whilst this
session remains active. Alternatively a malicious user may find such a
session and start using it.

OK, how should I do it then? Firstly realise that this must always be done
at the server - this is the only thing you have direct control over.
Secondly the solution needs to be invoked at the design stage of your
application. Design your application such that restricted access is
controlled by session information in a database table on the server. When a
user logs-in insert the user's session identifier (SessionID) into the table
along with the current server time plus the allowed duration of their
session, e.g. 15 minutes. A user's session is valid whilst their SessionID
can be found in the session table and their timestamp is greater than or equal to
the current server time. Logged-out now simply means any user whose
SessionID cannot be found and/or whose timestamp is less than the current
server time. To maintain a session update the timestamp field with the
current server time plus session duration. No client-side "log-out" button
is required because log-out will occur when the user stops visiting
pages/stops having their session updated. Use a server-side script, program
or database trigger to remove expired sessions from the session table. To
log-out early delete the record matching the SessionID from the session
table.

However, provided you realise that client-side javascript cannot completely
take care of automatic log-outs, there are some things it can do to help.
When a user navigates to a page on a different server or closes their
browser you can, in some cases, use the <CODE>window.unload</CODE> event to
send some information to the server to trigger a log-out.

<PRE>
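// Fire a best-effort log-out request when the page is unloaded.
function aidLogout() {
    // Requesting an "image" is just a way to send a GET to the server;
    // the response body is never used.
    var i = new Image();
    i.src = "aidlogout.asp?uid=1562&SessionID=ABCDEFGHIJKLMNOP";
}
// The handler property is onunload; assigning to window.unload does nothing.
window.onunload = aidLogout;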
</PRE>

The unload event triggers a request to the server to fetch the image named
"aidlogout.asp?uid=1562&SessionID=ABCDEFGHIJKLMNOP". The "aidlogout.asp"
page performs the server-side log-out and returns an image content-type
specified but with no actual content. If the above script doesn't get called
by the browser when the user leaves then no problem - your server-side
solution will catch it automatically later on. However, if it does run then
you are a little bit more secure and you've freed up resources at your
server sooner.
#################
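
Added example, not part of the original post: a sketch of the server-side session table described above, with sliding expiry, early log-out and a purge job. The `SessionTable` class, its method names and the in-memory `Map` standing in for the database table are assumptions made for illustration.

```javascript
// Added example: in-memory stand-in for the server-side session table.
const crypto = require("crypto");

const SESSION_MS = 15 * 60 * 1000; // allowed duration: 15 minutes, as in the post

class SessionTable {
  // `now` is injectable so expiry can be exercised without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.rows = new Map(); // SessionID -> { uid, expires }
  }

  // Log-in: insert the SessionID with current server time plus the duration.
  login(uid) {
    const sessionId = crypto.randomBytes(16).toString("hex"); // unguessable ID
    this.rows.set(sessionId, { uid, expires: this.now() + SESSION_MS });
    return sessionId;
  }

  // Valid while the row exists and its timestamp >= current server time.
  isValid(sessionId) {
    const row = this.rows.get(sessionId);
    return row !== undefined && row.expires >= this.now();
  }

  // Called on every authenticated request: slide the expiry forward.
  // An expired or unknown SessionID is never revived.
  touch(sessionId) {
    if (!this.isValid(sessionId)) return false;
    this.rows.get(sessionId).expires = this.now() + SESSION_MS;
    return true;
  }

  // Early log-out: delete the row (the job of the unload-triggered request).
  logout(sessionId) {
    return this.rows.delete(sessionId);
  }

  // Periodic clean-up job: remove expired rows, return how many were removed.
  purgeExpired() {
    let removed = 0;
    for (const [id, row] of this.rows) {
      if (row.expires < this.now()) { this.rows.delete(id); removed++; }
    }
    return removed;
  }
}
```

Because `isValid` is checked on every request, an abandoned session stops working at its expiry time even if the purge job has not yet run.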

Sheena

Jan 7, 2002, 5:59:51 AM
Thanks for your suggestion...