At 17:03 14.03.2003, Luis Lebron said:
--------------------[snip]--------------------
>This may be more of a javascript question than a php question. But how can I
>set up an inactivity timeout that will logout a person after let's say 20
>minutes of inactivity?
--------------------[snip]--------------------
That's an interesting question - something that might be handled server-side (which is usually a lot safer than on the client side), supporting (JavaScript-based) client requests asking if it is still logged in.

I have tried a quick sample and believe a scenario like this could work quite well in a production environment:

(1) Handle login status server-side:
    After authenticating the user, establish a timeout until which the login will be valid WITHOUT user interaction (you may e.g. choose 5 minutes, i.e. time() + (5*60)). Store this timeout value in session data ($_SESSION['login_valid_until']).

(2) Update the timeout on every user interaction:
    Simply refresh the session-based timeout value using the same formula.

(3) Have a special entry (either a special script, or a certain parameter) where the client may ask if the login is still valid. Make sure this script (and only this!) DOES NOT increment the timeout value since it will be called by client JavaScript, not by user interaction.

(A) Header pseudocode for "interactive" pages (normal application scripts):

    login valid and validates against timeout?
      NO:  transfer to "you have been logged out" page
      YES: increase timeout; continue processing

(B) Pseudocode for the timeout-checking script:

    login valid and validates against timeout?
      NO:  transfer to "you have been logged out" page
      YES: return "204 no response" status code

(C) JavaScript to be used on any page:

    <script type="text/javascript">
    function checkHandler() {
        // ask the server whether the login is still valid;
        // a 204 answer leaves the current page as it is
        window.location.href = "yourcheckscripthere.php?<?php echo SID; ?>";
        // the timers are cleared by the reload request, so re-arm the check
        onloadHandler();
    }
    function onloadHandler() {
        setTimeout(checkHandler, 60000);
    }
    </script>
    <body onload="onloadHandler();">

The main feature here is the use of the server status code 204 which means "No Response". Cited from RFC2616 (HTTP 1.1 draft standard):

    10.2.5 204 No Content

    The server has fulfilled the request but does not need to return an
    entity-body, [...] If the client is a user agent, it SHOULD NOT change
    its document view from that which caused the request to be sent. This
    response is primarily intended to allow input for actions to take place
    without causing a change to the user agent's active document view, [...]
    The 204 response MUST NOT include a message-body, and thus is always
    terminated by the first empty line after the header fields.
--------------------

So: if the server sees the login status (in session data) is still valid, the reload request issued by JavaScript doesn't lead to a new page but lets the browser remain in "idle" mode. However the timeout needs to be set again; it seems that the JS engine clears all timers _before_ the reload request (which would make sense; it can't clean them up on another page).

However if the server sees the user has exceeded the timeout (by not activating some "interactive" action that would cause the timeout to be extended), the JavaScript reload will immediately transfer the user agent to the "you're outta here" page.

-- 
   >O     Ernest E. Vogelsinger
   (\)    ICQ #13394035
    ^     http://www.vogelsinger.at/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
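The server side of the scheme described in the reply above, written out as an added example (this is not code from the original posting or from PHP itself). One script serves both roles from steps (A) and (B): a request carrying the `check` parameter is the JavaScript heartbeat and is only validated, every other request is treated as user interaction and extends the deadline. The file name, the `check` parameter, the session keys `user_id` and `login_valid_until`, and the `/logged_out.php` target are assumptions chosen for the example; `login_start()` is meant to be called from your own login handler once the credentials have been verified.

```php
<?php
// inactivity.php -- added example, not code from the original posting.
// Server-side inactivity logout following the three rules in the thread:
//   (1) store an absolute deadline in the session after login,
//   (2) extend it on every interactive request,
//   (3) answer the JavaScript heartbeat (here: ?check=1) WITHOUT extending it.
// Names below (login_valid_until, user_id, /logged_out.php, ?check=1) are assumptions.
declare(strict_types=1);

const LOGIN_IDLE_SECONDS = 5 * 60;             // 5 minutes, the value used in the post
const LOGGED_OUT_PAGE    = '/logged_out.php';  // assumed "you have been logged out" page

/** (1) Call this from the login handler once the credentials have been verified. */
function login_start(string $userId): void
{
    session_regenerate_id(true);               // fresh id so a pre-login id cannot be reused
    $_SESSION['user_id']           = $userId;
    $_SESSION['login_valid_until'] = time() + LOGIN_IDLE_SECONDS;
}

/** True only if someone is logged in AND the idle deadline has not passed yet. */
function login_is_valid(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['login_valid_until'])
        && time() < (int) $_SESSION['login_valid_until'];
}

/** Drop the server-side session data and the client's session cookie. */
function login_end(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** The "NO" branch shared by (A) and (B): end the session, send the user away. */
function transfer_to_logged_out_page(): void
{
    login_end();
    header('Cache-Control: no-store');
    header('Location: ' . LOGGED_OUT_PAGE, true, 303);
    exit;
}

/** (A) Header for interactive pages: validate, then push the deadline out again (2). */
function require_login_interactive(): void
{
    if (!login_is_valid()) {
        transfer_to_logged_out_page();
    }
    $_SESSION['login_valid_until'] = time() + LOGIN_IDLE_SECONDS;
}

/** (B) Heartbeat endpoint: validate only. It must never write login_valid_until,
 *  otherwise the page's timer would keep every idle session alive indefinitely. */
function login_check_endpoint(): void
{
    if (!login_is_valid()) {
        transfer_to_logged_out_page();
    }
    header('Cache-Control: no-store');
    http_response_code(204);                   // no body: the browser keeps its current document
    exit;
}

// ---- request handling: the same script serves both roles, chosen by the parameter ----
session_start();

if (isset($_GET['check'])) {
    login_check_endpoint();                    // reached only by the page's JavaScript timer
}

require_login_interactive();                   // every real user request lands here

// ... normal page content follows; the deadline has just been extended.
echo 'Logged in as ', htmlspecialchars((string) $_SESSION['user_id'], ENT_QUOTES, 'UTF-8');
```

With this layout the JavaScript from (C) would point at `inactivity.php?check=1&<?php echo SID; ?>`, so that the heartbeat can only ever reach the validate-only branch. Keep the heartbeat interval (60 seconds in the post) well below the idle timeout (5 minutes there): the server alone decides when the login is over, the timer only makes the browser notice it promptly, and a heartbeat slower than the timeout would leave the user looking at a page whose session is already gone.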