1

I'm working on a mobile-based web application that's mostly AJAX and JavaScript powered. To access the main page, a login page sends the data via POST to the main page, where it is checked with a MySQL query. If there's a problem with the login, it will return you to the login page; otherwise it will continue to the main page. I'm trying to find the best way to implement a timeout to force a user to re-authenticate past a threshold.

Everything is controlled from the main page via jQuery and AJAX, so they don't leave main.html at any point. My issue is: how do mobile browsers handle being minimized or closed? For example, I'm using Chrome on my Android device and I log in to the web app. I do some actions and then minimize the browser to do other things on my phone. 3 hours later I open up Chrome with the tab still on the page and continue on with what I was doing earlier on the page. How can I intercept that and force them back to the login page after that time? I was thinking about storing the login time in a cookie and running a check against it every time a function is called, but that doesn't seem very elegant.

Darren
  • 23
  • 3
  • 1
    Why is a session cookie that expires not "elegant"? AFAIK there aren't any other methods besides sockets, but you're already using AJAX. – Dave Chen May 03 '13 at 14:29
  • You were thinking about cookies... have you _tried_ using anything? Have you heard of sessions? How do you handle this kind of scenario with non-mobile browsers? – Elias Van Ootegem May 03 '13 at 14:31
  • I'd recommend cookies so it can be better managed by the database; session works fine too. – Dave Chen May 03 '13 at 14:34
  • I have a general idea of how sessions work. The issue is I know JavaScript and PHP are two totally different things and I am not sure how to get them to interface together. Since they aren't leaving the main page at all, I can't just use an if statement and see if the session variables are present when the page loads. I've never actually had to do this before on a desktop site and this is my first attempt into the fray. – Darren May 03 '13 at 15:29

2 Answers

0

Use a session, not a cookie. I think you are missing some things about PHP.

kodmanyagha
  • 932
  • 12
  • 20
0

Cookies can always be changed.

This should be very simple if you're using PHP, just keep track of the last action performed:

$_SESSION['last_action'] = time();

Then, when there is an Ajax request to your server, check that value. If it's too long ago, force the user to log in again (so, the response would return some value indicating that you need to show the login screen again).

I assume that you know how sessions work and you do session_start() etc.

You can also set an expiry date on your session if you don't mind doing that, but it might not be reliable.

Community
  • 1
  • 1
MMM
  • 7,221
  • 2
  • 24
  • 42
  • Should the session comparison go in all the php scripts ajax calls? Ex: process_menu.php would have session_start(); if(time() < ($_SESSION['login_time']+60)){ //Process } else{ Return a redirect call } – Darren May 03 '13 at 16:00
  • I would assume that each of your pages has a way of evaluating whether the user is logged in (at least they should). So it should happen then. – MMM May 03 '13 at 16:57
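
The server-side check described in the answer above, written out as an added example (not code from any of the posters). It is a guard that every AJAX endpoint includes, so the timeout is enforced by the server clock on the first request after the browser is reopened. The file name, the `user_id` session key, the 15-minute limit and the `login_required` response field are assumptions made for illustration.

```php
<?php
// session_guard.php (hypothetical file name): require this at the top of
// every AJAX endpoint, e.g. process_menu.php, before doing any work.
declare(strict_types=1);

const IDLE_LIMIT = 900; // assumed threshold: 15 minutes of inactivity, in seconds

/** Pure check, easy to unit test: true when the session must be ended. */
function session_is_stale(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    // No user id (assumed key set at login) or no timestamp: nobody is logged in.
    if (empty($session['user_id']) || !isset($session['last_action'])) {
        return true;
    }
    // The comparison uses server time only; nothing the client sends is trusted.
    return ($now - (int) $session['last_action']) > $limit;
}

function require_fresh_session(): void
{
    session_start();

    if (session_is_stale($_SESSION, time())) {
        // Drop the server-side state so the old session id is useless.
        $_SESSION = [];
        session_destroy();

        // Tell the AJAX caller to show the login screen instead of data.
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['login_required' => true]); // assumed field name
        exit;
    }

    // Sliding window: each valid request restarts the idle timer.
    $_SESSION['last_action'] = time();
}

require_fresh_session();
```

On the client, a single global jQuery handler for HTTP status 401 can send the browser back to the login page, so the individual AJAX calls need no extra logic.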