Qbasicnews.com

Full Version: WebPages using ASP.
Hey guys, please help.

I'm testing some applications at work that are developed in ASP. For security reasons, I want the webpage program to know when the user hits the "X" to exit the webpage. The programmers tell me that this can't be done. In my gut, I feel that they're giving me bull crap.

The issue is simple. If the program cannot detect when the user exits, then he can sign-on again to the same or other application from the same or other terminal (PC), all of which are security violations.

So, are these guys right, or can you detect when the user exits?

Sorry if I'm not using all the right terminology.
*****
If you use session variables, they will expire when the browser is closed. Does that help at all?
Well, ASP has nothing to do with event trapping. The ASP is finished before your web page is even rendered. Event trapping's a job for javascript. The closest thing you have is the onUnload event, which will be called not only when it's closed, but when the url changes and stuff. I don't know of any other way around this. It's also browser-reliant, so there's ways around it. But should you want to trap when the 'x' is clicked...

Code:
<html>
<head>
    <script language="javascript">
        // Called from the body's onUnload handler: fires when the window is
        // closed, but also on any navigation away, so it cannot be trusted
        // as a reliable "user exited" signal.
        function onClosing() {
            // javascript code when 'x' is hit
        }
    </script>
</head>
<body onUnload="onClosing()">

    <!-- MAIN HTML CODE -->

</body>
</html>

But yeah, you can set when your cookies expire, and sessions, and everything.
It's all done with sessions.

Every time a user logs on, they should be given a "session key". That's the big long string like this one: dkl389cn983n290n23n30 that may appear for you when you're browsing this forum (try hovering on the "Log out [ Moneo ]" button and you'll see it).

Every time a page in the secure area is accessed, the page should check to see if there is a session key. If there is not a session key, a login should be presented, or if the session key relates to a user not logged on (in phpBB even guests have session keys).
Thanks for your input and info, guys. Frankly I don't understand all of what you're talking about.

ADOSORKEN, you mentioned session variables. I can't say whether the programmers are using these.

TOONSKI, you mentioned using Javascripts. Again, I don't know if these programmers are using them. You also mentioned cookies. I do know that storing cookies was eliminated for security reasons.

ORACLE, you talk about sessions and session keys. I tried hovering over the log out, but didn't notice anything.

Since this business of webpages is an unknown factor for me, I can only look at it from a logical point of view. Here's the solution that I need:

1) The user signs on with UserID and password. There obviously is a file (or database) with UserID information. In the record for this UserId, there should be an additional field containing a switch saying whether this guy is already signed on.

2) If he is already signed on, I want the program to deny him access, as well as logging a security violation to an audit trail.

3) If the user is not currently signed on, we verify his password, turn on the "logged on" switch, and give him access to the application.

4) When the user exits the application, either by returning to the Sign-on screen or by exiting the Intranet session by hitting "X", I want the program to detect either of these conditions and turn off the "logged on" switch.

Given the above, the program that handles the sign-on can determine any attempt of multiple sign-ons. Multiple sign-ons from the same terminal or PC are not too bad, but not recommended because he could cause a record to be blocked on the suspended session, and also that he's trying to do too many things at the same time. What's worse is using another terminal. This runs the risk of his giving another person use of his UserID.

What I'm asking is can this be done relatively easy? Please don't give me the precise solutions, I won't understand them. Just give me your opinion. Also consider that these applications do not have this logic today. How difficult would it be to add this logic? Are we talking about more or less than 1 man/week?

I would think that this would be common practice on any webbased application where there was a certain degree of security required.
*****
What you talk about is sessions, pure and simple. If you paid someone they should be able to either come up with, or get one that's already made, in a day.

Quite simply, you cannot detect when someone closes their browser window. However, you can make some code to check when they last did something, and if the time they last did something was more than a certain amount of time ago, log them out, and present the login screen.

When you hover over the logout button, check your browser's status bar (that's normally at the bottom of your browser window).
Quote:What you talk about is sessions, pure and simple. If you paid someone they should be able to either come up with, or get one that's already made, in a day.

Quite simply, you cannot detect when someone closes their browser window. However, you can make some code to check when they last did something, and if the time they last did something was more than a certain amount of time ago, log them out, and present the login screen.

When you hover over the logout button, check your browser's status bar (that's normally at the bottom of your browser window).
Too bad you can't detect the browser closing. But your idea for checking the time sounds good. Ok, I get it, like a time-out. If he's been in the application for say 2 minutes and hasn't done anything (hit a key or clicked the mouse), blow him out back to the login-screen.

However, I think we've only solved part of the problem. I think we still need the "logged on" switch to handle the case when the user is signed on to 2 or more terminals. I have to think about this in more detail. Another problem is that when he closes the browser, the program has no way of knowing that he exited, so the switch is still on. Now when he signs on again, it will deny him access. Got any ideas for this scenario?

Is it possible to inhibit him hitting the "X" to close the browser? If this can be done, the program can have its own "exit" where it first turns the switch off and then exits the browser (if he can do this directly).

Thanks Oracle.

PS: I saw the browser status bar, like you said. But what can I do with this info?
*****
Let's think of it this way: You log into QBnews, and you're logged on. If you go to another computer without your session cookie on it, and you visit QBnews, you're a "guest", and have to log on. If you try to log on at this computer, your old session is logged out. All that needs to be changed for you, is that you're denied access on the new computer, rather than being logged in at the expense of the old computer.

Though something that would be better would be to have a list of "safe" IP addresses, and check the computer trying to sign in by a list of those addresses. phpBB does a ban system based on IP, that could be changed to an allow system.
Oracle,
Your idea of "safe" IP addresses sounds interesting. I'll investigate at work if this could be a viable solution.
Thanks.
*****