
#1 andre1011

Detect if users leave the domain

Posted 30 March 2013 - 10:03 AM

Hello all, I would like to know if there is a way to use PHP Sessions to detect if the user leaves the domain. My domain has multiple pages and the user should be able to move within the domain to any page without having to log back in, but if the user leaves the website or closes the browser, I need a way to detect that action so I can log him out.

I am using PHP version 5.4 on a Linux server

#2 StefanOnRails

Posted 30 March 2013 - 11:45 AM

Well, the session is tied to the lifespan of the browser window. In other words, when user closes the browser the session ends, so there's no need for you to log him out. I don't know any reliable way to detect when the user leaves the website.

You must understand that the HTTP protocol is stateless. In other words, it doesn't know what happened before the current page was requested. In order to pass data between pages you can use a session, which by the way, once created it injects a cookie on client's computer, cookie which contains the session id (or the name of a tiny file located on your server which holds the user information stored by your scripts). When a page wants to use some session information it looks inside that cookie to get the correct id, then based on that it looks for the corresponding file on the server and retrieves the data.

When the user clicks a link or changes the url address a request is sent to a server in order to obtain a specific page, which is then downloaded on your local machine by browser. The request however can be sent towards any server, but your scripts are located on YOUR server.
Plus, even the event of page unloading is hard to track (if possible). However, I can't understand why would you want to log out the user when he leaves the website, but doesn't close the browser window.

#3 andre1011

Posted 30 March 2013 - 08:19 PM

I am trying to write a basic eCommerce web site where the same user can add items to a shopping cart with a click and php will know that it is the same user for the same session. (For this web site the user has no log in button, stupid I know but these are my requirements) If the user closes the window or goes to another website a new session should be started.

#4 StefanOnRails

Posted 31 March 2013 - 04:03 AM

What you are asking is quite unusual, at least for me. The only idea I have would be to pass a value from page to page via POST method every time the user clicks a link, asking for a new page. Then you can check if the value was set, if not it means the request wasn't sent from one of your pages.

page template:
<?php
	include 'checker.php';
?>
	
	<form id="next-page" action="" method="POST">
		<input name="session" type="hidden" value="current" />
	</form>

	<a class="internal-link" href="page.php">Page</a>
	
	<script src="redirect.js"></script>

checker.php
<?php
	if (!isset($_POST['session'])) {
		echo 'New Session';
	} else {
		echo 'Old session';
	}

redirect.js
var form = document.getElementById('next-page');

var addListener = function (element, event, handler) {
	if (element.addEventListener) {
		element.addEventListener(event, handler, false);
	} else if (element.attachEvent) {
		element.attachEvent('on' + event, handler);
	} else {
		element['on' + event] = handler;
	}
};

addListener(document.body, 'click', function (event) {
	var e = event || window.event,
		target = e.target || e.srcElement;
	if (target.className === 'internal-link') {
		if (e.preventDefault) { e.preventDefault(); }
		else { e.returnValue = false; }
		form.action = target.href;
		form.submit();
	}
});

However, there's a major problem in this design and I'm talking about the user's ability to change the url via address bar. There's no problem if they want to go on a different website, but if they access another one of your pages a new session is created, even though the user never left the website.


#5 CTphpnwb

Posted 31 March 2013 - 06:20 AM

andre1011, on 30 March 2013 - 11:19 PM, said:

If the user closes the window or goes to another website a new session should be started.

Suppose you somehow got this working. What would you want to do if the user left your window open but used another browser? Would you kill the session then too if you could? Why would you, and if you wouldn't then why do you want to if they browse a different page on the same browser?

#6 andre1011

Posted 01 April 2013 - 08:38 AM

YES this was helpful THANK YOU

StefanOnRails, on 31 March 2013 - 03:03 AM, said:

What you are asking is quite unusual, at least for me. The only idea I have would be to pass a value from page to page via POST method every time the user clicks a link, asking for a new page. Then you can check if the value was set, if not it means the request wasn't sent from one of your pages.

[snip]

However, there's a major problem in this design and I'm talking about the user's ability to change the url via address bar. There's no problem if they want to go on a different website, but if they access another one of your pages a new session is created, even though the user never left the website.


I see your point, but how much security should you have for an eCommerce website? Also, if the browser is using tabs like Firefox, closing the tab does not kill the session.

CTphpnwb, on 31 March 2013 - 05:20 AM, said:

andre1011, on 30 March 2013 - 11:19 PM, said:

If the user closes the window or goes to another website a new session should be started.

Suppose you somehow got this working. What would you want to do if the user left your window open but used another browser? Would you kill the session then too if you could? Why would you, and if you wouldn't then why do you want to if they browse a different page on the same browser?


#7 CTphpnwb

Posted 01 April 2013 - 10:24 AM

andre1011, on 01 April 2013 - 11:38 AM, said:

I see your point, but how much security should you have for an eCommerce website? Also, if the browser is using tabs like Firefox, closing the tab does not kill the session.

This makes no sense to me. Other than reducing the amount of time available for a man-in-the-middle attack (and I'm not sure that would help), how would killing the session increase security?

#8 andre1011

Posted 01 April 2013 - 05:11 PM

I thought by killing the session I could stop someone from getting sensitive data like Social Security Numbers or Credit Card Numbers. How secure are sessions? Am I worrying too much about nothing?

#9 Atli

Posted 01 April 2013 - 05:59 PM

The main vulnerability for sessions is so-called "man in the middle" attacks, where some 3rd party sniffs out the session ID by intercepting and reading the HTTP request as it travels from the client to the server. (That and XSS attacks, but those aren't that hard to prevent.)

So the main line of defense against session hijacking is securing the connection between the client and server using HTTPS (SSL/TLS) connections. Any sort of secure website should send all requests that include a session ID - which are pretty much all requests for the main domain - through a https:// URL.

Trying to force the session to be destroyed based on what the user does (browsing to a different URL, closing the browser/tab, or any such actions) will never be reliable, as those all rely on the client-side to provide events, which is extremely easy to bypass. You don't want to rely on anything the user does for security. The best thing you can do is use a low session timeout value, so that sessions time out faster, giving hijackers less time to do their thing before their hijacked session is void.

Quote

Am I worrying too much about nothing?

As far as security goes, worrying too much is far better than too little. Paranoia is actually a pretty good trait for a developer in this line of work :)
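The server-side controls recommended in the last reply (session cookie sent over HTTPS only, short timeout enforced by the server rather than by browser events), sketched as an added example that is not code from the thread. The 15-minute limit and the names `IDLE_LIMIT`, `start_hardened_session()` and `last_activity` are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT, start_hardened_session()
// and the 'last_activity' key are illustrative names.
const IDLE_LIMIT = 900; // seconds of inactivity before the session is voided

function start_hardened_session()
{
    // Take the session ID from the cookie only, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    // Let the server's garbage collector drop session files idle past the limit.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

    // lifetime 0: cookie is discarded when the browser closes
    // secure true: cookie is sent over https:// only
    // httponly true: cookie is not readable from page JavaScript
    session_set_cookie_params(0, '/', '', true, true);
    session_start();

    $now = time();
    $expired = isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > IDLE_LIMIT;

    if ($expired) {
        // Enforce the timeout on the server: empty the data (cart included)
        // and replace the ID so the old one is void for anyone holding it.
        $_SESSION = array();
        session_regenerate_id(true);
    }

    $_SESSION['last_activity'] = $now;
    return $expired;
}

// Call at the top of every page, before any output is sent.
$sessionWasReset = start_hardened_session();
```

The return value lets a page tell the visitor that the previous cart expired instead of silently showing an empty one.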