I have been using this script for well over a year now, and just last night I realized that the timeout settings found in constants.php don't have anything to do with automatically logging users out... call me dumb, but I always just assumed they did.
Now it may not be necessary for every project to auto log out every user after a set amount of time. But security-wise, it makes sense for every user logged in as an administrator to be logged off after X minutes of inactivity.
After I realized how to correctly check for a timeout, I could easily edit the "addActiveUser" function in database.php. I just edited the function to look like:
- Code:
function addActiveUser($username, $time){
    // Look up the user's stored last-activity timestamp
    $q = "SELECT * FROM ".TBL_USERS." WHERE username = '$username'";
    $r = mysql_query($q, $this->connection);
    $t = mysql_fetch_array($r);
    // Oldest last-activity time still considered active (USER_TIMEOUT is in minutes)
    $timeout = time()-USER_TIMEOUT*60;
    if($t['timestamp'] < $timeout){
        // Idle too long: send the user to process.php to be logged out, and stop
        // here so the timestamp below is not refreshed and the page does not keep running
        header("Location: ./process.php");
        exit;
    }
    $q = "UPDATE ".TBL_USERS." SET timestamp = '$time' WHERE username = '$username'";
    mysql_query($q, $this->connection);
    if(!TRACK_VISITORS) return;
    $q = "REPLACE INTO ".TBL_ACTIVE_USERS." VALUES ('$username', '$time')";
    mysql_query($q, $this->connection);
    $this->calcNumActiveUsers();
}
This takes the existing function and adds a new section to query the database and check to see if the timestamp in the database has a greater value than the timeout value. If it does, then nothing happens and you are still logged in as usual; but if it doesn't, then you get redirected to process.php and get logged out.
This will log out all users whose last active timestamp value is less than the timeout value. If you wanted to alter this so just administrators get logged out automatically, it would be easy enough to add a conditional statement that checked to see if the user name has a user level of 9 before checking the timestamp against the timeout.
Has anyone else added anything like this to their script? I am curious to see how else it could have been done.
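One way the same idle-timeout check could be done, as an added example that is not part of the original post or of the login script it modifies: the expiry decision is pulled into a small pure function so the level-9 variant mentioned above is a one-line change, the queries use PDO prepared statements instead of interpolating the username, and the redirect is followed by exit so the timestamp is not refreshed after the session has been judged expired. It assumes a PDO connection `$pdo`, a `userlevel` column holding the user level, and a hypothetical `ADMIN_TIMEOUT` constant (minutes) alongside the script's `USER_TIMEOUT`.

```php
<?php
// Added example, not the login script's own code.
// Assumptions: $pdo is a PDO connection; TBL_USERS has `username`, `userlevel`
// and `timestamp` columns; ADMIN_TIMEOUT is a hypothetical constant (minutes)
// defined next to USER_TIMEOUT in constants.php.

/**
 * True when the stored last-activity time is older than the allowed idle window.
 * Administrators (user level 9) get the shorter ADMIN_TIMEOUT window.
 * Kept free of database access so it can be tested on its own.
 */
function sessionExpired(int $lastActive, int $now, int $userLevel): bool
{
    $minutes = ($userLevel === 9) ? ADMIN_TIMEOUT : USER_TIMEOUT;
    return $lastActive < $now - $minutes * 60;
}

function addActiveUser(PDO $pdo, string $username, int $now): void
{
    // Prepared statement: the username is bound as a parameter, never
    // concatenated into the SQL string.
    $stmt = $pdo->prepare(
        "SELECT userlevel, timestamp FROM " . TBL_USERS . " WHERE username = ?"
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false
        && sessionExpired((int) $row['timestamp'], $now, (int) $row['userlevel'])) {
        // Hand off to process.php for the actual logout, then stop executing.
        // Without exit the UPDATE below would still run and refresh the
        // timestamp, and the calling page would keep rendering for an
        // expired session.
        header("Location: ./process.php");
        exit;
    }

    // Only a session that is still within its idle window gets its
    // last-activity timestamp moved forward.
    $stmt = $pdo->prepare(
        "UPDATE " . TBL_USERS . " SET timestamp = ? WHERE username = ?"
    );
    $stmt->execute([$now, $username]);
}
```

The TRACK_VISITORS / TBL_ACTIVE_USERS bookkeeping from the original function would follow the UPDATE unchanged; it is omitted here to keep the timeout logic in view.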