Hi there.
I found a strange behavior with my Drupal system - once a user hasn't logged out properly (using the logout link) and someone is trying to log in later with a different user name and password - the next user will log in to the previous user's account. How strange...
Any idea how to solve that one?

Comments

raveoli’s picture

If the user is not logged out, it is of course still that user who is active in that particular browser. Log out and the problem is solved.

fatfish’s picture

I cannot force my writers to log off, and if another user, a reader, uses the same computer later on, he will suddenly have writing permissions. Is there a way to overcome this situation (other than putting labels on PC screens saying "do not forget to log out")?

..:| Tomer Fish |:..
fatFish - Lean Mean Coding Machine

dman’s picture

... if you don't want to educate the users, you have to force them to re-authenticate each time they want to do anything interesting.

From session.inc:

  /*
  **  Be sure to adjust 'php_value session.gc_maxlifetime' to a large enough
  **   value.  For example, if you want user sessions to stay in your database
  **   for three weeks before deleting them, you need to set gc_maxlifetime
  **   to '1814400'.  At that value, only after a user doesn't log in after
  **   three weeks (1814400 seconds) will his/her session be removed.
  */

... so you want to bring that down to 20 minutes (or however long you think it takes for someone to get up from their chair and someone else to sit down)
Then, as long as nobody spends more than that length of time actually thinking about or composing a post - all will be good.

If your authors however DO have an attention span longer than a goldfish or you want actual content rather than shoutbox posts, this expiry will be annoying as it will actually trash everyone's hard-typed work if they are a second slower than your magic limit.
(It can be recovered from, but how to do so would be hard to explain to folk who can't understand the concept of logging off)

Basically, it's not a perfect solution, but it's the balance between convenience and security.

Either enter your password every page - or run the risk that someone else might NOT have to enter your password ... if you are lazy. This is why computer labs and many corporate environments enforce passworded screensavers.

Given that it sounds like you are in a shared computing environment - a REAL solution is to stop having everyone logged in as the same user. The cookie problem then takes care of itself.

.dan.

See also admin/help/user for more

fatfish’s picture

2 things remain unclear:
A. The strange thing is that a new user gets the log-in screen, and yet, once he types his user name and password he gets into the previous user's account (the one that hasn't logged out properly). Is it possible to clear that session as the first thing in the log-in process? Isn't it supposed to work that way? Is it me messing too much with the code?
B. "...span longer than a goldfish..." ?

..:| Tomer Fish |:..
fatFish - Lean Mean Coding Machine

dman’s picture

A: That does sound wrong. May be a genuine issue. I haven't tried it myself.
Things like that happen when cookie input is combined with form input - I've done so in my own code before now.

B: Goldfish are rumoured to have a memory so short that every circuit of the bowl is a new experience. I dunno how true that is. Maybe it's just because their eyes bug out at everything they see...

.dan.

lucyconnuk’s picture

How do you change php_value session.gc_maxlifetime?

Lucy C

dman’s picture

The global way in php.ini
The site-specific way in your apache httpd.conf or .htaccess
Or each time via code with ini_set()
http://nz.php.net/manual/en/configuration.changes.php

.dan.

http://www.coders.co.nz/

januario’s picture

I'd also like to see this. I have written some simple PHP to allow users to log into an account through a hyperlink. It works fine, unless the user is already logged in with a different account. If he is logged in with a different account, he is taken through the login process but the original logged-in account remains active.

Perhaps this can be accomplished by adding an automatic logout to the start of each login attempt.
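The "automatic logout at the start of each login attempt" idea, sketched in plain PHP as an added example (not code from this thread or from Drupal). `check_credentials()`, the sample account and the `uid` session key are assumptions made for the illustration.

```php
<?php
// Added example, plain PHP (not Drupal code).
// check_credentials() is a hypothetical stand-in for the site's user lookup.
function check_credentials(string $name, string $pass): ?int
{
    // Constructed sample account; a real site reads this from its user table.
    static $users = null;
    if ($users === null) {
        $users = ['writer' => ['uid' => 7,
                               'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (isset($users[$name]) && password_verify($pass, $users[$name]['hash'])) {
        return $users[$name]['uid'];
    }
    return null;
}

function handle_login(string $name, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Automatic logout first: drop whatever identity the incoming cookie's
    // session still carries, whether or not the new login succeeds.
    $_SESSION = [];
    // New session ID; true deletes the old session record as well.
    session_regenerate_id(true);

    // The account is decided by the submitted form fields only.
    $uid = check_credentials($name, $pass);
    if ($uid === null) {
        return false;            // nobody is logged in now
    }
    $_SESSION['uid'] = $uid;     // 'uid' is a key chosen for this example
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Accept only scalar string fields from the form.
    $name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
    echo handle_login($name, $pass)
        ? 'Logged in as uid ' . $_SESSION['uid']
        : 'Login failed';
}
```

Because the old session is cleared before the credentials are checked, a failed login on a shared machine also ends the previous user's session.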

januario’s picture

As you can tell from my post above, I also wanted this functionality and couldn't find it here, so I have written a script that will do this. You can find it at my site. This script is added to a post or front page and allows you to login to a different account by creating a bookmark with that account information. It has helped me as I work on Drupal and find myself repeatedly logging in/out. It also allows you to send a link to someone that will log that person in to your site.

I had done something similar to this in the past, but ran into the same problem of it not working if someone was already logged into a different account. This new version resolves that problem.

dvessel’s picture

Couldn't you just set the cache lifetime to zero inside your settings.php file? Doing so should remove how the browser remembers the site as soon as the application is quit. So just instruct them to quit the browser when they are done.

I haven't fully tested it but it works in Safari. And remember to clear the browser's cookies since they will hold their old values, which is about 23 days. Here are the lines:

/**
 * PHP settings:
 *
 * To see what PHP settings are possible, including whether they can
 * be set at runtime (ie., when ini_set() occurs), read the PHP
 * documentation at http://www.php.net/manual/en/ini.php#ini.list
 * and take a look at the .htaccess file to see which non-runtime
 * settings are used there. Settings defined here should not be
 * duplicated there so as to avoid conflict issues.
 */
ini_set('arg_separator.output',     '&');
ini_set('magic_quotes_runtime',     0);
ini_set('magic_quotes_sybase',      0);
ini_set('session.cache_expire',     200000);
ini_set('session.cache_limiter',    'none');
ini_set('session.cookie_lifetime',  2000000); // <---- set to zero
ini_set('session.gc_maxlifetime',   200000);
ini_set('session.save_handler',     'user');
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid',    0);
ini_set('url_rewriter.tags',        '');

-joon
www.dvessel.com

edit:: just noticed this is a different issue but you can see where the 'session.gc_maxlifetime' value is located.
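The 20-minute `session.gc_maxlifetime` suggested earlier in the thread and the zero `session.cookie_lifetime` suggested in this comment, combined with an explicit idle check, as an added example in plain PHP (not code from the thread or from Drupal). The `last_seen` key, the `IDLE_LIMIT` constant and the login path are assumptions of the example.

```php
<?php
// Added example, plain PHP (not Drupal code). Must run before any output.
const IDLE_LIMIT = 1200;  // 20 minutes, the figure suggested in the thread

// Runtime equivalents of the settings.php lines quoted above.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
ini_set('session.cookie_lifetime', '0');   // cookie is dropped when the browser quits
ini_set('session.use_only_cookies', '1');

/**
 * Returns true if the session is still within the idle limit.
 * gc_maxlifetime only marks old sessions as collectable; garbage collection
 * runs on a probability, so the limit is also checked here on every request.
 */
function session_is_fresh(int $now): bool
{
    $last = $_SESSION['last_seen'] ?? null;   // key chosen for this example
    if (is_int($last) && $now - $last > IDLE_LIMIT) {
        $_SESSION = [];                 // forget the idle user's identity
        session_regenerate_id(true);    // new ID, old session record deleted
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

session_start();
if (!session_is_fresh(time())) {
    header('Location: /user/login');   // hypothetical login path
    exit;
}
```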

rajaajar’s picture

I want to create two users on my website: one is an admin user and the other is a normal user. When the admin user logs in he can view all the pages, but when the normal user logs in he can view only some pages, so help me with how to create the users in PHP code.