

how to control access

Posted on 2002-06-27
Medium Priority
Last Modified: 2006-11-17
I have a program written in PHP and MySQL for a company that runs on their intranet. I can restrict access to the main part of the program using Apache. My problem is in one part of the program: it allows users to create an invoice based on products that are available. The problem is I want the program to only allow one person at a time access to this part of the program. So how do I go about this? It must ask the user for a username and password. Then it must know when they are done so it will make it available again to others. I have concerns about what happens if the user doesn't exit properly or their computer crashes; the program must recognize this and log them off automatically. Maybe you could set a time limit.

Has anyone ever done this? If so, can you please tell me what you did and post any code if possible.

I have never really used sessions or cookies in my scripts.

Thanks Onestar
Question by:onestar
LVL 40

Expert Comment

by:Richard Quadling
ID: 7115944

When the user goes into the page that creates invoices, check to see if the "In Use" flag you will have just created in a control table is set.

If it is set, then say, someone else is logged in.

If it is not set, then set it.

Ideally, you would want to do this in a single query and check the results.

UPDATE ControlTable SET InUse = "Y" WHER InUse = "N";

Then check the rows affected/record count values to see if the query actually worked.

If it DID work, then the InUse flag is now set. If it did not work, then the flag was already set.

On the way out of an invoice, you do same sort of thing.

UPDATE ControlTable SET InUse = "N" WHER InUse = "Y";

Problem: What happens if the user forgets to "logout" or simply closes the browser?

You will need to be able to clear the in-use flag manually.

Question - Why only 1 user at a time?



Author Comment

ID: 7117475
I have products that get rented out. So once the user goes to the create invoice page, it lists all the products available. Then they pick what products they want to rent, then they create the invoice. I do not want someone to try to rent out the same thing at the same time. If they are talking to a customer at the time and at first it looks like it is available, but by the time they are done filling out all the info and confirm, it might be gone and they will look kind of dumb and the customer will say "but you just said it was available". You know how disappointed people can get.

I agree with your idea but it cannot have a manual logout.
It has to know they closed the browser in the middle or their computer froze or they left to eat and never came back. You get my point.

That's why there needs to be a time limit, or it can tell if the connection gets dropped and resets the flag.

I wonder if it would be better to do it through MySQL. I am just thinking here. I wonder if you can create a user and set it so only one single user can log in at a time with this username. And you can set an active time limit. I am pretty sure there is a default time limit in MySQL. If you are logged in and you don't do anything for a while it will kick you out.

LVL 40

Expert Comment

by:Richard Quadling
ID: 7121308
If a machine hangs, there is nothing you can do to detect it.

You can use the onUnload="" javascript parameter to the <body> tag to open a new window with a url that logs the user out.


You create a page that will log the current user out.

Your main pages have ...

<body onUnload="window.open('');return true">

sort of thing.

The logout page SHOULD do the logout and then have JS to close the window, or you could just leave the page up, saying they have been successfully logged out.

But, you can get pop-up blockers, so that would be a pain too.

I think the safest way is to use very short term sessions, which are reset every time they load a page.

I've not yet tried doing realtime processing in PHP. I write commercial EPOS software and all of it is realtime, so 1 till knows when an item is sold by another till as all the data is on the server and accessible instantly.

You can add a redirect to the header ...

<meta http-equiv="refresh" content="360;url=too_long.php">

After 6 minutes (360 seconds), the page will be forced to too_long.php.

Another way is to change the way in which you process the invoices.

Allow multiple users and instead of thinking of them as "bookings", think of it as "checking availability".

If they CAN have it then mark it as booked for that user.

If they can't then don't worry, say it is "unavailable".

Reservations like this last, say 10 minutes. After that, the item is available again, UNLESS an invoice is processed to completion.

I use this sort of thing within the EPOS system. I call it allocation. We have 10 items in stock, the operator scans the items which mark the items as allocated. If negative stock is disallowed, then the allocated amount cannot exceed the actual amount. When the invoice is posted (sent to the accounting system), the actual stock and the allocated stock are reduced at the same time.

New stock coming in only affects the actual stock level.

If a sale is cancelled, I downgrade the allocated level.

Hope this is of some help.


Richard Quadling.
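
The allocation scheme described in this comment can be enforced with guarded UPDATE statements, so the availability check and the change happen in one atomic step. This is an added example, not code from the thread: the `Stock` table, its columns and the function names are assumptions, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example; table and column names are assumed, not from the thread.

// Run one guarded UPDATE and report whether it changed the row.
function guardedUpdate(PDO $db, string $sql, array $params): bool
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount() === 1;
}

// Operator adds items to an invoice. The availability check and the
// increment are one statement, so two operators cannot both pass a
// separate "is it free?" read and allocate the same stock.
function allocate(PDO $db, int $item, int $qty): bool
{
    return guardedUpdate($db,
        'UPDATE Stock SET Allocated = Allocated + ?
          WHERE ItemId = ? AND Allocated + ? <= Actual',
        [$qty, $item, $qty]);
}

// Sale cancelled: hand the allocation back, never below zero.
function cancelAllocation(PDO $db, int $item, int $qty): bool
{
    return guardedUpdate($db,
        'UPDATE Stock SET Allocated = Allocated - ?
          WHERE ItemId = ? AND Allocated >= ?',
        [$qty, $item, $qty]);
}

// Invoice posted: actual and allocated stock drop in the same statement.
function postInvoice(PDO $db, int $item, int $qty): bool
{
    return guardedUpdate($db,
        'UPDATE Stock SET Actual = Actual - ?, Allocated = Allocated - ?
          WHERE ItemId = ? AND Allocated >= ?',
        [$qty, $qty, $item, $qty]);
}

// Constructed demo on in-memory SQLite so it runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Stock (ItemId INTEGER PRIMARY KEY, Actual INTEGER, Allocated INTEGER)');
$db->exec('INSERT INTO Stock VALUES (1, 10, 0)');
var_dump(allocate($db, 1, 7));         // first operator takes 7 of 10
var_dump(allocate($db, 1, 4));         // second operator asks for 4 more
var_dump(cancelAllocation($db, 1, 2)); // first operator removes 2
var_dump(postInvoice($db, 1, 5));      // first operator posts the rest
```

A `false` return means the guard rejected the change, which is the point at which the page should report the item as unavailable.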



Expert Comment

ID: 7123892
This would work...

Do what rquadling says...
UPDATE ControlTable SET InUse = "Y" WHER InUse = "N";

But change this so that it also sets the current time ...

UPDATE ControlTable SET InUse = "Y", TimeSet = time WHERE InUse = "N" OR TimeSet < (time - 300);

300 = 300 seconds ... or 5 minutes.

or you could break it into 2 separate update commands...try rquadling's one first...if it fails, then try the second one...if that also fails, then it is locked and not timed out...if it succeeds, then warn the user that someone may be stuffing around with it...I also usually stick in the machine name that set the lock so that the user can be hunted down and shot. ;-)
LVL 40

Expert Comment

by:Richard Quadling
ID: 7124054
Oops. Watch out for my spelling mistake ...




Expert Comment

ID: 7124084
At least it was a faithful representation of your work - and fully acknowledged may I add. ;-)

Author Comment

ID: 7124458
Ok I will give it a try. Do you guys ever use the lock command in mysql?

LVL 40

Accepted Solution

Richard Quadling earned 400 total points
ID: 7124468
I haven't but basically a lock is put on the table whilst the client is connected or you issue another lock or you issue unlock.

A quick snippet from the MySQL manual ...

Normally, you don't have to lock tables, as all single UPDATE statements are atomic; no other thread can interfere with any other currently executing SQL statement. There are a few cases when you would like to lock tables anyway:

If you are going to run many operations on a bunch of tables, it's much faster to lock the tables you are going to use. The downside is, of course, that no other thread can update a READ-locked table and no other thread can read a WRITE-locked table. The reason some things are faster under LOCK TABLES is that MySQL will not flush the key cache for the locked tables until UNLOCK TABLES is called (normally the key cache is flushed after each SQL statement). This speeds up inserting/updating/deletes on MyISAM tables.
If you are using a table handler in MySQL that doesn't support transactions, you must use LOCK TABLES if you want to ensure that no other thread comes between a SELECT and an UPDATE. The example shown here requires LOCK TABLES in order to execute safely:
mysql> LOCK TABLES trans READ, customer WRITE;
mysql> SELECT SUM(value) FROM trans WHERE customer_id=some_id;
mysql> UPDATE customer SET total_value=sum_from_previous_statement
    ->        WHERE customer_id=some_id;

Without LOCK TABLES, there is a chance that another thread might insert a new row in the trans table between execution of the SELECT and UPDATE statements.
By using incremental updates (UPDATE customer SET value=value+new_value) or the LAST_INSERT_ID() function, you can avoid using LOCK TABLES in many cases.

Hope this helps a bit.


Expert Comment

ID: 7124475
locking is for when there is the risk of multiple people updating the same data at the same time.  In this instance, it would be good to use it...but you need to remember to unlock too...and if your app crashes, you may get left with locks to clear up.  I'd just include a username or machine name to uniquely identify who ended up scoring the lock (assuming both updates come back as success!) and then rechecking the table after the update to ensure that we were good to go.
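
The timed in-use flag from the comments above, with the holder recorded as this comment suggests, fits in one atomic UPDATE per operation. This is an added example, not code from the thread: the `Owner` column, `LOCK_TTL` and the function names are assumptions, the owner string is assumed to be the authenticated username, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example; the Owner column and function names are assumed.
const LOCK_TTL = 300; // seconds, the 5 minutes used in the thread

// One atomic statement takes the lock if it is free, already held by
// this owner (call it on every page load to refresh the timer), or
// older than LOCK_TTL because the holder closed the browser or crashed.
function acquireLock(PDO $db, string $owner, int $now): bool
{
    $stmt = $db->prepare(
        "UPDATE ControlTable SET InUse = 'Y', Owner = :o1, TimeSet = :now
          WHERE InUse = 'N' OR Owner = :o2 OR TimeSet < :stale"
    );
    $stmt->execute([':o1' => $owner, ':now' => $now,
                    ':o2' => $owner, ':stale' => $now - LOCK_TTL]);
    return $stmt->rowCount() === 1;
}

// Only the recorded holder can release, so a user whose lock timed out
// cannot clear a lock that has since passed to someone else.
function releaseLock(PDO $db, string $owner): bool
{
    $stmt = $db->prepare(
        "UPDATE ControlTable SET InUse = 'N', Owner = NULL
          WHERE InUse = 'Y' AND Owner = :o"
    );
    $stmt->execute([':o' => $owner]);
    return $stmt->rowCount() === 1;
}

// Constructed demo; timestamps are passed in so the run is repeatable.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ControlTable (InUse TEXT NOT NULL, Owner TEXT, TimeSet INTEGER NOT NULL)");
$db->exec("INSERT INTO ControlTable VALUES ('N', NULL, 0)");
$t = 1000000;
var_dump(acquireLock($db, 'alice', $t));       // lock is free
var_dump(acquireLock($db, 'bob', $t + 60));    // alice holds a fresh lock
var_dump(acquireLock($db, 'alice', $t + 200)); // alice loads another page
var_dump(releaseLock($db, 'bob'));             // bob is not the holder
var_dump(acquireLock($db, 'bob', $t + 501));   // alice idle for over 300 s
var_dump(releaseLock($db, 'alice'));           // lock has passed to bob
```

On a live server, take the timestamp from a single clock (for example the database server's) so that several web hosts agree on when a lock has gone stale.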
LVL 11

Expert Comment

ID: 9643625
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Split: rquadling/rogerhammond
Please leave any comments here within the next seven days.
Sam Barnum
EE Cleanup Volunteer              


Question has a verified solution.
