onestar

how to control access

I have a program written in PHP and MySQL for a company that runs on their intranet. I can restrict access to the main part of the program using Apache. My problem is that one part of the program allows users to create an invoice based on products that are available. The problem is I want the program to only allow one person at a time access to this part of the program. So how do I go about this? It must ask the user for a username and password. Then it must know when they are done so it will make it available again to others. I have concerns about what happens if the user doesn't exit properly or their computer crashes; the program must recognize this and log them off automatically. Maybe you could set a time limit.

Has anyone ever done this? If so, can you please tell me what you did and post any code if possible.

I have never really used sessions or cookies in my scripts.

Thanks Onestar
Richard Quadling

Firstly.

When the user goes into the page that creates invoices, check to see if the "In Use" flag you will have just created in a control table is set.

If it is set, then say, someone else is logged in.

If it is not set, then set it.

Ideally, you would want to do this in a single query and check the results.

UPDATE ControlTable SET InUse = "Y" WHER InUse = "N";

Then check the rows affected/record count values to see if the query actually worked.

If it DID work, then the InUse flag is now set. If it did not work, then the flag was already set.


On the way out of an invoice, you do the same sort of thing.

UPDATE ControlTable SET InUse = "N" WHER InUse = "Y";


Problem: What happens if the user forgets to "logout" or simply closes the browser?

You will need to be able to clear the in-use flag manually.



Question - Why only 1 user at a time?

Richard.


onestar

ASKER

I have products that get rented out. So once the user goes to the create invoice page, it lists all the products available. Then they pick what products they want to rent, then they create the invoice. I do not want someone to try to rent out the same thing at the same time. If they are talking to a customer at the time and at first it looks like it is available, but by the time they are done filling out all the info and confirm, it might be gone and they will look kind of dumb and the customer will say "but you just said it was available". You know how disappointed people can get.


I agree with your idea but it cannot have a manual logout.
It has to know they closed the browser in the middle or their computer froze or they left to eat and never came back. You get my point.

That's why there needs to be a time limit, or it can tell if the connection gets dropped and resets the flag.

I wonder if it would be better to do it through MySQL. I am just thinking here. I wonder if you can create a user and set it so only one single user can log in at a time with this username. And you can set an active time limit. I am pretty sure there is a default time limit in MySQL. If you are logged in and you don't do anything for a while it will kick you out.

Onestar
 
If a machine hangs, there is nothing you can do to detect it.

You can use the onUnload="" javascript parameter to the <body> tag to open a new window with a url that logs the user out.

e.g.

You create a page that will log the current user out.

Your main pages have ...

<body onUnload="javascript:window.open('http://www.site.com/logout.php');return true">

sort of thing.

The logout page SHOULD do the logout and then have JS to close the window, or you could just leave the page up, saying they have been successfully logged out.

But, you can get pop-up blockers, so that would be a pain too.

I think the safest way is to use very short term sessions, which are reset every time they load a page.

I've not yet tried doing realtime processing in PHP. I write commercial EPOS software and all of it is realtime, so 1 till knows when an item is sold by another till as all the data is on the server and accessible instantly.



You can add a redirect to the header ...

<meta http-equiv="refresh" content="360;url=http://www.site.com/too_long.php">

After 6 minutes (360 seconds), the page will be forced to too_long.php.



Another way is to change the way in which you process the invoices.

Allow multiple users and instead of thinking of them as "bookings", think of it as "checking availability".

If they CAN have it then mark it as booked for that user.

If they can't then don't worry, say it is "unavailable".

Reservations like this last, say 10 minutes. After that, the item is available again, UNLESS an invoice is processed to completion.

I use this sort of thing within the EPOS system. I call it allocation. We have 10 items in stock, the operator scans the items which mark the items as allocated. If negative stock is disallowed, then the allocated amount cannot exceed the actual amount. When the invoice is posted (sent to the accounting system), the actual stock and the allocated stock are reduced at the same time.

New stock coming in only affects the actual stock level.

If a sale is cancelled, I downgrade the allocated level.


Hope this is of some help.

Regards,

Richard Quadling.
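
The allocation scheme described in the post above, written out as an added example (not code from the thread). It uses Python with an in-memory SQLite database in place of PHP/MySQL so it runs stand-alone; the `stock` table, its columns, the sample SKU and all function names are assumptions.

```python
import sqlite3

def make_db():
    """In-memory stock table; table and column names are assumed for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stock (sku TEXT PRIMARY KEY, actual INTEGER NOT NULL, "
               "allocated INTEGER NOT NULL DEFAULT 0)")
    db.execute("INSERT INTO stock (sku, actual) VALUES ('TENT-4P', 10)")  # constructed row
    db.commit()
    return db

def _apply(db, qty, sql, params):
    """Run one conditional UPDATE; True only if it changed exactly one row."""
    if qty <= 0:  # reject zero/negative quantities before they reach the counters
        return False
    cur = db.execute(sql, params)
    db.commit()
    return cur.rowcount == 1

def allocate(db, sku, qty):
    """Operator picks items: allowed only while allocated stays within actual."""
    return _apply(db, qty,
                  "UPDATE stock SET allocated = allocated + ? "
                  "WHERE sku = ? AND allocated + ? <= actual", (qty, sku, qty))

def cancel(db, sku, qty):
    """Sale cancelled: hand the allocation back, never going below zero."""
    return _apply(db, qty,
                  "UPDATE stock SET allocated = allocated - ? "
                  "WHERE sku = ? AND allocated >= ?", (qty, sku, qty))

def post_invoice(db, sku, qty):
    """Invoice posted: actual and allocated are reduced in the same statement."""
    return _apply(db, qty,
                  "UPDATE stock SET actual = actual - ?, allocated = allocated - ? "
                  "WHERE sku = ? AND allocated >= ?", (qty, qty, sku, qty))

def receive(db, sku, qty):
    """New stock coming in only affects the actual level."""
    return _apply(db, qty,
                  "UPDATE stock SET actual = actual + ? WHERE sku = ?", (qty, sku))

def levels(db, sku):
    """Return (actual, allocated, free) for the availability display."""
    actual, allocated = db.execute(
        "SELECT actual, allocated FROM stock WHERE sku = ?", (sku,)).fetchone()
    return actual, allocated, actual - allocated
```

Because every check lives in the `WHERE` clause of the statement that makes the change, two operators allocating at the same moment cannot both succeed past the stock limit.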

This would work...

Do what rquadling says...
UPDATE ControlTable SET InUse = "Y" WHER InUse = "N";

But change this so that it also sets the current time ...

UPDATE ControlTable SET InUse = "Y", TimeSet = time WHERE InUse = "N" OR TimeSet < (time - 300);

300 = 300 seconds ... or 5 minutes.

or you could break it into 2 separate update commands...try rquadling's one first...if it fails, then try the second one...if that also fails, then it is locked and not timed out...if it succeeds, then warn the user that someone may be stuffing around with it...I also usually stick in the machine name that set the lock so that the user can be hunted down and shot. ;-)
Oops. Watch out for my spelling mistake ...

WHER -> WHERE

Regards,

Richard.
At least it was a faithful representation of your work - and fully acknowledged may I add. ;-)
onestar

ASKER

Ok I will give it a try. Do you guys ever use the lock command in mysql?

Onestar
Locking is for when there is the risk of multiple people updating the same data at the same time. In this instance, it would be good to use it...but you need to remember to unlock too...and if your app crashes, you may get left with locks to clear up. I'd just include a username or machine name to uniquely identify who ended up scoring the lock (assuming both updates come back as success!) and then rechecking the table after the update to ensure that we were good to go.
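
The timed "in use" flag with an owner recorded, combining the 5-minute timeout comment earlier in the thread with the suggestion above to store who took the lock, as an added example (not code from the thread). It uses Python with in-memory SQLite in place of PHP/MySQL so it runs stand-alone; the `Owner` column, the random token and the function names are assumptions.

```python
import sqlite3
import secrets

LEASE_SECONDS = 300  # the 5-minute timeout suggested in the thread

def make_db():
    """In-memory stand-in for ControlTable; the schema is assumed for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ControlTable (InUse TEXT NOT NULL, TimeSet INTEGER, Owner TEXT)")
    db.execute("INSERT INTO ControlTable VALUES ('N', NULL, NULL)")
    db.commit()
    return db

def acquire(db, user, now):
    """Take the flag if it is free or its lease has expired; returns a token or None."""
    token = f"{user}:{secrets.token_hex(8)}"
    cur = db.execute(
        "UPDATE ControlTable SET InUse = 'Y', TimeSet = ?, Owner = ? "
        "WHERE InUse = 'N' OR TimeSet < ?",
        (now, token, now - LEASE_SECONDS),
    )
    db.commit()
    # The rows-affected check: 1 means we won the flag, 0 means someone else holds it.
    return token if cur.rowcount == 1 else None

def renew(db, token, now):
    """Call on every page load; only the current, unexpired owner can extend the lease."""
    cur = db.execute(
        "UPDATE ControlTable SET TimeSet = ? "
        "WHERE InUse = 'Y' AND Owner = ? AND TimeSet >= ?",
        (now, token, now - LEASE_SECONDS),
    )
    db.commit()
    return cur.rowcount == 1

def release(db, token):
    """Clear the flag only if we still own it, so a stale session cannot free another's."""
    cur = db.execute(
        "UPDATE ControlTable SET InUse = 'N', TimeSet = NULL, Owner = NULL "
        "WHERE InUse = 'Y' AND Owner = ?",
        (token,),
    )
    db.commit()
    return cur.rowcount == 1

def holder(db):
    """User name currently holding the flag, for the 'someone else is logged in' page."""
    in_use, owner = db.execute("SELECT InUse, Owner FROM ControlTable").fetchone()
    return owner.rsplit(":", 1)[0] if in_use == "Y" else None
```

On MySQL the affected-rows count by default includes only rows whose values actually changed, so a renewal that writes the same `TimeSet` value reports 0 unless the client enables the found-rows option.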
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Split: rquadling/rogerhammond
Please leave any comments here within the next seven days.
               
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
               
Sam Barnum
EE Cleanup Volunteer