Solved

how to control access

Posted on 2002-06-27
10
207 Views
Last Modified: 2006-11-17
I have a program writen in php and mysql for a company that runs on their intranet. I can restrict access to the main part of the program using apache.  My problem is in one part of the program it allows users to create a invoice base on products that are available. The problem is I want the program to only allow one person at a time access to this part of the program. So how do I go about this? It must ask the user for a username and password. Then it must know when they are done so it will make it avaiable again to others. I have concerns to what if the user doesn't exit properly or there computer crash the program must reconize this and log them off automaticlly. Maybe you could set a time limit.

Has anyone ever does this if so can you please tell me what you did and post any code if possiable.

I have never really used sessions or cookies in my scripts.

Thanks Onestar
0
Comment
Question by:onestar
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 40

Expert Comment

by:RQuadling
Comment Utility
Firstly.

When the user goes into the page that creates invoices, check to see if the "In Use" flag you will have just created in a control table is set.

If it is set, then say, someone else is logged in.

If it is not set, then set it.

Ideally, you would want to do this in a single query and check the results.

UPDATE ControlTable SET InUse = "Y" WHER InUse = "N";

Then check the rows affected/record count values to see if the query actually worked.

If it DID work, then the InUse flag is now set. If it did not work, then the flag was already set.


On the way out of an invoice, you do same sort of thing.

UPDATE ControlTable SET InUse = "N" WHER InUse = "Y";


Problem: What happens if the user forgets to "logout" or simply closes the browser?

You will need to be able to clear the in-use flag manually.



Question - Why only 1 user at a time?

Richard.


0
 
LVL 1

Author Comment

by:onestar
Comment Utility
I have products that get rented out. So once the user goes to the create invoice page is list all the products available. Then they pick what products they want to rent then they create the invoice. I do not want someone to try to rent out the same thing at the same time. If they are talking to a customer at the time and at first it looks like it is available but by the time they are done filling out all the info and confirm it might be gone and they will look kind of dumb and the customer will say "but you just said it was available" you know how disapointed people can get.


I agree to your idea but it cannot have a manual logout.
It has to know they closed the broswer in the middle or there computer froze or they left to eat and never came back. You get my point.

That's why there needs to be a time limit or it can tell if the connection get dropped and resets the flag.

I wonder if it would be better to do it through mysql. I am just thinking hear. I wonder if you can create a user and set it so only one single user can log in at a time with this username. And you can set a active time limit. I am pretty sure there is a default time limit in mysql. If you  are logged and you don't do anything for a while it will kick you out.

Onestar
 
0
 
LVL 40

Expert Comment

by:RQuadling
Comment Utility
If a machine hangs, there is nothing you can do to detect it.

You can use the onUnload="" javascript parameter to the <body> tag to open a new window with a url that logs the user out.

e.g.

You create a page that will log the current user out.

Your main pages have ...

<body onUnload="javascript:open.window('http://www.site.com/logout.php');return true">

sort of thing.

The logout page SHOULD do the logout and then have JS to close the window, or you could just leave the page up, saying they have been successfully logged out.

But, you can get pop-up blockers, so that would be a pain too.

I think the safest way is to use very short term sessions, which are reset everytime they load a page.

I've not yet tried doing realtime processing in PHP. I write commercial EPOS software and all of it is realtime, so 1 till knows when an item is sold by another till as all the data is on the server and accessible instantly.



You can add a redirect to the header ...

<meta name="redirect" value="360;http://www.site.com/too_long.php">

After 6 minutes (360 seconds), the page will be forced to too_long.php.



Another way is to change the way in which you process the invoices.

Allow multiple users and instead of thinking of them as "bookings", think of it as "checking availability".

If they CAN have it then mark it as booked for that user.

If they can't then don't worry, say it is "unavailable".

Reservations like this last, say 10 minutes. After that, the item is available again, UNLESS an invoice is processed to completion.

I use this sort of thing within the EPOS system. I call it allocation. We have 10 items in stock, the operator scans the items which mark the items as allocated. If negative stock is disallowed, then the allocated amount cannot exceed the actual amount. When the invoice is posted (sent to the accounting system), the actual stock and the allocated stock are reduced at the same time.

New stock coming in only affects the actual stock level.

If a sale is cancelled, I downgrade the allocated level.


Hope this is of some help.

Regards,

Richard Quadling.

0
 
LVL 2

Expert Comment

by:rogerhammond
Comment Utility
This would work...

Do what rquadling says...
UPDATE ControlTable SET InUse = "Y" WHER InUse = "N";

But change this so that it also sets the current time ...

UPDATE ControlTable SET InUse = "Y", TimeSet = time WHERE InUse = "N" OR TimeSet > (time - 300);

300 = 300 seconds ... or 5 minutes.

or you could break it into 2 separate update commands...try rquadling's one first...if it fails, then try the second one...if that also fails, then it is locked and not timed out...if it succeeds, then warn the user that someone may be stuffing around with it...I also usually stick in the machine name that set the lock so that the user can be hunted down and shot. ;-)
0
 
LVL 40

Expert Comment

by:RQuadling
Comment Utility
Oops. Watch out for my spelling mistake ...

WHER -> WHERE

Regards,

Richard.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 2

Expert Comment

by:rogerhammond
Comment Utility
At least it was a faithful representation of your work - and fully acknowledged may I add. ;-)
0
 
LVL 1

Author Comment

by:onestar
Comment Utility
Ok I will give it a try. Do you guys ever use the lock command in mysql?

Onestar
0
 
LVL 40

Accepted Solution

by:
RQuadling earned 100 total points
Comment Utility
I haven't but basically a lock is put on the table whilst the client is connected or you issue another lock or you issue unlock.

A quick snippet from the MySQL manual ...


Normally, you don't have to lock tables, as all single UPDATE statements are atomic; no other thread can interfere with any other currently executing SQL statement. There are a few cases when you would like to lock tables anyway:

If you are going to run many operations on a bunch of tables, it's much faster to lock the tables you are going to use. The downside is, of course, that no other thread can update a READ-locked table and no other thread can read a WRITE-locked table. The reason some things are faster under LOCK TABLES is that MySQL will not flush the key cache for the locked tables until UNLOCK TABLES is called (normally the key cache is flushed after each SQL statement). This speeds up inserting/updateing/deletes on MyISAM tables.
If you are using a table handler in MySQL that doesn't support transactions, you must use LOCK TABLES if you want to ensure that no other thread comes between a SELECT and an UPDATE. The example shown here requires LOCK TABLES in order to execute safely:
mysql> LOCK TABLES trans READ, customer WRITE;
mysql> SELECT SUM(value) FROM trans WHERE customer_id=some_id;
mysql> UPDATE customer SET total_value=sum_from_previous_statement
    ->        WHERE customer_id=some_id;
mysql> UNLOCK TABLES;

Without LOCK TABLES, there is a chance that another thread might insert a new row in the trans table between execution of the SELECT and UPDATE statements.
By using incremental updates (UPDATE customer SET value=value+new_value) or the LAST_INSERT_ID() function, you can avoid using LOCK TABLES in many cases.


Hope this helps a bit.

Richard.
0
 
LVL 2

Expert Comment

by:rogerhammond
Comment Utility
locking is for when there is the risk of multiple people updating the same data at the same time.  In this instance, it would be good to use it...but you need to remember to unlock too...and if your app crashes, you may get left with locks to clear up.  I'd just include a username or machine name to uniquely identify who ended up scoring the lock (assuming both updates come back as success!) and then rechecking the table after the update to ensure that we were good to go.
0
 
LVL 11

Expert Comment

by:shmert
Comment Utility
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Split: rquadling/rogerhammond
Please leave any comments here within the next seven days.
               
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
               
Sam Barnum
EE Cleanup Volunteer              
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This article discusses how to create an extensible mechanism for linked drop downs.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now