Hello all. I am writing my first Firefox extension and I have some questions. Maybe someone can help.

I have a website which requires login. The sign-in is one user per login type. So if I am logged in with the username "tom" from one PC and go to another PC and try to log in with the same details, it fails. When I click the log-out button from my authenticated page, the new location executes a PHP function to log out the user (updates the "logged" status of the user in MySQL). The problem is that if a user is logged in from his work desk and surfing the page, then suddenly gets a call from a friend to quickly grab lunch in his break and has to meet him in a short time, he just clicks the X (close) button in Firefox, forgetting to press the log-out button, so the status of the logged is still 1. Later on, if he wants to access the page again from home, he won't be able to log in.

So, I need to grab the "close" event from Firefox somehow. I am thinking about looking for the ones that contain the "website.com" domain only. Then, if a tab is closed or the main window of Firefox is closed, send a unique key and the username to that URL that logs out the user, and the problem may be solved. I don't know if this is possible. Please post any idea (followed by code if you can) for this extension to be built.

Thank you.

+3  A: 

By design, this is wrong.

If a user's PC crashes (hard disk failure, power failure) your plugin won't be able to log out the user. And so, the user won't be able to log in on any PC.

--

Let's revisit the premise,

a. why does logging in from another PC need to fail?

b. How about invalidating the login from the previous PC (log out) when the user logs in to another PC? This is kind of like how chat applications like Yahoo! Messenger work.

From your answers, here's what I would suggest: if the user is logged in on another PC, warn and present the user with options:

  • cancel logging in
  • forcibly log out the other user and proceed to logging in
moogs
I would also add that logins should expire after a certain amount of time or just a certain amount of time of inactivity.
Daniel Straight
a. Because each username is generating content gathered from multiple tables into one temporary table. If 2 users are logged in, then one user would generate something and the other user would generate something else, so when they need to see the result, each would see the other's selection result, so this is wrong. b. If one user is composing a message for like 5 minutes and in the meantime the 2nd user logs in, the 1st user would be logged = 0 in the database. The new user would browse happily, the 1st user would click "Send message" and an error saying "You are not logged in." would come up.
Manny Calavera
Additional info: It's for a company. Each department has a username. Each employee can use it but one at a time. Thanks.
Manny Calavera
see my updated answer
moogs
I thought of that but I kept it as a last choice. I am thinking about the Yahoo Webmessenger: how do they automatically sign you out after you close the browser tab or main window? I mean that instant, not later... Beats me..
Manny Calavera
+1 for this answer, warning of a previous session to me is the simplest technique to apply, better still combine time out + warning before logging.
gath
It's wrong by design indeed. If you have some per-session state just keep it separate for different sessions and don't identify it with a user id.
Gleb
A better implementation would be to implement some sort of locking on the records you say should not be edited at the same time.
moogs
+1  A: 

Logging the user out after a certain time of inactivity is the (application or web) server's responsibility, not (only) the client-browser's. This is called a session timeout.

You might be able to avoid the timeout by a browser implementation as you describe it, but this should not be the primary solution.

Here's an off hand approach you might take:
In your case I would include a timestamp in the table where the 'locked' state is stored. Every time a user does an action, that timestamp is updated. When you try to log in again and the timestamp is older than a certain threshold (e.g. 15 min), your login code should silently log out the previous user.

lexu
Yes, but a user may take 30 mins to read an article and would be logged off by another user as he is still reading.
Manny Calavera
The user session/login is apparently a scarce resource. Allowing a user to block it inactively ("read an article for 30min") would dictate individual logins, not one per department.
lexu
Patrick Gryciuk's solution looks good! Pinging every 1-2 minutes just to refresh the timestamp would keep the session open while the browser is open, but close the session if the user closes the browser or hibernates the computer. I'm not too sure what happens if the user locks his Windows session (Windows key + L), though. Does the browser still refresh?
lexu
+1  A: 

You could use ajax that would ping a page on the site - all the session info will be passed and you can verify that the user still has an active browser/page open. If Firefox crashes it won't be able to ping the website anymore and the session could time-out after 15 minutes. I think that allowing a forced logout on another sign-in would be best. Usually when I leave work at the end of the day I wouldn't close all the programs or logout or anything - just lock my computer to prevent anyone from using it. Next morning I come back with all my programs still running so I can continue where I left off.

BTW, Yahoo Web messenger probably uses some form of session-based cookies. That is, cookies are stored in memory and are gone when the tab or browser are closed.

Patrick Gryciuk
Hmmmm... how about Java? Do you think I can use a servlet on my page to grab the window close actions and do something like post some values to a PHP file on my server? Thanks.
Manny Calavera
Servlets are server-side and are equivalent to something like PHP or CGI. Applets are client-side and you could do pretty much anything with a signed applet (even operating-system specific functions... but it gets complicated). IMO the easiest solution for you (short of letting more than one user log in, or having forced logouts) is to use ajax to ping the server and have a session timeout after a while.
Patrick Gryciuk
Yeah, but won't that create more load on the server? I mean... how many seconds should I set?
Manny Calavera
Well, you can set the ping time to something high. It would depend on what kind of timeout you think is reasonable. 10 minutes would be plenty for scenarios where a user hastily closes the browser to leave work, but it would be annoying for a user who restarts his computer without having properly logged out and wants to access the site right away (they would wait a few more minutes). The load on the server will be minimal. The server doesn't need to send a formatted reply, and updates to the session time (whether db or file based) would use indexed lookups (quick).
Patrick Gryciuk
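The timestamp-based lock from lexu's answer and the ajax ping from Patrick Gryciuk's answer, combined with the forced-logout option, as an added example that is not code from any of the posters. It assumes a Node.js server; the in-memory `Map` stands in for the MySQL table, and `AccountLock`, its method names and the `force` option are hypothetical.

```javascript
const { randomBytes, timingSafeEqual } = require("crypto");

const IDLE_LIMIT_MS = 15 * 60 * 1000; // the 15 min threshold suggested above

class AccountLock {
  constructor(now = () => Date.now()) {
    this.now = now;           // injectable clock so expiry can be exercised
    this.holders = new Map(); // username -> { token, lastSeen } (assumed schema)
  }

  // Grants the account if it is free, stale, or the caller chose to take over.
  login(username, { force = false } = {}) {
    const held = this.holders.get(username);
    const stale = held && this.now() - held.lastSeen > IDLE_LIMIT_MS;
    if (held && !stale && !force) return { ok: false, reason: "in_use" };
    // A fresh random token replaces the old one, so the previous
    // holder's session stops validating on its next request.
    const token = randomBytes(32).toString("hex");
    this.holders.set(username, { token, lastSeen: this.now() });
    return { ok: true, token };
  }

  // Called on every page request and by the periodic ajax ping.
  touch(username, token) {
    const held = this.holders.get(username);
    if (!held || !this.matches(held.token, token)) return false;
    if (this.now() - held.lastSeen > IDLE_LIMIT_MS) {
      this.holders.delete(username); // expired: same effect as a logout
      return false;
    }
    held.lastSeen = this.now();
    return true;
  }

  logout(username, token) {
    const held = this.holders.get(username);
    if (!held || !this.matches(held.token, token)) return false;
    return this.holders.delete(username);
  }

  // Constant-time comparison of session tokens.
  matches(a, b) {
    const x = Buffer.from(String(a)), y = Buffer.from(String(b));
    return x.length === y.length && timingSafeEqual(x, y);
  }
}
```

Because the lock is keyed to a per-login token rather than the username alone, a request from the evicted browser fails `touch` and can be sent back to the login page.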
+1  A: 

In order to receive a notice about the tab being closed, you'll want to do something like this sample code. However, instead of listening for load, you'll want to listen for unload.

When you do end up getting notified about unload, you'll have to do a request to the logout page just like the web application does. You can figure out what the location of the document that is unloading is by checking aEvent.originalTarget.location.href. Note that aEvent.originalTarget will give you the document object of the tab that is closing. You'll then want to use an XMLHttpRequest for this in your event handler.

sdwilsh
A: 

Just enable the user to re-login from another machine. And if you get a request from the user on the first machine, ask him to re-login too. So you get a single logged-in user at a time.

Kamarey
Are you kidding me?
Manny Calavera
No, why? What's the problem with doing this?
Kamarey
They would keep logging each other out... Yes, it's just one user logged in at a time, but none of them would be comfortable working.
Manny Calavera
But this is the same "instance" of the user. How could he work from two machines at a time? This is a standard flow, it wasn't invented by me.
Kamarey
There are more than 1 user that are using the same username. I just want them to be logged in one at a time and not to kick each other out. I think I'll give them a choice window: to log the other user out or to stay put.
Manny Calavera
Sorry, didn't understand about "many user per account" before.
Kamarey