One of the most useful security features that PHPMaker provides is the ability to disallow concurrent logins, which prevents the same account from being used at the same time, whether by the same person or by someone else. For example, if user A has already logged in and another user tries to log in with the same account, the system rejects the attempt and displays the message "User A already logged in!".
Unfortunately, this rule has a side effect. If the computer that user A is working on suddenly crashes, or if he closes the browser without logging out explicitly, he will not be able to log in when he opens a new browser window after his computer is back to normal. This happens because the system first checks the database for an active User Session ID that belongs to user A, and if one exists, it prevents him from logging in. He cannot log in until someone with Administrator level clears his Session ID from the database, or until his Session ID expires.
I think this is not a good situation: if you are the Administrator of a web application that has many users, you will be kept busy handling this issue for them at any time.
To overcome this issue, I changed the rule by customizing the PHPMaker template files. Now, when user A tries to log in while his Session ID is still active, the system automatically removes the active User Session ID from the database and immediately creates a new one. In other words, user A can log in again without waiting for an Administrator. Let the system handle the User Session ID automatically.
The next question is: what happens to browser windows that were still open from before the new rule was applied? When user A tries to continue working in those windows, the system automatically logs him out, because the User Session ID those windows are using is no longer valid. This is a normal situation, and it prevents the system from using a corrupted user profile. It also means the rule is now "the most recent login takes over the account" rather than "the second login is rejected", so the audit trail entry written for each such login is what shows that a session was displaced.
Updated on June 17, 2013: The customization below is now handled by the MasinoFixedWidthSite extension. You don’t need to implement it yourself if you use my extensions together with the original PHPMaker Template and Extension files.
- Open your \Script\phpfn.php file, and find this code:

    } else {
        $_SESSION[EW_SESSION_FAILURE_MESSAGE] = str_replace("%u", $usr, $Language->Phrase("UserLoggedIn"));
    <!--## if (PROJ.SecLogInOutAuditTrail) { ##-->
        ew_WriteAuditTrail("log", ew_StdCurrentDateTime(), ew_ScriptName(), ms_GetCurrentUserID($usr)." - ".$usr, $Language->Phrase("AuditTrailUserLoggedIn"), ew_CurrentUserIP(), "", "", "", "");
    <!--## } ##-->
        $ValidateUser = FALSE;
    }
then replace it with the following code:

    } else {
        $_SESSION[EW_SESSION_FAILURE_MESSAGE] = str_replace("%u", $usr, $Language->Phrase("UserLoggedIn"));
    <!--## if (PROJ.SecLogInOutAuditTrail) { ##-->
        ew_WriteAuditTrail("log", ew_StdCurrentDateTime(), ew_ScriptName(), ms_GetCurrentUserID($usr)." - ".$usr, $Language->Phrase("AuditTrailUserLoggedIn"), ew_CurrentUserIP(), "", "", "", "");
    <!--## } ##-->
        // Begin of modification How to Overcome "User X already logged in" Issue, by Masino Sinaga, February 16, 2013
        $UserProfile->SetValue(EW_USER_PROFILE_SESSION_ID, session_id()); // Use current Session ID
        $UserProfile->SaveProfileToDatabase($usr); // Save profile
        setcookie(EW_PROJECT_NAME . '[' . EW_USER_PROFILE_SESSION_ID . ']', session_id(), EW_COOKIE_EXPIRY_TIME); // Save current Session ID to Cookie
        $ValidateUser = FALSE;
        // End of modification How to Overcome "User X already logged in" Issue, by Masino Sinaga, February 16, 2013
    }
- Open your \Script\phpcommon-scripts.php file, and find this code:

    <!--## if (CTRL.CtrlID != "login") { ##-->
    $UserProfile->LoadProfile(@$_SESSION[EW_SESSION_USER_PROFILE]);
    <!--## } ##-->
After the last line of that code, insert the following code (if you already have this code from one of my other customizations, skip this step):

    // Begin of modification by Masino Sinaga, May 25, 2012 in order to not autologout after clear another user's session ID whenever back to another page.
    $UserProfile->LoadProfileFromDatabase(CurrentUserName());
    // End of modification by Masino Sinaga, May 25, 2012 in order to not autologout after clear another user's session ID whenever back to another page.
- Still in your \Script\phpcommon-scripts.php file, find this code:

    echo $Language->Phrase("UserProfileCorrupted");
then replace it with the following code:

    // echo $Language->Phrase("UserProfileCorrupted");
    header("Location: logout.php");
- Open your C:\Program Files\PHPMaker 9\languages\english.xml file, and find this code:

    <phrase id="UserLoggedIn" value="User '%u' already logged in!"/>
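then replace it with the following code (the line breaks are written as escaped entities so that the attribute value remains well-formed XML):

    <phrase id="UserLoggedIn" value="User '%u' already logged in and the session has been automatically removed. &lt;br /&gt;&lt;br /&gt;Please re-login now!"/>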
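
The session-ownership rule that the steps above change, modelled as stand-alone PHP. This is an added example, not PHPMaker's code or the author's template code: the SessionRegistry class, its methods, the in-memory array standing in for the user profile table, and the sample user, session IDs and addresses are all hypothetical.

```php
<?php
// Added illustration, not PHPMaker code: SessionRegistry and its methods are hypothetical.
final class SessionRegistry
{
    private array $active = [];   // username => stored session ID (stand-in for the profile table)
    public array $audit = [];     // constructed audit lines, one per conflicting login
    private bool $replace;

    public function __construct(bool $replaceOnConflict)
    {
        $this->replace = $replaceOnConflict;
    }

    // Call only after the password check has passed.
    public function login(string $user, string $sid, string $ip): string
    {
        $stored = $this->active[$user] ?? null;
        if ($stored === null || hash_equals($stored, $sid)) {
            $this->active[$user] = $sid;
            return 'ok';
        }
        $this->audit[] = "conflicting login for $user from $ip";
        if (!$this->replace) {
            return 'rejected';            // original rule: first session keeps the account
        }
        $this->active[$user] = $sid;      // customized rule: newest session takes over
        return 'relogin';                 // this attempt still fails; the next one succeeds
    }

    // Per-request check: a browser holding a replaced session ID must be sent to logout.
    public function isCurrent(string $user, string $sid): bool
    {
        return isset($this->active[$user]) && hash_equals($this->active[$user], $sid);
    }
}

// Constructed walk-through: userA's old browser, then a new login after a crash.
$reg = new SessionRegistry(true);
$steps = [
    $reg->login('userA', 'sid-old', '192.0.2.10'),
    $reg->login('userA', 'sid-new', '192.0.2.20'),
    $reg->login('userA', 'sid-new', '192.0.2.20'),
];
echo implode(' -> ', $steps), PHP_EOL;
echo 'old window still valid: ', var_export($reg->isCurrent('userA', 'sid-old'), true), PHP_EOL;
echo implode(PHP_EOL, $reg->audit), PHP_EOL;
```

Constructing the registry with `false` gives the original behaviour, where the second login is rejected and the first session stays valid. With `true`, the audit line is the only record that one session displaced another, so it is worth keeping the login audit trail enabled when this customization is in use.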
MasinoFixedWidthSite When will it be available to version 10.0.1?
I am still working on it. Hopefully it will be available within the next two weeks.