ssscriptties Posted 14 hours ago

From my last post I figured out how to log out users when they delete the accounts they're logged into and checking the sessions they're using, but it isn't automatic and needs a page refresh, which means the user has time to delete other users on the admin page. I want to make it so the moment the account is deleted they're logged out without refresh... is that possible? This is the current code:

```php
<?php
function pdo_connect_mysql() {
    $DATABASE_HOST = 'localhost';
    $DATABASE_USER = 'root';
    $DATABASE_PASS = '';
    $DATABASE_NAME = 'phpticket';
    try {
        return new PDO('mysql:host=' . $DATABASE_HOST . ';dbname=' . $DATABASE_NAME . ';charset=utf8', $DATABASE_USER, $DATABASE_PASS);
    } catch (PDOException $exception) {
        exit('Failed to connect to database!');
    }
}

// Looks the user up by email on the mysqli connection ($conn) from config.php.
// Returns null when no row exists, e.g. after the account has been deleted.
function getUser($email) {
    global $conn;
    if (empty($email)) {
        return null;
    }
    $stmt = $conn->prepare("SELECT id, username, email, role FROM users WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $result = $stmt->get_result();
    if ($result->num_rows > 0) {
        $userData = $result->fetch_assoc();
        $stmt->close();
        $user = new stdClass();
        $user->id = $userData['id'];
        $user->username = $userData['username'];
        $user->email = $userData['email'];
        $user->role = $userData['role'];
        $user->isActive = true;
        return $user;
    }
    $stmt->close();
    return null;
}
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>ALnasser | Ticketing System</title>
    <link href="style.css" rel="stylesheet" type="text/css">
    <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.1/css/all.css">
</head>
<body>
    <nav class="navtop">
        <div>
            <img src="alnasser_nobg.png"><h1><a href="index.php" style="color:white;font-size:25px;font-weight: normal;">AlNasser Help Desk</a></h1>
            <a href="index.php"><i class="fas fa-ticket-alt"></i>Tickets</a>
        </div>
    </nav>
</body>
</html>
```

```php
<?php
// Start the session before anything is output, so $_SESSION is populated
// and session_destroy() below has a session to act on.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

include 'functions.php';
include "config.php";

$currentUser = getUser($_SESSION['email'] ?? null);
if (!$currentUser || !$currentUser->isActive) {
    session_destroy();
    setcookie('remember_token', '', time() - 3600, "/");
    setcookie('email', '', time() - 3600, "/");
    session_start();
    $_SESSION['login_error'] = 'Session has expired. Please log in again.';
    $_SESSION['active_form'] = 'login';
    header("Location: login&signup.php");
    exit();
}
```

```php
<?php
$host = "localhost";
$user = "root";
$password = "";
$database = "phpticket";

$conn = new mysqli($host, $user, $password, $database);
if ($conn->connect_error) {
    die("Connection failed " . $conn->connect_error);
}
```
mac_gyver Posted 13 hours ago (edited)

the code for every page (http request) must enforce what the current user can do or see on that page. if you do what i wrote in one of your recent threads -

> the only user related value you should store in a session variable upon successful login is the user id (autoincrement primary index.) you should query on each page request to get any other user data, so that any changes made to the user data will take effect on the very next page request, without requiring the user to log out and back in again.

the code performing the admin actions will find that the current user is either not logged in, doesn't exist, or no longer has a role that allows access to the code on that page and the user will be prevented from performing any action.
gizmola Posted 8 hours ago

mac_gyver as usual provided you with a clear answer.

HTTP protocol is request/response. Without some other streaming protocol, once a client has received a response, the tcp connection(s) required to get all the assets for the page, and the building of that page are closed and the rendering of the page and any interactivity is entirely client side. New requests can be initiated, or you can have some javascript (ajax) that makes requests using javascript that can then be used to update the page without having an entirely new HTTP request (GET/POST/PUT/DELETE).

There are ways to have a client poll ajax calls, or alternatively to use websocket protocol. You often see websockets used to provide more real time functionality.

Regardless, for every Request sent to the server, checking for authorization of the client must be done. In other words, it should not matter if someone has their browser open to your site, as a logged in user who has now had their account deleted/suspended etc. All that matters is that the deletion/suspension/logout is enforced on the CURRENT HTTP request.
Psycho Posted 7 hours ago

I'd like to add my two cents on this as well. Having a process that automatically logs a user out is a nice to have feature. Ensuring that all service calls check the current status and permissions of the user making a request is a must have feature.

You specifically asked about "users when they delete the accounts they're logged into", but that should also include other users that may be logged on who are deleted by a different user. The former would be a fairly trivial task, but the latter would require some type of polling or websocket functionality (as gizmola stated) which, in my opinion, adds unnecessary complexity. If you have all your other value add features then, sure, add that ability. But you would still need to add server-side validation for every request anyway.

For an edge case scenario where a user is "deleted" while they are logged in I would be OK with some unhandled errors in the UI as long as I was confident their calls were not being accepted/completed. Not saying there shouldn't be error handling - only that it is not as important as blocking the requests.

I would suggest the following:

1. Create a single process/function that validates that a user is "Active" (or whatever that means for your application) and returns the permissions they have (assuming there are distinct permissions).
2. Every page load should run that common process. If the user is not active or does not have the requisite permissions for the page being loaded, redirect them to an appropriate error page.
3. I assume you have various AJAX driven features. All back-end AJAX calls should call the same common process and if the user is not active or does not have the requisite permissions for the process being called, have the AJAX response return an appropriate error. The client-side implementation will need to check for such errors and react accordingly (I'd redirect to the same error pages as noted above).
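One way to write the single per-request check that the replies above describe, as an added example that is not code from any poster in the thread. It reuses the thread's `$conn`, `users` columns and `login&signup.php`; the session key `user_id`, the role value `admin` and the function names are assumptions.

```php
<?php
// Added example, not the thread's code. Assumptions: session key 'user_id',
// role value 'admin', and these function names. Table/columns, $conn and
// the login page name come from the thread.

function deny(int $status, bool $isAjax, string $reason): void
{
    if ($status === 401) {              // no valid account: drop the session
        $_SESSION = [];
        session_destroy();
    }
    if ($isAjax) {                      // AJAX callers get a status + JSON
        http_response_code($status);
        header('Content-Type: application/json');
        echo json_encode(['error' => $reason]);
    } elseif ($status === 401) {
        header('Location: login&signup.php');
    } else {
        http_response_code($status);
        echo htmlspecialchars($reason);
    }
    exit;
}

function require_active_user(mysqli $conn, array $allowedRoles, bool $isAjax = false): array
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $id = filter_var($_SESSION['user_id'] ?? null, FILTER_VALIDATE_INT);
    $user = null;
    if ($id !== false) {
        // Re-read the row on every request so a deletion or role change
        // applies to the very next request, whatever the browser shows.
        $stmt = $conn->prepare('SELECT id, username, email, role FROM users WHERE id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $user = $stmt->get_result()->fetch_assoc() ?: null;
        $stmt->close();
    }
    if ($user === null) {
        deny(401, $isAjax, 'Not logged in or account no longer exists');
    }
    if (!in_array($user['role'], $allowedRoles, true)) {
        deny(403, $isAjax, 'Insufficient role');
    }
    return $user;
}

// Admin page:     $user = require_active_user($conn, ['admin']);
// AJAX endpoint:  $user = require_active_user($conn, ['admin'], true);
```

Client-side script that receives the 401 JSON can redirect to the login page, which gives the logout-without-refresh effect on the user's next action. The server-side check is what blocks a deleted account, whether or not the browser has caught up.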