client-side time with PHP and JavaScript

As part of upgrading functionality and statistical delivery with sqwi.sh I’ve been looking at utilising client-side time. Obviously, PHP and other server-side languages do not have acces to this information. The solution is to use JavaScript and the ‘page-in-between’ method:

if(!$_REQUEST["client_time"]) 
{ 
	$vars = "?";
	foreach($_REQUEST as $key => $val) {
		$vars .= $key."=".$val."&";
	}
    echo "<script type=\"text/javascript\">"; 
    echo "localtime = new Date();"; 
    echo "document.location.href = '".$PHP_SELF.$vars."client_time=' 
            + localtime.getTime();"; 
    echo "</script>"; 
} 
else 
{ 
    // Process page as normal 
} 

What this does is first check whether we have been given a parameter “client_time”. If we have, everything is grand and we can nmove on to rendering the page. If not then we need to iterate through all parameters/variables passed through to the page (either $_POST or $_GET [which has security implications – to be discussed]) and keep track of them as a string formatted for passing through a URL.

Then we use PHP to write a JavaScript function to the page before anything else. This script (running on client-side) gets the client’s current date and time (localtime = new Date();) before redirecting the browser to the same page ($PHP_SELF) with parameters appended ($vars."client_time=' + localtime.getTime();").

Then end result of this is that the client returns to the page, but this time brings with them their (client-side) time for use within your (server-side) functionality.

** Security Issue **

As I mentioned, there are security implications to this approach. By passing all $_REQUEST parameters through the foreach() loop and passing them back through as $_GET parameters (as they are contained in the URL itself) they are all visible and able to be manipulated by the client user or anyone who wants to. Any hidden parameters (ie $_POST) are made visible in this method. If you don’t have any $_POST parameters, or they are not security issues, then this should not be a problem; if there are secure parameters, then this method will not work for you.

If you want to use the time as a parameter, and the page request is coming from a form on another page of yours (hence the $_POST parameters), then you should add a hidden field to THAT form as so:

<input type="hidden" id="time" name="client_time" 
          value="a6d27182b9803699dc15f56e9c0e8eb4" />

with the following script being called at onload():

<script type="text/javascript">
function loadTime() {
var localtime = new Date();
document.getElementById('time').value=localtime.getTime();
}
</script>

using:

<body onload="javascript:loadTime()" >

and then call the variable from there on the new page like so:

$clientTime = $_POST["client_time"];

This solution is more elegant than the ‘page-in-between’ method, and does eliminate the security weakness discussed.

Advertisements

About Cameron
I'm a final year Computer Science/Information Systems major. Already finished my BA in Politics/Philosophy. I do web and software freelance on the side, while I finish studying. Hoping to be self-employed by the end of my degree, otherwise off into the real-world I go....

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: