Certainly if you want to grab the user’s time from his machine someone must use JS.
In my case though I cannot do that…let me explain:
Upon user registration the usual verification mail is sent to the user.Instead of telling the user to verify his/her mail in 24 hours(for example)I want to grab their time from their machine and say “You must verify your mail till 10:00pm tomorrow”.
Any idea how to grab the user’s time upon the e-mail arriving at his inbox? Unless of course I choose another route.
P.S this post could be posted as well in the JS forum,I think it is related to both languages.
Why not? When the user hits the submit button on your registration form you can use js to grab his machine time, put it into a hidden field and send it to the server with the other data.
If I wanted to do such a thing I would only grab the user’s time zone and calculate the expiry time based on the server time. What if the user’s clock is way off? Your message “You must verify your mail till 10:00pm tomorrow” would either need to be incorrect (that is correct only according to his incorrect machine clock) or you would need to make the expiry period dependent on the accuracy of the user’s machine clock (which means he could extend or contract the period by shifting his clock).
I believe the question is: why can’t you get the user’s machine time or time-zone via javascript and use that to present a time limit in whichever way you wish to present it?
Lemon is also talking about the user manipulating their own time on their machine to extend the wait period. I would never ever trust any user input no matter how desperate I was to find a solution. If the solution is either to have an option and have it exploitable or don’t have the option and keep my server safe, I would choose the latter.
It isn’t impossible. It’s just that it can be manipulated just like trusting a user not to edit cookies with a cookie editor.
I’m not saying it’s unrealistic to implement such a message, I’m saying it’s unrealistic to rely on user’s local time for that. If the user’s clock is correct then your message will be correct but if it’s not correct then it will not be correct. And you have no guarantee that the user’s clock is correct.
You can implement it but not in the way you originally thought. There is no way to know when the user opens the email message - well, sometimes a hidden image can be used for that but it doesn’t always work. Even if you knew the time of opening the message you would not be able to do anything with it because you have already sent the message and you can’t change it once the user opens it - you’d have to send another message, which wouldn’t make sense in this case.
So my suggestion is this: grab the user’s machine time zone in the registration form and then create your expiry message in PHP based on the server time and convert the expiry time to the user’s time zone and send it like that in the email.
This will fail if the user’s time zone is incorrect on his machine but that would be rare and I wouldn’t worry about it since it’s not a critical message anyway. This will also fail if the user is travelling and changing time zones but there is not much you can do about it. However, you can prepare messages that mention the time zone like this: “You must verify your mail till 10:00pm tomorrow CET”. But then you’d need to grab the user’s time zone name and present it to him in the way you want - see this method, works only in most recent browsers including Firefox but not IE.
It will be far less prone to error/manipulation if the time is based on your server time, offset by the user’s time-zone, relative to yours.
Even in the unlikely event that their time-zone is wrong, it can’t possibly be more than a day out, which I guess would not be an earth shattering fault.
If for example your server time is 12:00 (noon) GMT, then the user’s timezone is PDT, that’s GMT -7.
You offset your time by the difference: 12 - 7 = 5 so their time is 05:00am