Multiple Windows - A Solution

sunsetsystems wrote on Thursday, July 26, 2007:

This old thread: http://sourceforge.net/forum/forum.php?thread_id=1307624&forum_id=202506 discusses a problem that has been annoying me for a long time… that OpenEMR works poorly, even dangerously, when used in multiple top-level browser windows on the same machine.  There is more information about the general issue at http://aranea.zuavra.net/index.php/80/ .

I think I finally have a solution that does not involve extensive code mangling.  It takes advantage of the ability of JavaScript to change cookies (and thus the session ID) in the browser.

First, I added a bit of JavaScript to interface/login/login.php to delete the session cookie when a new login occurs.  This ensures that a unique session ID is generated for each login (we assume you start each new browser window session with a login).

Then, I added this to interface/main/main_screen.php and other top-level windows:

<script language=‘JavaScript’>
function restoreSession() {
document.cookie = ‘<?php echo session_name() . ‘=’ . session_id(); ?>; path=/’;
return true;
}
</script>

What this does is restore the session cookie’s value to the session ID that was supplied when the window was created.  This is meaningful if another OpenEMR window has changed the cookie to its own session ID.

Thus by calling the JavaScript function top.restoreSession(), which can be done from just about anywhere, the correct session ID will be available to your PHP scripts.  This you would want to do just before invoking any server-side script that depends on good PHP session data, since the browser sends the session cookie along with every request sent to the web server.

What remains, then, is adding little snippets like “onclick=‘top.restoreSession()’” or “onsubmit=‘return top.restoreSession()’” wherever the web server is invoked.  I’m working on that part now.  Testing so far is giving very good results.

Of course it’s not totally foolproof.  For example the user can hit the Refresh button on their browser to bypass restoreSession(), but it’s a lot better than it was.

Rod
www.sunsetsystems.com

sunsetsystems wrote on Saturday, July 28, 2007:

Most of these changes are now checked in.  What remains is mostly the “contrib” encounter forms.  To see what I’ve changed, search the code for the string “restoreSession”.  This will give you a good blueprint for fixing any remaining areas that I might have missed.  With any luck I have not broken anything that used to work.

Rod
www.sunsetsystems.com

sunsetsystems wrote on Thursday, August 02, 2007:

This is about done, pending a bit more testing.

I’d like to emphasize that this affects future development.  Developers will need to call “top.restoreSession()” wherever new links or forms are created that invoke PHP scripts dependent on current session data, which is most of them.  This is very easy to do.  For a link (<a href=…>) this normally means inserting “onclick=‘top.restoreSession()’”, and for a <form> tag you want “onsubmit=‘return top.restoreSession()’”.  You can search existing code for “restoreSession” to see other less common examples.

Rod
www.sunsetsystems.com