#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2007
    Posts
    31
    Rep Power
    8

    Problem with login script - Could use help


    I am having an issue where I am getting logged out of my session even though I am actively using the site. It is currently set to 30 minutes of inactivity before logging a user out, but it is not working correctly.

    Here is the function:

    PHP Code:
    function logincheck()
    {
    if ($_SESSION['UserLoggedIn']!="yes")
        {
        echo "You must be logged in to view this page:<br/>";
        echo "<meta http-equiv=\"refresh\" content=\"2;url=login.php?action=login\">";
        die();
        }

    if (!isset($_SESSION['CREATED']))
        {
        $_SESSION['CREATED'] = time();
        }
    else if (time() - $_SESSION['CREATED'] > 1800)
        {
        // session started more than 30 minutes ago
        session_regenerate_id(true);    // change session ID for the current session and invalidate old session ID
        $_SESSION['CREATED'] = time();  // update creation time
        }

    if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800))
        {
        // last request was more than 30 minutes ago
        session_destroy();   // destroy session data in storage
        session_unset();     // unset $_SESSION variable for the runtime
        }
    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

    }; // end FUNCTION logincheck()

    So, as far as how I expected this to work, if the user is logged in and does nothing for 30 minutes (i.e., doesn't change pages) he/she will be logged out after 30 min. (session destroyed).

    However, if they go to another page that calls logincheck(), which each page does, it should check last activity time and if less than 1800 seconds, reset the last activity time to current, thereby keeping the session active. But like I said, I can be on the site for 30 minutes, changing pages, performing actions, and it still logs me out. I can't find any error in this script. Can you?

    Thanks all.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    are you sure you actually start the session on each page? Because for some reason, there is no session_start() in your function.

    Apart from that, I don't see any error, nor could I reproduce the problem you described. If the above doesn't work, start debugging your code:
    • Turn on all error messages with error_reporting(-1)
    • Does the session actually get destroyed by the function? Check that by outputting something in the corresponding if statement.
    • If it does get destroyed by the function, check the concrete value of LAST_ACTIVITY


    You should also fix several style issues in your code:
    • Remove the semicolon at the end of the function block. It has no use and generates an empty statement.
    • Fix the code indentation.
    • else if should be elseif.
    • Unless your PHP is out of date, consider using the DateTime class instead of the low-level time function.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2007
    Posts
    31
    Rep Power
    8
    Thanks for the reply, and yes, the code is a bit sloppy

    As far as session_start(), yes, that is at the top of the page -- this code is included in functions.inc.php ... Every page does indeed have session_start() as the first command.

    I will try putting an echo in after the session_destroy and see what it says. I see no reason why it should be doing this.
  6. #4
  7. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2007
    Posts
    31
    Rep Power
    8
    I have tried to echo the session_destroy() but I am getting nothing. I can be working on the site for 30 minutes, and without fail, the next time I refresh a page or go to another, I am logged out.

    This is going to be very problematic as logged in users are working with time consuming data entry, and if they get logged out before it gets saved, I just lost a user.

    I have tried using the site in both firefox and chrome and get the same situation.

    I have gone over the code again, and still cannot find any reason why it wouldn't be working. Anyone smarter than me able to find a problem?

    Thanks again...
  8. #5
  9. Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    What is the expiration date on the session cookie that PHP is sending?

    Remove all of the code from your logincheck() method except the first if block; does the problem still happen?

    What does phpinfo say are your settings for the session configuration?
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
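
The configuration checks asked about in post #5, as an added example that is not part of any post in this thread: it flags the two PHP session settings that can end a session independently of the `LAST_ACTIVITY` logic. The function name `sessionTimeoutFindings`, the `IDLE_LIMIT` constant and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not code from the thread): report session settings that end
// a session on their own schedule, independent of the LAST_ACTIVITY check.

const IDLE_LIMIT = 1800; // the thread's 30-minute inactivity limit, in seconds

/**
 * @param array $cookie        same shape as session_get_cookie_params()
 * @param int   $gcMaxLifetime value of session.gc_maxlifetime, in seconds
 * @return string[] findings; empty when nothing is flagged
 */
function sessionTimeoutFindings(array $cookie, int $gcMaxLifetime, int $idleLimit = IDLE_LIMIT): array
{
    $findings = [];
    // lifetime 0 means "until the browser closes". A non-zero lifetime is
    // counted from when the cookie was sent, and PHP sends it when the session
    // ID is issued, not on every request, so it acts as a fixed deadline.
    if ($cookie['lifetime'] > 0) {
        $findings[] = sprintf(
            'session.cookie_lifetime=%d: cookie expires %d s after it was issued, active or not',
            $cookie['lifetime'], $cookie['lifetime']
        );
    }
    // Session data untouched for longer than gc_maxlifetime may be removed by
    // garbage collection, so it should not be shorter than the idle limit.
    if ($gcMaxLifetime < $idleLimit) {
        $findings[] = sprintf(
            'session.gc_maxlifetime=%d is below the %d s idle limit',
            $gcMaxLifetime, $idleLimit
        );
    }
    return $findings;
}

// Constructed sample values, to show the output for a suspicious configuration.
$sample = ['lifetime' => 1800, 'path' => '/', 'domain' => '', 'secure' => false, 'httponly' => false];
foreach (sessionTimeoutFindings($sample, 1440) as $line) {
    echo "sample:  $line\n";
}

// The values this PHP installation actually uses.
$live = sessionTimeoutFindings(session_get_cookie_params(), (int) ini_get('session.gc_maxlifetime'));
foreach ($live as $line) {
    echo "current: $line\n";
}
if (!$live) echo "current: nothing flagged\n";
```

Run it through the web server that serves the site rather than the command line, since the CLI can read a different php.ini.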
  10. #6
  11. Permanently Banned
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2010
    Location
    Tustin, ca
    Posts
    39
    Rep Power
    0
    So far I have not found any error; you need to debug the code at each level and see what is happening. Check the variable names to see if they are being used correctly, I mean the spelling and all that. Also you need to check your configuration settings. Hope this helps you.
