February 17th, 2013, 08:32 PM
Problem with login script - Could use help
I am having an issue where I am getting logged out of my session even though I am actively using the site. It is currently set to 30 minutes of inactivity before logging a user out, but it is not working correctly.
Here is the function:
function logincheck()
{
if (/* condition not shown in the post */)
{
echo "You must be logged in to view this page:<br/>";
echo "<meta http-equiv=\"refresh\" content=\"2;url=login.php?action=login\">";
}
if (!isset($_SESSION['CREATED']))
{
$_SESSION['CREATED'] = time();
}
else if (time() - $_SESSION['CREATED'] > 1800)
{
// session started more than 30 minutes ago
session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
$_SESSION['CREATED'] = time(); // update creation time
}
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800))
{
// last request was more than 30 minutes ago
session_destroy(); // destroy session data in storage
session_unset(); // unset $_SESSION variable for the runtime
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
}; // end FUNCTION logincheck()
So, as far as how I expected this to work, if the user is logged in and does nothing for 30 minutes (i.e., doesn't change pages) he/she will be logged out after 30 min. (session destroyed).
However, if they go to another page that calls logincheck(), which each page does, it should check last activity time and if less than 1800 seconds, reset the last activity time to current, thereby keeping the session active. But like I said, I can be on the site for 30 minutes, changing pages, performing actions, and it still logs me out. I can't find any error in this script. Can you?
February 17th, 2013, 09:25 PM
Are you sure you actually start the session on each page? Because for some reason, there is no session_start() in your function.
Apart from that, I don't see any error, nor could I reproduce the problem you described. If the above doesn't work, start debugging your code:
- Turn on all error messages with error_reporting(-1)
- Does the session actually get destroyed by the function? Check that by outputting something in the corresponding if statement.
- If it does get destroyed by the function, check the concrete value of LAST_ACTIVITY
You should also fix several style issues in your code:
- Remove the semicolon at the end of the function block. It has no use and generates an empty statement.
- Fix the code indentation.
- else if should be elseif.
- Unless your PHP is out of date, consider using the DateTime class instead of the low-level time function.
February 17th, 2013, 09:31 PM
Thanks for the reply, and yes, the code is a bit sloppy.
As far as session_start(), yes, that is at the top of the page -- this code is included in functions.inc.php ... Every page does indeed have session_start() as the first command.
I will try putting an echo in after the session_destroy and see what it says. I see no reason why it should be doing this.
February 20th, 2013, 09:32 PM
I have tried to echo the session_destroy() but I am getting nothing. I can be working on the site for 30 minutes, and without fail, the next time I refresh a page or go to another, I am logged out.
This is going to be very problematic as logged-in users are working with time-consuming data entry, and if they get logged out before it gets saved, I just lost a user.
I have tried using the site in both Firefox and Chrome and get the same situation.
I have gone over the code again, and still cannot find any reason why it wouldn't be working. Anyone smarter than me able to find a problem?
February 20th, 2013, 10:47 PM
What is the expiration date on the session cookie that PHP is sending?
Remove all of the code from your logincheck() method except the first if block; does the problem still happen?
What does phpinfo say are your settings for the session configuration?
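Added example (not part of any post in this thread): one way to gather the answers to the three questions above in a single page, by comparing PHP's session settings with the 1800-second idle window from logincheck(). The names IDLE_TIMEOUT and session_timeout_findings() are hypothetical, and the script assumes it is served from the same site so it shares the session cookie.

```php
<?php
// Added example, not code from the thread. IDLE_TIMEOUT mirrors the 1800 s
// used in logincheck(); session_timeout_findings() is a hypothetical helper name.
const IDLE_TIMEOUT = 1800;

function session_timeout_findings(int $idleTimeout): array
{
    $findings = [];

    // Server side: session data idle for longer than gc_maxlifetime may be
    // removed by garbage collection, whatever LAST_ACTIVITY says.
    $gcMax = (int) ini_get('session.gc_maxlifetime');
    if ($gcMax < $idleTimeout) {
        $findings[] = "session.gc_maxlifetime is $gcMax s, below the $idleTimeout s idle timeout";
    }

    // Client side: a lifetime of 0 lasts until the browser closes. A non-zero
    // lifetime is counted from when PHP sent the cookie, and PHP does not
    // resend the cookie on each request.
    $cookie = session_get_cookie_params();
    if ($cookie['lifetime'] > 0) {
        $findings[] = "session cookie expires {$cookie['lifetime']} s after it was sent, even for an active user";
    }

    // Storage: with a shared save path, another script with a lower
    // gc_maxlifetime can clean up this site's session files.
    $savePath = ini_get('session.save_path');
    $findings[] = 'session.save_path is '
        . ($savePath !== '' && $savePath !== false ? $savePath : '(default temp dir)');
    $findings[] = 'gc runs with probability ' . ini_get('session.gc_probability')
        . '/' . ini_get('session.gc_divisor') . ' per request';

    return $findings;
}

session_start();
header('Content-Type: text/plain');
echo 'session id: ', session_id(), "\n";
echo 'CREATED: ', $_SESSION['CREATED'] ?? 'not set', "\n";
echo 'LAST_ACTIVITY: ', $_SESSION['LAST_ACTIVITY'] ?? 'not set', "\n";
foreach (session_timeout_findings(IDLE_TIMEOUT) as $line) {
    echo "- $line\n";
}
```

Loading it before and after the unexpected logout shows whether the session id changed (a new session was started) or the same session lost its data.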
February 26th, 2013, 11:02 PM
So far I have not found any error; you need to debug the code at each level and see what is happening. Check the variable names to see if they are being used correctly, I mean the spelling and all that. You also need to check your configuration settings. Hope this helps you.