5 Replies - 2904 Views - Last Post: 08 February 2012 - 07:45 AM

#1 clarkeash

PHP session timeout

Posted 07 February 2012 - 07:43 AM

I have the following code, which logs out the user after 15 minutes of inactivity.
<?php
session_cache_expire(15);
session_start();

$inactive = 900;
if(isset($_SESSION['start']) ) {
	$session_life = time() - $_SESSION['start'];
	if($session_life > $inactive){
		header("Location: logout.php");
	}
}
$_SESSION['start'] = time();
?>



Whenever I try to log in, the first attempt logs me out instantly, and on the 2nd attempt it allows me to log in.
Any ideas as to what I am doing wrong? Thanks.


Replies To: PHP session timeout

#2 JackOfAllTrades

Posted 07 February 2012 - 08:40 AM

You should call exit() after the header() call.

Also, does logout.php destroy the session?
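The two points in the reply above (stop the script after the redirect, and really destroy the session on logout), shown as an added example that is not part of any post in this thread. The session key `last_activity` and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread. The key 'last_activity' and all
// function names here are hypothetical.
const IDLE_LIMIT = 900; // 15 minutes, the limit used in the original post

// Pure check, so the timeout rule can be exercised without a live session.
function session_is_idle(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['last_activity'])
        && ($now - (int) $session['last_activity']) > $limit;
}

// Wipe the server-side data and expire the cookie, so the old session ID
// carries nothing if it is presented again.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every protected page, before any output is sent.
function enforce_idle_timeout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (session_is_idle($_SESSION, time())) {
        destroy_session();
        header('Location: index.php');
        exit; // header() only queues the redirect; without exit the rest of
              // the page still runs and the activity timestamp is refreshed
    }
    $_SESSION['last_activity'] = time();
}
```

Because header() does not stop execution, a guard without the exit still renders the protected page body to any client that ignores the redirect.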

#3 codeprada

Posted 07 February 2012 - 09:13 AM

Also post your log-in script so we won't have to be guessing solutions.

#4 clarkeash

Posted 07 February 2012 - 09:39 AM

Sorry, here is the login script:
<?php
	//Start session
	session_start();
	
	//Include database connection details
	require_once('config.php');
	
	//Array to store validation errors
	$errmsg_arr = array();
	
	//Validation error flag
	$errflag = false;
	
	//Connect to mysql server
	$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
	if(!$link) {
		die('Failed to connect to server: ' . mysql_error());
	}
	
	//Select database
	$db = mysql_select_db(DB_DATABASE);
	if(!$db) {
		die("Unable to select database");
	}
	
	//Function to sanitize values received from the form. Prevents SQL injection
	function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}
	
	//Sanitize the POST values
	$email = clean($_POST['email']);
	$password = clean($_POST['password']);
	
	//Input Validations
	if($email == '') {
		$errmsg_arr[] = 'Email Address Required';
		$errflag = true;
	}
	if($password == '') {
		$errmsg_arr[] = 'Password Required';
		$errflag = true;
	}
	
	//If there are input validations, redirect back to the login form
	if($errflag) {
		$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
		session_write_close();
		header("location: ../index.php");
		exit();
	}
	
	$grab_row = mysql_query("SELECT * FROM tbl_user WHERE email = '".$email."'") or die ("MySQL Error: ".mysql_error());
	if (mysql_num_rows($grab_row) == 1) {
		$row = mysql_fetch_array($grab_row);
		$salt = $row['salt'];
		$email = $row['email'];
		$combine = $email . $password . $salt;
		$auth_pass = sha1($combine);
		$active = $row['active'];
	}
	
	if($active == '0') {
		$errmsg_arr[] = 'You account needs to be verified, please check your emails or to have the email sent again <a href="">click here</a>!';
		$errflag = true;
	}
	
	//If there are input validations, redirect back to the login form
	if($errflag) {
		$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
		session_write_close();
		header("location: ../index.php");
		exit();
	}
	
	
	//Create query
	$qry="SELECT * FROM tbl_user WHERE email='$email' AND password='$auth_pass'";
	$result=mysql_query($qry);
	
	//Check whether the query was successful or not
	if($result) {
		if(mysql_num_rows($result) == 1) {
			//Login Successful
			//Format characters must be quoted strings, not bare constants
			$year = date('Y');
			$month = date('m');
			$day = date('d');
			$date = $year.'-'.$month.'-'.$day;
			$log_ip = $_SERVER['REMOTE_ADDR'];
			$insert = mysql_query("UPDATE tbl_user SET last_login = '$date', log_ip = '$log_ip' WHERE email = '$email'");
			//create sessions
			session_regenerate_id();
			$member = mysql_fetch_assoc($result);
			$_SESSION['SESS_MEMBER_ID'] = $member['id_user'];
			$_SESSION['SESS_FIRST_NAME'] = $member['f_name'];
			$_SESSION['SESS_LAST_NAME'] = $member['s_name'];
			session_write_close();
			header("location: ../main.php");
			exit();
		}else {
			//Login failed
			$errmsg_arr[] = 'Invalid Credentials';
			$errflag = true;
			$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
			session_write_close();
			header("location: ../index.php");
			exit();
		}
	}else {
		die("Query failed");
	}
?>



And here is logout.php:

<?php
	//Start session
	session_start();
	
	//Unset the variables stored in session
	unset($_SESSION['SESS_MEMBER_ID']);
	unset($_SESSION['SESS_FIRST_NAME']);
	unset($_SESSION['SESS_LAST_NAME']);
	
	
	$errmsg_arr[] = 'You Have Been Logged Out!';
	$errflag = true;
	
	
	//If there are input validations, redirect back to the login form
	if($errflag) {
		$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
		session_write_close();
		header("location: index.php");
		exit();
	}
?>



#5 codeprada

Posted 07 February 2012 - 11:24 AM

So basically a user is logged in as long as these are set?
$_SESSION['SESS_MEMBER_ID']
$_SESSION['SESS_FIRST_NAME']
$_SESSION['SESS_LAST_NAME']



And which script verifies if a user is logged in or not?

A few things to note
  • MySQL has a function COUNT which should be used if you only need to verify if a row exists or not.
    e.g.
    $qry="SELECT COUNT(`email`) `total` FROM tbl_user WHERE email='$email' AND password='$auth_pass'";
    $result = mysql_query($qry);
    $row = mysql_fetch_assoc($result);
    if((int)$row['total'] == 1)
    {
        //row exists
    }
    
    

  • Check out prepared statements offered by PDO and MySQLi which will omit the need for a clean function.
  • Don't base your authentication on whether a variable is set or not, but make sure it's set with the right information.

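The last two suggestions in the post above (prepared statements instead of a clean() function, and checking what the session variable holds rather than whether it is set), as an added example that is not part of any post in this thread. It assumes the pdo_sqlite extension and uses an in-memory table with one constructed row in place of the thread's MySQL tbl_user; password_hash()/password_verify() are swapped in for the thread's salted sha1(), and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite table with one
// constructed row stands in for the thread's MySQL tbl_user so it runs offline.
// password_hash()/password_verify() replace the thread's salted sha1().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_user (id_user INTEGER PRIMARY KEY,
            email TEXT UNIQUE, password TEXT, active INTEGER)');
$pdo->prepare('INSERT INTO tbl_user (email, password, active) VALUES (?, ?, 1)')
    ->execute(['alice@example.test', password_hash('constructed-pass', PASSWORD_DEFAULT)]);

// Returns the user id on success, null otherwise. The e-mail is bound as a
// parameter, so quotes in it are data and no clean() step is needed.
function authenticate(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT id_user, password FROM tbl_user WHERE email = :email AND active = 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id_user'];
}

// Session check that validates the stored value instead of only isset():
// it must be an integer id that still maps to an active account.
function logged_in_user(PDO $pdo, array $session): ?int
{
    $id = filter_var($session['SESS_MEMBER_ID'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM tbl_user WHERE id_user = ? AND active = 1'
    );
    $stmt->execute([$id]);
    return (int) $stmt->fetchColumn() === 1 ? $id : null;
}

// Constructed inputs: a valid login, an e-mail containing a quote, and two
// session arrays (one holding the real id, one holding an arbitrary string).
$id = authenticate($pdo, 'alice@example.test', 'constructed-pass');
var_dump($id);
var_dump(authenticate($pdo, "o'neil@example.test", 'constructed-pass'));
var_dump(logged_in_user($pdo, ['SESS_MEMBER_ID' => $id]));
var_dump(logged_in_user($pdo, ['SESS_MEMBER_ID' => 'admin']));
```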

#6 clarkeash

Posted 08 February 2012 - 07:45 AM

Thanks for the advice, I will look into prepared statements offered by PDO. It was just a simple variable not being set.

Thanks