php sessions problem - wrong logic maybe

I need help with sessions.
I created a set of web sites for nav with authorization.

First I go into main.php, which looks like this:

<?php
//common functions
include_once '../login/common.php';
global $LOGINDIR;

//nav- navigation
//auth- authorization
include ("$LOGINDIR/nav.htm");
include ("$LOGINDIR/auth.php");

$menu = $_GET['menu'];
switch($menu)
{
case 1:
include "$LOGINDIR/menu1.php";
global $LOGINDIR;
break;

case 2:
include "$LOGINDIR/menu2.php";
global $LOGINDIR;
break;

case 3:
include "$LOGINDIR/menu3.php";
global $LOGINDIR;
break;

case 4:
include "$LOGINDIR/menu4.php";
global $LOGINDIR;
break;

case 5:
include "$LOGINDIR/menu5.php";
global $LOGINDIR;
break;

default:
include "$LOGINDIR/menudef.htm";
break;
}

include ("$LOGINDIR/footer.htm");
?>

</td>
</tr>
</table>
</body>
</html>

My auth.php looks like this:

[root@lexon login]# cat auth.php
<?php
// auth.php
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();
echo $_SESSION['username'];
echo $_SESSION['password'];
// convert username and password from _POST or _SESSION

if($_POST){
if (!$_SESSION['username'] && !$_SESSION['password']) {
$_SESSION['username']=$_POST["username"];
$_SESSION['password']=$_POST["password"];
}
}

echo "before the query";
echo $_SESSION['username'];
echo $_SESSION['password'];
// query for a user/pass match
$result=mysql_query("select * from users
where username='" . $_SESSION['username'] . "' and password='" .
$_SESSION['password'] . "'");

if ($result) {

// retrieve number of rows resulted
$num=mysql_num_rows($result);

// print login form and exit if failed.
if($num < 1){

echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

$phonenumber = mysql_result($result,0,'phonenumber');
$username = mysql_result($result,0,'username');
$userlevel = mysql_result($result,0,'userlevel');

//check the logon time, logoff after 5min idle
if (!$_SESSION['login_time']) {

$_SESSION['login_time']=time();
};
$lg_time = intval($_SESSION['login_time']);

// If the session start time is greater than the current time...
if ($lg_time > time() ||
// If they have been logged in for longer than 5 minutes...
(time() - $lg_time) > 60*5) {

unset ($_SESSION['login_time']);
unset ($_SESSION['username']);
unset ($_SESSION['password']);

include ("logoutexp.php");
exit;
}
$_SESSION['login_time']=time();
};
mysql_close();
?>

After the time out php goes to logoutexp.php which looks like this:
[root@lexon login]# cat logoutexp.php
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>For security reasons your session has expired.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
exit;
?>
It goes back to main.php and asks for auth.
The problem is that if I try to navigate the page and go to, for
example, main.php?menu=4, I need to enter the password again.

The only workaround is to click the logoutexp.php link and then everything is
ok. I debugged the script and found out that
$_SESSION['username'] and password are lost.

Any ideas what is wrong?

thanks

bart
Jul 17 '05 #1
If 'menu' is supposed to be your session variable, then you need to do
$_SESSION['menu'];

You also need to call session_start();

- Ali

Jul 17 '05 #2
I call session_start() in my auth.php.
The thing is that if I use the browser the first time, it works.
Also when I log off (which destroys the session and goes back to the login
screen) everything works fine.

The problem starts when I close the browser without logging off.
Then I have to log in to every page.
My logout script does this:

session_start();
session_destroy();
<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">

So what I thought is that if I put:
session_start();
session_destroy();
in this part of the code:

// print login form and exit if failed.
if($num < 1){
echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

It should do the same as what logout does.
Unfortunately it does not.

I think that there is something that I don't know about sessions.
I don't like that the user has to press logout.
It should automatically destroy the session if the browser was closed.

Any ideas?

Bart


Jul 17 '05 #3
I'm not quite sure what you mean, but:

PHP will automatically destroy a session after a set amount of time; the
default varies depending on your server settings (mine is set to 20 minutes),
so there is no need for you to catch out-of-date sessions!

I would presume that this is where your problem lies, and you are
incorrectly destroying a session when it hasn't actually expired.

Also, as session variables can't be modified without your script, you don't
really need to confirm the username and password from the session; simply
storing the username would be enough. (You can assume that if the username was
stored, the password was correct.)

I suggest you have a look at the session documentation at
http://uk.php.net/manual/en/function.session-start.php if you haven't already
done so, as it does provide some examples.

If you are still having problems, reply telling me exactly what you
are trying to achieve (step by step), and I'll try and knock some code up as an
example for you.

- Alistair
Jul 17 '05 #4
Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting (E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have a logout link which takes me to a page whose code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>

If I click the link the session is destroyed (on the server the session id
file becomes empty) and everything works fine if I want to log in
again. The new session has the same ID as before.

But when I close the browser without logging off, the session file on
the server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes a lot of session files to be created on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what? Why are the sessions not destroyed if I
close the browser?
Thanks
Jul 17 '05 #5
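
Added example (not code from any poster in this thread): one way to write the login check, the 5-minute idle timeout and the logout discussed above, using a bound SQL parameter and password_verify() instead of concatenating request values into the query, and keeping only the identity in the session. The users table and its username, userlevel and phonenumber columns follow the thread; the password_hash column, the PDO handle, the in-memory SQLite demo data and all function names are assumptions.

```php
<?php
// Added example, not the poster's code. Table and column names follow the thread;
// the password_hash column, the PDO handle and all function names are assumptions.
declare(strict_types=1);

const IDLE_LIMIT = 300; // 5 minutes idle, as in the original auth.php

// Look the user up with a bound parameter and verify a stored password hash,
// instead of concatenating $_POST / $_SESSION values into the SQL string.
function check_credentials(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT username, userlevel, phonenumber, password_hash
           FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);   // never copy secrets into the session
    return $row;
}

// Record a successful login: only identity and a timestamp go into the session.
function mark_logged_in(array &$session, array $user, int $now): void
{
    $session['authenticated'] = true;
    $session['username']      = $user['username'];
    $session['userlevel']     = $user['userlevel'];
    $session['last_seen']     = $now;
}

// True while the session is authenticated and has not been idle for too long.
// A timestamp in the future is treated as invalid, as the original script did.
function session_is_live(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (empty($session['authenticated']) || !isset($session['last_seen'])) {
        return false;
    }
    $last = (int) $session['last_seen'];
    if ($last > $now || ($now - $last) > $limit) {
        $session = [];              // drop every key, not just a chosen few
        return false;
    }
    $session['last_seen'] = $now;   // sliding window: activity extends the session
    return true;
}

// Web entry point: what auth.php would call before any output is sent.
function require_login(PDO $db): void
{
    session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    if (session_is_live($_SESSION, time())) {
        return;
    }
    $user = null;
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        $user = check_credentials($db, (string) ($_POST['username'] ?? ''),
                                       (string) ($_POST['password'] ?? ''));
    }
    if ($user === null) {
        echo '<form method="post">username: <input name="username"> '
           . 'password: <input type="password" name="password"> '
           . '<input type="submit" value="login"></form>';
        exit;
    }
    session_regenerate_id(true);    // new session id at the privilege change
    mark_logged_in($_SESSION, $user, time());
}

// Logout: clear the data, expire the cookie, then destroy the server-side file.
function logout(): void
{
    session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Offline demonstration with constructed data (in-memory SQLite stands in for MySQL).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, userlevel INT, phonenumber TEXT, password_hash TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)')
       ->execute(['bart', 1, '555-0100', password_hash('constructed-pw', PASSWORD_DEFAULT)]);

    $s = [];
    var_dump(check_credentials($db, "o'neil", 'wrong'));   // unknown name with a quote in it
    mark_logged_in($s, check_credentials($db, 'bart', 'constructed-pw'), 1000);
    var_dump(session_is_live($s, 1200));   // 200 s since last activity
    var_dump(session_is_live($s, 1600));   // 400 s since last activity
}
```

A cookie lifetime of 0 makes the browser discard the session cookie when it closes; the server-side session file stays on disk until PHP's session garbage collection removes it.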
Bartosz Wegrzyn wrote:
Alistair Baillie SS2002 wrote:
Im not quite sure what you are meaning but;

PHP will automatically destroy a session after a set amount of time,
the default varies dependant on your server settings, mine is set to
20 minutes, so there is no need for you to catch out of date sessions!

I would presume that this is where your problem lies, and you are
incorrectly destroying a session when it hasnt actually expired.

Also, as session variables cant be modified without your script, you
dont really need to confirm the username and password from the sesion,
simply storing the username would be enough. (You can assume if the
username was stored, the password was correct).

I suggest you have a look at the session documentation at
http://uk.php.net/manual/en/function.session-start.php if you havnt
already done so, as it does provide some examples.

If you are still having problems, if you reply telling me exactly what
you are trying to achieve, (Step by step), ill try and knock some code
up as an example for you.

- Alistair

"Bartosz Wegrzyn" <bt**@sbcglobal .net> wrote in message
news:tl******** *********@newss vr17.news.prodi gy.com...
I call session_start() in my auth.php.
The think is that if I use the browser first time, it works.
Also when I logoff (wchich destroys session and goes back to login
screen) everything works fine.

The problem starts when I close the browser without login off.
Then I have to login to every page.
My logout script does this:

session_start() ;
session_destroy ();
<META HTTP-EQUIV=\"refresh \" content=\"5; URL=\login/main.php\">

So what I though, is that if I put:
session_start() ;
session_destroy ();
in this part of the code:

// print login form and exit if failed.
if($num < 1){
echo "<center><BR><B R>You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username \"> <BR><BR>
password: <input type=password name=\"password \"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

It shoud do the same what logout does.
Unfortunately it does not.

I thing that there is something that I dont know about sessions.
I don't like the thing that the user have to press logout.
It should automatically destroy the session, if the browser was closed.

Any ideas

Bart

Alistair Baillie SS2002 wrote:

If 'menu' is suppost to be ur session variable, then you need to do
$_SESSION['menu'];

You also need to call session_start() ;

- Ali

"Bartosz Wegrzyn" <bt**@sbcglobal .net> wrote in message
news:th******** *******@newssvr 31.news.prodigy .com...
> I need help with sessions.
> I createt set of web site for nav with authorization.
>
> first I go into main.php which looks like this:
>
> <?php
> //common functions
> include_once '../login/common.php';
> global $LOGINDIR;
>
> //nav- navigation
> //auth- authorization
> include ("$LOGINDIR/nav.htm");
> include ("$LOGINDIR/auth.php");
>
> $menu = $_GET['menu'];
> switch($menu)
> {
> case 1:
> include "$LOGINDIR/menu1.php";
> global $LOGINDIR;
> break;
>
> case 2:
> include "$LOGINDIR/menu2.php";
> global $LOGINDIR;
> break;
>
> case 3:
> include "$LOGINDIR/menu3.php";
> global $LOGINDIR;
> break;
>
> case 4:
> include "$LOGINDIR/menu4.php";
> global $LOGINDIR;
> break;
>
> case 5:
> include "$LOGINDIR/menu5.php";
> global $LOGINDIR;
> break;
>
> default:
> include "$LOGINDIR/menudef.htm";
> break;
> }
>
> include ("$LOGINDIR/footer.htm");
> ?>
>
> </td>
> </tr>
> </table>
>
>
> </body>
> </html>
>
> My auth.php looks like this:
>
> [root@lexon login]# cat auth.php
> <?php
> // auth.php
> include_once 'common.php';
> include_once 'db.php';
> dbConnect("corp orate");
>
> // start session
> session_start() ;
> echo $_SESSION['username'];
> echo $_SESSION['password'];
> // convert username and password from _POST or _SESSION
>
> if($_POST){
> if (!$_SESSION['username'] && !$_SESSION['password']) {
> $_SESSION['username']=$_POST["username"];
> $_SESSION['password']=$_POST["password"];
> }
> }
>
> echo "before the query";
> echo $_SESSION['username'];
> echo $_SESSION['password'];
>
>
> // query for a user/pass match
> $result=mysql_q uery("select * from users
> where username='" . $_SESSION['username'] . "' and password='" .
> $_SESSION['password'] . "'");
>
> if ($result) {
>
> // retrieve number of rows resulted
> $num=mysql_num_ rows($result);
>
> // print login form and exit if failed.
> if($num < 1){
>
> echo "<center><BR><B R>You are not authenticated. Please
> login.<br><br>
> <form method=POST action=''>
> username: <input type=text name=\"username \"> <BR><BR>
> password: <input type=password name=\"password \"> <BR><BR><BR>
> <input value=login type=submit>
> </form></center>";
> exit;
> }
>
> $phonenumber = mysql_result($r esult,0,'phonen umber');
> $username = mysql_result($r esult,0,'userna me');
> $userlevel = mysql_result($r esult,0,'userle vel');
>
> //check the logon time, logoff after 5min idle
> if (!$_SESSION['login_time']) {
>
> $_SESSION['login_time']=time();
> };
> $lg_time = intval($_SESSIO N['login_time']);
>
> // If the session start time is greater than the current time...
> if ($lg_time > time() ||
> // If they have been logged in for longer than 5 minutes...
> (time() - $lg_time) > 60*5) {
>
> unset ($_SESSION['login_time']);
> unset ($_SESSION['username']);
> unset ($_SESSION['password']);
>
> include ("logoutexp.php");
> exit;
> }
> $_SESSION['login_time']=time();
> };
> mysql_close();
> ?>
>
> After the time out php goes to logoutexp.php which looks like this:
> [root@lexon login]# cat logoutexp.php
> <?
> // Login & Session example by sde
> // logout.php
>
> include "\login\common.php";
> global $LOGINDIR;
>
> // you must start session before destroying it
> session_start();
> session_destroy();
>
> echo "<center>For security reasons your session has expired.
>
>
> <br><br>
> You will now be returned to the login page.
>
> </center>
>
> <META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
> exit;
> ?>
>
>
> It goes back to main.php and asks for auth.
> The problem is if I try to navigate the page and I will go to for
> example to main.php?menu=4 I need to enter password again.
>
> The only work around is to click logoutexp.php link and then
> everything is ok. I debug the script and I found out that the
> $_session['username'] and password is lost.
>
> any ideas what is wrong?
>
> thanks
>
> bart


Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have a logout link which takes me to a page whose code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>

If I click the link the session is destroyed (on the server session id
file becomes empty) and everything works fine if I want to log in
again. The new session has the same ID as before.

But, when I close the browser without logging off, the session file on
the server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This creates a lot of session files on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what? Why are the sessions not destroyed if I
close the browser?
Thanks


I think that this could be the problem.
The file that starts everything looks like this:
<?php

require '../login/common.php';

//navigation
require ("$LOGINDIR/nav.htm");

//authorization
require ("$LOGINDIR/auth.php");

//switch menu
$menu = $_GET['menu'];
switch($menu)
{
case 1:
include "$LOGINDIR/menu1.php";
break;

case 2:
include "$LOGINDIR/menu2.php";
break;

case 3:
require "$LOGINDIR/menu3.php";
break;

case 4:
include "$LOGINDIR/menu4.php";
break;

case 5:
include "$LOGINDIR/menu5.php";
break;

default:
include "$LOGINDIR/menudef.htm";
break;
}
//footer
require ("$LOGINDIR/footer.htm");
?>

</td>
</tr>
</table>
</body>
</html>
Jul 17 '05 #6
The session files on the server will remain until the time has expired (and
the web server deletes the old files; this only seems to work in Linux, it
doesn't work correctly in Windows).

However, if you have closed the browser, the link to that session will no
longer exist, so there is no way to re-access the session. (Or it's highly
unlikely the user would be able to guess the session id.)

Make sure you only call session_start(); once per execution; if it appears
multiple times, I would presume it would overwrite each other.
I have stuck a very simple example on my web site:

http://www.alistairbaillie.co.uk/tmp/ Will run it

http://www.alistairbaillie.co.uk/tmp/source.php Will show you the source
code.
- Alistair
"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:fs***************@newssvr33.news.prodigy.com...
Jul 17 '05 #7
Thanks for explaining.
I created this code and it works:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');
header("Location: main.php?".Session_Name()."=".Session_ID());

exit();
};

};
header("Location: main.php?".Session_Name()."=".Session_ID());
//close connection to db
mysql_close();
?>
Now on every page I want to check the auth I simply do this:
if ($_SESSION['authenticated']==1) {

}
else {
echo ("
<center>
<p>You are not authenticated!!!</p>
<p>Please go to login page <a href='auth.php'>&lt;login&gt;</a></p>
</center>
");
exit;
};
One more question: is there any way to add include statements in the
code? If I try to add something, the header (" ... is not working.

Thanks

Jul 17 '05 #8
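Added example, not part of any post in this thread: a hardened take on the auth.php flow posted above, using a parameterized query, password_verify(), session_regenerate_id() at login, an idle timeout kept in the session, and a redirect that does not put the session ID in the URL. The PDO connection, the `password_hash` column and all function names are assumptions made for illustration; the idle limit mirrors the 5-minute check in the first script.

```php
<?php
// auth_hardened.php: added example, not code from the thread. Assumed schema:
// users(username, password_hash, phonenumber, userlevel), with password_hash
// produced by password_hash(); the thread's table has a plain `password` column.
declare(strict_types=1);

const IDLE_LIMIT = 300; // seconds; the 5-minute idle logoff from the first auth.php

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // session_start() runs once per request
    }
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,    // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true, // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// True when the session holds a login that was active within IDLE_LIMIT.
function is_session_fresh(array $session, int $now): bool
{
    if (empty($session['authenticated']) || !isset($session['last_seen'])) {
        return false;
    }
    $idle = $now - (int) $session['last_seen'];
    return $idle >= 0 && $idle <= IDLE_LIMIT;
}

// Returns the user's row without the hash, or null when the login is wrong.
function check_credentials(PDO $db, string $username, string $password): ?array
{
    // Placeholder instead of string concatenation: input is bound as data.
    $stmt = $db->prepare(
        'SELECT username, password_hash, phonenumber, userlevel
           FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Call before any output (before nav.htm is included) so header() still works.
function require_login(PDO $db): void
{
    start_secure_session();
    if (is_session_fresh($_SESSION, time())) {
        $_SESSION['last_seen'] = time(); // sliding idle window
        return;
    }
    $_SESSION = []; // expired or anonymous: discard any leftover state
    $user = null;
    if (is_string($_POST['username'] ?? null) && is_string($_POST['password'] ?? null)) {
        $user = check_credentials($db, $_POST['username'], $_POST['password']);
    }
    if ($user === null) {
        echo '<form method="post" action="">'
           . 'username: <input type="text" name="username"><br>'
           . 'password: <input type="password" name="password"><br>'
           . '<input type="submit" value="login"></form>';
        exit;
    }
    session_regenerate_id(true); // fresh ID at login; the old session file is deleted
    $_SESSION = $user + ['authenticated' => true, 'last_seen' => time()];
    header('Location: main.php'); // the cookie carries the ID, not the URL
    exit;
}

function log_out(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    session_destroy();
}

// Offline self-check with constructed data: php auth_hardened.php
if (PHP_SAPI === 'cli' && in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (username TEXT, password_hash TEXT, phonenumber TEXT, userlevel INTEGER)');
    $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)')
       ->execute(['bart', password_hash('constructed-pass', PASSWORD_DEFAULT), '555-0100', 1]);
    $ok = check_credentials($db, 'bart', 'constructed-pass') !== null
        && check_credentials($db, "o'brien", 'x') === null
        && !is_session_fresh(['authenticated' => true, 'last_seen' => 1000], 1400);
    echo $ok ? "self-check passed\n" : "self-check FAILED\n";
}
```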
Header requests must occur before any output is sent to the browser.

(In my example the header() functions are simply redirecting the user to
another file, and don't serve any other use.)

- Ali

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:b5****************@newssvr17.news.prodigy.com...
Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have logout link which takes me to site which code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\">";
?>

If I click the link the session is destroyed (on the server session id
file becomes empty) and everything works fine if I want to log in again.
The new session has the same ID as before.

But, when I close the browser without logging off, the session file on the
server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes to create a lot of session files on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what. Why the sessions are not destroyed if I
close the browser?
Thanks


Thanks for explaining.
I created this code and it works:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');
header("Location: main.php?".Session_Name()."=".Session_ID());
exit();
};

};
header("Location: main.php?".Session_Name()."=".Session_ID());
//close connection to db
mysql_close();
?>
Now on every page I want to check the auth I simply do this:
if ($_SESSION['authenticated']==1) {

}
else {
echo ("
<center>
<p>You are not authenticated!!!</p>
<p>Please go to login page <a href='auth.php'>&lt;login&gt;</a></p>
</center>
");
exit;
};
One more question: is there any way to add include statements in the code?
If I try to add something, the header (" ... is not working.

Thanks

Jul 17 '05 #9
Alistair Baillie SS2002 wrote:
Header requests must occur before any output is sent to the browser.

(In my example the header() functions are simply redirecting the user to
another file, and don't serve any other use.)

- Ali

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:b5****************@newssvr17.news.prodigy.com...
Alistair Baillie SS2002 wrote:
The session files on the server, will remain until the time has expired
(And the web server deletes the old files, this only seems to work in
linux, it doesn't work correctly in windows).

However, if u have closed the browser, the link to that session will no
longer exist, so there is no way to re-access the session. (Or it's highly
unlikely the user would be able to guess the session id).

Make sure you only call session_start(); once per execution, if it
appears multiple times, I would presume it would overwrite each other.
I have stuck a very simple example on my web site;

http://www.alistairbaillie.co.uk/tmp/ Will run it

http://www.alistairbaillie.co.uk/tmp/source.php Will show you the source
code.
- Alistair
"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:fs***************@newssvr33.news.prodigy.com...
Alistair Baillie SS2002 wrote:
>I'm not quite sure what you are meaning but;
>
>PHP will automatically destroy a session after a set amount of time, the
>default varies dependent on your server settings, mine is set to 20
>minutes, so there is no need for you to catch out of date sessions!
>
>I would presume that this is where your problem lies, and you are
>incorrectly destroying a session when it hasn't actually expired.
>
>Also, as session variables can't be modified without your script, you
>don't really need to confirm the username and password from the session,
>simply storing the username would be enough. (You can assume if the
>username was stored, the password was correct).
>
>I suggest you have a look at the session documentation at
>http://uk.php.net/manual/en/function.session-start.php if you haven't
>already done so, as it does provide some examples.
>
>If you are still having problems, if you reply telling me exactly what
>you are trying to achieve, (Step by step), I'll try and knock some code
>up as an example for you.
>
>- Alistair
>
>"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
>news:tl*****************@newssvr17.news.prodigy.com...
>
>
>
>>I call session_start() in my auth.php.
>>The thing is that if I use the browser first time, it works.
>>Also when I logoff (which destroys session and goes back to login
>>screen) everything works fine.
>>
>>The problem starts when I close the browser without logging off.
>>Then I have to login to every page.
>>My logout script does this:
>>
>>session_start();
>>session_destroy();
>><META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">
>>
>>So what I thought, is that if I put:
>>session_start();
>>session_destroy();
>>in this part of the code:
>>
>>// print login form and exit if failed.
>>if($num < 1){
>>echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
>><form method=POST action=''>
>>username: <input type=text name=\"username\"> <BR><BR>
>>password: <input type=password name=\"password\"> <BR><BR><BR>
>><input value=login type=submit>
>></form></center>";
>>exit;
>>}
>>
>>It should do the same what logout does.
>>Unfortunately it does not.
>>
>>I think that there is something that I don't know about sessions.
>>I don't like the thing that the user have to press logout.
>>It should automatically destroy the session, if the browser was closed.
>>
>>Any ideas
>>
>>Bart
>>
>>Alistair Baillie SS2002 wrote:
>>
>>
>>
>>>If 'menu' is supposed to be ur session variable, then you need to do
>>>$_SESSION['menu'];
>>>
>>>You also need to call session_start();
>>>
>>>- Ali
>>>
>>>"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
>>>news:th***************@newssvr31.news.prodigy.com...
>>>
>>>
>>>
>>>
>>>>I need help with sessions.
>>>>I created set of web site for nav with authorization.
>>>>
>>>>first I go into main.php which looks like this:
>>>>
>>>><?php
>>>>//common functions
>>>>include_once '../login/common.php';
>>>>global $LOGINDIR;
>>>>
>>>>//nav- navigation
>>>>//auth- authorization
>>>>include ("$LOGINDIR/nav.htm");
>>>>include ("$LOGINDIR/auth.php");
>>>>
>>>>$menu = $_GET['menu'];
>>>>switch($menu)
>>>>{
>>>>case 1:
>>>>include "$LOGINDIR/menu1.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>case 2:
>>>>include "$LOGINDIR/menu2.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>case 3:
>>>>include "$LOGINDIR/menu3.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>case 4:
>>>>include "$LOGINDIR/menu4.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>case 5:
>>>>include "$LOGINDIR/menu5.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>default:
>>>>include "$LOGINDIR/menudef.htm";
>>>>break;
>>>>}
>>>>
>>>>include ("$LOGINDIR/footer.htm");
>>>>?>
>>>>
>>>></td>
>>>></tr>
>>>></table>
>>>>
>>>>
>>>></body>
>>>></html>
>>>>
>>>>My auth.php looks like this:
>>>>
>>>>[root@lexon login]# cat auth.php
>>>><?php
>>>>// auth.php
>>>>include_once 'common.php';
>>>>include_once 'db.php';
>>>>dbConnect("corporate");
>>>>
>>>>// start session
>>>>session_start();
>>>>echo $_SESSION['username'];
>>>>echo $_SESSION['password'];
>>>>// convert username and password from _POST or _SESSION
>>>>
>>>>if($_POST){
>>>>if (!$_SESSION['username'] && !$_SESSION['password']) {
>>>>$_SESSION['username']=$_POST["username"];
>>>>$_SESSION['password']=$_POST["password"];
>>>>}
>>>>}
>>>>
>>>>echo "before the query";
>>>>echo $_SESSION['username'];
>>>>echo $_SESSION['password'];
>>>>
>>>>
>>>>// query for a user/pass match
>>>>$result=mysql_query("select * from users
>>>>where username='" . $_SESSION['username'] . "' and password='" .
>>>>$_SESSION['password'] . "'");
>>>>
>>>>if ($result) {
>>>>
>>>>// retrieve number of rows resulted
>>>>$num=mysql_num_rows($result);
>>>>
>>>>// print login form and exit if failed.
>>>>if($num < 1){
>>>>
>>>>echo "<center><BR><BR>You are not authenticated. Please
>>>>login.<br><br>
>>>><form method=POST action=''>
>>>>username: <input type=text name=\"username\"> <BR><BR>
>>>>password: <input type=password name=\"password\"> <BR><BR><BR>
>>>><input value=login type=submit>
>>>></form></center>";
>>>>exit;
>>>>}
>>>>
>>>>$phonenumber = mysql_result($result,0,'phonenumber');
>>>>$username = mysql_result($result,0,'username');
>>>>$userlevel = mysql_result($result,0,'userlevel');
>>>>
>>>>//check the logon time, logoff after 5min idle
>>>>if (!$_SESSION['login_time']) {
>>>>
>>>>$_SESSION['login_time']=time();
>>>>};
>>>>$lg_time = intval($_SESSION['login_time']);
>>>>
>>>>// If the session start time is greater than the current time...
>>>>if ($lg_time > time() ||
>>>>// If they have been logged in for longer than 5 minutes...
>>>>(time() - $lg_time) > 60*5) {
>>>>
>>>> unset ($_SESSION['login_time']);
>>>> unset ($_SESSION['username']);
>>>> unset ($_SESSION['password']);
>>>>
>>>> include ("logoutexp.php");
>>>> exit;
>>>>}
>>>>$_SESSION['login_time']=time();
>>>>};
>>>>mysql_close();
>>>>?>
>>>>
>>>>After the time out php goes to logoutexp.php which looks like this:
>>>>[root@lexon login]# cat logoutexp.php
>>>><?
>>>>// Login & Session example by sde
>>>>// logout.php
>>>>
>>>>include "\login\common.php";
>>>>global $LOGINDIR;
>>>>
>>>>// you must start session before destroying it
>>>>session_start();
>>>>session_destroy();
>>>>
>>>>echo "<center>For security reasons your session has expired.
>>>>
>>>>
>>>><br><br>
>>>>You will now be returned to the login page.
>>>>
>>>></center>
>>>>
>>>><META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">";
>>>>exit;
>>>>?>
>>>>
>>>>
>>>>It goes back to main.php and asks for auth.
>>>>The problem is if I try to navigate the page and I will go to for
>>>>example to main.php?menu=4 I need to enter password again.
>>>>
>>>>The only workaround is to click logoutexp.php link and then everything
>>>>is ok. I debug the script and I found out that the
>>>>$_session['username'] and password is lost.
>>>>
>>>>any ideas what is wrong?
>>>>
>>>>thanks
>>>>
>>>>bart
>>>
>>>
Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have logout link which takes me to site which code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\">";
?>

If I click the link the session is destroyed (on the server session id
file becomes empty) and everything works fine if I want to log in again.
The new session has the same ID as before.

But, when I close the browser without logging off, the session file on the
server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes to create a lot of session files on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what. Why the sessions are not destroyed if I
close the browser?
Thanks

Thanks for explaining.
I created this code and it works:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');
header("Location: main.php?".Session_Name()."=".Session_ID());
exit();
};

};
header("Location: main.php?".Session_Name()."=".Session_ID());
//close connection to db
mysql_close();
?>
Now on every page I want to check the auth I simply do this:
if ($_SESSION['authenticated']==1) {

}
else {
echo ("
<center>
<p>You are not authenticated!!!</p>
<p>Please go to login page <a href='auth.php'>&lt;login&gt;</a></p>
</center>
");
exit;
};
One more question: is there any way to add include statements in the code?
If I try to add something, the header (" ... is not working.

Thanks



Is there any way to add include statements into my script?
I simply want to make the webpage look nicer.
Jul 17 '05 #10
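
The login flow this thread converges on (check credentials once, then trust a session flag with an idle limit), as an added example that is not code from any poster: it binds the username as a query parameter instead of concatenating `$_POST` into the SQL, compares against a password hash, and keeps the session ID in a cookie rather than in the redirect URL. The `pass_hash` column, the function names, the sample account and the in-memory SQLite database (needs `pdo_sqlite`) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not a poster's code. The pass_hash column, function names
// and sample account are assumptions made for illustration.

const IDLE_LIMIT = 300; // seconds: the 5-minute idle limit from the first auth.php

/** Start the session with the ID carried in a cookie only, never in the URL. */
function start_cookie_session(): void
{
    session_start([
        'use_only_cookies' => 1,
        'use_strict_mode'  => 1,
        'cookie_httponly'  => 1,
        'cookie_samesite'  => 'Lax',
    ]);
}

/** Look the user up with a bound parameter and verify the stored password hash. */
function check_credentials(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT username, userlevel, pass_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    unset($row['pass_hash']);
    return $row;
}

/** Record a successful login: identity goes into the session, the password does not. */
function mark_logged_in(array &$session, array $user, int $now): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh ID once the session becomes authenticated
    }
    $session = [
        'authenticated' => true,
        'username'      => $user['username'],
        'userlevel'     => $user['userlevel'],
        'last_seen'     => $now,
    ];
}

/** True while the session is authenticated and not idle; otherwise clears it. */
function session_is_live(array &$session, int $now): bool
{
    $last = $session['last_seen'] ?? null;
    if (($session['authenticated'] ?? false) !== true || !is_int($last)
        || $last > $now || $now - $last > IDLE_LIMIT) {
        $session = [];
        return false;
    }
    $session['last_seen'] = $now; // sliding idle window
    return true;
}

// Constructed demo for the command line: in-memory SQLite stands in for the
// thread's "corporate" database and $session for $_SESSION.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, userlevel INTEGER, pass_hash TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?, ?)')
       ->execute(['bart', 1, password_hash('sample-passphrase', PASSWORD_DEFAULT)]);

    $session = [];
    $t0 = time();
    // An apostrophe in the input is plain data to a bound parameter.
    var_dump(check_credentials($db, "o'brien", 'anything'));
    $user = check_credentials($db, 'bart', 'sample-passphrase');
    mark_logged_in($session, $user, $t0);
    var_dump(session_is_live($session, $t0 + 120));                  // within the idle limit
    var_dump(session_is_live($session, $t0 + 120 + IDLE_LIMIT + 1)); // past it: session cleared
}
```

In a page, call `start_cookie_session()` and these checks before any output is sent, passing `$_SESSION` and `time()`, so that a plain `header('Location: main.php')` redirect still works.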
