
php sessions problem - wrong logic maybe

I need help with sessions.
I created a set of web sites for nav with authorization.

First I go into main.php, which looks like this:

<?php
//common functions
include_once '../login/common.php';
global $LOGINDIR;

//nav- navigation
//auth- authorization
include ("$LOGINDIR/nav.htm");
include ("$LOGINDIR/auth.php");

$menu = $_GET['menu'];
switch($menu)
{
    case 1:
        include "$LOGINDIR/menu1.php";
        global $LOGINDIR;
        break;

    case 2:
        include "$LOGINDIR/menu2.php";
        global $LOGINDIR;
        break;

    case 3:
        include "$LOGINDIR/menu3.php";
        global $LOGINDIR;
        break;

    case 4:
        include "$LOGINDIR/menu4.php";
        global $LOGINDIR;
        break;

    case 5:
        include "$LOGINDIR/menu5.php";
        global $LOGINDIR;
        break;

    default:
        include "$LOGINDIR/menudef.htm";
        break;
}

include ("$LOGINDIR/footer.htm");
?>

</td>
</tr>
</table>
</body>
</html>

My auth.php looks like this:

[root@lexon login]# cat auth.php
<?php
// auth.php
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();
echo $_SESSION['username'];
echo $_SESSION['password'];
// convert username and password from _POST or _SESSION

if($_POST){
    if (!$_SESSION['username'] && !$_SESSION['password']) {
        $_SESSION['username']=$_POST["username"];
        $_SESSION['password']=$_POST["password"];
    }
}

echo "before the query";
echo $_SESSION['username'];
echo $_SESSION['password'];
// query for a user/pass match
$result=mysql_query("select * from users
where username='" . $_SESSION['username'] . "' and password='" .
    $_SESSION['password'] . "'");

if ($result) {

    // retrieve number of rows resulted
    $num=mysql_num_rows($result);

    // print login form and exit if failed.
    if($num < 1){

        echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
        exit;
    }

    $phonenumber = mysql_result($result,0,'phonenumber');
    $username = mysql_result($result,0,'username');
    $userlevel = mysql_result($result,0,'userlevel');

    //check the logon time, logoff after 5min idle
    if (!$_SESSION['login_time']) {

        $_SESSION['login_time']=time();
    };
    $lg_time = intval($_SESSION['login_time']);

    // If the session start time is greater than the current time...
    if ($lg_time > time() ||
        // If they have been logged in for longer than 5 minutes...
        (time() - $lg_time) > 60*5) {

        unset ($_SESSION['login_time']);
        unset ($_SESSION['username']);
        unset ($_SESSION['password']);

        include ("logoutexp.php");
        exit;
    }
    $_SESSION['login_time']=time();
};
mysql_close();
?>

After the time out php goes to logoutexp.php which looks like this:
[root@lexon login]# cat logoutexp.php
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>For security reasons your session has expired.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
exit;
?>
It goes back to main.php and asks for auth.
The problem is that if I try to navigate the page and go to, for
example, main.php?menu=4, I need to enter the password again.

The only workaround is to click the logoutexp.php link, and then everything is
ok. I debugged the script and found out that
$_SESSION['username'] and the password are lost.

Any ideas what is wrong?

thanks

bart
Jul 17 '05 #1
9 Replies


If 'menu' is supposed to be your session variable, then you need to do
$_SESSION['menu'];

You also need to call session_start();

- Ali

Jul 17 '05 #2

I call session_start() in my auth.php.
The thing is that if I use the browser the first time, it works.
Also when I log off (which destroys the session and goes back to the login
screen) everything works fine.

The problem starts when I close the browser without logging off.
Then I have to log in to every page.
My logout script does this:

session_start();
session_destroy();
<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">

So what I thought is that if I put:
session_start();
session_destroy();
in this part of the code:

// print login form and exit if failed.
if($num < 1){
echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

It should do the same as what logout does.
Unfortunately it does not.

I think that there is something that I don't know about sessions.
I don't like the thing that the user has to press logout.
It should automatically destroy the session if the browser was closed.

Any ideas?

Bart


Jul 17 '05 #3

I'm not quite sure what you mean, but:

PHP will automatically destroy a session after a set amount of time; the
default varies depending on your server settings (mine is set to 20 minutes),
so there is no need for you to catch out-of-date sessions!

I would presume that this is where your problem lies, and you are
incorrectly destroying a session when it hasn't actually expired.

Also, as session variables can't be modified without your script, you don't
really need to confirm the username and password from the session; simply
storing the username would be enough. (You can assume if the username was
stored, the password was correct.)

I suggest you have a look at the session documentation at
http://uk.php.net/manual/en/function.session-start.php if you haven't already
done so, as it does provide some examples.

If you are still having problems, reply telling me exactly what you
are trying to achieve (step by step), and I'll try and knock some code up as an
example for you.

- Alistair


Jul 17 '05 #4
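
The approach described in the reply above (check the password once at login, then keep only the username in the session), as an added example that is not code from the thread; it also keeps the 5-minute idle check from the original auth.php. The `password_hash` column, the in-memory SQLite database standing in for the `corporate` database, and every function name are assumptions.

```php
<?php
// Added example (not code from the thread). Assumptions: a `password_hash`
// column replaces the plaintext `password` column, an in-memory SQLite
// database stands in for the `corporate` MySQL database, and every function
// name below is hypothetical.

const IDLE_LIMIT = 300; // seconds; the 5-minute idle limit from auth.php

// Look the user up with a bound parameter instead of string concatenation.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT username, password_hash, userlevel FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Check the password once, at login. Only identity data goes into the session.
function login(PDO $db, array &$session, string $username, string $password, int $now): bool
{
    $user = find_user($db, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a new ID for the authenticated session
    }
    $session['username']  = $user['username'];
    $session['userlevel'] = (int) $user['userlevel'];
    $session['last_seen'] = $now;
    return true;
}

// Per-request gate: no database query, only the idle-time check.
function is_authenticated(array &$session, int $now): bool
{
    if (empty($session['username'])) {
        return false;
    }
    $idle = $now - (int) ($session['last_seen'] ?? 0);
    if ($idle < 0 || $idle > IDLE_LIMIT) {
        logout($session);
        return false;
    }
    $session['last_seen'] = $now; // activity resets the idle clock
    return true;
}

// Clear the data, expire the cookie and delete the server-side record.
function logout(array &$session): void
{
    $session = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
    }
}

// --- Demo with constructed data; $session stands in for $_SESSION on the CLI.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, userlevel INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['bart', password_hash('constructed-pass', PASSWORD_DEFAULT), 2]);

$session = [];
$t0 = 1000000; // constructed clock value
var_dump(login($db, $session, "o'neil", 'x', $t0));              // quote in the name is plain data; unknown user
var_dump(login($db, $session, 'bart', 'constructed-pass', $t0)); // valid credentials
var_dump(is_authenticated($session, $t0 + 120));                 // request inside the idle limit
var_dump(is_authenticated($session, $t0 + 120 + 301));           // request after the idle limit
var_dump($session);                                              // session data after the timeout
```

In a web page, call session_start() first and pass `$_SESSION` where the demo passes `$session`. With default settings the session cookie has no expiry, so the browser discards it on close, while the server-side session file stays until PHP's session garbage collection removes it.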


Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

    // query for a user/pass match
    $result=mysql_query("select * from users where username='" .
        $_POST['username'] . "' and password='" . $_POST['password'] . "'");
    if ($result) {
        // retrieve number of rows resulted
        $num=mysql_num_rows($result);
        // print login form and exit if failed.
        if($num < 1){

            echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
            exit;
        }

        //register session authenticated
        else {$_SESSION['authenticated']=true;}

        //register other values
        $_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
        $_SESSION['username'] = mysql_result($result,0,'username');
        $_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

    };

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have a logout link which takes me to a site whose code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>

If I click the link, the session is destroyed (on the server the session ID
file becomes empty) and everything works fine if I want to log in
again. The new session has the same ID as before.

But when I close the browser without logging off, the session file on
the server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes a lot of session files to be created on the server, because every
time the auth script starts it calls session_start().

Something is wrong, but what? Why are the sessions not destroyed if I
close the browser?
Thanks
Jul 17 '05 #5

Bartosz Wegrzyn wrote:
Alistair Baillie SS2002 wrote:
Im not quite sure what you are meaning but;

PHP will automatically destroy a session after a set amount of time,
the default varies dependant on your server settings, mine is set to
20 minutes, so there is no need for you to catch out of date sessions!

I would presume that this is where your problem lies, and you are
incorrectly destroying a session when it hasnt actually expired.

Also, as session variables cant be modified without your script, you
dont really need to confirm the username and password from the sesion,
simply storing the username would be enough. (You can assume if the
username was stored, the password was correct).

I suggest you have a look at the session documentation at
http://uk.php.net/manual/en/function.session-start.php if you havnt
already done so, as it does provide some examples.

If you are still having problems, if you reply telling me exactly what
you are trying to achieve, (Step by step), ill try and knock some code
up as an example for you.

- Alistair

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:tl*****************@newssvr17.news.prodigy.co m...
I call session_start() in my auth.php.
The think is that if I use the browser first time, it works.
Also when I logoff (wchich destroys session and goes back to login
screen) everything works fine.

The problem starts when I close the browser without login off.
Then I have to login to every page.
My logout script does this:

session_start();
session_destroy();
<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">

So what I though, is that if I put:
session_start();
session_destroy();
in this part of the code:

// print login form and exit if failed.
if($num < 1){
echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

It shoud do the same what logout does.
Unfortunately it does not.

I thing that there is something that I dont know about sessions.
I don't like the thing that the user have to press logout.
It should automatically destroy the session, if the browser was closed.

Any ideas

Bart

Alistair Baillie SS2002 wrote:

If 'menu' is suppost to be ur session variable, then you need to do
$_SESSION['menu'];

You also need to call session_start();

- Ali

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:th***************@newssvr31.news.prodigy.com. ..
> I need help with sessions.
> I createt set of web site for nav with authorization.
>
> first I go into main.php which looks like this:
>
> <?php
> //common functions
> include_once '../login/common.php';
> global $LOGINDIR;
>
> //nav- navigation
> //auth- authorization
> include ("$LOGINDIR/nav.htm");
> include ("$LOGINDIR/auth.php");
>
> $menu = $_GET['menu'];
> switch($menu)
> {
> case 1:
> include "$LOGINDIR/menu1.php";
> global $LOGINDIR;
> break;
>
> case 2:
> include "$LOGINDIR/menu2.php";
> global $LOGINDIR;
> break;
>
> case 3:
> include "$LOGINDIR/menu3.php";
> global $LOGINDIR;
> break;
>
> case 4:
> include "$LOGINDIR/menu4.php";
> global $LOGINDIR;
> break;
>
> case 5:
> include "$LOGINDIR/menu5.php";
> global $LOGINDIR;
> break;
>
> default:
> include "$LOGINDIR/menudef.htm";
> break;
> }
>
> include ("$LOGINDIR/footer.htm");
> ?>
>
> </td>
> </tr>
> </table>
>
>
> </body>
> </html>
>
> My auth.php looks like this:
>
> [root@lexon login]# cat auth.php
> <?php
> // auth.php
> include_once 'common.php';
> include_once 'db.php';
> dbConnect("corporate");
>
> // start session
> session_start();
> echo $_SESSION['username'];
> echo $_SESSION['password'];
> // convert username and password from _POST or _SESSION
>
> if($_POST){
> if (!$_SESSION['username'] && !$_SESSION['password']) {
> $_SESSION['username']=$_POST["username"];
> $_SESSION['password']=$_POST["password"];
> }
> }
>
> echo "before the query";
> echo $_SESSION['username'];
> echo $_SESSION['password'];
>
>
> // query for a user/pass match
> $result=mysql_query("select * from users
> where username='" . $_SESSION['username'] . "' and password='" .
> $_SESSION['password'] . "'");
>
> if ($result) {
>
> // retrieve number of rows resulted
> $num=mysql_num_rows($result);
>
> // print login form and exit if failed.
> if($num < 1){
>
> echo "<center><BR><BR>You are not authenticated. Please
> login.<br><br>
> <form method=POST action=''>
> username: <input type=text name=\"username\"> <BR><BR>
> password: <input type=password name=\"password\"> <BR><BR><BR>
> <input value=login type=submit>
> </form></center>";
> exit;
> }
>
> $phonenumber = mysql_result($result,0,'phonenumber');
> $username = mysql_result($result,0,'username');
> $userlevel = mysql_result($result,0,'userlevel');
>
> //check the logon time, logoff after 5min idle
> if (!$_SESSION['login_time']) {
>
> $_SESSION['login_time']=time();
> };
> $lg_time = intval($_SESSION['login_time']);
>
> // If the session start time is greater than the current time...
> if ($lg_time > time() ||
> // If they have been logged in for longer than 5 minutes...
> (time() - $lg_time) > 60*5) {
>
> unset ($_SESSION['login_time']);
> unset ($_SESSION['username']);
> unset ($_SESSION['password']);
>
> include ("logoutexp.php");
> exit;
> }
> $_SESSION['login_time']=time();
> };
> mysql_close();
> ?>
>
> After the time out php goes to logoutexp.php which looks like this:
> [root@lexon login]# cat logoutexp.php
> <?
> // Login & Session example by sde
> // logout.php
>
> include "\login\common.php";
> global $LOGINDIR;
>
> // you must start session before destroying it
> session_start();
> session_destroy();
>
> echo "<center>For security reasons your session has expired.
>
>
> <br><br>
> You will now be returned to the login page.
>
> </center>
>
> <META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
> exit;
> ?>
>
>
> It goes back to main.php and asks for auth.
> The problem is that if I try to navigate the page and go to, for
> example, main.php?menu=4, I need to enter the password again.
>
> The only workaround is to click the logoutexp.php link and then
> everything is ok. I debugged the script and found out that the
> $_session['username'] and password are lost.
>
> Any ideas what is wrong?
>
> thanks
>
> bart


Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please
login.<br><br>
<form method=POST action='main.php'>
username: <input type=text
name=\"username\"> <BR><BR>
password: <input type=password
name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register sesssion authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] =
mysql_result($result,0,'phonenumber');
$_SESSION['username'] =
mysql_result($result,0,'username');
$_SESSION['userlevel'] =
mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have a logout link which takes me to a page whose code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>

If I click the link the session is destroyed (on the server session id
file becomes empty) and everything works fine if I want to log in
again. The new session has the same ID as before.

But when I close the browser without logging off, the session file on
the server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes a lot of session files to be created on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what? Why are the sessions not destroyed if I
close the browser?
Thanks


I think that this could be the problem.
The file that starts everything looks like this:
<?php

require '../login/common.php';

//navigation
require ("$LOGINDIR/nav.htm");

//authorization
require ("$LOGINDIR/auth.php");

//switch menu
$menu = $_GET['menu'];
switch($menu)
{
case 1:
include "$LOGINDIR/menu1.php";
break;

case 2:
include "$LOGINDIR/menu2.php";
break;

case 3:
require "$LOGINDIR/menu3.php";
break;

case 4:
include "$LOGINDIR/menu4.php";
break;

case 5:
include "$LOGINDIR/menu5.php";
break;

default:
include "$LOGINDIR/menudef.htm";
break;
}
//footer
require ("$LOGINDIR/footer.htm");
?>

</td>
</tr>
</table>
</body>
</html>
Jul 17 '05 #6

P: n/a
The session files on the server will remain until the time has expired (and
the web server deletes the old files; this only seems to work in Linux, it
doesn't work correctly in Windows).

However, if you have closed the browser, the link to that session will no
longer exist, so there is no way to re-access the session. (Or it's highly
unlikely the user would be able to guess the session ID.)

Make sure you only call session_start(); once per execution; if it appears
multiple times, I would presume they would overwrite each other.
I have stuck a very simple example on my web site;

http://www.alistairbaillie.co.uk/tmp/ Will run it

http://www.alistairbaillie.co.uk/tmp/source.php Will show you the source
code.
- Alistair
"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:fs***************@newssvr33.news.prodigy.com. ..
Alistair Baillie SS2002 wrote:
I'm not quite sure what you are meaning, but:

PHP will automatically destroy a session after a set amount of time; the
default varies depending on your server settings, mine is set to 20
minutes, so there is no need for you to catch out-of-date sessions!

I would presume that this is where your problem lies, and you are
incorrectly destroying a session when it hasn't actually expired.

Also, as session variables can't be modified without your script, you don't
really need to confirm the username and password from the session; simply
storing the username would be enough. (You can assume if the username was
stored, the password was correct.)

I suggest you have a look at the session documentation at
http://uk.php.net/manual/en/function.session-start.php if you haven't
already done so, as it does provide some examples.

If you are still having problems, if you reply telling me exactly what
you are trying to achieve (step by step), I'll try and knock some code up
as an example for you.

- Alistair

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:tl*****************@newssvr17.news.prodigy.co m...
I call session_start() in my auth.php.
The thing is that if I use the browser for the first time, it works.
Also when I log off (which destroys the session and goes back to the login
screen) everything works fine.

The problem starts when I close the browser without logging off.
Then I have to log in to every page.
My logout script does this:

session_start();
session_destroy();
<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">

So what I thought is that if I put:
session_start();
session_destroy();
in this part of the code:

// print login form and exit if failed.
if($num < 1){
echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

It should do the same as what logout does.
Unfortunately it does not.

I think that there is something that I don't know about sessions.
I don't like that the user has to press logout.
It should automatically destroy the session if the browser was closed.

Any ideas

Bart

Alistair Baillie SS2002 wrote:

If 'menu' is supposed to be your session variable, then you need to do
$_SESSION['menu'];

You also need to call session_start();

- Ali

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:th***************@newssvr31.news.prodigy. com...
>I need help with sessions.
>I created a set of web sites for nav with authorization.
>
>first I go into main.php which looks like this:
>
><?php
>//common functions
>include_once '../login/common.php';
>global $LOGINDIR;
>
>//nav- navigation
>//auth- authorization
>include ("$LOGINDIR/nav.htm");
>include ("$LOGINDIR/auth.php");
>
>$menu = $_GET['menu'];
>switch($menu)
>{
>case 1:
>include "$LOGINDIR/menu1.php";
>global $LOGINDIR;
>break;
>
>case 2:
>include "$LOGINDIR/menu2.php";
>global $LOGINDIR;
>break;
>
>case 3:
>include "$LOGINDIR/menu3.php";
>global $LOGINDIR;
>break;
>
>case 4:
>include "$LOGINDIR/menu4.php";
>global $LOGINDIR;
>break;
>
>case 5:
>include "$LOGINDIR/menu5.php";
>global $LOGINDIR;
>break;
>
>default:
>include "$LOGINDIR/menudef.htm";
>break;
>}
>
>include ("$LOGINDIR/footer.htm");
>?>
>
></td>
> </tr>
></table>
>
>
></body>
></html>
>
>My auth.php looks like this:
>
>[root@lexon login]# cat auth.php
><?php
>// auth.php
>include_once 'common.php';
>include_once 'db.php';
>dbConnect("corporate");
>
>// start session
>session_start();
>echo $_SESSION['username'];
>echo $_SESSION['password'];
>// convert username and password from _POST or _SESSION
>
>if($_POST){
>if (!$_SESSION['username'] && !$_SESSION['password']) {
>$_SESSION['username']=$_POST["username"];
>$_SESSION['password']=$_POST["password"];
>}
>}
>
>echo "before the query";
>echo $_SESSION['username'];
>echo $_SESSION['password'];
>
>
>// query for a user/pass match
>$result=mysql_query("select * from users
> where username='" . $_SESSION['username'] . "' and password='" .
> $_SESSION['password'] . "'");
>
>if ($result) {
>
>// retrieve number of rows resulted
>$num=mysql_num_rows($result);
>
>// print login form and exit if failed.
>if($num < 1){
>
> echo "<center><BR><BR>You are not authenticated. Please
> login.<br><br>
> <form method=POST action=''>
> username: <input type=text name=\"username\"> <BR><BR>
> password: <input type=password name=\"password\"> <BR><BR><BR>
> <input value=login type=submit>
> </form></center>";
>exit;
>}
>
>$phonenumber = mysql_result($result,0,'phonenumber');
>$username = mysql_result($result,0,'username');
>$userlevel = mysql_result($result,0,'userlevel');
>
>//check the logon time, logoff after 5min idle
>if (!$_SESSION['login_time']) {
>
>$_SESSION['login_time']=time();
>};
>$lg_time = intval($_SESSION['login_time']);
>
>// If the session start time is greater than the current time...
>if ($lg_time > time() ||
>// If they have been logged in for longer than 5 minutes...
> (time() - $lg_time) > 60*5) {
>
> unset ($_SESSION['login_time']);
> unset ($_SESSION['username']);
> unset ($_SESSION['password']);
>
> include ("logoutexp.php");
> exit;
>}
>$_SESSION['login_time']=time();
>};
>mysql_close();
>?>
>
>After the time out php goes to logoutexp.php which looks like this:
>[root@lexon login]# cat logoutexp.php
><?
>// Login & Session example by sde
>// logout.php
>
>include "\login\common.php";
>global $LOGINDIR;
>
>// you must start session before destroying it
>session_start();
>session_destroy();
>
>echo "<center>For security reasons your session has expired.
>
>
><br><br>
>You will now be returned to the login page.
>
></center>
>
><META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
>exit;
>?>
>
>
>It goes back to main.php and asks for auth.
>The problem is that if I try to navigate the page and go to, for
>example, main.php?menu=4, I need to enter the password again.
>
>The only workaround is to click the logoutexp.php link and then everything
>is ok. I debugged the script and found out that the
>$_session['username'] and password are lost.
>
>Any ideas what is wrong?
>
>thanks
>
>bart


Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register sesssion authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have a logout link which takes me to a page whose code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>

If I click the link the session is destroyed (on the server session id
file becomes empty) and everything works fine if I want to log in again.
The new session has the same ID as before.

But when I close the browser without logging off, the session file on the
server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes a lot of session files to be created on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what? Why are the sessions not destroyed if I
close the browser?
Thanks

Jul 17 '05 #7

P: n/a
Alistair Baillie SS2002 wrote:
The session files on the server will remain until the time has expired (and
the web server deletes the old files; this only seems to work in Linux, it
doesn't work correctly in Windows).

However, if you have closed the browser, the link to that session will no
longer exist, so there is no way to re-access the session. (Or it's highly
unlikely the user would be able to guess the session ID.)

Make sure you only call session_start(); once per execution; if it appears
multiple times, I would presume they would overwrite each other.
I have stuck a very simple example on my web site;

http://www.alistairbaillie.co.uk/tmp/ Will run it

http://www.alistairbaillie.co.uk/tmp/source.php Will show you the source
code.
- Alistair
"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:fs***************@newssvr33.news.prodigy.com. ..
Alistair Baillie SS2002 wrote:
I'm not quite sure what you are meaning, but:

PHP will automatically destroy a session after a set amount of time; the
default varies depending on your server settings, mine is set to 20
minutes, so there is no need for you to catch out-of-date sessions!

I would presume that this is where your problem lies, and you are
incorrectly destroying a session when it hasn't actually expired.

Also, as session variables can't be modified without your script, you don't
really need to confirm the username and password from the session; simply
storing the username would be enough. (You can assume if the username was
stored, the password was correct.)

I suggest you have a look at the session documentation at
http://uk.php.net/manual/en/function.session-start.php if you haven't
already done so, as it does provide some examples.

If you are still having problems, if you reply telling me exactly what
you are trying to achieve (step by step), I'll try and knock some code up
as an example for you.

- Alistair

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:tl*****************@newssvr17.news.prodigy .com...
I call session_start() in my auth.php.
The thing is that if I use the browser for the first time, it works.
Also when I log off (which destroys the session and goes back to the login
screen) everything works fine.

The problem starts when I close the browser without logging off.
Then I have to log in to every page.
My logout script does this:

session_start();
session_destroy();
<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">

So what I thought is that if I put:
session_start();
session_destroy();
in this part of the code:

// print login form and exit if failed.
if($num < 1){
echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

It should do the same as what logout does.
Unfortunately it does not.

I think that there is something that I don't know about sessions.
I don't like that the user has to press logout.
It should automatically destroy the session if the browser was closed.

Any ideas

Bart

Alistair Baillie SS2002 wrote:
>If 'menu' is supposed to be your session variable, then you need to do
>$_SESSION['menu'];
>
>You also need to call session_start();
>
>- Ali
>
>"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
>news:th***************@newssvr31.news.prodigy .com...
>
>
>
>>I need help with sessions.
>>I created a set of web sites for nav with authorization.
>>
>>first I go into main.php which looks like this:
>>
>><?php
>>//common functions
>>include_once '../login/common.php';
>>global $LOGINDIR;
>>
>>//nav- navigation
>>//auth- authorization
>>include ("$LOGINDIR/nav.htm");
>>include ("$LOGINDIR/auth.php");
>>
>>$menu = $_GET['menu'];
>>switch($menu)
>>{
>>case 1:
>>include "$LOGINDIR/menu1.php";
>>global $LOGINDIR;
>>break;
>>
>>case 2:
>>include "$LOGINDIR/menu2.php";
>>global $LOGINDIR;
>>break;
>>
>>case 3:
>>include "$LOGINDIR/menu3.php";
>>global $LOGINDIR;
>>break;
>>
>>case 4:
>>include "$LOGINDIR/menu4.php";
>>global $LOGINDIR;
>>break;
>>
>>case 5:
>>include "$LOGINDIR/menu5.php";
>>global $LOGINDIR;
>>break;
>>
>>default:
>>include "$LOGINDIR/menudef.htm";
>>break;
>>}
>>
>>include ("$LOGINDIR/footer.htm");
>>?>
>>
>></td>
>></tr>
>></table>
>>
>>
>></body>
>></html>
>>
>>My auth.php looks like this:
>>
>>[root@lexon login]# cat auth.php
>><?php
>>// auth.php
>>include_once 'common.php';
>>include_once 'db.php';
>>dbConnect("corporate");
>>
>>// start session
>>session_start();
>>echo $_SESSION['username'];
>>echo $_SESSION['password'];
>>// convert username and password from _POST or _SESSION
>>
>>if($_POST){
>>if (!$_SESSION['username'] && !$_SESSION['password']) {
>>$_SESSION['username']=$_POST["username"];
>>$_SESSION['password']=$_POST["password"];
>>}
>>}
>>
>>echo "before the query";
>>echo $_SESSION['username'];
>>echo $_SESSION['password'];
>>
>>
>>// query for a user/pass match
>>$result=mysql_query("select * from users
>>where username='" . $_SESSION['username'] . "' and password='" .
>>$_SESSION['password'] . "'");
>>
>>if ($result) {
>>
>>// retrieve number of rows resulted
>>$num=mysql_num_rows($result);
>>
>>// print login form and exit if failed.
>>if($num < 1){
>>
>>echo "<center><BR><BR>You are not authenticated. Please
>>login.<br><br>
>><form method=POST action=''>
>>username: <input type=text name=\"username\"> <BR><BR>
>>password: <input type=password name=\"password\"> <BR><BR><BR>
>><input value=login type=submit>
>></form></center>";
>>exit;
>>}
>>
>>$phonenumber = mysql_result($result,0,'phonenumber');
>>$username = mysql_result($result,0,'username');
>>$userlevel = mysql_result($result,0,'userlevel');
>>
>>//check the logon time, logoff after 5min idle
>>if (!$_SESSION['login_time']) {
>>
>>$_SESSION['login_time']=time();
>>};
>>$lg_time = intval($_SESSION['login_time']);
>>
>>// If the session start time is greater than the current time...
>>if ($lg_time > time() ||
>>// If they have been logged in for longer than 5 minutes...
>> (time() - $lg_time) > 60*5) {
>>
>> unset ($_SESSION['login_time']);
>> unset ($_SESSION['username']);
>> unset ($_SESSION['password']);
>>
>> include ("logoutexp.php");
>> exit;
>>}
>>$_SESSION['login_time']=time();
>>};
>>mysql_close();
>>?>
>>
>>After the time out php goes to logoutexp.php which looks like this:
>>[root@lexon login]# cat logoutexp.php
>><?
>>// Login & Session example by sde
>>// logout.php
>>
>>include "\login\common.php";
>>global $LOGINDIR;
>>
>>// you must start session before destroying it
>>session_start();
>>session_destroy();
>>
>>echo "<center>For security reasons your session has expired.
>>
>>
>><br><br>
>>You will now be returned to the login page.
>>
>></center>
>>
>><META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
>>exit;
>>?>
>>
>>
>>It goes back to main.php and asks for auth.
>>The problem is that if I try to navigate the page and go to, for
>>example, main.php?menu=4, I need to enter the password again.
>>
>>The only workaround is to click the logoutexp.php link and then everything
>>is ok. I debugged the script and found out that the
>>$_session['username'] and password are lost.
>>
>>Any ideas what is wrong?
>>
>>thanks
>>
>>bart
>
>

Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register sesssion authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have a logout link which takes me to a page whose code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>

If I click the link the session is destroyed (on the server session id
file becomes empty) and everything works fine if I want to log in again.
The new session has the same ID as before.

But when I close the browser without logging off, the session file on the
server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes a lot of session files to be created on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what? Why are the sessions not destroyed if I
close the browser?
Thanks


Thanks for explaining.
I created this code and it works:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register sesssion authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');
header("Location: main.php?".Session_Name()."=".Session_ID());

exit();
};

};
header("Location: main.php?".Session_Name()."=".Session_ID());
//close connection to db
mysql_close();
?>
Now on every page I want to check the auth I simply do this:
if ($_SESSION['authenticated']==1) {

}
else {
echo ("
<center>
<p>You are not authenticated!!!</p>
<p>Please go to login page <a href='auth.php'>&lt;login&gt;</a></p>
</center>
");
exit;
};
One more question: is there any way to add include statements in the
code? If I try to add something, the header (" ... is not working.

Thanks

Jul 17 '05 #8
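The login check and per-page gate discussed in this thread, rewritten as an added example that is not any poster's code: the query binds the username instead of concatenating `$_POST`, the stored password is a hash, the session ID stays in a cookie rather than in the `main.php?...` redirect, and the idle limit is enforced server-side because session files outlive a closed browser. Assumed here: PDO with the SQLite driver for an offline demo, a `password_hash` column, and the hypothetical function names `start_hardened_session`, `authenticate`, `establish_login`, `session_is_fresh` and `require_login`.

```php
<?php
// Added example, not code from the thread. Function names and the
// password_hash column are assumptions; the demo user is constructed.
declare(strict_types=1);

const IDLE_LIMIT = 300; // seconds; the 5-minute idle limit from the first auth.php

// Cookie-only session, so the ID never travels in a URL or Referer header.
// Call before any output: the cookie is sent as an HTTP header.
function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,     // browser-session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,  // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Look the user up with a bound parameter and verify the stored hash.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT username, password_hash, phonenumber, userlevel
           FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']); // nothing secret is copied into the session
    return $row;
}

// Record a successful login; the password itself is never stored.
function establish_login(array &$session, array $user, int $now): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh ID at the privilege change
    }
    $session['authenticated'] = true;
    $session['username']      = $user['username'];
    $session['phonenumber']   = $user['phonenumber'];
    $session['userlevel']     = $user['userlevel'];
    $session['last_seen']     = $now;
}

// Server-side idle check: a closed browser does not delete the session file,
// so the timestamp inside the session decides whether it is still valid.
function session_is_fresh(array &$session, int $now, int $idle = IDLE_LIMIT): bool
{
    $last = $session['last_seen'] ?? null;
    if (empty($session['authenticated']) || !is_int($last)
        || $last > $now || $now - $last > $idle) {
        $session = []; // drop every value, not only the flag
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Per-page gate for a web request; include it before any HTML is emitted.
function require_login(): void
{
    start_hardened_session();
    if (!session_is_fresh($_SESSION, time())) {
        session_destroy();
        header('Location: auth.php');
        exit;
    }
}

// Offline demo (php example.php): in-memory SQLite, constructed user and clock.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT,
               phonenumber TEXT, userlevel INTEGER)');
    $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)')->execute(
        ['demo_user', password_hash('constructed-pw', PASSWORD_DEFAULT), '555-0100', 1]
    );

    $session = [];    // stands in for $_SESSION
    $t0 = 1700000000; // constructed clock value

    // A wrong password, a username containing a quote, then the right pair.
    $attempts = [['demo_user', 'wrong'], ["o'brien", 'x'], ['demo_user', 'constructed-pw']];
    foreach ($attempts as [$u, $p]) {
        $user = authenticate($db, $u, $p);
        printf("%-10s %s\n", $u, $user ? 'accepted' : 'rejected');
        if ($user) {
            establish_login($session, $user, $t0);
        }
    }
    // Two requests inside the idle window, then one after a long pause.
    foreach ([60, 200, 700] as $dt) {
        printf("t0+%-4d %s\n", $dt, session_is_fresh($session, $t0 + $dt) ? 'fresh' : 'expired');
    }
}
```

In a page, `require_login();` goes at the top of the script, ahead of `nav.htm` or any other include that prints HTML.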

P: n/a
Header requests must occur before any output is sent to the browser.

(In my example the header() functions are simply redirecting the user to
another file, and don't serve any other use.)

- Ali

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:b5****************@newssvr17.news.prodigy.com ...
Alistair Baillie SS2002 wrote:
The session files on the server will remain until the time has expired
(and the web server deletes the old files; this only seems to work in
Linux, it doesn't work correctly in Windows).

However, if you have closed the browser, the link to that session will no
longer exist, so there is no way to re-access the session. (Or it's highly
unlikely the user would be able to guess the session ID.)

Make sure you only call session_start(); once per execution; if it
appears multiple times, I would presume they would overwrite each other.
I have stuck a very simple example on my web site;

http://www.alistairbaillie.co.uk/tmp/ Will run it

http://www.alistairbaillie.co.uk/tmp/source.php Will show you the source
code.
- Alistair
"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:fs***************@newssvr33.news.prodigy.com. ..
Alistair Baillie SS2002 wrote:

I'm not quite sure what you are meaning, but:

PHP will automatically destroy a session after a set amount of time; the
default varies depending on your server settings, mine is set to 20
minutes, so there is no need for you to catch out-of-date sessions!

I would presume that this is where your problem lies, and you are
incorrectly destroying a session when it hasn't actually expired.

Also, as session variables can't be modified without your script, you
don't really need to confirm the username and password from the session;
simply storing the username would be enough. (You can assume if the
username was stored, the password was correct.)

I suggest you have a look at the session documentation at
http://uk.php.net/manual/en/function.session-start.php if you haven't
already done so, as it does provide some examples.

If you are still having problems, if you reply telling me exactly what
you are trying to achieve (step by step), I'll try and knock some code
up as an example for you.

- Alistair

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:tl*****************@newssvr17.news.prodig y.com...
>I call session_start() in my auth.php.
>The thing is that if I use the browser for the first time, it works.
>Also when I log off (which destroys the session and goes back to the login
>screen) everything works fine.
>
>The problem starts when I close the browser without logging off.
>Then I have to log in to every page.
>My logout script does this:
>
>session_start();
>session_destroy();
><META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">
>
>So what I thought is that if I put:
>session_start();
>session_destroy();
>in this part of the code:
>
>// print login form and exit if failed.
>if($num < 1){
>echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
><form method=POST action=''>
>username: <input type=text name=\"username\"> <BR><BR>
>password: <input type=password name=\"password\"> <BR><BR><BR>
><input value=login type=submit>
></form></center>";
>exit;
>}
>
>It should do the same as what logout does.
>Unfortunately it does not.
>
>I think that there is something that I don't know about sessions.
>I don't like that the user has to press logout.
>It should automatically destroy the session if the browser was closed.
>
>Any ideas
>
>Bart
>
>Alistair Baillie SS2002 wrote:
>
>
>>If 'menu' is supposed to be your session variable, then you need to do
>>$_SESSION['menu'];
>>
>>You also need to call session_start();
>>
>>- Ali
>>
>>"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
>>news:th***************@newssvr31.news.prodig y.com...
>>
>>
>>
>>>I need help with sessions.
>>>I created a set of web sites for nav with authorization.
>>>
>>>first I go into main.php which looks like this:
>>>
>>><?php
>>>//common functions
>>>include_once '../login/common.php';
>>>global $LOGINDIR;
>>>
>>>//nav- navigation
>>>//auth- authorization
>>>include ("$LOGINDIR/nav.htm");
>>>include ("$LOGINDIR/auth.php");
>>>
>>>$menu = $_GET['menu'];
>>>switch($menu)
>>>{
>>>case 1:
>>>include "$LOGINDIR/menu1.php";
>>>global $LOGINDIR;
>>>break;
>>>
>>>case 2:
>>>include "$LOGINDIR/menu2.php";
>>>global $LOGINDIR;
>>>break;
>>>
>>>case 3:
>>>include "$LOGINDIR/menu3.php";
>>>global $LOGINDIR;
>>>break;
>>>
>>>case 4:
>>>include "$LOGINDIR/menu4.php";
>>>global $LOGINDIR;
>>>break;
>>>
>>>case 5:
>>>include "$LOGINDIR/menu5.php";
>>>global $LOGINDIR;
>>>break;
>>>
>>>default:
>>>include "$LOGINDIR/menudef.htm";
>>>break;
>>>}
>>>
>>>include ("$LOGINDIR/footer.htm");
>>>?>
>>>
>>></td>
>>></tr>
>>></table>
>>>
>>>
>>></body>
>>></html>
>>>
>>>My auth.php looks like this:
>>>
>>>[root@lexon login]# cat auth.php
>>><?php
>>>// auth.php
>>>include_once 'common.php';
>>>include_once 'db.php';
>>>dbConnect("corporate");
>>>
>>>// start session
>>>session_start();
>>>echo $_SESSION['username'];
>>>echo $_SESSION['password'];
>>>// convert username and password from _POST or _SESSION
>>>
>>>if($_POST){
>>>if (!$_SESSION['username'] && !$_SESSION['password']) {
>>>$_SESSION['username']=$_POST["username"];
>>>$_SESSION['password']=$_POST["password"];
>>>}
>>>}
>>>
>>>echo "before the query";
>>>echo $_SESSION['username'];
>>>echo $_SESSION['password'];
>>>
>>>
>>>// query for a user/pass match
>>>$result=mysql_query("select * from users
>>>where username='" . $_SESSION['username'] . "' and password='" .
>>>$_SESSION['password'] . "'");
>>>
>>>if ($result) {
>>>
>>>// retrieve number of rows resulted
>>>$num=mysql_num_rows($result);
>>>
>>>// print login form and exit if failed.
>>>if($num < 1){
>>>
>>>echo "<center><BR><BR>You are not authenticated. Please
>>>login.<br><br>
>>><form method=POST action=''>
>>>username: <input type=text name=\"username\"> <BR><BR>
>>>password: <input type=password name=\"password\"> <BR><BR><BR>
>>><input value=login type=submit>
>>></form></center>";
>>>exit;
>>>}
>>>
>>>$phonenumber = mysql_result($result,0,'phonenumber');
>>>$username = mysql_result($result,0,'username');
>>>$userlevel = mysql_result($result,0,'userlevel');
>>>
>>>//check the logon time, logoff after 5min idle
>>>if (!$_SESSION['login_time']) {
>>>
>>>$_SESSION['login_time']=time();
>>>};
>>>$lg_time = intval($_SESSION['login_time']);
>>>
>>>// If the session start time is greater than the current time...
>>>if ($lg_time > time() ||
>>>// If they have been logged in for longer than 5 minutes...
>>> (time() - $lg_time) > 60*5) {
>>>
>>> unset ($_SESSION['login_time']);
>>> unset ($_SESSION['username']);
>>> unset ($_SESSION['password']);
>>>
>>> include ("logoutexp.php");
>>> exit;
>>>}
>>>$_SESSION['login_time']=time();
>>>};
>>>mysql_close();
>>>?>
>>>
>>>After the time out php goes to logoutexp.php which looks like this:
>>>[root@lexon login]# cat logoutexp.php
>>><?
>>>// Login & Session example by sde
>>>// logout.php
>>>
>>>include "\login\common.php";
>>>global $LOGINDIR;
>>>
>>>// you must start session before destroying it
>>>session_start();
>>>session_destroy();
>>>
>>>echo "<center>For security reasons your session has expired.
>>>
>>>
>>><br><br>
>>>You will now be returned to the login page.
>>>
>>></center>
>>>
>>><META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
>>>exit;
>>>?>
>>>
>>>
>>>It goes back to main.php and asks for auth.
>>>The problem is if I try to navigate the page and I will go to for
>>>example to main.php?menu=4 I need to enter password again.
>>>
>>>The only workaround is to click logoutexp.php link and then everything
>>>is ok. I debug the script and I found out that the
>>>$_session['username'] and password is lost.
>>>
>>>any ideas what is wrong?
>>>
>>>thanks
>>>
>>>bart
>>
>>
Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have logout link which takes me to site which code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>

If I click the link the session is destroyed (on the server session id
file becomes empty) and everything works fine if I want to log in again.
The new session has the same ID as before.

But, when I close the browser without logging off, the session file on the
server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes to create a lot of session files on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what? Why are the sessions not destroyed if I
close the browser?
Thanks


Thanks for explaining.
I created this code and it works:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');
header("Location: main.php?".Session_Name()."=".Session_ID());
exit();
};

};
header("Location: main.php?".Session_Name()."=".Session_ID());
//close connection to db
mysql_close();
?>
Now on every page I want to check the auth I simply do this:
if ($_SESSION['authenticated']==1) {

}
else {
echo ("
<center>
<p>You are not authenticated!!!</p>
<p>Please go to login page <a href='auth.php'>&lt;login&gt;</a></p>
</center>
");
exit;
};
One more question: is there any way to add include statements in the code?
If I try to add something, the header (" ... is not working.

Thanks

Jul 17 '05 #9

Alistair Baillie SS2002 wrote:
Header requests must occur before any output is sent to the browser.

(In my example the header() functions are simply redirecting the user to
another file, and don't serve any other use.)

- Ali

"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:b5****************@newssvr17.news.prodigy.com ...
Alistair Baillie SS2002 wrote:
The session files on the server will remain until the time has expired
(and the web server deletes the old files; this only seems to work in
Linux, it doesn't work correctly in Windows).

However, if you have closed the browser, the link to that session will no
longer exist, so there is no way to re-access the session. (Or it's highly
unlikely the user would be able to guess the session id).

Make sure you only call session_start(); once per execution, if it
appears multiple times, I would presume it would overwrite each other.
I have stuck a very simple example on my web site;

http://www.alistairbaillie.co.uk/tmp/ Will run it

http://www.alistairbaillie.co.uk/tmp/source.php Will show you the source
code.
- Alistair
"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
news:fs***************@newssvr33.news.prodigy.com...
Alistair Baillie SS2002 wrote:
>I'm not quite sure what you are meaning but;
>
>PHP will automatically destroy a session after a set amount of time, the
>default varies dependent on your server settings, mine is set to 20
>minutes, so there is no need for you to catch out of date sessions!
>
>I would presume that this is where your problem lies, and you are
>incorrectly destroying a session when it hasn't actually expired.
>
>Also, as session variables can't be modified without your script, you
>don't really need to confirm the username and password from the session,
>simply storing the username would be enough. (You can assume if the
>username was stored, the password was correct).
>
>I suggest you have a look at the session documentation at
>http://uk.php.net/manual/en/function.session-start.php if you haven't
>already done so, as it does provide some examples.
>
>If you are still having problems, if you reply telling me exactly what
>you are trying to achieve, (Step by step), I'll try and knock some code
>up as an example for you.
>
>- Alistair
>
>"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
>news:tl*****************@newssvr17.news.prodigy.com...
>
>
>
>>I call session_start() in my auth.php.
>>The thing is that if I use the browser first time, it works.
>>Also when I logoff (which destroys session and goes back to login
>>screen) everything works fine.
>>
>>The problem starts when I close the browser without logging off.
>>Then I have to login to every page.
>>My logout script does this:
>>
>>session_start();
>>session_destroy();
>><META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">
>>
>>So what I thought, is that if I put:
>>session_start();
>>session_destroy();
>>in this part of the code:
>>
>>// print login form and exit if failed.
>>if($num < 1){
>>echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
>><form method=POST action=''>
>>username: <input type=text name=\"username\"> <BR><BR>
>>password: <input type=password name=\"password\"> <BR><BR><BR>
>><input value=login type=submit>
>></form></center>";
>>exit;
>>}
>>
>>It should do the same what logout does.
>>Unfortunately it does not.
>>
>>I think that there is something that I don't know about sessions.
>>I don't like the thing that the user has to press logout.
>>It should automatically destroy the session, if the browser was closed.
>>
>>Any ideas
>>
>>Bart
>>
>>Alistair Baillie SS2002 wrote:
>>
>>
>>
>>>If 'menu' is supposed to be your session variable, then you need to do
>>>$_SESSION['menu'];
>>>
>>>You also need to call session_start();
>>>
>>>- Ali
>>>
>>>"Bartosz Wegrzyn" <bt**@sbcglobal.net> wrote in message
>>>news:th***************@newssvr31.news.prodigy.com...
>>>
>>>
>>>
>>>
>>>>I need help with sessions.
>>>>I created set of web site for nav with authorization.
>>>>
>>>>first I go into main.php which looks like this:
>>>>
>>>><?php
>>>>//common functions
>>>>include_once '../login/common.php';
>>>>global $LOGINDIR;
>>>>
>>>>//nav- navigation
>>>>//auth- authorization
>>>>include ("$LOGINDIR/nav.htm");
>>>>include ("$LOGINDIR/auth.php");
>>>>
>>>>$menu = $_GET['menu'];
>>>>switch($menu)
>>>>{
>>>>case 1:
>>>>include "$LOGINDIR/menu1.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>case 2:
>>>>include "$LOGINDIR/menu2.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>case 3:
>>>>include "$LOGINDIR/menu3.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>case 4:
>>>>include "$LOGINDIR/menu4.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>case 5:
>>>>include "$LOGINDIR/menu5.php";
>>>>global $LOGINDIR;
>>>>break;
>>>>
>>>>default:
>>>>include "$LOGINDIR/menudef.htm";
>>>>break;
>>>>}
>>>>
>>>>include ("$LOGINDIR/footer.htm");
>>>>?>
>>>>
>>>></td>
>>>></tr>
>>>></table>
>>>>
>>>>
>>>></body>
>>>></html>
>>>>
>>>>My auth.php looks like this:
>>>>
>>>>[root@lexon login]# cat auth.php
>>>><?php
>>>>// auth.php
>>>>include_once 'common.php';
>>>>include_once 'db.php';
>>>>dbConnect("corporate");
>>>>
>>>>// start session
>>>>session_start();
>>>>echo $_SESSION['username'];
>>>>echo $_SESSION['password'];
>>>>// convert username and password from _POST or _SESSION
>>>>
>>>>if($_POST){
>>>>if (!$_SESSION['username'] && !$_SESSION['password']) {
>>>>$_SESSION['username']=$_POST["username"];
>>>>$_SESSION['password']=$_POST["password"];
>>>>}
>>>>}
>>>>
>>>>echo "before the query";
>>>>echo $_SESSION['username'];
>>>>echo $_SESSION['password'];
>>>>
>>>>
>>>>// query for a user/pass match
>>>>$result=mysql_query("select * from users
>>>>where username='" . $_SESSION['username'] . "' and password='" .
>>>>$_SESSION['password'] . "'");
>>>>
>>>>if ($result) {
>>>>
>>>>// retrieve number of rows resulted
>>>>$num=mysql_num_rows($result);
>>>>
>>>>// print login form and exit if failed.
>>>>if($num < 1){
>>>>
>>>>echo "<center><BR><BR>You are not authenticated. Please
>>>>login.<br><br>
>>>><form method=POST action=''>
>>>>username: <input type=text name=\"username\"> <BR><BR>
>>>>password: <input type=password name=\"password\"> <BR><BR><BR>
>>>><input value=login type=submit>
>>>></form></center>";
>>>>exit;
>>>>}
>>>>
>>>>$phonenumber = mysql_result($result,0,'phonenumber');
>>>>$username = mysql_result($result,0,'username');
>>>>$userlevel = mysql_result($result,0,'userlevel');
>>>>
>>>>//check the logon time, logoff after 5min idle
>>>>if (!$_SESSION['login_time']) {
>>>>
>>>>$_SESSION['login_time']=time();
>>>>};
>>>>$lg_time = intval($_SESSION['login_time']);
>>>>
>>>>// If the session start time is greater than the current time...
>>>>if ($lg_time > time() ||
>>>>// If they have been logged in for longer than 5 minutes...
>>>>(time() - $lg_time) > 60*5) {
>>>>
>>>> unset ($_SESSION['login_time']);
>>>> unset ($_SESSION['username']);
>>>> unset ($_SESSION['password']);
>>>>
>>>> include ("logoutexp.php");
>>>> exit;
>>>>}
>>>>$_SESSION['login_time']=time();
>>>>};
>>>>mysql_close();
>>>>?>
>>>>
>>>>After the time out php goes to logoutexp.php which looks like this:
>>>>[root@lexon login]# cat logoutexp.php
>>>><?
>>>>// Login & Session example by sde
>>>>// logout.php
>>>>
>>>>include "\login\common.php";
>>>>global $LOGINDIR;
>>>>
>>>>// you must start session before destroying it
>>>>session_start();
>>>>session_destroy();
>>>>
>>>>echo "<center>For security reasons your session has expired.
>>>>
>>>>
>>>><br><br>
>>>>You will now be returned to the login page.
>>>>
>>>></center>
>>>>
>>>><META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
>>>>exit;
>>>>?>
>>>>
>>>>
>>>>It goes back to main.php and asks for auth.
>>>>The problem is if I try to navigate the page and I will go to for
>>>>example to main.php?menu=4 I need to enter password again.
>>>>
>>>>The only workaround is to click logoutexp.php link and then everything
>>>>is ok. I debug the script and I found out that the
>>>>$_session['username'] and password is lost.
>>>>
>>>>any ideas what is wrong?
>>>>
>>>>thanks
>>>>
>>>>bart
>>>
>>>
Thanks for your advice.
I modified my authorization script, so it will wait until the session is
destroyed by closing the browser. This is the script:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action='main.php'>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');

};

};
//close connection to db
mysql_close();

?>
Now, the php.ini is set with default values.
On my website I have logout link which takes me to site which code is:
<?
// Login & Session example by sde
// logout.php

include "\login\common.php";
global $LOGINDIR;

// you must start session before destroying it
session_start();
session_destroy();

echo "<center>You have been successfully logged out.
<br><br>
You will now be returned to the login page.

</center>

<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>

If I click the link the session is destroyed (on the server session id
file becomes empty) and everything works fine if I want to log in again.
The new session has the same ID as before.

But, when I close the browser without logging off, the session file on the
server is not empty. It still contains the session data.

I have to log in to every page in order to access data.
This causes to create a lot of session files on the server because every
time the auth script starts it calls session_start().

Something is wrong, but what? Why are the sessions not destroyed if I
close the browser?
Thanks

Thanks for explaining.
I created this code and it works:

<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");

// start session
session_start();

if ($_SESSION['authenticated']==1) {}

else {

// query for a user/pass match
$result=mysql_query("select * from users where username='" .
$_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){

echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

//register session authenticated
else {$_SESSION['authenticated']=true;}

//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');
header("Location: main.php?".Session_Name()."=".Session_ID());
exit();
};

};
header("Location: main.php?".Session_Name()."=".Session_ID());
//close connection to db
mysql_close();
?>
Now on every page I want to check the auth I simply do this:
if ($_SESSION['authenticated']==1) {

}
else {
echo ("
<center>
<p>You are not authenticated!!!</p>
<p>Please go to login page <a href='auth.php'>&lt;login&gt;</a></p>
</center>
");
exit;
};
One more question: is there any way to add include statements in the code?
If I try to add something, the header (" ... is not working.

Thanks



Is there any way to add include statements into my script?
I simply want to make the webpage look nicer.
Jul 17 '05 #10
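
The auth.php versions in this thread build the login query by concatenating `$_POST` values, match the password inside the SQL, and append the session id to the redirect URL. The following is an added example, not code from any poster, of the same login flow with a bound parameter, `password_verify()`, a regenerated cookie-only session id and the 5-minute idle limit. Assumed and not from the thread: PDO, a `users.password` column holding `password_hash()` output, the placeholder database credentials, the `last_seen` session key and the helper function names.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO is available,
// users.password holds password_hash() output, DB credentials are placeholders.
declare(strict_types=1);
const IDLE_LIMIT = 300; // seconds; the 5-minute idle limit from the first auth.php

function verify_login(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, password, phonenumber, userlevel
                            FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, (string) $row['password'])) {
        return null;
    }
    unset($row['password']); // the hash is never copied into the session
    return $row;
}

function session_expired(array $session, int $now): bool
{
    $last = (int) ($session['last_seen'] ?? 0);
    return $last > $now || ($now - $last) > IDLE_LIMIT;
}

function post_string(string $key): string
{
    // Rejects array-valued fields such as username[]=x.
    return is_string($_POST[$key] ?? null) ? $_POST[$key] : '';
}

// No output above this point: the cookie and header() need an unsent response.
ini_set('session.use_only_cookies', '1'); // session id never travels in the URL
ini_set('session.use_strict_mode', '1');  // ignore ids the server did not issue
session_start();

if (!empty($_SESSION['authenticated']) && session_expired($_SESSION, time())) {
    $_SESSION = [];
    session_regenerate_id(true); // delete the stale session data, issue a new id
}
if (empty($_SESSION['authenticated'])) {
    $user = null;
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        $db = new PDO('mysql:host=localhost;dbname=corporate;charset=utf8mb4',
                      'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
                      [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $user = verify_login($db, post_string('username'), post_string('password'));
    }
    if ($user === null) {
        echo '<form method="post" action="">
              username: <input type="text" name="username"><br>
              password: <input type="password" name="password"><br>
              <input type="submit" value="login"></form>';
        exit;
    }
    session_regenerate_id(true); // fresh id at login guards against session fixation
    $_SESSION = $user + ['authenticated' => true, 'last_seen' => time()];
    header('Location: main.php'); // plain URL, no session id appended
    exit;
}
$_SESSION['last_seen'] = time(); // sliding idle timeout
```

Include it at the very top of main.php, before nav.htm or any other output, because the session cookie and `header()` can only be sent while the response body has not started.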
