session destroy problems



I call session_start() in my auth.php.
The thing is that if I use the browser the first time, it works.
Also when I log off (which destroys the session and goes back to the login screen) everything works fine.


The problem starts when I close the browser without logging off.
Then I have to log in on every page.
My logout script does this:

session_start();
session_destroy();
<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">

So what I thought is that if I put:
session_start();
session_destroy();
in this part of the code:

// print login form and exit if failed.
if($num < 1){
echo "<center><BR><BR>You are not authenticated.  Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}

It should do the same as what logout does.
Unfortunately it does not.

I think that there is something that I don't know about sessions.
I don't like that the user has to press logout.
It should automatically destroy the session, if the browser was closed.

Any ideas?

I need help with sessions.
I created a set of web sites for nav with authorization.
First I go into main.php which looks like this:

>> <?php
>> //common functions
>> include_once '../login/common.php';
>> global $LOGINDIR;
>>
>> //nav- navigation
>> //auth- authorization
>> include ("$LOGINDIR/nav.htm");
>> include ("$LOGINDIR/auth.php");
>>
>> $menu = $_GET['menu'];
>> switch($menu)
>> {
>> case 1:
>> include "$LOGINDIR/menu1.php";
>> global $LOGINDIR;
>> break;
>>
>> case 2:
>> include "$LOGINDIR/menu2.php";
>> global $LOGINDIR;
>> break;
>>
>> case 3:
>> include "$LOGINDIR/menu3.php";
>> global $LOGINDIR;
>> break;
>>
>> case 4:
>> include "$LOGINDIR/menu4.php";
>> global $LOGINDIR;
>> break;
>>
>> case 5:
>> include "$LOGINDIR/menu5.php";
>> global $LOGINDIR;
>> break;
>>
>> default:
>> include "$LOGINDIR/menudef.htm";
>> break;
>> }
>>
>> include ("$LOGINDIR/footer.htm");
>> ?>
>>
>> </td>
>>  </tr>
>> </table>
>>
>>
>> </body>
>> </html>

Then it goes to main and does the authorization.
My auth.php looks like this:

>> [root@lexon login]# cat auth.php
>> <?php
>> // auth.php
>> include_once 'common.php';
>> include_once 'db.php';
>> dbConnect("corporate");
>>
>> // start session
>> session_start();
>> echo $_SESSION['username'];
>> echo $_SESSION['password'];
>> // convert username and password from _POST or _SESSION
>>
>> if($_POST){
>> if (!$_SESSION['username'] && !$_SESSION['password']) {
>> $_SESSION['username']=$_POST["username"];
>> $_SESSION['password']=$_POST["password"];
>> }
>> }
>>
>> echo "before the query";
>> echo $_SESSION['username'];
>> echo $_SESSION['password'];
>>
>>
>> // query for a user/pass match
>> $result=mysql_query("select * from users
>> where username='" . $_SESSION['username'] . "' and password='" . $_SESSION['password'] . "'");
>>
>> if ($result) {
>>
>> // retrieve number of rows resulted
>> $num=mysql_num_rows($result);
>>
>> // print login form and exit if failed.
>> if($num < 1){
>>
>> echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
>> <form method=POST action=''>
>> username: <input type=text name=\"username\"> <BR><BR>
>> password: <input type=password name=\"password\"> <BR><BR><BR>
>> <input value=login type=submit>
>> </form></center>";
>> exit;
>> }
>>
>> $phonenumber = mysql_result($result,0,'phonenumber');
>> $username = mysql_result($result,0,'username');
>> $userlevel = mysql_result($result,0,'userlevel');
>>
>> //check the logon time, logoff after 5min idle
>> if (!$_SESSION['login_time']) {
>>
>> $_SESSION['login_time']=time();
>> };
>> $lg_time = intval($_SESSION['login_time']);
>>
>> // If the session start time is greater than the current time...
>> if ($lg_time > time() ||
>> // If they have been logged in for longer than 5 minutes...
>> (time() - $lg_time) > 60*5) {
>>
>> unset ($_SESSION['login_time']);
>> unset ($_SESSION['username']);
>> unset ($_SESSION['password']);
>>
>> include ("logoutexp.php");
>> exit;
>> }
>> $_SESSION['login_time']=time();
>> };
>> mysql_close();
>> ?>
>>
After the time out php goes to logoutexp.php which looks like this:


>> [root@lexon login]# cat logoutexp.php
>> <?
>> // Login & Session example by sde
>> // logout.php
>>
>> include "\login\common.php";
>> global $LOGINDIR;
>>
>> // you must start session before destroying it
>> session_start();
>> session_destroy();
>>
>> echo "<center>For security reasons your session has expired.
>>
>>
>> <br><br>
>> You will now be returned to the login page.
>>
>> </center>
>>
>> <META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
>> exit;
>> ?>
>>
>>
It goes back to main.php and asks for auth.
The problem is that if I try to navigate the page and go to, for example, main.php?menu=4, I need to enter the password again.
The only workaround is to click the logoutexp.php link and then everything is ok. I debugged the script and found out that $_session['username'] and $_session['username'] are lost.
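
Added example, not part of the original post or the poster's code: a PHP sketch of the auth.php flow that starts the session before any output (main.php as posted includes nav.htm before auth.php calls session_start(), which can stop the session cookie from being sent when output buffering is off), keeps only the username in the session, and separates idle expiry from explicit logout. The PDO handle, the password_hash column and the function names are assumptions.

```php
<?php
// Added example, not the poster's code. Assumed: a PDO handle, a hypothetical
// users.password_hash column written with password_hash(), and that this file
// is included before nav.htm or any other output.
const IDLE_LIMIT = 300; // seconds; the 5-minute limit from the posted auth.php

function idle_expired(array $session, int $now): bool {
    $last = (int) ($session['last_seen'] ?? $now);   // no stamp yet: not idle
    return $last > $now || ($now - $last) > IDLE_LIMIT;
}

function end_session(): void {            // explicit logout
    $_SESSION = [];
    if (ini_get('session.use_cookies')) { // expire the cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'],
                  $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side data
}

function require_login(PDO $pdo): bool {
    if (headers_sent($file, $line)) {     // too late to send the session cookie
        throw new RuntimeException("output already started at $file:$line");
    }
    session_start();
    if (idle_expired($_SESSION, time())) {
        $_SESSION = [];                   // forget the expired login
        session_regenerate_id(true);      // and retire its session id
    }
    if (!isset($_SESSION['username']) && isset($_POST['username'], $_POST['password'])) {
        $q = $pdo->prepare('SELECT username, userlevel, password_hash FROM users WHERE username = ?');
        $q->execute([$_POST['username']]);
        $row = $q->fetch(PDO::FETCH_ASSOC);
        if ($row && password_verify($_POST['password'], $row['password_hash'])) {
            session_regenerate_id(true);  // fresh id once authenticated
            $_SESSION['username']  = $row['username'];
            $_SESSION['userlevel'] = $row['userlevel'];
        }
    }
    if (!isset($_SESSION['username'])) {
        return false;                     // caller prints the login form
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```

With PHP's default session.cookie_lifetime of 0 the browser drops the session cookie when it closes; the server-side data stays until garbage collection, which is why the idle check is still needed.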




