Re: php sessions problem - wrong logic maybe
- From: Bartosz Wegrzyn <btgs@xxxxxxxxxxxxx>
- Date: Thu, 05 May 2005 14:29:27 GMT
Alistair Baillie SS2002 wrote:
The session files on the server will remain until the time has expired (and the web server deletes the old files; this only seems to work in Linux, it doesn't work correctly in Windows).
However, if you have closed the browser, the link to that session will no longer exist, so there is no way to re-access the session. (Or it's highly unlikely the user would be able to guess the session id).
Make sure you only call session_start(); once per execution; if it appears multiple times, I would presume it would overwrite each other.
I have stuck a very simple example on my web site;
http://www.alistairbaillie.co.uk/tmp/ Will run it
http://www.alistairbaillie.co.uk/tmp/source.php Will show you the source code.
- Alistair
"Bartosz Wegrzyn" <btgs@xxxxxxxxxxxxx> wrote in message news:fsgee.1542$6E.440@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Alistair Baillie SS2002 wrote:
Thanks for your advice. I'm not quite sure what you are meaning but;
PHP will automatically destroy a session after a set amount of time; the default varies dependent on your server settings, mine is set to 20 minutes, so there is no need for you to catch out-of-date sessions!
I would presume that this is where your problem lies, and you are incorrectly destroying a session when it hasn't actually expired.
Also, as session variables can't be modified without your script, you don't really need to confirm the username and password from the session; simply storing the username would be enough. (You can assume if the username was stored, the password was correct).
I suggest you have a look at the session documentation at http://uk.php.net/manual/en/function.session-start.php if you haven't already done so, as it does provide some examples.
If you are still having problems, if you reply telling me exactly what you are trying to achieve (step by step), I'll try and knock some code up as an example for you.
- Alistair
"Bartosz Wegrzyn" <btgs@xxxxxxxxxxxxx> wrote in message news:tlXde.1667$Yg4.1012@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I call session_start() in my auth.php.
The thing is that if I use the browser the first time, it works.
Also when I log off (which destroys the session and goes back to the login screen) everything works fine.
The problem starts when I close the browser without logging off. Then I have to login to every page. My logout script does this:
session_start(); session_destroy(); <META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\">
So what I thought is that if I put: session_start(); session_destroy(); in this part of the code:
// print login form and exit if failed.
if($num < 1){
  echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
  <form method=POST action=''>
  username: <input type=text name=\"username\"> <BR><BR>
  password: <input type=password name=\"password\"> <BR><BR><BR>
  <input value=login type=submit>
  </form></center>";
  exit;
}
It should do the same as what logout does. Unfortunately it does not.
I think that there is something that I don't know about sessions. I don't like the thing that the user has to press logout. It should automatically destroy the session if the browser was closed.
Any ideas
Bart
Alistair Baillie SS2002 wrote:
If 'menu' is supposed to be your session variable, then you need to do $_SESSION['menu'];
You also need to call session_start();
- Ali
"Bartosz Wegrzyn" <btgs@xxxxxxxxxxxxx> wrote in message news:thGde.463$wj2.357@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I need help with sessions. I created a set of web sites for nav with authorization.
first I go into main.php which looks like this:
<?php
//common functions
include_once '../login/common.php';
global $LOGINDIR;
//nav- navigation
//auth- authorization
include ("$LOGINDIR/nav.htm");
include ("$LOGINDIR/auth.php");
$menu = $_GET['menu'];
switch($menu) {
  case 1:
    include "$LOGINDIR/menu1.php";
    global $LOGINDIR;
    break;
  case 2:
    include "$LOGINDIR/menu2.php";
    global $LOGINDIR;
    break;
  case 3:
    include "$LOGINDIR/menu3.php";
    global $LOGINDIR;
    break;
  case 4:
    include "$LOGINDIR/menu4.php";
    global $LOGINDIR;
    break;
  case 5:
    include "$LOGINDIR/menu5.php";
    global $LOGINDIR;
    break;
  default:
    include "$LOGINDIR/menudef.htm";
    break;
}
include ("$LOGINDIR/footer.htm");
?>
</td> </tr> </table>
</body> </html>
My auth.php looks like this:
[root@lexon login]# cat auth.php
<?php
// auth.php
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");
// start session
session_start();
echo $_SESSION['username'];
echo $_SESSION['password'];
// convert username and password from _POST or _SESSION
if($_POST){
  if (!$_SESSION['username'] && !$_SESSION['password']) {
    $_SESSION['username']=$_POST["username"];
    $_SESSION['password']=$_POST["password"];
  }
}
echo "before the query";
echo $_SESSION['username'];
echo $_SESSION['password'];
// query for a user/pass match
$result=mysql_query("select * from users
where username='" . $_SESSION['username'] . "' and password='" . $_SESSION['password'] . "'");
if ($result) {
  // retrieve number of rows resulted
  $num=mysql_num_rows($result);
  // print login form and exit if failed.
  if($num < 1){
    echo "<center><BR><BR>You are not authenticated. Please login.<br><br>
    <form method=POST action=''>
    username: <input type=text name=\"username\"> <BR><BR>
    password: <input type=password name=\"password\"> <BR><BR><BR>
    <input value=login type=submit>
    </form></center>";
    exit;
  }
  $phonenumber = mysql_result($result,0,'phonenumber');
  $username = mysql_result($result,0,'username');
  $userlevel = mysql_result($result,0,'userlevel');
  //check the logon time, logoff after 5min idle
  if (!$_SESSION['login_time']) {
    $_SESSION['login_time']=time();
  };
  $lg_time = intval($_SESSION['login_time']);
  // If the session start time is greater than the current time...
  if ($lg_time > time() ||
      // If they have been logged in for longer than 5 minutes...
      (time() - $lg_time) > 60*5) {
    unset ($_SESSION['login_time']);
    unset ($_SESSION['username']);
    unset ($_SESSION['password']);
    include ("logoutexp.php");
    exit;
  }
  $_SESSION['login_time']=time();
};
mysql_close();
?>
After the time out php goes to logoutexp.php which looks like this:
[root@lexon login]# cat logoutexp.php
<?
// Login & Session example by sde
// logout.php
include "\login\common.php";
global $LOGINDIR;
// you must start session before destroying it
session_start();
session_destroy();
echo "<center>For security reasons your session has expired.
<br><br> You will now be returned to the login page.
</center>
<META HTTP-EQUIV=\"refresh\" content=\"5; URL=\login/main.php\"> ";
exit;
?>
It goes back to main.php and asks for auth.
The problem is that if I try to navigate the page and go to, for example, main.php?menu=4, I need to enter the password again.
The only workaround is to click the logoutexp.php link and then everything is ok. I debugged the script and I found out that the $_session['username'] and password are lost.
Any ideas what is wrong?
thanks
bart
I modified my authorization script, so it will wait until the session is destroyed by closing the browser. This is the script:
<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");
// start session
session_start();
if ($_SESSION['authenticated']==1) {}
else {
  // query for a user/pass match
  $result=mysql_query("select * from users where username='" . $_POST['username'] . "' and password='" . $_POST['password'] . "'");
  if ($result) {
    // retrieve number of rows resulted
    $num=mysql_num_rows($result);
    // print login form and exit if failed.
    if($num < 1){
      echo "<center><BR> <BR> You are not authenticated. Please login.<br><br>
      <form method=POST action='main.php'>
      username: <input type=text name=\"username\"> <BR><BR>
      password: <input type=password name=\"password\"> <BR><BR><BR>
      <input value=login type=submit>
      </form></center>";
      exit;
    }
    //register sesssion authenticated
    else {$_SESSION['authenticated']=true;}
    //register other values
    $_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
    $_SESSION['username'] = mysql_result($result,0,'username');
    $_SESSION['userlevel'] = mysql_result($result,0,'userlevel');
  };
};
//close connection to db
mysql_close();
?>
Now, the php.ini is set with default values. On my website I have logout link which takes me to site which code is:
<?
// Login & Session example by sde
// logout.php
include "\login\common.php";
global $LOGINDIR;
// you must start session before destroying it
session_start();
session_destroy();
echo "<center>You have been successfully logged out.
<br><br> You will now be returned to the login page.
</center>
<META HTTP-EQUIV=\"refresh\" content=\"2; URL=\login/main.php\"> ";
?>
If I click the link the session is destroyed (on the server session id file becomes empty) and everything works fine if I want to log in again. The new session has the same ID as before.
But when I close the browser without logging off, the session file on the server is not empty. It still contains the session data.
I have to log in to every page in order to access data.
This causes a lot of session files to be created on the server, because every time the auth script starts it calls session_start().
Something is wrong, but what? Why are the sessions not destroyed if I close the browser?
Thanks
Thanks for explaining. I created this code and it works:
<?php
// auth.php
error_reporting(E_ALL);
include_once 'common.php';
include_once 'db.php';
dbConnect("corporate");
// start session
session_start();
if ($_SESSION['authenticated']==1) {}
else {
// query for a user/pass match
$result=mysql_query("select * from users where username='" . $_POST['username'] . "' and password='" . $_POST['password'] . "'");
if ($result) {
// retrieve number of rows resulted
$num=mysql_num_rows($result);
// print login form and exit if failed.
if($num < 1){
echo "<center><BR>
<BR>
You are not authenticated. Please login.<br><br>
<form method=POST action=''>
username: <input type=text name=\"username\"> <BR><BR>
password: <input type=password name=\"password\"> <BR><BR><BR>
<input value=login type=submit>
</form></center>";
exit;
}
//register sesssion authenticated
else {$_SESSION['authenticated']=true;}
//register other values
$_SESSION['phonenumber'] = mysql_result($result,0,'phonenumber');
$_SESSION['username'] = mysql_result($result,0,'username');
$_SESSION['userlevel'] = mysql_result($result,0,'userlevel');
header("Location: main.php?".Session_Name()."=".Session_ID());
exit(); };
};
header("Location: main.php?".Session_Name()."=".Session_ID());
//close connection to db
mysql_close();
?>
Now on every page I want to check the auth I simply do this:
if ($_SESSION['authenticated']==1) {
}
else {
echo ("
<center>
<p>You are not authenticated!!!</p>
<p>Please go to login page <a href='auth.php'><login></a></p>
</center>
");
exit;
};
One more question: is there any way to add include statements in the code? If I try to add something, the header (" ... is not working.
Thanks
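
Added example, not part of any post in this thread: a version of the login check discussed above that binds the username as a query parameter, verifies a stored hash instead of keeping the plaintext password in the session, carries the session ID only in a cookie that the browser drops on close, and applies the 5-minute idle timeout. The PDO handle, the password_hash column, the function names and the demo row are assumptions; it needs PHP 7.3 or later.

```php
<?php
// Added example. Table/column names follow the thread; everything else is assumed.

function start_cookie_session(): void {
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');     // never append the ID to links
    // lifetime 0: the browser drops the cookie when it is closed
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Returns the user row on a match, null otherwise.
function authenticate(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT username, userlevel, phonenumber, password_hash
                          FROM users WHERE username = ?');
    $stmt->execute([$username]);               // bound value, never part of the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);              // nothing secret goes into the session
    return $row;
}

function login(array $user): void {
    session_regenerate_id(true);               // fresh ID once the user is authenticated
    $_SESSION = ['authenticated' => true, 'last_seen' => time()] + $user;
}

// True while the session is authenticated and was used within $idle seconds.
function session_is_live(array &$session, int $now, int $idle = 300): bool {
    $last = $session['last_seen'] ?? 0;
    if (empty($session['authenticated']) || $last > $now || $now - $last > $idle) {
        $session = [];                         // expired or never logged in
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

if (PHP_SAPI === 'cli') {                      // constructed demo data, in-memory SQLite
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (username, userlevel, phonenumber, password_hash)');
    $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)')
       ->execute(['bart', 1, '555-0100', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
    var_dump(authenticate($db, 'bart', 's3cret-demo'), authenticate($db, "x' or '1'='1", 'x'));
}
```

On a protected page the flow would be start_cookie_session(), then session_is_live($_SESSION, time()), with authenticate() and login() called only when the login form is posted.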