
I have a PHP login with two users. Everything seems to work fine, but I am randomly getting booted and required to log back in. My thoughts are that my session is timing out? Sometimes there are two people using the same login at the same time. Any thoughts?

<?php //login code
session_start();

if (isset($_POST['user'], $_POST['pass']))
{
    $password = $_POST['pass'];
    $user = $_POST['user'];

    // first account goes to index.php
    if ($password == "pass" && $user == "user") {
        $_SESSION['phplogin'] = true;
        header('Location: index.php');
        exit;
    // second account goes to index2.php
    } elseif ($password == "pass2" && $user == "user2") {
        $_SESSION['phplogin'] = true;
        header('Location: index2.php');
        exit;
    }
}

?>

// ===

<?php // approval code

session_start();
if (!isset($_SESSION['phplogin'])
    || $_SESSION['phplogin'] !== true) {
    header('Location: login.php'); //Replace that if login.php is somewhere else
    exit; // stop the including page from running after the redirect
}

?>

// ===

<?php // index code
include('approve.php');
include('connect.php');

?>
Jacco
pixelJockey
  • If the session was timing out, you'd see a different session ID show up in the session cookie as a new one's created. – Marc B Mar 28 '11 at 21:10
  • Marc B could you tell me where/how I could see the cookie id? New to backend development thanks. – pixelJockey Mar 28 '11 at 21:14
  • Check your browser's cookie management section. On Firefox, you can use Firebug to view/manipulate cookies. – Marc B Mar 28 '11 at 21:15
  • Are you sure you don't have any output before the session_start or the include('approve.php')? E.g. if you have those spaces before opening your php tag, it will be too late to start the session. – Nabab Mar 28 '11 at 21:17
  • @Nabab --- that is always a good warning, but could that result in an intermittent problem like this one? – Smandoli Mar 28 '11 at 21:20
  • @Smandoli - If it is really random, and not after a period of inactivity, I'd say it's more a problem of losing the session in the script than on the server. – Nabab Mar 28 '11 at 21:24
  • I am still getting bumped off. It does seem to happen after a short time of inactivity. Used Firebug to see the session id and that doesn't seem to change. Removed all the additional spaces before my start_session. Could it be two people are using the same password at the same time? – pixelJockey Mar 28 '11 at 21:46
  • Also my files are located in a sub folder; don't know if that would cause any issues? – pixelJockey Mar 28 '11 at 21:47

2 Answers

You could try the PHP functions for getting/setting the session id. You are also able to set the cookie params as you wish: session_set_cookie_params(31536000, '/', 'your.cookiedomain'); (more information: http://www.php.net/manual/en/function.session-set-cookie-params.php)

bstpierre
Rick Pastoor

Firstly, your code is a little buggy so I'll help you get that sorted. If you're doing hard-coded credentials then it would be best to keep the user / pass in an array so you do not have to rewrite your code for each user.

Create a file called accounts.php and paste the following snippet:

<?php

return array(
     "username" => "password"
     /*.. More Below ..*/
);

?>

Then your login code:

<?php
session_start();

// both fields must be present before they are compared
if(!empty($_POST['user']) && !empty($_POST['pass']))
{
    $users = require('accounts.php');

    $pass = $_POST['pass'];
    $user = $_POST['user'];

    //loop the accounts.
    foreach($users as $_username => $_password)
    {
        if(strcmp($user,$_username) === 0 && strcmp($pass,$_password) === 0)
        {
            //Valid Account
            $_SESSION['phplogin'] = true;
            header('Location: index.php');
            exit;
        }
    }
}
?>

This should be sufficient.

Regarding the logout issue: it may be due to inactivity for the expiration period. If a request has not come into the server from the client, the session garbage collector will remove the session as it has expired.

You can read more at the link below, including how it works and how to change the values:

How do I expire a PHP session after 30 minutes?

If you wanted to set custom conditions for each member, such as static profile data or routing information, this requires you to increase the array by 1 dimension as well as a small restructure, so your accounts page would look like so:

<?php

return array(
     array(
         "username" => "the_username",
         "password" => "the_password",
         "after_login" => "home.html"
     )
     /* More Below */
);

?>

And your login code would then be slightly changed to fit accordingly.

<?php
session_start();

// both fields must be present before they are compared
if(!empty($_POST['user']) && !empty($_POST['pass']))
{
    $accounts = require('accounts.php');

    $pass = $_POST['pass'];
    $user = $_POST['user'];

    //loop the accounts.
    foreach($accounts as $account)
    {
        if(strcmp($user,$account['username']) === 0 && strcmp($pass,$account['password']) === 0)
        {
            //Valid Account
            $_SESSION['phplogin'] = true;
            // send each user to the page configured for that account
            header('Location: ' . $account['after_login']);
            exit;
        }
    }
}
?>

If you're not sure what I mean by dimensions, here's a quick example:

  $array[0][1][10]['username']
  /*     |  |  |       |
         |  |  |       |
         1  2  3       4    > dimension
  */

This allows the values of the 3rd dimension to always be bound to 2, and 2 then gets bound to 1.

Hope this helps.

Community
RobertPitt
  • That looks great. In my code had two users going to separate index pages based on login. How would I do that with an array? Thanks for your help. – pixelJockey Mar 28 '11 at 22:23
  • see my update, it just requires an increase of depth within the array to keep the users information together and some modifications to the login process. – RobertPitt Mar 28 '11 at 22:29
  • One last time! I am getting this error... Fatal error: Call to undefined function strcomp() in /nfs/c03/h01/mnt/49823/domains/domain.com/html/pm/login.php on line 14 – pixelJockey Mar 28 '11 at 22:40
  • my mistake, i have been working on other languages too much, omit the **o** so it becomes **strcmp** – RobertPitt Mar 28 '11 at 23:31
  • Robert success. Login is working fine. What would you place in an approve script? I have something like this..... ` ` – pixelJockey Mar 28 '11 at 23:52
  • why are you using `session_set_cookie_params`? and when you're checking if a session exists you can just use the empty function which performs an isset as well as checking if a value exists! so `if(!empty($_SESSION['phplogin'])){/*all good*/}` would suffice – RobertPitt Mar 29 '11 at 00:05
  • @RobertPitt it seems that if I use an empty session it doesn't require a login? It bypassed the login and takes me to the index page. – pixelJockey Mar 29 '11 at 21:41
  • then just use an explicit `=== true` check, should suffice – RobertPitt Mar 29 '11 at 22:13
  • Okay so I have tried all the options from above but am still getting the boot randomly and asked to log back in. I am sure it is something wrong with my approve script. The "if(!empty)" and "=== true" bypass my login and you can access private page content. Here is my current code which does work (but I am getting booted) ` ` – pixelJockey Mar 29 '11 at 23:41
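
An added example, not code from the question or either answer: one way to combine the cookie parameters from the first answer, the inactivity expiry described in the second, and the approve script discussed in the comments. It assumes PHP 7.3 or later, a site served over HTTPS, and accounts that store password_hash() output instead of the password; IDLE_LIMIT, the three function names and the password_hash key are hypothetical.

```php
<?php
// Added example, not code from the posts. IDLE_LIMIT, the function names
// and the 'password_hash' key are hypothetical. Needs PHP 7.3 or later.
const IDLE_LIMIT = 1800; // assumed: 30 minutes of allowed inactivity

function start_app_session(): void
{
    // GC may delete session data older than this; keep it >= the idle limit.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    session_set_cookie_params([
        'lifetime' => 0,      // cookie lasts until the browser closes
        'path'     => '/',    // also sent for pages in sub folders
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // hidden from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function require_login(): void // what approve.php would call
{
    start_app_session();
    $fresh = time() - ($_SESSION['last_seen'] ?? 0) <= IDLE_LIMIT;
    if (($_SESSION['phplogin'] ?? false) !== true || !$fresh) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit; // stop here, or the protected page still runs after the redirect
    }
    $_SESSION['last_seen'] = time(); // every request resets the idle clock
}

function try_login(array $accounts, $user, $pass): ?string
{
    if (!is_string($user) || !is_string($pass)) { return null; } // e.g. pass[]=x
    foreach ($accounts as $account) {
        if ($account['username'] === $user
            && password_verify($pass, $account['password_hash'])) {
            session_regenerate_id(true); // fresh ID; call start_app_session() first
            $_SESSION['phplogin'] = true;
            $_SESSION['last_seen'] = time();
            return $account['after_login']; // page the caller redirects to
        }
    }
    return null; // unknown user or wrong password
}

// Constructed sample account; accounts.php would hold a precomputed hash.
$accounts = [['username' => 'the_username', 'after_login' => 'home.html',
    'password_hash' => password_hash('the_password', PASSWORD_DEFAULT)]];
```

On shared hosting, sites that share one session.save_path also share garbage collection, so the shortest session.gc_maxlifetime among them decides when session files are deleted; pointing session_save_path() at a private directory before session_start() avoids that.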