timeout session problem for a newbie

Status
Not open for further replies.

Benluke

Technical User
Apr 2, 2004
112
GB
Hi,

I have a problem which I can't seem to fix.

Basically I've been working from a sessions timeout tutorial.

I've been testing it and this is what's happening.

I log in and wait for 60 seconds (set to 60 sec for testing) so that it times out.

I then try and move to the next page and it redirects me to the login page - so the timeout has worked!

Except if I click the back button I'm taken back to the page I logged into and the timeout is reset and I can continue browsing around - this is obviously not good.

Does anybody know why this is happening?

I can't work it out.

Thanks

Ben

Here's the code I'm using:

timeout.php
Code:
<?php 
//SECTION #1 
$refresh_time = 1; 
$c_hour = date("H");    //Current Hour 
$c_min = date("i");    //Current Minute 
$c_sec = date("s");    //Current Second 
$c_mon = date("m");    //Current Month 
$c_day = date("d");    //Current Day 
$c_year = date("Y");    //Current Year 

//SECTION #2 
$c_timestamp = mktime($c_hour,$c_min,$c_sec,$c_mon,$c_day,$c_year); 

//SECTION #3 
$t_timestamp = trim($_GET['stamp']); 
    if (!$t_timestamp) { 
        $t_timestamp = trim($_POST['stamp']); 
    } 

//SECTION #4 
if (!$new_login) { 
    if (!$t_timestamp) { 
        $message = urlencode("<b>ERROR:</b> Inactive monitor unable to establish time. Please login again."); 
        header("Location: login.php?PHPSESSID=$sess_id&message=$message&logout=1"); 
        exit; 
    } 
    elseif ($t_timestamp < $c_timestamp) { 
        $message = urlencode("<b>ERROR:</b> Your account has been inactive for $refresh_time minutes. Please login again."); 
        header("Location: login_form.html?PHPSESSID=$sess_id&message=$message&logout=1"); 
        exit; 
    } 
} 

//SECTION #5 
$t_timestamp = mktime($c_hour,$c_min+$refresh_time,$c_sec,$c_mon,$c_day,$c_year); 
?>

login script:
Code:
<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
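// Convert to simple variables. The username goes into the SQL string below,
// so undo magic quotes if they are on and escape it for MySQL.
$username = get_magic_quotes_gpc() ? stripslashes($_POST['username']) : $_POST['username'];
$username = mysql_real_escape_string($username);
$password = $_POST['password'];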

if((!$username) || (!$password)){
	echo "Please enter ALL of the information! <br />";
	include 'login_form.html';
	exit();
}

// Convert password to md5 hash
$password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
	while($row = mysql_fetch_array($sql)){
	foreach( $row AS $key => $val ){
		$$key = stripslashes( $val );
	}
		// Register some session variables!
		$_SESSION['first_name'] = $first_name;
		$_SESSION['last_name'] = $last_name;
		$_SESSION['email_address'] = $email_address;
		$_SESSION['user_level'] = $user_level;
		
		mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
		
		header("Location: login_success_test.php?PHPSESSID=$sess_id&new_login=1");
	}
} else {
	echo "You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
	Please try again!<br />";
	include 'login_form.html';
}
?>


login_success.php
Code:
<?
session_start();

include 'timeout.php';
include 'db.php';

// checks that user is logged in

if ((!isset($_SESSION['first_name'])) || (!isset($_SESSION['last_name']))) { 
echo "<p>You need to be logged in to access this page. 
Please log in below.</p>"; 
include 'login_form.html';
exit();
} else {}


echo "Welcome ". $_SESSION['first_name'] ." ". $_SESSION['last_name'] ."! You have made it to the members area!<br /><br />";

echo "Your user level is ". $_SESSION['user_level']." which enables you access to the following areas: <br />";

if($_SESSION['user_level'] == 0){
echo "- Forums<br />- Chat Room<br />";
}
if($_SESSION['user_level'] == 1){
echo "- Forums<br />- Chat Room<br />- Moderator Area<br />";
}

echo "<br /><a href=logout.php>Logout</a>";
echo '<br /><a href="index1.php?stamp=', $t_timestamp, '">Click Me</a>';


?>
 
I won't bother to read all your code, as I'm going to bed.

But:
I think you have to wrap your code that makes the session variable inside:

if (!($_SESSION['thesession'])) {
// all your code that sets the session
}

Why?

If not, it will reset the session and therefore extend the limit of 60 seconds.

If you run this though, it will only set the session if the session is not set.

Good luck!

I'll look back at the code tomorrow.

Olav Alexander Mjelde
Admin & Webmaster
 
Is the page expiring in the browser? You may want to try specifically expiring the page to prevent the user from going back to that page.

Bastien

Cat, the other other white meat
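
Both replies can be combined by keeping the last-activity time in `$_SESSION` instead of the `stamp` URL parameter and telling the browser not to cache protected pages. This is an added example, not code from the thread or the tutorial; `IDLE_LIMIT`, `last_activity`, `session_is_expired()` and `enforce_idle_timeout()` are assumed names.

```php
<?php
// timeout.php (added example): include at the top of every protected page,
// before any output. IDLE_LIMIT and 'last_activity' are assumed names.
define('IDLE_LIMIT', 60); // seconds of inactivity allowed (60 for testing, as in the thread)

// Pure decision function: true when the session has been idle too long
// or carries no server-side activity record at all.
function session_is_expired($last_activity, $now, $limit)
{
    if ($last_activity === null) {
        return true;               // never logged in, or the record was destroyed
    }
    return ($now - (int) $last_activity) > $limit;
}

function enforce_idle_timeout()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Ask the browser not to re-show a cached copy when Back is pressed.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    $last = isset($_SESSION['last_activity']) ? $_SESSION['last_activity'] : null;

    if (session_is_expired($last, time(), IDLE_LIMIT)) {
        // Destroy the server-side state so an old URL or the Back button
        // cannot revive the login; nothing from $_GET/$_POST is consulted.
        $_SESSION = array();
        session_destroy();
        header('Location: login_form.html');
        exit;
    }
    // Still active: slide the window forward on the server only.
    $_SESSION['last_activity'] = time();
}

enforce_idle_timeout();
```

The login script would set `$_SESSION['last_activity'] = time();` right after the credentials check succeeds. Links then no longer need to carry a `stamp` value, so a stale URL in the browser history has nothing to reset.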
 