Shadowing

I found a flaw in this if ($_SESSION['login_time'] < strtotime('now - 15 minutes')) { // logs user out after 15 minutes and redirects to login and ends session header("Location: signup.php"); exit(); session_destroy(); anyone who doesnt have a session login time "people who dont have accounts" will beable to view pages. if they had the direct links. The session_destroy after the exit like that wont destroy the session. and if it did destroy the session then the script doesnt work at all. Cant figure out how to fix this I was going to put this before it if(!isset($_SESSION['login_time'])){ header("Location: signup.php"); exit(); but that doesnt work

yah! i figured out why its doing what its doing. For starters the double click thing wasnt triping anything. The auto log out script just wasnt working. cause i double clicked slowly and it still did it haha and its because I removed exit(); from the script. So that problem is solved. So I log in wait 1 minute and click on a page and it logs me out like it should. Then I run this script on log out <?php include_once("connect.php"); echo $_SESSION['user_id']; echo $_SESSION['login_time']; ?> and it displays both sessions. meaning its not destroying the session but if i put exit(); after session_destroy it destroys the session. if I leave exit all together it doesnt destroy the session. also i noticed that if I delete or move the exit after session_destroy command it lets me view the page and once it lets me view the page and i stay on that page and put exit(); back before session_destroy command it makes the auto log out page not work anymore unless I log in. Anyways one thing i know for sure is this that right now this script is 100 percent for sure not destroying my session. if ($_SESSION['login_time'] < strtotime('now - 1 minutes')) { header("Location: signup.php"); exit(); session_destroy(); so I have figured out why its doing all this. if there is no session then if ($_SESSION['login_time'] < strtotime('now - 1 minutes')) doesnt work at all which allows me to view pages. and the reason my auto log out has been working is because with the exit before the session destroy command the session doesnt get destroyed. and the reason this command doesnt log me out exit(); session_destroy(); is because its deleting the session. So im saying my auto log out needs to have a active session in order to work. which is bad cause anyone with out a session can log in. so that is why its not working. Cant believe took me this long to figure this out. so the problem is with my auto log out script. If it has no session to compare the time to then it wont work. If I use this as my log out script and put a exit before the session_destroy exit(); session_destroy(); it wont destroy the session and if one minute hasnt pass it will let me view the page. if I only use session_destroy(); on the log out script then it will destory the session allowing my auto log out script not to work. so i need to figure out how to tell my auto log out script to log people out that dont have a session login_time if(!isset($_SESSION['login_time'])){ header("Location: signup.php"); exit(); that didnt work

so I added this line if(empty($_SESSION['login_time'])){ if ($_SESSION['login_time'] < strtotime('-1 minutes')) { // logs user out after 15 minutes and redirects to login and ends session header("Location: signup.php"); session_destroy() i hit a page and it lets me in after its been triped from double clicking. and i hit log out and no session is being displayed so this should work since no session exists. Also i should mention when i do that fast double click and it lets me in. If I wait one minute it doesnt sign me out. So that script stops working. So having no login time session its still reading it as less than the time

I dont know what i was thinking. Last night I was right about what I said. lets break this down and just look at this code. Lets say my session is not being deleted in this script. If it wasnt then the condition would still remain true. So what keeps me loged out is the condition is still true not that my session is destroyed cause when i log in again it just updates the session which makes this condition false again for one minute. <?php if ($_SESSION['login_time'] < strtotime('-1 minutes')) { header("Location: signup.php"); exit(); session_destroy(); echo "You have been loged out."; } ?> so I did this. I deleted the session_destroy on the script above and the script still works. then I went to log out file which now reads <?php include_once("connect.php"); echo $_SESSION['user_id']; echo $_SESSION['login_time']; ?> and it displayed the user id and login time. so then I added the destory session back to the auto log out script. loged in and waited for one minute to go by and then hit log out and it didnt display any session. So now we know it does create and destroy the session. and we know that the session existing or not has no affect on the script that keeps me loged in. Also I just notice something. when I wait 1 minute and it auto logs me out if I double click on a page really fast that i need to be loged in to view it messes up and lets me view it. The first click sends me to the log in page but the 2nd click lets me view it. i see it flip the page real fast before letting me in so that means that my auto log out script isnt really sucessful

k i tried and still not working <?php include_once("connect.php"); if ($_SESSION['login_time'] < strtotime('now - 60 minutes')) { session_destroy(); header("Location: signup.php"); exit(); } ?> here is my login script with the session login beign created. Restarted my computer just for the heck of it too. <? include_once("connect.php"); ?> <?php if(isset($_POST['Login'])) { if(!preg_match('/^[A-Za-z0-9]{5,20}$/',$_POST['loginusername'])) { // checks username format. echo "Invalid Username. Usernames can only be letters or numbers"; } else { $querys = "SELECT password,id,login_ip FROM users WHERE name='".mysql_real_escape_string($_POST['loginusername'])."'"; $results = mysql_query($querys) or die(mysql_error()); $roe = mysql_fetch_array($results); // Search the database and get the password, id, and login ip that belongs to the name in the username field. if(empty($roe['id'])){ // check if the id exist and it isn't blank. echo "Account doesn't exist."; } else { if(md5($_POST['loginpassword']) != $roe['password']){ // if the account exist this is matching the password with the password typed in the password field. echo "Your password is incorrect."; } else { if(empty($roe['login_ip'])){ // checks to see if the login ip has an ip already $roe['login_ip'] = $_SERVER['REMOTE_ADDR']; } $ip_information = explode("-", $roe['login_ip']); // if the ip is different from the ip that is on the database it will store it if (in_array($_SERVER['REMOTE_ADDR'], $ip_information)) { $roe['login_ip'] = $roe['login_ip']; } else { $roe['login_ip'] = $roe['login_ip']."-".$_SERVER['REMOTE_ADDR']; } $_SESSION['user_id'] = $roe['id'];// stores the id of the user $_SESSION['login_time'] = time(); // stores the log in time of the user $results = mysql_query("UPDATE users SET userip='".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."',login_ip='".mysql_real_escape_string($roe['login_ip'])."' WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'") or die(mysql_error()); // to test that the session saves well we are using the sessions id update the database with the ip information we have received. header("Location: dominion.php"); // redirects me to main.php } } } } ?> so I reset my minutes to -1 minute and sure enough it keeps me loged out as usual. hmmm. going to test to make sure my session is being deleted again on hitting log out. <?php include_once("connect.php"); if(isset($_SESSION['user_id'])) { // checks for id in session $sql = "UPDATE users SET lastactive = NOW() WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'"; mysql_query($sql); // updates the last activity of user if ($_SESSION['login_time'] < strtotime('-1 minutes')) { // logs user out after 15 minutes and redirects to login and ends session header("Location: signup.php"); exit(); session_destroy(); echo "You have been loged out."; } } ?>

Thanks for joining the conversation Drummin i dont know what i was thinking. that theory is down the hole lol. of course destroying the session is making a impact on keeping me loged off since when the timer runs out it destroys session and keeps me loged off. i did a test and put start session on every page lol with no affect. what baffles me the most is the auto log out works fine. I just tested it again works perfectly. this is driving me crazy lol

ok did some tests im using this as my log out code now <?php include_once("connect.php");?> <?php if(isset($_SESSION['login_time'])) { session_unset(); session_destroy(); header("Location: signup.php"); } ?> what I learn was and I almost didnt notice this but when I ran this code it didnt redirect me to the header. meaning the if statment turned up false. So that means the session was destroyed cause when I go and log in and log out it redirected me to the header. then if i go to a page inside and log out again it doesnt redirect me. so im thinking this. when the login_time session is blank its still reading it as less than which is making it true and allowing me to access pages. if ($_SESSION['login_time'] < strtotime('-60 minutes'))

I was thinking maybe when I auto log out after 60 minutes its not really destroying the session at that time either and the reason it works is cause the session still matches the codition. if ($_SESSION['login_time'] < strtotime('-60 minutes')) { header("Location: signup.php"); exit(); session_destroy(); so the problem has to be the session isnt being destroyed. I also typed a simple if command that has to be true and it still didnt work. Which narrows this down to the session isnt being destroyed.

i never had a log out script. this is the first. the auto log out still works just fine. If i wait how ever long i set it for it logs out and i cant access any pages with out logging back in again. I went ahead and by passed the menu page so now all we have is the log out page <?php include_once("connect.php"); header("Location: signup.php"); session_destroy(); ?> the page im connecting back with after i hit log out <? require("Safe.php"); ?> <html> <head> <link rel="stylesheet" type="text/css" href="sitestyle.css" /> </head> <body> Under Construction </body> </html> then the safe page which is the staying loged in page <?php include_once("connect.php"); if(isset($_SESSION['user_id'])) { // checks for id in session $sql = "UPDATE users SET lastactive = NOW() WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'"; mysql_query($sql); // updates the last activity of user if ($_SESSION['login_time'] < strtotime('-60 minutes')) { // logs user out after 15 minutes and redirects to login and ends session header("Location: signup.php"); exit(); session_destroy(); } } ?>

well that cancels that idea just ran a test still isnt working. crazy

my inner webpages goes to <? require("menu.php"); ?> // which is a menu i have load on every webpage. and its menu.php that has the <? include_once("Safe.php"); ?> which is the file that keeps you loged in could daisy chaining that effect anything?

if my log out timer works fine with no problems then the problem has to be in my session not getting destroyed. so the problem must some how be in the way im staying loged in I dont see how though since that entire page is reading from sessions

Thanks for the reply meltingpoint I tried that still isnt working. this is one wierd issue. here is my full code and my connect.php file has this <?php session_start(); ob_start(); what is the deal with the ob_start. I added that a long time ago cause someone else had it. <?php include_once("connect.php"); if(isset($_SESSION['user_id'])) { // checks for id in session $sql = "UPDATE users SET lastactive = NOW() WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'"; mysql_query($sql); // updates the last activity of user if ($_SESSION['login_time'] < strtotime('-60 minutes')) { // logs user out after 15 minutes and redirects to login and ends session header("Location: signup.php"); exit(); session_destroy(); echo "You have been loged out.";

I cant figure out why my log out script doesnt work all you need is session_start(); session_destroy(); right? here is my script to keep people loged in which works fine. if ($_SESSION['login_time'] < strtotime('-60 minutes')) { header("Location: signup.php"); exit(); session_destroy();

Thanks alot! cheers

I just realize another problem now since im adding folders If I have a header going to folderA/folderB/file.php and while im reading that file if i have any php include files in the script it wont read it from folder B guess there is no way around that?

i mean like Joomla or word press but builds a forum instead

Anyone know if there is any php forum set ups out there. If so any best ones?

thats wierd it works now lol. last night i was trying to load a background image and it didnt work but it works now. I must of misspelled the folder name or file.

im trying to get headers in my php scripts to go to htdocs/game/map/*******.php if thats a better way of putting it

Im using XAMPP at the moment and my applicatin im making is in a folder in the htdocs folder where all my files are read from. I notice when im php scripting if I put any files into another folder with in my main folder it wont load the page. so when I want to load a .php file from a script do i need to add more then just go to this .php file? I tried adding folder/*****.php but that didnt work I want to use multiple folders so its more organized hope someone can help me out with this

is this correct every time $row is excuted it reads this line $results = mysql_query("UPDATE users SET userip='".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."',login_ip='".mysql_real_escape_string($roe['login_ip'])."' WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'") or die(mysql_error()); I did some process of elimination. one thing i really do not understand is that if I delete below if(empty($roe['login_ip'])){ // checks to see if the login ip has an ip already $roe['login_ip'] = $_SERVER['REMOTE_ADDR']; } the ip address does not get recorded

Thanks for the reply awjudd ya thats exactly how I understand what the line does. thats why it doesnt make any sense if I remove it the ip doesnt update its the wierdest thing. the code right above it should be updating my ip. The only thing i can think of is the ip code above just doesnt work and its that 2nd $result line that is actually updating it. I'll run a test and remove the ip code above it and see what happends

If you do a select query do you always need to do a update query to of everything you selected? otherwise it leaves the value blank? Reason I ask is cause im confused on this one spot of my login script my confusion is it having two $result = in the script. If i remove the second $result my login ip wont be recorded. I just cant make sense of why. Can someone please help me understand how its affecting my log in script i would really appreciate it cause I understand everything out 100 percent accept that. <? include_once("connect.php"); ?> <html> <body> <?php if(isset($_POST['Login'])) { if(!preg_match('/^[A-Za-z0-9]{5,20}$/',$_POST['Username'])) { // checks username format. echo "Invalid Username."; } else { $query = "SELECT password,id,login_ip FROM users WHERE name='".mysql_real_escape_string($_POST['Username'])."'"; $result = mysql_query($query) or die(mysql_error()); $row = mysql_fetch_array($result); // Search the database and get the password, id, and login ip that belongs to the name in the username field. if(empty($row['id'])){ // check if the id exist and it isn't blank. echo "Account doesn't exist."; } else { if(md5($_POST['password']) != $row['password']){ // if the account exist this is matching the password with the password typed in the password field. echo "Your password is incorrect."; } else { if(empty($row['login_ip'])){ // checks to see if the login ip has an ip already $row['login_ip'] = $_SERVER['REMOTE_ADDR']; } $ip_information = explode("-", $row['login_ip']); // if the ip is different from the ip that is on the database it will store it if (in_array($_SERVER['REMOTE_ADDR'], $ip_information)) { $row['login_ip'] = $row['login_ip']; } else { $row['login_ip'] = $row['login_ip']."-".$_SERVER['REMOTE_ADDR']; } $_SESSION['user_id'] = $row['id'];// stores the id of the user $_SESSION['login_time'] = time(); // stores the log in time of the user $result = mysql_query("UPDATE users SET userip='".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."',login_ip='".mysql_real_escape_string($row['login_ip'])."' WHERE id='".mysql_real_escape_string($_SESSION['user_id'])."'") or die(mysql_error()); // to test that the session saves well we are using the sessions id update the database with the ip information we have received. header("Location: main.php"); // redirects me to main.php } } } } ?> <form id="form1" name="form1" method="post" action=""><center> GAME LOGIN <br /> <br /> Username: <input type="text" name="Username" id="Username" /> <br /> <br /> Password: <input type="password" name="password" id="password" /> <br /> <br /> <input type="submit" name="Login" id="Login" value="Login" /> </center> </form> </body> </html>

I wanted to do it for organize reasons I guess im making a web browser game the only table I have right now is users so wanted to create another table so game stuff isnt mixed in with non game related stuff. So the only column i wanted to share was user id between the two tables. but i guess there is other ways of doing this. when someoen registers have it create a id for the other table that equals the same id on the other table guess that would work