Hello,
I have an issue with my login script. The issue is that when a user has been logged in for a while, they get auto-logged out (the session gets removed/renewed) even though the lifetime of both the session and the cookie is 7 days (604800 seconds).
Here's the login code I'm using:
class session {
    // Start the session
    function sec_session_start() {
        $session_name = 'nopedotjava'; // Set a custom session name
        $secure = false;               // Set to true if using https.
        $httponly = true;              // This stops javascript being able to access the session id.
        ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
        ini_set('session.cookie_lifetime', 60 * 60 * 24 * 7);
        ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 7);
        ini_set('session.save_path', '/customers/7/7/e/*****.com/httpd.www/jobb/sessions');
        $cookieParams = session_get_cookie_params(); // Gets current cookie params.
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
        session_name($session_name); // Sets the session name to the one set above.
        session_start();             // Start the php session
        session_regenerate_id(true); // Regenerate the session id and delete the old session file.
        echo $cookieParams['lifetime'];
    }

    // Login Function
    function login($username, $password, $mysqli) {
        // Using prepared statements means that SQL injection is not possible.
        $stmt = $mysqli->stmt_init();
        if ($stmt->prepare("SELECT id, password FROM workers WHERE username = ? LIMIT 1")) {
            $stmt->bind_param('s', $username); // Bind "$username" to parameter.
            $stmt->execute();                  // Execute the prepared query.
            $stmt->store_result();
            $stmt->bind_result($uid, $db_password); // Get variables from result.
            $stmt->fetch();
            $key = "*************************";
            $newPassword = pass_decrypt($db_password, $key); // Decrypt the stored password.
            if ($stmt->num_rows == 1) { // If the user exists
                if ($newPassword == $password) { // Check if the password in the database matches the password the user submitted.
                    // Password is correct!
                    $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
                    $uid = preg_replace("/[^0-9]+/", "", $uid); // XSS protection as we might print this value
                    $_SESSION['uid'] = $uid;
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); // XSS protection as we might print this value
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $db_password . $user_browser);
                    // Login successful.
                    return true;
                } else {
                    // Password is not correct
                    // We record this attempt in the database
                    return false;
                }
            } else {
                // User does not exist
                return false;
            }
        } else {
            // Preparing the statement failed
            return false;
        }
    }

    // Check if a user is logged in or not.
    function login_check($mysqli) {
        // Check if all session variables are set
        if (isset($_SESSION['uid'], $_SESSION['username'], $_SESSION['login_string'])) {
            $uid = $_SESSION['uid'];
            $login_string = $_SESSION['login_string'];
            $username = $_SESSION['username'];
            $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
            $stmt = $mysqli->stmt_init();
            if ($stmt->prepare("SELECT password FROM workers WHERE id = ? LIMIT 1")) {
                $stmt->bind_param('i', $uid); // Bind "$uid" to parameter.
                $stmt->execute();             // Execute the prepared query.
                $stmt->store_result();
                if ($stmt->num_rows == 1) { // If the user exists
                    $stmt->bind_result($password); // Get variables from result.
                    $stmt->fetch();
                    $login_check = hash('sha512', $password . $user_browser);
                    if ($login_check == $login_string) {
                        // Logged in!
                        return true;
                    } else {
                        // Not logged in
                        return false;
                    }
                } else {
                    // Not logged in
                    return false;
                }
            } else {
                // Not logged in
                return false;
            }
        } else {
            // Not logged in
            return false;
        }
    }
}
As you can see, the sessions get saved into /sessions and the old sessions are still there, but they don't get "regenerated" by the session_regenerate_id(true);
I also have another issue regarding iPhone Safari image uploads. When I try to upload an image using Safari from the iPhone, the bar just loads forever. I've tested the upload code and it works on both PC (tested on Windows using Google Chrome and Internet Explorer) and Android smartphones (using Google Chrome).
Here's the upload code I'm using:
echo '<br><br>
<form action="index.php?page=jobb&action=view&jobbid=' . $jobbid . '" method="POST" enctype="multipart/form-data">
Ladda upp foto(n): <input type="file" accept="image/*" capture="camera" name="pictures[]" required="" multiple> <input type="submit" name="upload" value="Ladda upp">
</form>';
if (isset($_FILES['pictures'], $_GET['jobbid'])) {
    $extensions = array("jpeg", "jpg", "png");
    $img_dir = "images/";
    foreach ($_FILES['pictures']['tmp_name'] as $key => $tmp_name) {
        $file_name = $key . $_FILES['pictures']['name'][$key];
        $file_tmp  = $_FILES['pictures']['tmp_name'][$key];
        $file_type = $_FILES['pictures']['type'][$key];
        // end() needs a real variable; passing explode() directly raises a notice.
        $name_parts = explode(".", $_FILES['pictures']['name'][$key]);
        $file_ext = strtolower(end($name_parts));
        if (in_array($file_ext, $extensions) === true) {
            $path = $img_dir . generateRandomString() . "." . $file_ext;
            // Only record the picture if the file was actually moved into place.
            if (move_uploaded_file($file_tmp, $path)) {
                $stmt = $mysqli->stmt_init();
                if ($stmt->prepare("INSERT INTO pictures VALUES (?,?)")) {
                    $stmt->bind_param("si", $path, $_GET['jobbid']);
                    $stmt->execute();
                    $stmt->close();
                }
            }
        }
    }
}
Thanks in advance!
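An added example (not the poster's code) of a session bootstrap and login check on the same theme: the 7-day lifetime is set once before session_start(), the session id is regenerated only at login rather than on every request, and the stored password is verified with password_verify() instead of being decrypted. It assumes a workers table with a password_hash column (output of password_hash()), the mysqlnd driver for get_result(), and a server-side secret SESSION_SECRET that is a placeholder here.

```php
<?php
// Added example, not the poster's code. Assumes a `workers` table with
// columns id, username, password_hash and a $mysqli connection.

const SESSION_LIFETIME = 60 * 60 * 24 * 7;           // 604800 seconds, as in the post
const SESSION_SECRET   = 'PLACEHOLDER-replace-with-a-long-random-value';

function sec_session_start(): void {
    // Lifetime settings must be applied before session_start() for this request.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');       // reject ids the server never issued
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),   // true once the site is on https
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name('nopedotjava');
    session_start();
}

function login(string $username, string $password, mysqli $mysqli): bool {
    $stmt = $mysqli->prepare('SELECT id, password_hash FROM workers WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // password_verify() compares against the stored hash in constant time.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Regenerate the id once, at the privilege change, not on every page load.
    session_regenerate_id(true);
    $_SESSION['uid']      = (int) $row['id'];
    $_SESSION['username'] = $username;
    // Bind the session to the user agent with a server-side secret, not the password.
    $_SESSION['login_string'] = hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', SESSION_SECRET);
    return true;
}

function login_check(): bool {
    if (!isset($_SESSION['uid'], $_SESSION['login_string'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '', SESSION_SECRET);
    return hash_equals($expected, $_SESSION['login_string']); // constant-time compare
}
```

A second added example (again not the poster's code) for the pictures[] upload handler: it decides the file type from the file's contents rather than the client-supplied name, checks the per-file upload error code, and only records a row after the file has been moved. It assumes $mysqli, a pictures table with columns (path, jobbid), and replaces the post's generateRandomString() with random_bytes().

```php
<?php
// Added example, not the poster's code. Assumes $mysqli and a `pictures`
// table with columns (path, jobbid).

function store_uploaded_pictures(array $files, int $jobbid, mysqli $mysqli, string $img_dir = 'images/'): array {
    // Allowed types keyed by detected MIME type; the client's name and type are not trusted.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $saved = [];
    foreach ($files['tmp_name'] as $key => $tmp) {
        // Skip entries that did not upload cleanly (partial uploads, size limits, ...).
        if ($files['error'][$key] !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
            continue;
        }
        $mime = $finfo->file($tmp);
        if (!isset($allowed[$mime]) || getimagesize($tmp) === false) {
            continue; // content is not a real JPEG/PNG
        }
        // Random server-chosen filename with an extension matching the detected type.
        $path = $img_dir . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
        if (!move_uploaded_file($tmp, $path)) {
            continue;
        }
        $stmt = $mysqli->prepare('INSERT INTO pictures (path, jobbid) VALUES (?, ?)');
        $stmt->bind_param('si', $path, $jobbid);
        $stmt->execute();
        $stmt->close();
        $saved[] = $path;
    }
    return $saved;
}

if (isset($_FILES['pictures'], $_GET['jobbid'])) {
    store_uploaded_pictures($_FILES['pictures'], (int) $_GET['jobbid'], $mysqli);
}
```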