login once, session expires, cannot login again

[webguync]

here is my situation, I have a login which authenticates against username/password in MySQL DB. The user logs in and gets to a protected page and is logged out after 90 secs. So far so good. If they try and login they cannot b/c session expired, however they can close browser and open up link again and get in. I don't want this. I do have a field set up which sets a timestamp when the first login is made. I am thinking I just need to set up a check to see if the timestamp is there and if it is echo a response "you have already logged in once, no more login for you!" or something like that. I need a little help with that. My code so far.

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<link href="report.css" rel="stylesheet" type="text/css" />
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh" content="90;URL=StudentLogin.php"> 
</head>
<?php
//ini_set("display_errors","1");
//ERROR_REPORTING(E_ALL);
       session_start();

       if(!session_is_registered("session_count")) {
             $session_count = 0;
             $session_start = time();
             $_SESSION['session_count']=$session_count;
             $_SESSION['session_start']=$session_start;
       } else {
             $session_count++;
       }

       $session_timeout = 90; // expires after 30 seconds

       $session_duration = time() - $session_start;
       if ($session_duration > $session_timeout) {
           session_unset();
           session_destroy();
           $_SESSION = array();
               header("Location: StudentLogin.php");  // Redirect to Login Page
       } else {
           $session_start = time();
           $_SESSION['session_start']=$session_start;
       }
   

$con = mysql_connect("localhost","username","pw") or die('Could not connect: ' . mysql_error());

mysql_select_db("DBName") or die(mysql_error());




// Same checking stuff all over again.
if(isset($_POST['submit'])) {
   if(empty($_POST['username']) || empty($_POST['pwid']) ) {
     echo "<h2 class='fail'>Please fill in both your username and password to access your exam results.<br /><br >You will be redirected back to the login screen in five seconds.</h2>";



  echo "<meta http-equiv='refresh' content='5; url=StudentLogin.php'>";
                exit;
   }
   // Create the variables again.
   
   $username = mysql_real_escape_string($_POST['username']);
   $pwid = $_POST['pwid'];

   // Encrypt the password again with the md5 hash. 
   // This way the password is now the same as the password inside the database.
   //$pwid = md5($pwid);

   // Store the SQL query inside a variable. 
   // ONLY the username you have filled in is retrieved from the database.
   $query = "SELECT username,pwid,name
           FROM   roster_March2010
           WHERE
           pwid = '$pwid'
           AND
           username='$username'";

   $result = mysql_query($query) or die(mysql_error());
   if(mysql_num_rows($result) == 0) { 
      // Gives an error if the username/pw given does not exist.
      // or if something else is wrong.
     echo "<h2 class='fail'>You have entered a username or password that does not match our database records. please try again.<br><br>You will be redirected back to the login screen in five seconds.</h2> " . mysql_error();
echo "<meta http-equiv='refresh' content='5; url=StudentLogin.php'>";
exit();
/*
this would benefit from a redirect to a page giving better information to
the user and maybe logging some errors.
*/
   } else {
      // Now create an object from the data you've retrieved.
      $row = mysql_fetch_object($result);
      // You've now created an object containing the data.
      // You can call data by using -> after $row.
      // For example now the password is checked if they're equal.

      // By storing data inside the $_SESSION superglobal,
      // you stay logged in until you close your browser.



   $_SESSION['name'] = $row->name;
     $_SESSION['username'] = $username;
      $_SESSION['sid'] = session_id(); 
      // Make it more secure by storing the user's IP address.
      $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
      // Now give the success message.
      // $_SESSION['username'] should print out your username.

//move this to after your redirect further below..
//Update record with current time IF the account has never logged in before





$dat = time() + 3600;
$query = "UPDATE roster_March2010
          SET login_timestamp = DATE_ADD(NOW(), INTERVAL 3 HOUR)
          WHERE username = '$username'
           AND pwid = '$pwid' ";
//echo $query; //for debugging test 
$result = mysql_query($query) or die(mysql_error()); 

//Check if query ran successfully     
   }
}

// Start a session. If not logged in will be redirected back to login screen.

if(!isset($_SESSION['username'])){
header("Location:StudentLogin.php");
exit;
}
echo "<table id='header'><tr><td align='middle'><div id='welcome'><h3>Welcome! You are now logged in " . $_SESSION['name'] . "</h3></td></tr></table>";



?>

 

[scvinodkumar]

Then in this case u need to use cookies. You can get more information about cookie here http://in2.php.net/manual/en/function.setcookie.php

[webguync]

would cookie take the place of a session or can you use COOKIE and SESSION?

[webguync]

aren't cookies automatically destroyed when the browser is closed also? In that case they would still be able to open up a new browser and login, right?