webguync Posted March 17, 2010

Here is my situation: I have a login which authenticates against username/password in a MySQL DB. The user logs in and gets to a protected page and is logged out after 90 secs. So far so good. If they try and login they cannot b/c the session expired, however they can close the browser and open up the link again and get in. I don't want this. I do have a field set up which sets a timestamp when the first login is made. I am thinking I just need to set up a check to see if the timestamp is there and if it is, echo a response "you have already logged in once, no more login for you!" or something like that. I need a little help with that. My code so far.

```php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link href="report.css" rel="stylesheet" type="text/css" />
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh" content="90;URL=StudentLogin.php">
</head>
<?php
//ini_set("display_errors","1");
//ERROR_REPORTING(E_ALL);
session_start();

if (!isset($_SESSION['session_count'])) {
    // First request of this session: start the counter and the clock.
    $_SESSION['session_count'] = 0;
    $_SESSION['session_start'] = time();
} else {
    $_SESSION['session_count']++;
}

$session_timeout = 90; // expires after 90 seconds
$session_duration = time() - $_SESSION['session_start'];
if ($session_duration > $session_timeout) {
    session_unset();
    session_destroy();
    $_SESSION = array();
    header("Location: StudentLogin.php"); // Redirect to Login Page
    exit;
} else {
    $_SESSION['session_start'] = time();
}

$con = mysql_connect("localhost", "username", "pw") or die('Could not connect: ' . mysql_error());
mysql_select_db("DBName") or die(mysql_error());

// Same checking stuff all over again.
if (isset($_POST['submit'])) {
    if (empty($_POST['username']) || empty($_POST['pwid'])) {
        echo "<h2 class='fail'>Please fill in both your username and password to access your exam results.<br /><br />You will be redirected back to the login screen in five seconds.</h2>";
        echo "<meta http-equiv='refresh' content='5; url=StudentLogin.php'>";
        exit;
    }

    // Create the variables again. Both values go into the SQL below, so both are escaped.
    $username = mysql_real_escape_string($_POST['username']);
    $pwid = mysql_real_escape_string($_POST['pwid']);

    // Encrypt the password again with the md5 hash.
    // This way the password is now the same as the password inside the database.
    //$pwid = md5($pwid);

    // Store the SQL query inside a variable.
    // ONLY the username you have filled in is retrieved from the database.
    $query = "SELECT username,pwid,name FROM roster_March2010 WHERE pwid = '$pwid' AND username='$username'";
    $result = mysql_query($query) or die(mysql_error());

    if (mysql_num_rows($result) == 0) {
        // Gives an error if the username/pw given does not exist.
        // or if something else is wrong.
        echo "<h2 class='fail'>You have entered a username or password that does not match our database records. please try again.<br><br>You will be redirected back to the login screen in five seconds.</h2> " . mysql_error();
        echo "<meta http-equiv='refresh' content='5; url=StudentLogin.php'>";
        exit();
        /* this would benefit from a redirect to a page giving better
           information to the user and maybe logging some errors. */
    } else {
        // Now create an object from the data you've retrieved.
        $row = mysql_fetch_object($result);
        // You've now created an object containing the data.
        // You can call data by using -> after $row.
        // For example now the password is checked if they're equal.

        // By storing data inside the $_SESSION superglobal,
        // you stay logged in until you close your browser.
        $_SESSION['name'] = $row->name;
        $_SESSION['username'] = $username;
        $_SESSION['sid'] = session_id();
        // Make it more secure by storing the user's IP address.
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
        // Now give the success message.
        // $_SESSION['username'] should print out your username.
        //move this to after your redirect further below..

        //Update record with current time IF the account has never logged in before
        $dat = time() + 3600;
        $query = "UPDATE roster_March2010 SET login_timestamp = DATE_ADD(NOW(), INTERVAL 3 HOUR) WHERE username = '$username' AND pwid = '$pwid' ";
        //echo $query; //for debugging test
        $result = mysql_query($query) or die(mysql_error()); //Check if query ran successfully
    }
}

// Start a session. If not logged in will be redirected back to login screen.
if (!isset($_SESSION['username'])) {
    header("Location:StudentLogin.php");
    exit;
}

// Escape the stored name before echoing it into the page.
echo "<table id='header'><tr><td align='middle'><div id='welcome'><h3>Welcome! You are now logged in " . htmlspecialchars($_SESSION['name']) . "</h3></div></td></tr></table>";
?>
```

scvinodkumar Posted March 17, 2010

Then in this case you need to use cookies. You can get more information about cookies here: http://in2.php.net/manual/en/function.setcookie.php

webguync Posted March 17, 2010 (Author)

Would a cookie take the place of a session, or can you use COOKIE and SESSION?

webguync Posted March 17, 2010 (Author)

Aren't cookies automatically destroyed when the browser is closed also? In that case they would still be able to open up a new browser and login, right?
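
Added example, not part of the thread: the check webguync describes (refuse a login once the timestamp is set), enforced in the database so it holds whatever happens to the browser's cookie or session. It assumes the thread's roster_March2010 columns, a login_timestamp that is NULL until the first login, and a pwid column holding a password_hash() value; the SQLite database, the sample row and the loginOnce() name are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Assumptions: the thread's table
// roster_March2010(username, pwid, name, login_timestamp), pwid stores a
// password_hash() value, login_timestamp is NULL until the first login.
// An in-memory SQLite database with a constructed row keeps it runnable offline.

function loginOnce(PDO $db, string $username, string $password): string
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pwid FROM roster_March2010 WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password return the same result.
    if ($row === false || !password_verify($password, $row['pwid'])) {
        return 'denied';
    }

    // Claim the single login atomically: the WHERE clause matches only while
    // the timestamp is still NULL, so two simultaneous requests cannot both win.
    $claim = $db->prepare(
        'UPDATE roster_March2010 SET login_timestamp = CURRENT_TIMESTAMP
         WHERE username = ? AND login_timestamp IS NULL'
    );
    $claim->execute([$username]);

    return $claim->rowCount() === 1 ? 'ok' : 'already-used';
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE roster_March2010 (
    username TEXT PRIMARY KEY, pwid TEXT, name TEXT, login_timestamp TEXT)');
$db->prepare('INSERT INTO roster_March2010 (username, pwid, name) VALUES (?, ?, ?)')
   ->execute(['student1', password_hash('s3cret-example', PASSWORD_DEFAULT), 'Sample Student']);

// Wrong password, first valid login, then a repeat attempt from a "new browser".
echo loginOnce($db, 'student1', 'wrong-password'), "\n";
echo loginOnce($db, 'student1', 's3cret-example'), "\n";
echo loginOnce($db, 'student1', 's3cret-example'), "\n";
```

On an 'ok' result, call session_regenerate_id(true) before storing the user in $_SESSION, so the authenticated session does not reuse the pre-login session ID.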