Svenskunganka Posted November 14, 2013 Share Posted November 14, 2013

Hello, I have an issue with my login script. The issue is that when a user has been logged in for awhile, they get auto-logged out (The session gets removed/renewed) even though the lifetime of both the session and cookie is 7 days. (604800 seconds). Here's the login code I'm using:

// Session bootstrap plus login / login-state checks against the `workers` table.
class session {

    // Start the session
    //
    // Sets cookie-only sessions, a 7-day cookie and GC lifetime and a custom
    // save path, starts the session, then issues a new session ID.
    function sec_session_start() {
        $session_name = 'nopedotjava'; // Set a custom session name
        // NOTE(review): while this is false the session cookie carries no Secure
        // flag, so the browser also sends it over plain HTTP.
        $secure = false; // Set to true if using https.
        $httponly = true; // This stops javascript being able to access the session id.
        ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies.
        ini_set('session.cookie_lifetime', 60 * 60 * 24 * 7);
        ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 7);
        // NOTE(review): the path contains "httpd.www", which looks like it sits
        // below the web root - confirm the directory is not served over HTTP,
        // since session files hold the login state.
        ini_set('session.save_path', '/customers/7/7/e/*****.com/httpd.www/jobb/sessions');
        $cookieParams = session_get_cookie_params(); // Gets current cookies params.
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
        session_name($session_name); // Sets the session name to the one set above.
        session_start(); // Start the php session
        // NOTE(review): this replaces the session ID and deletes the old session
        // data every time this function runs. If it runs on every page load
        // (callers are not shown), overlapping requests from the same browser, or
        // a response that never reaches the client, can leave the browser holding
        // an ID whose data is already gone - which looks like a random logout.
        // The usual practice is to regenerate the ID at login / privilege change.
        session_regenerate_id(true); // regenerated the session, delete the old one.
        echo $cookieParams['lifetime']; // prints the cookie lifetime read above
    }

    // Login Function
    //
    // Looks up $username in `workers`, decrypts the stored password and compares
    // it with $password. On a match it fills $_SESSION (uid, username,
    // login_string) and returns true; a wrong password or a failed prepare()
    // returns false.
    // NOTE(review): when prepare() succeeds but no row matches, no branch returns
    // a value, so the result is null rather than false. The "User do not exist"
    // else below belongs to the prepare() check, not to the row-count check.
    function login($username, $password, $mysqli) {
        // Using prepared Statements means that SQL injection is not possible.
        $stmt = $mysqli->stmt_init();
        if ($stmt->prepare("SELECT id, password FROM workers WHERE username = ? LIMIT 1")) {
            $stmt->bind_param('s', $username); // Bind "$username" to parameter.
            $stmt->execute(); // Execute the prepared query.
            $stmt->store_result();
            $stmt->bind_result($uid, $db_password); // get variables from result.
            $stmt->fetch();
            // NOTE(review): the stored password is reversible - it is decrypted with
            // a key held in the source and compared as plaintext, so anyone holding
            // the database and this key recovers every password. A one-way scheme
            // (password_hash() / password_verify()) avoids that. pass_decrypt() is
            // defined elsewhere and runs here even when no row was fetched.
            $key = "*************************";
            $newPassword = pass_decrypt($db_password, $key); // decrypt the stored password
            if($stmt->num_rows == 1) { // If the user exists
                // NOTE(review): `==` on two strings compares numerically when both
                // look like numbers ("1e3" == "1000" is true) and is not
                // constant-time; hash_equals() or `===` is the safer comparison.
                if($newPassword == $password) { // Check if the password in the database matches the password the user submitted.
                    // Password is correct!
                    // The User-Agent header is supplied by the client and may be absent.
                    $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
                    $uid = preg_replace("/[^0-9]+/", "", $uid); // XSS protection as we might print this value
                    $_SESSION['uid'] = $uid;
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); // XSS protection as we might print this value
                    $_SESSION['username'] = $username;
                    // Ties the session to the stored password value and the current User-Agent.
                    $_SESSION['login_string'] = hash('sha512', $db_password.$user_browser);
                    // Login successful.
                    return true;
                } else{
                    // Password is not correct
                    // We record this attempt in the database
                    // NOTE(review): nothing in this function records the attempt, and
                    // no throttling of repeated failures is visible here.
                    return false;
                }
            }
        } else {
            // User do not exist
            return false;
        }
    }

    // Check if a user is logged in or not.
    //
    // Returns true only when uid, username and login_string are all present in
    // $_SESSION, the uid still matches exactly one `workers` row, and
    // sha512(stored password . current User-Agent) equals the login_string saved
    // at login. Every other path returns false.
    // NOTE(review): because the User-Agent is part of the hash, a changed
    // User-Agent string (for example after a browser update) makes this check
    // fail and the user appears logged out.
    function login_check($mysqli) {
        // Check if all session variables are set
        if(isset($_SESSION['uid'], $_SESSION['username'], $_SESSION['login_string'])) {
            $uid = $_SESSION['uid'];
            $login_string = $_SESSION['login_string'];
            $username = $_SESSION['username'];
            $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
            $stmt = $mysqli->stmt_init();
            if ($stmt->prepare("SELECT password FROM workers WHERE id = ? LIMIT 1")) {
                $stmt->bind_param('i', $uid); // Bind "$uid" to parameter.
                $stmt->execute(); // Execute the prepared query.
                $stmt->store_result();
                if($stmt->num_rows == 1) { // If the user exists
                    $stmt->bind_result($password); // get variables from result.
                    $stmt->fetch();
                    $login_check = hash('sha512', $password.$user_browser);
                    // NOTE(review): hash_equals() is the usual way to compare digests;
                    // `==` is a loose, non-constant-time comparison.
                    if($login_check == $login_string) {
                        // Logged In!!!!
                        return true;
                    } else{
                        // Not logged in
                        return false;
                    }
                } else{
                    // Not logged in
                    return false;
                }
            } else{
                // Not logged in
                return false;
            }
        } else{
            // Not logged in
            return false;
        }
    }
}

As you can see, the sessions gets saved into /sessions and the old sessions is still there but they doesn't get "regenerated" by the session_regenerate_id(true);

I also have another issue regarding iPhone Safari image uploads. When I try to upload an image using Safari from the iPhone the bar just loads forever. I've tested the upload code and it works for both PC (Tested on Windows using Google Chrome & Internet Explorer and on Android smartphones using Google Chrome). Here's the upload code I'm using:

// Upload form, followed by the handler that stores each accepted picture under
// images/ and records its path together with the job id.
// NOTE(review): $jobbid is written into the form's action attribute without
// escaping; where it comes from is not shown. If it derives from the request it
// should be cast to int or passed through htmlspecialchars() first.
echo '<br><br> <form action="index.php?page=jobb&action=view&jobbid='.$jobbid.'" method="POST" enctype="multipart/form-data"> Ladda upp foto(n): <input type="file" accept="image/*" capture="camera" name="pictures[]" required="" multiple> <input type="submit" name="upload" value="Ladda upp"> </form>';

// NOTE(review): no login check is visible in this snippet - presumably it
// happens before this code runs; verify.
if(isset($_FILES['pictures'], $_GET['jobbid'])) {
    $extensions = array("jpeg", "jpg", "png"); // allow-list of file extensions
    $img_dir = "images/";
    foreach($_FILES['pictures']['tmp_name'] as $key => $tmp_name) {
        $file_name = $key.$_FILES['pictures']['name'][$key]; // not used below
        $file_tmp = $_FILES['pictures']['tmp_name'][$key];
        $file_type = $_FILES['pictures']['type'][$key]; // client-supplied MIME type; not used below
        // NOTE(review): end() takes its argument by reference, so passing the
        // result of explode() directly raises "Only variables should be passed
        // by reference". The extension comes from the client-supplied file name.
        $file_ext = strtolower(end(explode(".", $_FILES['pictures']['name'][$key])));
        // NOTE(review): only the extension is checked. The per-file 'error' code
        // is not inspected and the content is never verified to be an image
        // (for example with getimagesize() or finfo).
        if(in_array($file_ext, $extensions) === true) {
            // Stored under a generated name; generateRandomString() is defined elsewhere.
            $path = $img_dir.generateRandomString().".".$file_ext;
            // NOTE(review): the return value is ignored, so the row below is
            // inserted even when the move failed.
            move_uploaded_file($file_tmp, $path);
            $stmt = $mysqli->stmt_init();
            $stmt->prepare("INSERT INTO pictures VALUES (?,?)");
            $stmt->bind_param("si", $path, $_GET['jobbid']); // job id bound as an integer
            $stmt->execute();
            $stmt->close();
        }
    }
}

Thanks in advance!

Quote Link to comment Share on other sites More sharing options...
Svenskunganka Posted November 14, 2013 Author Share Posted November 14, 2013 Anyone? Quote Link to comment Share on other sites More sharing options...
Svenskunganka Posted November 16, 2013 Author Share Posted November 16, 2013 Bumping this to get it up in the list. I really need some help with this. Regards, Sven. Quote Link to comment Share on other sites More sharing options...
Svenskunganka Posted November 18, 2013 Author Share Posted November 18, 2013 Bumping for the same reason as above. Quote Link to comment Share on other sites More sharing options...
Svenskunganka Posted November 22, 2013 Author Share Posted November 22, 2013 Last bump now, if no reply, thread will die. *crossing my fingers* Quote Link to comment Share on other sites More sharing options...