Help improve login, session getting lost on android device


lovephp


Hey all, what am I doing wrong here? On an Android device, when I try to upload a file, the session gets lost while browsing through files on the phone. On PC and on the latest Android devices it seems OK, but on some I'm facing this issue.

How could I keep the session active for a month if the user does not log out?

My login.php code is:

<?php
session_start();

// $db is assumed to be an open mysqli connection (for example from an included config file).

function get_client_ip() {
    // Every HTTP_* value below is a request header the client can set to anything;
    // only REMOTE_ADDR is filled in by the server. Trust the header values only
    // when a proxy you control is the one setting them.
    $keys = array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED',
                  'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR');
    foreach ($keys as $key) {
        if (!empty($_SERVER[$key])) {
            return $_SERVER[$key];
        }
    }
    return 'UNKNOWN';
}

// Already logged in: redirect and stop. Without exit() the rest of the script
// still runs after the Location header is sent.
if (!empty($_SESSION['LOGGED_IN'])) {
    header("Location: index.php");
    exit();
}

if (isset($_POST["submit"])) {
    $email    = trim(strip_tags($_POST['email']));
    $password = trim(strip_tags($_POST['password']));
    $error    = '';

    // One parameterised lookup replaces the three string-built mysql_query() calls
    // (the mysql_* functions no longer exist in PHP 7); the stored hash is compared in PHP.
    $stmt = $db->prepare("SELECT userID, user_full_name, user_email, user_password FROM users WHERE user_email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->bind_result($userID, $fullName, $dbEmail, $passwordHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    if ($email == "") {
        $error = 'E-mail address is required.';
    } elseif (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $email)) {
        // eregi() was removed from PHP; preg_match with the /i flag keeps the same pattern.
        $error = 'E-mail address is invalid.';
    } elseif (!$found) {
        // Note: a distinct "not found" message reveals which addresses have accounts.
        $error = 'E-mail address not found.';
    } elseif ($password == "") {
        $error = 'Password is required.';
    } elseif (strlen($password) < 6) {
        $error = 'Password is too short.<small>(Min 6 Chars)</small>';
    } elseif ($passwordHash !== sha1($password)) {
        // Unsalted SHA-1 is kept only because the existing rows store it;
        // new rows should use password_hash() and be checked with password_verify().
        $error = 'Wrong password.';
    } else {
        // Login successful
        session_regenerate_id(true);
        $_SESSION['LOGGED_IN']          = true;
        $_SESSION['MAT_USER_ID']        = $userID;
        $_SESSION['MAT_USER_FULL_NAME'] = $fullName;
        $_SESSION['MAT_USER_EMAIL']     = $dbEmail;
        $ip = get_client_ip();
        $_SESSION['MAT_USER_IP'] = $ip;
        // The original set this cookie twice; only the second (12-hour) call took effect.
        // The HttpOnly flag keeps the cookie out of reach of page scripts.
        setcookie("matLogged", $_SESSION['MAT_USER_EMAIL'], time() + 43200, "/", "", false, true);
        session_write_close();
        echo("<p align='center'><font color='green' size='5'>Success:</font> Login successful, redirecting to members page.<br/><img src='img/loader.gif' alt='Loader'></p>");
        $upd = $db->prepare("UPDATE users SET ip = ? WHERE userID = ?");
        $upd->bind_param("si", $ip, $userID);
        $upd->execute();
        $upd->close();
        echo('<meta http-equiv="refresh" content="5;url=index.php">');
        exit();
    }
}


Would really appreciate your help and time.

  • 3 weeks later...

The first example here is a nice starter on cookies.

http://www.phpnerds.com/article/using-cookies-in-php/2

Absolutely do not use anything from that article. That's like 12-year-old code and is very unsafe. You should never store passwords in a cookie (or any other sensitive information), and you should never use MD5() to store passwords.


If I have to implement autologin myself (which, really, you shouldn't have to - use libraries), I will generate a random token and store it in the database, and a cookie. When a user visits the site and does not have an active session, the token from the cookie will look up the user it belongs to and they will be logged in. You can optionally add some additional checks like comparing browsers and IP to attempt to mitigate cookie theft. Make sure to also use HTTP only cookies, and always use HTTPS. You can also add a TTL to the tokens, and/or limit how many tokens can be active for a single user at one time. There's lots of variations here.
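The token-based autologin the reply outlines, written out as an added example (it is not code from the thread or from any library the reply refers to). It assumes a PDO connection `$pdo`, a table `auth_tokens(selector, validator_hash, user_id, expires_at)`, a cookie named `remember`, and that `session_start()` has already been called.

```php
<?php
// Added example (not the poster's or the reply's code): the "remember me" token
// scheme the reply describes. Assumed: a PDO connection $pdo and a table
// auth_tokens(selector, validator_hash, user_id, expires_at).
const REMEMBER_COOKIE = 'remember';      // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;  // one month, as asked for above

// After a successful password login: the cookie holds selector:validator, the DB
// holds only a hash of the validator, so a DB leak yields no usable cookies.
function issue_remember_token(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL;
    $pdo->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires_at)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// On a request with no logged-in session: look the cookie up, check the TTL,
// compare hashes in constant time, then rotate so a stolen copy is single-use.
function login_from_remember_cookie(PDO $pdo): ?int
{
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare('SELECT validator_hash, user_id FROM auth_tokens
                           WHERE selector = ? AND expires_at > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    $pdo->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    session_regenerate_id(true);
    $_SESSION['LOGGED_IN']   = true;
    $_SESSION['MAT_USER_ID'] = (int) $row['user_id'];
    issue_remember_token($pdo, (int) $row['user_id']);
    return (int) $row['user_id'];
}
```

The per-user cap on active tokens that the reply mentions can be added as a count check in `issue_remember_token` before the INSERT, and expired rows should be purged periodically.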
