Session expires too soon


jords

I found a simple PHP login script online & I amended it slightly. I'll admit I'm no expert, but there are 2 main problems here.

1.  Users get logged out after about 1 hour, which gets very annoying several times per day. 
2.  When a user logs out, it doesn't delete the session correctly because if a different user logs in right away, it remembers the old session variables.  

<?php  

// logout?
$logout = $_GET["logout"];
if($logout == "1") {

		// Initialize the session.
		// If you are using session_name("something"), don't forget it now!
		session_start();
		session_destroy();
		// Unset all of the session variables.
		$_SESSION = array();

		// If it's desired to kill the session, also delete the session cookie.
		// Note: This will destroy the session, and not just the session data!
		if (ini_get("session.use_cookies")) {
    	$params = session_get_cookie_params();
    	setcookie(session_name(), '', time() - 3600,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
   		 );
		}
		$_SESSION['id'] = "";
		$_SESSION['username'] = "";
		$_SESSION['password'] = "";
		$_SESSION['first'] = "";
		$_SESSION['last'] = "";
		$_SESSION['email'] = "";
		$_SESSION['email2'] = "";
		$_SESSION['type'] = "";
		$_SESSION['links'] = "";
		$_SESSION['links2'] = "";
		$_SESSION['abbreviation'] = "";

		// Finally, destroy the session.
		session_start();
		session_destroy();

}


//Start the Session

 require('connect.php');
 session_start();
//3. If the form is submitted or not.
//3.1 If the form is submitted
if (isset($_POST['username']) and isset($_POST['password'])){



 
//3.1.1 Assigning posted values to variables.
$username = $_POST['username'];
$password = $_POST['password'];
//3.1.2 Checking the values are existing in the database or not
$query = "SELECT * FROM `user` WHERE username='$username' and password='$password'";

 
$result = mysql_query($query) or die(mysql_error());
$count = mysql_num_rows($result);

while($row = mysql_fetch_array($result))
{

	$id = $row['id'];
    $first = $row['first'];
    $last = $row['last'];
    $email = $row['email'];
    $email2 = $row['email2'];
    $type = $row['type'];
    $links = $row['links'];
    $links2 = $row['links2'];
    $abbreviation = $row['abbreviation'];
    $abbreviation2 = $row['abbreviation2'];
    
}

date_default_timezone_set('America/Los_Angeles');
$timestamp = date('m/d/Y h:i:s', time());
$ip = $_SERVER["REMOTE_ADDR"];
$query2 = "UPDATE user SET lastlogin='$timestamp', ip='$ip' WHERE username='$username' and password='$password'";


 
$result2 = mysql_query($query2) or die(mysql_error());

//3.1.2 If the posted values are equal to the database values, then session will be created for the user.
if ($count == 1){
$_SESSION['id'] = "$id";
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
$_SESSION['first'] = $first;
$_SESSION['last'] = $last;
$_SESSION['email'] = $email;
$_SESSION['email2'] = $email2;
$_SESSION['type'] = $type;
$_SESSION['links'] = $links;
$_SESSION['links2'] = $links2;
$_SESSION['abbreviation'] = $abbreviation;
$_SESSION['abbreviation2'] = $abbreviation2;

}else{
//3.1.3 If the login credentials doesn't match, he will be shown with an error message.

$error = "<br/><center><font color='red'>Your username or password is incorrect.  </font></center>";
}
}
//3.1.4 if the user is logged in Greets the user with message
if (isset($_SESSION['username'])){


header('Location: http://www.thrulinela.com/intranet/index.php');
 
}else{
//3.2 Display login form.  
?>

So much to say, but a bit short on time at the moment. The biggest thing is that you are using obsolete MySQL code. You need to use PDO with prepared statements. Your database structure could use improvement as well.

 

You are also storing the timestamp data incorrectly. MySQL has a time stamp data type. You should be using that.

 

Your code is also vulnerable to SQL injection. You never ever send user-supplied data directly to the database.

Edited by benanamen
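
The points raised in the post above (PDO with prepared statements, no user-supplied data in the SQL text, a database-side timestamp), combined with the password hashing mentioned later in the thread, as an added example that is not part of the thread. SQLite in memory stands in for MySQL so it runs offline; the `password_hash` column, the sample account, the inputs and the function names `authenticate()` and `open_session()` are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the thread's code. Assumptions: SQLite in memory stands in
// for the MySQL database; the password_hash column and sample account are constructed.

function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // The placeholder sends the value separately from the SQL text.
    $stmt = $pdo->prepare('SELECT id, username, password_hash, type FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a salted hash; the plaintext password is never stored.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // The database writes the timestamp into a real date/time column.
    $upd = $pdo->prepare('UPDATE user SET lastlogin = CURRENT_TIMESTAMP WHERE id = :id');
    $upd->execute([':id' => $row['id']]);
    unset($row['password_hash']);
    return $row;
}

function open_session(array $user): void
{
    session_start();
    session_regenerate_id(true);       // fresh session ID at login
    $_SESSION['id'] = (int) $user['id'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['type'] = $user['type']; // the password is never put in the session
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            password_hash TEXT, type TEXT, lastlogin TIMESTAMP)');
$ins = $pdo->prepare('INSERT INTO user (username, password_hash, type) VALUES (?, ?, ?)');
$ins->execute(['jords', password_hash('correct horse', PASSWORD_DEFAULT), 'staff']);

// Constructed inputs: valid login, wrong password, quote characters in the name.
$attempts = [['jords', 'correct horse'], ['jords', 'guess'], ["jords' OR '1'='1", 'x']];
foreach ($attempts as [$name, $pass]) {
    $user = authenticate($pdo, $name, $pass);
    echo str_pad($name, 20), $user ? "accepted (id {$user['id']})" : 'rejected', PHP_EOL;
}
// In the web script: if ($user) { open_session($user); header('Location: index.php'); exit; }
```

Only the first attempt is accepted; the name containing quote characters is looked up as a literal username and matches no row.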

This code is malware. I don't know if the original author was actually evil-minded or just incompetent, but the result is the same: If you upload this to any server, it will take 5 minutes until the first script kiddie breaks in.

 

So throw this crap away and stop copy-pasting stuff you found “somewhere on the Internet”. I mean, you wouldn't run executables you found “somewhere on the Internet”, right?

 

Learn PHP, learn the basics of security and then write your own code. It's not that hard, and I'm sure we can help you with it. But I don't think anybody is willing to resurrect some garbage script from the 90s. Let it rest in peace.


And here I was thinking this was somewhere I could reach out to get help. I didn't write this, I just tried to make use of it. If you think it's not good enough to use, then do you have somewhere you can direct me to find something better, or learn how to code something similar myself?


See the two links above. ;)

 

I'd do this step-by-step: Start with the basics, then move on to databases, and finally learn the specifics of authentication (password hashing, session management etc.). Like I said, we can definitely help you if you have any questions.

 

Unfortunately, there's no shortcut. Sure, there's free PHP code all over the place, but pretty much all of it is crap and won't get you anywhere. You'll only learn wrong practices and maybe even damage your server. Sure, there are complete authentication systems, but they're very complex and not something you can just copy and adjust.
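
For the session-management part, and the two symptoms in the opening post, an added example (not code from the thread) of an explicit idle limit and a logout that clears data, cookie and store in that order. It assumes the early logouts come from PHP's session garbage collection, which the thread does not establish, and that the site is served over HTTPS; `IDLE_LIMIT`, `last_seen`, `login.php` and the function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not the thread's code. IDLE_LIMIT and the last_seen key are
// hypothetical names; 8 hours is an arbitrary sample value.
const IDLE_LIMIT = 8 * 3600;

function start_session(): void
{
    // Must be set before session_start(): the default gc_maxlifetime is 1440 s,
    // after which the server may delete idle session data.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

function session_is_idle(array $session, int $now): bool
{
    return isset($session['last_seen']) && $now - $session['last_seen'] > IDLE_LIMIT;
}

function logout(): void
{
    // Order matters: clear the data, expire the cookie, then destroy the store.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

start_session();
if (($_GET['logout'] ?? '') === '1' || session_is_idle($_SESSION, time())) {
    logout();
    header('Location: login.php');
    exit;   // stop here so the rest of the script cannot start a new session
}
$_SESSION['last_seen'] = time();
```

If other applications on the same host share the session save path with a shorter `session.gc_maxlifetime`, their garbage collection can still remove these sessions; a dedicated `session.save_path` avoids that.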

