
Help with login script!


blast


Hi all,

I've created a login script with cookie and SID enabled which I thought was working fine, until I sent a link to someone in a different country who was automatically logged into my account!

 

I've made the login code as basic as I can now, and I'm doing some debugging.  Each time a page is requested, the checkLogin() method is called, which should check if a session is currently running.  As a debug, I've got the page to mail me each time a check is made with the session IDs.  Strangely, I've found that if I log in, then log out, then log back in again, the session ID stays the same.  Should the logout not destroy the session and so when I log in again a new one is created?

 

The following is the checkLogin code:

 

<?php
$loggedIn = false;
$ses_id;
$ses_user;
$ses_email;

checkLogin();

    function checkLogin(){ 

        session_start();
        
        if ((!isset($_SESSION['id'])) || (!isset($_SESSION['auth'])) || (!isset($_SESSION['user'])) || (!isset($_SESSION['email']))){
            global $loggedIn;
            //echo "not set";
            $loggedIn = false;
        }
        else{
            if ($_SESSION['auth'] == "yes"){
                global $ses_id, $ses_user, $ses_email, $loggedIn;
                $ses_id = $_SESSION['id'];
                $ses_email = $_SESSION['email'];
                $ses_user = $_SESSION['user'];
                $loggedIn = true;
                
                // debug code: mail the session details on every successful check
                $text = "session id: " . session_id() . "\nSID: " . SID . "\n\n ses_id: " . $ses_id . "\nses_email: " . $ses_email . "\nses_user " . $ses_user . "\nauth: " . $_SESSION['auth'] . "\nFROM: " . $_SERVER['REMOTE_ADDR'];
                mail("[email protected]", "Login Occurred",$text,"From: noreply@x");
            }
            else{
                $loggedIn = false;
            }
        }
    }?>

 

The code which is executed when a user logs in is:

 

 <?php
  if ($number > 0 && ($row['confirm'] == 'yes')){
           
        session_start();
        $_SESSION['auth'] = "yes";
        $_SESSION['id'] = $row["user_num"];
        $_SESSION['user'] = $postUsername;
        $_SESSION['email'] = $row["email"];

        header ('Location: x.php');
        
        
    }?>

 

with the logout script as follows:

<?php 
require 'functions.php';

session_start();
session_destroy();
header('Location: login.php');
?>

 

So, two questions really:

 

1) Does this code only rely on cookies being set now, or can it be used with the SID URL param?

2) Should the session ID be changing when a user logs out then logs in again?

 

Thanks in advance

 

Regards

Stu


Hey,

 

Sessions are really intriguing. I am still trying to figure out the ins and outs. What seems to be happening is your session is staying in the cookie. Here is a snippet I pulled from http://us2.php.net/manual/en/function.session-destroy.php

 

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
   setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?> 

 

The key here is the $_COOKIE part to kill the session cookie. Once that happens the session should be destroyed completely. Best of luck

 

--FrosT

Excellent, I'll try that in a bit. Thanks

 

You don't happen to know what happens when the session times out on the server do you?  That bit is intriguing me!  A user closes his/her browser window, but the server doesn't know that, so there must be a timeout.  If that's the case, is the session data removed?  And how is the cookie altered then?

 

 

Cheers

 

Regards

Stu

If you want to destroy a session then you really need to unset() the variable or session first.

Even though many users don't, with all that I do and read, the best code practice is to unset() then session_destroy(), OK mate.

 

is there any benefit of using unset() over $_SESSION = array();?

 

Also, what does the server do at timeout?

 

Thanks again

 

Regards

Stu
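
Added example (not code from the thread or its posters): the thread's login, check and logout steps with the session ID kept out of URLs, regenerated at login, and its cookie removed at logout. The function names are hypothetical, the `$row` fields follow the login snippet above, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// Cookie-only sessions: the ID is never read from or written into a URL,
// so a copied link cannot carry a logged-in session with it.
function startSecureSession(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                                  // already started in this request
    }
    ini_set('session.use_only_cookies', '1');    // ignore IDs passed in the URL
    ini_set('session.use_trans_sid', '0');       // never append the ID to links
    ini_set('session.use_strict_mode', '1');     // reject IDs the server did not issue
    ini_set('session.cookie_httponly', '1');     // keep the cookie away from scripts
    session_start();
}

// Call only after the username/password check has succeeded.
function logIn(array $row, string $username): void {
    startSecureSession();
    session_regenerate_id(true);   // fresh ID at login; the old session is deleted
    $_SESSION['auth']  = 'yes';
    $_SESSION['id']    = $row['user_num'];
    $_SESSION['user']  = $username;
    $_SESSION['email'] = $row['email'];
}

function isLoggedIn(): bool {
    startSecureSession();
    return isset($_SESSION['auth'], $_SESSION['id'])
        && $_SESSION['auth'] === 'yes';
}

function logOut(): void {
    startSecureSession();
    $_SESSION = [];                               // drop the data in this request
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same parameters it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                            // remove the server-side session
}
```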
