
Hi all,

I've created a login script with cookie and SID enabled which I thought was working fine, until I sent a link to someone in a different country who was automatically logged into my account!

 

I've made the login code as basic as I can now, and I'm doing some debugging. Each time a page is requested, the checkLogin() method is called, which should check if a session is currently running. As a debug, I've got the page to mail me each time a check is made with the session IDs. Strangely, I've found that if I log in, then log out, then log back in again, the session ID stays the same. Should the logout not destroy the session, so that when I log in again a new one is created?

 

The following is the checkLogin code:

 

<?php
$loggedIn = false;
$ses_id = null;
$ses_user = null;
$ses_email = null;

checkLogin();

    function checkLogin(){
        // declare the globals once for the whole function; the original only
        // declared them in some branches, so the final else wrote a local copy
        global $ses_id, $ses_user, $ses_email, $loggedIn;

        session_start();

        if ((!isset($_SESSION['id'])) || (!isset($_SESSION['auth'])) || (!isset($_SESSION['user'])) || (!isset($_SESSION['email']))){
            //echo "not set";
            $loggedIn = false;
        }
        else{
            if ($_SESSION['auth'] == "yes"){
                $ses_id = $_SESSION['id'];
                $ses_email = $_SESSION['email'];
                $ses_user = $_SESSION['user'];
                $loggedIn = true;

                // debug code (the original "\\debug code:" line is a PHP parse error;
                // SID is only defined after session_start(), which has run above):
                $text = "session id: " . session_id() . "\nSID: " . SID . "\n\n ses_id: " . $ses_id . "\nses_email: " . $ses_email . "\nses_user " . $ses_user . "\nauth: " . $_SESSION['auth'] . "\nFROM: " . $_SERVER['REMOTE_ADDR'];
                mail("[email protected]", "Login Occurred",$text,"From: noreply@x");
            }
            else{
                $loggedIn = false;
            }
        }
    }?>

 

The code which is executed when a user logs in is:

 

<?php
// $number, $row and $postUsername come from the user lookup query that
// runs before this block in the login page (not shown in the post).
if ($number > 0 && ($row['confirm'] == 'yes')){

    session_start();
    // issue a fresh session ID now that the user is authenticated, so the ID
    // the visitor arrived with (for example one carried in a shared link)
    // is no longer valid
    session_regenerate_id(true);
    $_SESSION['auth'] = "yes";
    $_SESSION['id'] = $row["user_num"];
    $_SESSION['user'] = $postUsername;
    $_SESSION['email'] = $row["email"];

    header ('Location: x.php');
    exit; // a Location header does not stop the script; end it explicitly
}?>

 

with the logout script as follows:

<?php 
require 'functions.php';

session_start();
session_destroy();
header('Location: login.php');
?>

 

So, two questions really:

 

1) Does this code only rely on cookies being set now, or can it be used with the SID URL param?

2) Should the session ID be changing when a user logs out then logs in again?

 

Thanks in advance

 

Regards

Stu

https://forums.phpfreaks.com/topic/41989-help-with-login-script/
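An added example, not code from anyone in this thread: the login, check and logout pieces written so that they answer both questions in the post above (cookie-only session IDs, and a session ID that changes on login and is fully removed on logout). It assumes PHP 7.3 or later and a $row array with the user_num and email columns named in the post.

```php
<?php
// Question 1: take the session ID from the cookie only, never from a
// PHPSESSID URL parameter, so a forwarded link cannot carry a session with it.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
// add 'secure' => true once the site is served over HTTPS
session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);

function login_user(array $row, string $username): string
{
    session_start();
    // Question 2: rotate the ID at the moment of login. The old ID (which the
    // visitor arrived with, or which someone else saw) stops working; the
    // "true" argument deletes the old session file on the server.
    session_regenerate_id(true);
    $_SESSION = [
        'auth'          => 'yes',
        'id'            => $row['user_num'],
        'user'          => $username,
        'email'         => $row['email'],
        'last_activity' => time(),
    ];
    return session_id();   // the new ID; compare it to the value before login
}

function check_login(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['auth'], $_SESSION['id'], $_SESSION['user'])
        && $_SESSION['auth'] === 'yes';
}

function logout_user(): void
{
    session_start();
    $_SESSION = [];                          // drop the data first...
    if (isset($_COOKIE[session_name()])) {   // ...then the browser's cookie...
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();                       // ...then the server-side file
}
```

After calling login_user() or logout_user() the page should send its Location header and then call exit, so nothing runs after the redirect.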

Hey,

 

Sessions are really intriguing. I am still trying to figure out the ins and outs. What seems to be happening is your session is staying in the cookie. Here is a snippet I pulled from http://us2.php.net/manual/en/function.session-destroy.php

 

<?php
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();

// Unset all of the session variables.
$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
   setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();
?> 

 

The key here is the $_COOKIE part to kill the session cookie. Once that happens the session should be destroyed completely. Best of luck

 

--FrosT

Excellent, I'll try that in a bit. Thanks

 

You don't happen to know what happens when the session times out on the server do you?  That bit is intriguing me!  A user closes his/her browser window, but the server doesn't know that, so there must be a timeout.  If that's the case, is the session data removed?  And how is the cookie altered then?

 

 

Cheers

 

Regards

Stu

If you want to destroy a session then you really need to unset() the variable or session first.

Even though many users don't, with all that I do and read, the

best code practice is to unset() then session_destroy(), ok mate.

 

is there any benefit of using unset() over $_SESSION = array();?

 

Also, what does the server do at timeout?

 

Thanks again

 

Regards

Stu
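An added example, not code from anyone in this thread, for the timeout question asked above: PHP only sweeps old session files by chance, during some later request, and it never reaches into the browser to change the cookie (a session cookie with lifetime 0 is simply discarded when the browser closes). So the application has to enforce an idle limit itself. The IDLE_LIMIT value and the last_activity key are constructed for this example.

```php
<?php
// Server-side cleanup: on roughly gc_probability/gc_divisor of requests
// (defaults 1/100) PHP deletes session files untouched for longer than
// session.gc_maxlifetime (default 1440 seconds). Until that sweep happens a
// stale session file still works, so check the age explicitly.
const IDLE_LIMIT = 1800;   // seconds of inactivity allowed; constructed value

// Pure check on an array so it can be exercised without a live session.
// Returns true and refreshes the timestamp (sliding window), or empties the
// array and returns false when the session is too old or was never set up.
function session_is_fresh(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['last_activity'])) {
        return false;
    }
    if ($now - $session['last_activity'] > $limit) {
        $session = [];
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// Call this at the top of every page instead of trusting session.gc_maxlifetime.
function expire_session_if_idle(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (session_is_fresh($_SESSION, time())) {
        return true;
    }
    // Same teardown as a deliberate logout: data, browser cookie, server file.
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();
    return false;
}

// Self-check on a constructed array: 600 s idle passes, 2000 s idle does not.
$s = ['last_activity' => 1000];
assert(session_is_fresh($s, 1600) === true);
assert(session_is_fresh($s, 3600) === false && $s === []);
```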
