php session timeout all code in one page

Question

Regarding to How do I expire a PHP session after 30 minutes?, I copied some code from the 2nd answer Simple way of PHP session expiry in 30 minutes. I'd like to combine login and information to 1 page and another page is logout.php here is my code.

homepage.php

if(isset($_POST["submitform"])){

    $v1 = "admin";
    $v2 = "admin";
    $v3 = $_POST['username'];
    $v4 = $_POST['password'];

    if($v1 == $v3 && $v2 == $v4){
    session_start();
    $_SESSION['username'] = $v1;
    $_SESSION['start'] = time(); // taking now logged in time
    $_SESSION['expire'] = $_SESSION['start'] + (1* 30) ; // ending a session in 30 seconds

    if(!isset($_SESSION['username'])){
      echo "Please Login again <a href='logout.php'>Click Here to Login</a>";
    }else{
       $now = time(); // checking the time now when home page starts
        if($now > $_SESSION['expire']){
         session_destroy();
          echo "Your session has expire !  <a href='logout.php'>Click Here to Login</a>";
        }else{
        echo "This should be expired in 1 min <a href='logout.php'>Click Here to Login</a>";
        }
    }
    }else{
     echo '
    <form  method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <button type="submit" name="submitform">Sign in</button>
    </form>';
    echo  '<font color="red">wrong password</font>"';
    }       
 }else{
    echo '
    <form  method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <button type="submit" name="submitform">Sign in</button>
    </form>';
 }
?>

Logout.php

<?php
session_start();
session_destroy();
header('Location: homepage.php');
?>

I set session expire to 30 seconds, however I found the session doesn't expire as expected. The session never expire. I am wondering if i put session_start(); in a right place? Thanks

How do you mean never expires? Did you leave the page alone for over 30 minutes and come back to find yourself still logged in? — Phill Sparks, Apr 27 '13 at 19:41
@PhillSparks. 30 seconds not 30 mins, I shortened the expiry time. Yes, I still logged in. — olo, Apr 27 '13 at 19:42
simply check $_SESSION['expire'] against time, and destroy the session if time is bigger, I've never seen personally a cookie with time smaller than 5 minutes — Hawili, Apr 27 '13 at 19:56

Rick Burgess · Accepted Answer · 2013-04-27T20:14:55.057

You are only checking the status of the session on form post.

If you refresh the page it will resend the post, logging you in and extending the session.

Your logic needs to be:

if post, check password and extend session.

check if session has expired (this must happen if post there or not, makes no difference.)

based on the outcome of the session check display either a login form or the log out message.

if (isset($_POST["submitform"])) {

    $v1 = "admin";
    $v2 = "admin";
    $v3 = $_POST['username'];
    $v4 = $_POST['password'];

    if ($v1 == $v3 && $v2 == $v4) {
        session_start();
        $_SESSION['username'] = $v1;
        $_SESSION['start'] = time();
        // taking now logged in time
        $_SESSION['expire'] = $_SESSION['start'] + (1 * 30);
        // ending a session in 30 seconds

    } else {
        echo '
    <form  method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <button type="submit" name="submitform">Sign in</button>
    </form>';
        echo '<font color="red">wrong password</font>"';
     die();
    }

    if (!isset($_SESSION['username'])) {
        echo "Please Login";
        echo '
            <form  method="post">
            <input type="text" name="username">
            <input type="password" name="password">
            <button type="submit" name="submitform">Sign in</button>
            </form>';
    } else {
        $now = time();
        // checking the time now when home page starts
        if ($now > $_SESSION['expire']) {
            session_destroy();
            echo "Your session has expired !  <a href='logout.php'>Click Here to Login</a>";
        } else {
            echo "This should be expired in 1 min <a href='logout.php'>Click Here to Login</a>";
        }
    }

Yes, you are right, is that possible to have different sessions on the same page? or I have to separate pages? — olo, Apr 27 '13 at 20:07
I added a litte more detail to my answer, hopefully that helps — Rick Burgess, Apr 27 '13 at 20:08

score 0 · Answer 2 · answered Apr 27 '13 at 19:45

0

session_start() needs to be the first line of code.

In addition, you could set the cookie to expire.

answered Apr 27 '13 at 19:45

tpow

7,600
11
59
84

@tpow Thanks, I moved `session_start()` on the top of the page and the first line of the code. still the same, session doesn't expire after 30 seconds – olo Apr 27 '13 at 19:50

score 0 · Answer 3 · answered Apr 27 '13 at 20:10

0

is that possible to have different sessions on the same page?

YES

So use

One user, one session. Period.

http://us3.php.net/manual/en/ref.session.php

answered Apr 27 '13 at 20:10

underscore

6,495
6
39
78

php session timeout all code in one page

3 Answers3