I'm sorry I can't ask a question on the already answered question because I've just registered.

My issue is session expiry.

It's working fine and logging out after time set.

My issue is that when I'm not logged in and I revisit the site, it then redirects to the logged out page. I'm pretty sure that this is having a negative effect on my SEO.

This is the code I've used.

```php
// ********************************* //
// ************ SESSIONS *********** //

// stops javascript from getting the session id. phpacademy
ini_set('session.cookie_httponly', true);

// Start the session:
session_start();

// http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_destroy();   // destroy session data in storage
    session_unset();     // unset $_SESSION variable for the runtime
    header('Location: logged-out.php');
}

$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

// http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes
if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time(); // update creation time
}

// stops them using proxy servers and other ip addresses.
// remember the client IP the first time this session is seen
if (isset($_SESSION['last_ip']) === false) {
    $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}

// drop the session if a later request arrives from a different IP
if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
    session_unset();
    session_destroy();
}

// ************ SESSIONS *********** //
// ********************************* //
```

What can I do to stop being redirected to logged out when I'm already logged out?

I can see this is happening for others using StatCounter and their visit page is the logged out one?

Please advise.

  • So I would imagine it is your first conditional that is causing the problem. Have you tried to `var_dump($_SESSION['LAST_ACTIVITY'])` to see what value it is giving that you are not expecting? I would imagine that the way you wrote your time comparison could be problematic if you have `$_SESSION['LAST_ACTIVITY']` as say an empty string value (as `time() - 0` would ALWAYS be > 1800) – Mike Brant Jan 13 '14 at 17:13
  • Automatically redirecting to a login page for protected content is a good idea, automatically redirecting to a logged out page is not; only direct to the logged out page after the visitor really logs out (pressed the button). – jeroen Jan 13 '14 at 17:19
  • @jeroen thanks, I have two logged out states both with login forms. It's just that one will display you have automatically been logged out and thanks you have been safely logged out. Both have login forms. Is it still a problem? – user3191101 Jan 13 '14 at 18:06
  • @MikeBrant cheers Mike, I've set it to 5 seconds and playing with it. At the moment I've taken off the header Location to stop them getting redirected for now. – user3191101 Jan 13 '14 at 18:45

1 Answer

As specified in the PHP documentation about sessions, there is more to do to clean up/destroy a session than simply calling `session_unset` and `session_destroy`. To permanently delete a session you have to destroy the session cookie as well. To do that see here

And btw, calling `session_unset` after `session_destroy` does nothing; `session_unset` should be called before calling `session_destroy`, because once you've destroyed the session the data associated with the current session will no longer be accessible (though it is still stored on your server and can be accessed again via the session cookie).

elitechief21
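
One way to combine the answer's cleanup order (session data, then the session cookie, then the stored session) with the advice in the comments to redirect only visitors who were actually logged in. This is an added example, not part of the original posts; the `user_id` session key, the function names and the `login.php?reason=timeout` target are assumptions.

```php
<?php
// Added example, not the asker's code. 'user_id' and the redirect target are assumed names.
const IDLE_LIMIT = 1800; // seconds; the 30-minute limit from the question

// Pure decision, so it can be exercised without a live session.
function session_state(array $session, int $now, int $limit = IDLE_LIMIT): string
{
    if (!isset($session['user_id'])) {
        return 'anonymous'; // never logged in, or already logged out
    }
    // A missing or empty timestamp on a logged-in session counts as expired.
    $last = (int) ($session['LAST_ACTIVITY'] ?? 0);
    return ($now - $last > $limit) ? 'expired' : 'active';
}

// Full teardown: clear the data, expire the cookie, then destroy the storage.
function destroy_session_completely(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function enforce_idle_timeout(string $redirect = 'login.php?reason=timeout'): void
{
    ini_set('session.cookie_httponly', '1');
    session_start();
    switch (session_state($_SESSION, time())) {
        case 'expired':
            destroy_session_completely();
            header('Location: ' . $redirect);
            exit; // stop before any protected output is rendered
        case 'active':
            $_SESSION['LAST_ACTIVITY'] = time();
            break;
        // 'anonymous': no redirect and no timestamp; the public page just renders
    }
}

// Constructed sample sessions, evaluated at a fixed clock of 10000 seconds.
if (PHP_SAPI === 'cli') {
    echo session_state(['LAST_ACTIVITY' => 1], 10000), "\n";                    // stale data, no login
    echo session_state(['user_id' => 7, 'LAST_ACTIVITY' => 9000], 10000), "\n"; // recent activity
    echo session_state(['user_id' => 7, 'LAST_ACTIVITY' => 100], 10000), "\n";  // idle too long
}
```

The login handler is assumed to set both `user_id` and `LAST_ACTIVITY`, so a crawler or returning visitor with no login state is never sent to a timeout page.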