1

I have a sidebar with a category "abc". On clicking it, a pop-up div loads asking the user to log in or register. Once the user logs in, it loads the page "xyz.php". In order to prevent direct access to "xyz.php", I am creating a session variable on post and checking in "xyz.php" if the session variable exists:

<?php
session_start();
if (!isset($_SESSION['logged_in'])) {
    // Not logged in: redirect and stop, otherwise the rest of the page still runs
    header("Location: index.php");
    exit;
}
?>

This works perfectly fine and I am able to block direct access to the above link. However, once the user logs in, the page can be accessed directly. In order to prevent this, I am releasing the session variable through:

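<?php
session_start();
// session_unset() takes no arguments and clears every session variable;
// unset() removes just this one
unset($_SESSION['logged_in']);
?>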

However, I am calling this in the index file, and the session variable will be unset only if the user visits the home page. How can I unset the session variable across the website once the user has logged in and the page has loaded? The page should load again only after the user has entered the login credentials again. There is no logout mechanism in place and one is not desired.

Sarah
  • Just out of curiosity, why do you want to block direct access when the user is already logged in? That is typically very normal behavior. – Liftoff Dec 08 '14 at 07:58
  • Are you asking about auto session clear? – Harshana Dec 08 '14 at 08:07
  • @David the user might have closed the website window and revisit at a later time/date, and the session would still be available. The user should use the login option to view the particular page – Sarah Dec 08 '14 at 08:07
  • @Harshana yes clear the session once the page has loaded through the login option – Sarah Dec 08 '14 at 08:08
  • This situation is typically avoided by configuring a timeout in your session. – Liftoff Dec 08 '14 at 08:08
  • So didn't you see this? Check out this http://stackoverflow.com/questions/21807025/how-to-destroy-session-automatically-after-5-minutes-of-inactivity-on-website-in – Harshana Dec 08 '14 at 08:09
  • @Harshana you mean call this on every page of the website? That will be a lot, I was hoping to call it at one particular place to be effective throughout the website – Sarah Dec 08 '14 at 08:12
  • @David where should the timeout be configured? On the same "xyz.php" page? How to configure the timeout? – Sarah Dec 08 '14 at 08:12
  • @Sarah I posted it as an answer. – Liftoff Dec 08 '14 at 08:14
  • If you use this on the home page (xyz), then the session will be destroyed and they can't access other pages, because the session is destroyed. After the session is not set, they can't access other pages, isn't it? – Harshana Dec 08 '14 at 08:16

2 Answers

2

As per the comments above, I figured I would elaborate a bit, and this is not fit for comments, so here you go.

It is common practice to terminate a session due to inactivity by setting a timeout in your session variables.

Let's say that you want to terminate the session after 30 minutes of inactivity, whether that is because the user has not done anything on your website for 30 minutes or they have navigated away from it entirely.

You can manage this by creating a variable in your session (for this example, we'll call it last action) and storing the timestamp of the last user action in it. Update this on every page refresh and change and check if the time since the last action is greater than the timeout threshold. If so, kill the session.

Create a file named "updateSession.php":

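<?php

    session_start();
    //1800 == 30 minutes; a missing timestamp is treated as a fresh session
    if(isset($_SESSION["lastAction"]) && (time() - $_SESSION["lastAction"]) > 1800)
    {
        session_unset();
        session_destroy();
        header("Location: /timeout");
        exit; //return would only leave this include and the page would still render
    }

    $_SESSION["lastAction"] = time();

?>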

Then just include this file in every page:

include "{$_SERVER["DOCUMENT_ROOT"]}/path/to/updateSession.php";
Liftoff
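The inactivity timeout from the answer above, written as one guard file (an added example, not code from the original posts). The file name guard.php and the function names are hypothetical, and it assumes the login handler sets both $_SESSION['logged_in'] and $_SESSION['lastAction'].

```php
<?php
// guard.php (hypothetical name): require it at the top of every protected page.
// Assumes the login handler sets $_SESSION['logged_in'] = true and
// $_SESSION['lastAction'] = time() after checking the credentials.
declare(strict_types=1);

const IDLE_LIMIT = 1800; // 30 minutes of inactivity, as in the answer

/** Pure decision, testable without a live session. */
function sessionIsValid(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    if (empty($session['logged_in']) || !isset($session['lastAction'])) {
        return false; // not logged in, or no timestamp to judge by
    }
    return ($now - (int) $session['lastAction']) <= $idleLimit;
}

/** Drop the server-side data and expire the session cookie in the browser. */
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function requireLogin(string $redirect = 'index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!sessionIsValid($_SESSION, time())) {
        endSession();
        header('Location: ' . $redirect);
        exit; // without this the protected page body is still sent
    }
    $_SESSION['lastAction'] = time(); // slide the idle window forward
}

// Constructed sample sessions, evaluated only when run directly: php guard.php
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $now = 10000;
    var_dump(sessionIsValid(['logged_in' => true, 'lastAction' => $now - 60], $now));
    var_dump(sessionIsValid(['logged_in' => true, 'lastAction' => $now - 1801], $now));
    var_dump(sessionIsValid([], $now));
}
```

A protected page such as xyz.php would start by requiring this file and calling requireLogin() before any output is sent.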
0

You may use this code. You have to get the user id, then check the condition:

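<?php
session_start();
// $user_id: the user id you fetched beforehand (the expected value)
if (!isset($_SESSION['logged_in'], $_SESSION['user_id']) || $_SESSION['user_id'] !== $user_id) {
    header("Location: index.php");
    exit;
}
?>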
4302836
  • I have no issues reading the session variable and granting access to the page through login. It's clearing the session variable after page load that I want to work on – Sarah Dec 08 '14 at 08:09