I have a site with both public and private sections. To access the private areas, users have to log in, which sets session variables. The login script authenticates everything and then changes the header location to the private page:

//get info from database and if user is authorized, then redirect
session_start();
$_SESSION['authorized'] = $user;
$_SESSION['firstname'] = $first;
$_SESSION['lastname'] = $last;
$_SESSION['password'] = $pass;   // note: the password does not need to live in the session; the 'authorized' flag is what later pages check
$_SESSION['position'] = $position;
$_SESSION['email'] = $email;
header( "Location: index2.php" );
exit;   // a Location header alone does not stop the script; nothing below should run after the redirect

Then on the index2.php page, I have an authorization check at the top:

session_start();
if(!isset($_SESSION['authorized'])){
header( "Location: denied_unauth.php" );
die();
}else{
//rest of page
}

Everything works like a charm. EXCEPT...if there's no activity for 20 minutes, users have to log back in. Index2.php uses jQuery to load divs into it, so users never leave index2.php. If they click to retrieve a page on the private site after inactivity, instead of the div they requested, they get a "logged out" message and are presented with the login form again. It's the exact same script as the one listed above, setting the exact same session variables and redirecting them back to the exact same page (index2.php), which is the same page they're logging in from - basically, just reloading the page.

Whenever I test this, index2.php isn't recognizing the new session. It's sending users to "denied_unauth.php" every time. This tells me that the login script is working, it's recognizing the username and password and sending users to index2.php...but when the page reloads index2.php, the session isn't being recognized. I even tried adding a random number to the end of the URL "index2.php?somerandomnumber" in case it was a caching problem, but it didn't help.

Any ideas?

EDIT: To be clear, I'm not asking for a way to STOP the user being logged out. I'm trying to figure out why, if new session variables are created during the log-back-in script, it's not recognizing them when reloading the page. The session variables ARE created the first time they log in, so I know that part of the script works. But when they go back to the page again after re-logging, it doesn't recognize the new $_SESSION['authorized'].

EDIT 2: Here's what is happening:

  1. From the page index.php, user logs in. The login form creates a session and redirects the header to index2.php
  2. Page index2.php checks whether session is set, if not it kicks the user out to a "denied access" page.
  3. User clicks links within index2.php page to load sections into the main div
  4. Each file that loads into the main div has a check on it to see if the session is set. If the session exists then the file loads, if the session is expired then instead of the file, it shows the user the login form and asks them to log back in. (all this works so far)
  5. When the user logs back in from this form, a new set of session variables is created. I have tried both setting a new session and session_regenerate_id(), and neither seems to work.
  6. This new session is NOT being recognized by index2.php and it kicks them out every time. I have tried both redirecting straight to index2.php after login, or simply loading the div they'd requested in the first place, but both ways, index2.php doesn't see that the session is set and the user ends up on the "denied access" page.
NayDreams
  • If this is a session lifetime problem (I'm not entirely sure I understand it completely), this should help: http://stackoverflow.com/questions/1173524/php-session-lifetime-problem – Pekka Apr 23 '11 at 13:40
  • @Pekka it should be a session life time problem, by the smell of the problem. – mauris Apr 23 '11 at 13:42
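The question's structure (a login script that fills $_SESSION and redirects, and a gate at the top of index2.php and of every fragment it loads) can be written so that the inactivity logout the asker wants is enforced by the application itself rather than left to PHP's garbage collector, and so that the password is never copied into the session. The following is an added example, not the asker's code or anyone's answer; it assumes PHP >= 5.4, a site served over HTTPS, and that the caller has already verified the credentials against the database and passes the resulting row as an array with the keys shown.

```php
<?php
// auth.php: added example, not the code from the question. Assumes
// PHP >= 5.4, cookie-based sessions over HTTPS, and that the caller has
// already checked the username/password against the database.

define('IDLE_TIMEOUT', 20 * 60);   // seconds of inactivity before logout

function start_session_once()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // lifetime 0 = until the browser closes; Secure + HttpOnly flags
        session_set_cookie_params(0, '/', '', true, true);
        session_start();
    }
}

// Call once the credentials have been verified. Only what later pages
// need goes into the session; the password itself is never stored there.
// The $user keys are an assumption about the database row.
function login_user(array $user)
{
    start_session_once();
    // A fresh id on every login: a stale id left in the browser by an
    // expired session is never reused, and session fixation is blocked.
    session_regenerate_id(true);
    $_SESSION = array(
        'authorized'    => $user['username'],
        'firstname'     => $user['firstname'],
        'lastname'      => $user['lastname'],
        'position'      => $user['position'],
        'email'         => $user['email'],
        'last_activity' => time(),
    );
}

// True if the session is authorized and has not been idle too long.
// The timeout is enforced here on every request rather than left to
// session.gc_maxlifetime, whose garbage collection only runs on a
// random fraction of requests (gc_probability / gc_divisor).
function is_authorized()
{
    start_session_once();
    if (empty($_SESSION['authorized']) || empty($_SESSION['last_activity'])) {
        return false;
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        $_SESSION = array();
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = time();   // sliding window
    return true;
}

// Gate for index2.php and for every fragment it loads into its divs.
function require_auth($denied = 'denied_unauth.php')
{
    if (!is_authorized()) {
        header('Location: ' . $denied);
        exit;   // never let the private content below run
    }
}
```

index2.php and each fragment file would start with `require 'auth.php'; require_auth();`, and the login script would call `login_user($row)` after its database check and then redirect with `header('Location: index2.php'); exit;`. Because `is_authorized()` refreshes `last_activity` on every call, a fragment load counts as activity, which matches the 20-minute idle behaviour described in the question.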

5 Answers

0

Sessions have a timeout specified in the php.ini file:

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

; Document expires after n minutes.
session.cache_expire = 180

If you cannot or do not want to change that globally on the server, try using an .htaccess file on Apache.

Francisc
  • The problem isn't that I don't want the session to expire...that's what I WANT it to do. I want users to be logged out after a period of inactivity. The problem is that when they submit the login form the second time, it should be creating a NEW session. And it's apparently not, because the page isn't recognizing it. Why would it create a session when the user first logs in, but then not create a new session after they are logged out and log back in? That's the question I need answered. – NayDreams Apr 23 '11 at 15:18
  • I'm still not sure what you mean, sorry. If you want a new session kill the current one with `session_destroy()` or just unset all variables with `session_unset()`. If you want to have 2 sessions at the same time, name them differently. – Francisc Apr 23 '11 at 17:52
  • I'm not logging them out, the server is automatically logging them out after an inactive period. I set the variables, check to see if they're set before pages load, and after about 20 minutes of no activity, the server no longer recognizes the session so they have to log back in. In the login script, I've tried both setting a new session and using session_regenerate_id(), but when it tries to reload the page, it doesn't recognize that a session is set. – NayDreams Apr 23 '11 at 18:16
  • If the sessions get unset after 20 mins, it's probably what I said in the above answer. I think it's an expire timeout setting. – Francisc Apr 27 '11 at 12:56
0

I'm not sure it will work, but if you don't have access to your php.ini or .htaccess file, you might want to use this after your session_start():

session_regenerate_id(true);

You should also put this in the page your jquery is loading divs from.

T4u
  • This sounds promising...Would this just "re-create" all the session variables that were in place before the user was logged out for inactivity? Where would I put it, in the login script, replacing the lines that (in the current script) are creating a new session? – NayDreams Apr 23 '11 at 15:21
  • @NayDreams - yes. It would create a new session, identical to the old session except for one thing - its id. Not only can it help to fix your problem, but it's also good for security - it helps against session hijacking (google it if you want). I would suggest putting it after "session_start();", but try to play with it. – T4u Apr 23 '11 at 15:36
  • Okay, this didn't work... I replaced the code in the login-script that was recreating the session variables with: session_start(); session_regenerate_id(true); print $page; die(); ...and when the page loaded, it still threw me out as being unauthorized. – NayDreams Apr 23 '11 at 18:11
0

It's a session lifetime problem. You can solve it in two ways. Here is the description:

  1. Change the php.ini file: increase session.gc_maxlifetime. By default it is 1440, which means 24 minutes; the value is in seconds.
  2. Here is the second way, without changing the php.ini file. You can set the session lifetime from PHP by using the following code:

    // must be called before session_start(); after the session is open it has no effect on the current request
    ini_set('session.gc_maxlifetime', 30*60);

    session_start();

Ariful Islam
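The php.ini and ini_set() answers above both turn on session.gc_maxlifetime, but that setting alone does not give a precise timeout: PHP's garbage collector only runs on a random fraction of requests, and a browser that still holds the old cookie can otherwise re-open an empty session under the same id. The snippet below is an added example, not from any answer on this page; its numbers are assumptions to be matched to the site's idle policy, and it assumes the site is served over HTTPS.

```php
<?php
// session_config.php: added example, not from any answer on this page.
// The numbers are assumptions; pick them to match the site's idle policy.
// Everything here must run before session_start(): ini_set() on these
// keys after the session is open has no effect on the current request.

$idle_seconds = 30 * 60;

// How long idle session data survives on the server before the garbage
// collector may delete it.
ini_set('session.gc_maxlifetime', $idle_seconds);

// The collector only runs on a random 1-in-(divisor/probability) request,
// so expiry is approximate. Debian-based installs set gc_probability to 0
// and clean up from a cron job instead; check what your distribution does.
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);

// Do not accept a session id the server did not issue. Without this, a
// browser presenting an id whose data was already collected simply gets
// a fresh empty session under that same old id. (PHP >= 5.5.2)
ini_set('session.use_strict_mode', 1);

// Cookie: 0 = until the browser closes; HttpOnly keeps it away from
// scripts; Secure restricts it to HTTPS (assumes the site uses HTTPS).
session_set_cookie_params(0, '/', '', true, true);

session_start();
```

Under mod_php the same values can go into .htaccess as `php_value session.gc_maxlifetime 1800` and so on, as the first answer suggests. One caveat for shared hosting: the collector cleans the whole session.save_path with the gc_maxlifetime of whichever script triggered it, so another application storing sessions in the same directory with a shorter lifetime will delete this site's sessions early unless this site uses its own session.save_path.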
0

One surefire way to deal with this is to create an ajax heartbeat script you load in the background every X minutes which only needs to "touch" the session. This expects all your users to have JavaScript enabled though.

code_burgar
0

I finally figured it out and got it to work. The login form was bound to a jQuery call on submit; I changed it so that the new login form actually performs the POST call...and it started working.

NayDreams
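The accepted fix replaces the jQuery-bound submit with a plain form POST. The answer does not say why the jQuery path failed, but one property of XMLHttpRequest is worth knowing when a login handler answers with `header("Location: ...")`: the XHR object follows that redirect itself, hands the body of index2.php to the success callback as a string, and the browser never navigates or reloads the page. A login handler that must stay on an AJAX path can detect the XHR and return JSON that tells the client where to go instead. The following is an added example, not the asker's code; it assumes the credential check and $_SESSION setup have already run earlier in the same script, and that the client is jQuery, which adds the X-Requested-With header to every request it sends.

```php
<?php
// login_response.php: added example, not the fix described in the answer.
// Assumes the credential check and $_SESSION setup have already happened
// earlier in the login script; only the response is shown here.

// Was this request sent by jQuery's $.ajax / $.post? jQuery adds the
// X-Requested-With header to every XMLHttpRequest it issues.
function is_xhr_request(array $server)
{
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

// Decide how to send the client to $next after a successful login.
// A normal form POST is redirected with a Location header (303 = POST
// followed by GET). For an XMLHttpRequest the redirect would be followed
// inside the XHR and the browser would stay on the same page, so the
// handler returns JSON and leaves the navigation to the client script.
function login_response(array $server, $next)
{
    if (is_xhr_request($server)) {
        return array(
            'status'  => 200,
            'headers' => array('Content-Type: application/json'),
            'body'    => json_encode(array('ok' => true, 'redirect' => $next)),
        );
    }
    return array(
        'status'  => 303,
        'headers' => array('Location: ' . $next),
        'body'    => '',
    );
}

// Emit the chosen response. Kept separate from the decision so the
// decision can be inspected without sending headers.
function send_response(array $response)
{
    http_response_code($response['status']);   // PHP >= 5.4
    foreach ($response['headers'] as $h) {
        header($h);
    }
    echo $response['body'];
    exit;   // nothing after a login response should run
}

send_response(login_response($_SERVER, 'index2.php'));
```

On the client, the jQuery success callback would then do `window.location = data.redirect;`, which performs the real page load that the original Location header could not trigger from inside an XHR. The `is_xhr_request()` check is only a convenience for choosing a response format; it is not an authentication signal, since any client can set that header.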