
PHP keeping session alive after returning to index [SOLVED]

Posted: Mon Aug 13, 2007 12:21 pm
by nykoelle
I have my authentication included in the index page. At the top of the index page I have ob_start(); then, after the beginning of my HTML, I call my authentication script. Here's a snippet from index.php where that is called:

Code:

<?php
//authenticate correctly and get a session
include("includes/authentication.php");
if(isset($_SESSION['valid']))
{
  //diffuse site IDs - nothing to do with authentication
  include('includes/site_breakdown.php');
?>

<div style="margin: 15px 0px 15px 0px; background-color: #eee; border: 1px solid #ddd; padding: 5px;">
	<span style="float: left;">Welcome, <?=$styled_site;?>.</span>

This is authentication.php:

Code:

<?php

if ($_POST['user']!=NULL)
{
	$user = md5($_POST['user']);
	$pass = md5($_POST['pass']);
	$result = mysql_query("select * from table where username = '" . $user . "' AND password = '". $pass ."'", $localhost);
	$row=mysql_fetch_assoc($result);
	if ($row['username']!=NULL && $row['site']!=NULL)
	{
		$val=1;
		session_start();
		$_SESSION['valid'] = 1;
		$_SESSION['site'] = $row['site'];
		ob_end_flush();
	}
	else if ($row['username']==NULL)
	{
		echo("<p>Invalid login, please try again.</p>");
	}
	else if ($row['site']=="" || $row['site']==NULL)
	{
		echo("<p>Your username is not associated with a site, please contact the system administrator or try again.</p>");
	}
	else
	{
		echo("<p>Invalid login, please try again.</p>");
	}
}
else
{
	if ($val!=1)
	{

?>

<form action="" method="POST">
<p>Please log into the ProCare Customer Portal.</p>
<p>Username: <input type="text" name="user" size="20" /></p>
<p>Password: <input type="password" name="pass" size="20" /></p>
<p><input type="Submit" /></p>
</form>

<?php
	}
	else
	{
		echo("<p>Invalid login, please try again.</p>");
		$val=0;
	}
}
?>

And all of this works correctly and as per my requirements. After the user is authenticated and the session starts, the HTML loads and shows the related data.

Here is my problem:
I want the user to be able to navigate to other pages (as long as the session is valid) but if I come back to this original page, the user is prompted again to login. I have looked around this site some but cannot find a way to make sure the session stays alive through all the pages. Do I have to rewrite how the session is established or is there a value I can store in the session that will accomplish this?

This is the first real authentication I've written, so I could be doing this all wrong. If there's a way I could do this better, please also let me know; I am very much open to suggestions. I saw in this post viewtopic.php?t=24789 the use of session_set_cookie_params(0, '/', '.foo.com'); before the session is begun, but I am unsure how to incorporate that into my script or if it is necessary to set any cookies.

Thank you in advance :)

Posted: Mon Aug 13, 2007 12:43 pm
by miro_igov
You can use session_destroy() on your authentication page so when the user returns to it his session will be deleted and all protected pages accessed after this page will require login (if this is properly coded).

Posted: Mon Aug 13, 2007 2:39 pm
by nykoelle
Yes, I have that separate for a logout page; however, I want to keep the session alive when the user returns to this page. As it is now, when the user returns to index.php, he is prompted to log in again. I want the session to be valid until the user closes the browser.

Posted: Mon Aug 13, 2007 3:53 pm
by superdezign
The problem is the conditional session_start(). session_start() MUST be called on every page that utilizes the session, unconditionally. Put it at the top of your document and you should be fine.

If you don't understand what session_start() does, it retrieves the session data for the current user and creates the $_SESSION array. You don't need to be logged in to have a running session.

Posted: Mon Aug 13, 2007 6:58 pm
by nykoelle
OK. So if I have something like:

Code:

session_start();
if authenticated
{
 $_SESSION['valid']=1;
}


if(isset($_SESSION['valid']))  
{
html

on every page, this will keep everyone logged in as they browse until they either log out or close the browser?

Edit: tried that out for myself, had to move some code around but now works like a charm. Thanks for the help :)
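
An added example, not part of the original thread, of the layout superdezign describes: session_start() runs unconditionally at the top of every page, and only the login check is conditional. The find_user() helper and its in-memory account are constructed stand-ins for the thread's database lookup; session_set_cookie_params() (mentioned in the first post) and session_regenerate_id() at login go beyond the thread's fix.

```php
<?php
// Added example: session bootstrap that runs unconditionally at the top of every page.
// Lifetime 0 makes this a session cookie, discarded when the browser closes.
session_set_cookie_params(0, '/');
session_start(); // loads the visitor's existing $_SESSION, or starts an empty one

// Constructed stand-in for the thread's database lookup (hypothetical data).
function find_user(string $user): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['demo' => [
            'hash' => password_hash('constructed-password', PASSWORD_DEFAULT),
            'site' => 'site-a',
        ]];
    }
    return $users[$user] ?? null;
}

$error = null;
// Only the credential check is conditional, never session_start().
if (!isset($_SESSION['valid']) && isset($_POST['user'], $_POST['pass'])) {
    $row = find_user((string) $_POST['user']);
    if ($row !== null && password_verify((string) $_POST['pass'], $row['hash'])) {
        session_regenerate_id(true); // fresh ID at login so a pre-login ID cannot be reused
        $_SESSION['valid'] = 1;
        $_SESSION['site']  = $row['site'];
    } else {
        $error = 'Invalid login, please try again.';
    }
}

if (isset($_SESSION['valid'])) {
    // Returning to this page with a valid session skips the form entirely.
    echo '<p>Welcome, ' . htmlspecialchars($_SESSION['site'], ENT_QUOTES, 'UTF-8') . '.</p>';
} else {
    if ($error !== null) {
        echo '<p>' . $error . '</p>';
    }
    ?>
<form action="" method="POST">
<p>Username: <input type="text" name="user" size="20" /></p>
<p>Password: <input type="password" name="pass" size="20" /></p>
<p><input type="submit" /></p>
</form>
    <?php
}
```

Because the bootstrap sends a cookie header, it has to run before any HTML is output (or behind ob_start(), as in the original index.php).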