Bugged by a session problem


#1

I thought I had somewhat of a mastery of sessions, until I encountered this problem. Basically, I'm trying to build a session-expired code which deviates a little bit from your everyday session-expired codes. I want the user of a website to be logged out automatically after the session expires, and redirected to the login page. But I also need that, if any other user tried to access that same website without having previously been logged on, he should be redirected not to the login page but to the signup page. So basically, the same page (index.php) should redirect the user to login.php if he was logged in and his session expired after 1 minute, or to signup.php if he wasn't logged in and tried to access home.php.

So what I tried to do to accomplish this was

- Declare two session variables, $_SESSION['id'] = "some value from database" and $_SESSION['logged_in'] = TRUE, every time the user successfully logs in.

- At the top of index.php, right after session_start(), check to see if 1 minute has elapsed since the last activity and, if so, unset $_SESSION['logged_in'] without destroying the session. So presumably, all other session variables including $_SESSION['id'] and the session itself remain intact.

- Right below that, check if $_SESSION['id'] is set. If not (meaning the session is not active and hence no user was logged in), redirect to signup.php. If it is set, then check if $_SESSION['logged_in'] is set and, if not, redirect to login.php.

Now to the code itself


<?php

// Address error handling
ini_set('display_errors', 1);
error_reporting(E_ALL & ~E_NOTICE);

// The session must be started before $_SESSION is read or written;
// the snippet as posted omitted this call.
session_start();

// Check whether the maximum allowable idle time has elapsed
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 60)) {
    // Last request was more than 1 minute ago: unset only the logged_in flag,
    // leaving 'id' and the rest of the session intact
    unset($_SESSION['logged_in']);
}

$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

// Get the current page URL to pass on to the session expired page.
// Note that HTTP_HOST is supplied by the client, so login.php must validate
// this value before redirecting to it.
$url = urlencode("http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

// Check whether the session variable id is present or not
if (!isset($_SESSION['id']) || (trim($_SESSION['id']) == '')) {
    // No id: no user was ever logged in on this session
    session_destroy();
    header("Location: signup.php");
    exit();
} else {
    // id is set, so the session is alive and hasn't been destroyed
    if (!isset($_SESSION['logged_in'])) {
        // logged_in is the variable unset on expiry, so the session has timed out.
        // The session is still alive, so destroy it. This deletes the server-side
        // session data for every open tab that carries the same session cookie.
        $msg = urlencode("Your Session Expired Due to Inactivity. Login Below");
        session_destroy();

        // Redirect to login.php and pass on the page URL; exit so nothing
        // below runs after the redirect header is sent
        header("Location: login.php?url=$url&msg=$msg");
        exit();
    }
}

?>

Well, the code works just as I want it to, except for this scenario. If I log in with some user's credentials, and open a new page by typing in url.com in a new window, this new page doesn't redirect to url.com/signup.php but stays on url.com/index.php, and all the session variables are available on this new page just like on the old page that was accessed by actually logging in. Well, that's expected. The problem is, when the session expires on this page, it gets redirected to url.com/signup.php and not url.com/login.php as expected (note that with the old page that was accessed by actually logging in, we do get redirected to url.com/login.php). Now this bothers me because the website is supposed to redirect to signup.php only if the user started a fresh session without having been logged in, as the logic from the code above shows. So, the $_SESSION['id'] variable actually exists (and I actually tested it by echoing it), but yet the code behaves as if it doesn't with every new page. What could possibly be going on here? I have tried using session_regenerate_id(), but that just keeps the session going without ever expiring. I tried to use the actual session_id() itself in the place of $_SESSION['id'], but in that scenario the page always gets redirected to url.com/login.php regardless of whether a user was previously logged in or not.

PS: I don't think this has anything to do with the problem, but it is worth noting that the URL of a page opened after a user logs in is url.com/index.php, but that of a page opened after a user is already logged in is simply url.com.
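The expired-versus-never-logged-in logic from the post, as an added example that is not the original poster's code. It keeps the decision in pure functions over the session array so it can be run from the CLI, and it differs from the posted code in one respect: on timeout it removes the user data but leaves a small 'expired_at' marker in the same session instead of calling session_destroy(), because session_destroy() deletes the server-side data that every tab carrying the same cookie shares. The function names, the 'expired_at' key and the 600-second marker lifetime are assumptions for illustration.

```php
<?php
// Added example (not the original poster's code). Names such as
// session_state(), mark_logged_in() and the 'expired_at' key are assumptions.
declare(strict_types=1);

const IDLE_LIMIT = 60;          // seconds of inactivity before logout (1 minute, as in the post)
const EXPIRED_NOTE_TTL = 600;   // how long to remember "you were logged out" (assumption)

// Call after a successful password check only. A fresh session id prevents fixation.
function mark_logged_in(array &$s, string $userId, int $now): void
{
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $s = ['id' => $userId, 'logged_in' => true, 'last_activity' => $now];
}

// Returns 'active', 'expired' or 'anonymous'.
function session_state(array &$s, int $now): string
{
    if (!empty($s['logged_in']) && isset($s['id'], $s['last_activity'])) {
        if ($now - $s['last_activity'] > IDLE_LIMIT) {
            $s = ['expired_at' => $now];   // drop id/logged_in but remember why
            return 'expired';
        }
        $s['last_activity'] = $now;        // touch on every request
        return 'active';
    }
    if (isset($s['expired_at'])) {
        if ($now - $s['expired_at'] <= EXPIRED_NOTE_TTL) {
            return 'expired';
        }
        $s = [];                           // marker is stale; treat as a plain visitor
    }
    return 'anonymous';
}

// Maps the state to the redirect the post wants. The return URL is urlencoded
// and the message is replaced by a fixed reason code rather than free text.
function redirect_for(string $state, string $requestUri): ?string
{
    $url = urlencode($requestUri);
    $targets = [
        'active'    => null,
        'expired'   => "login.php?url={$url}&reason=expired",
        'anonymous' => 'signup.php',
    ];
    return $targets[$state];
}

// Constructed walk-through of the scenario from the post: two tabs share one session.
function simulate_two_tabs(): array
{
    $session = [];                   // stands in for $_SESSION
    $t = 1000000;
    mark_logged_in($session, '42', $t);

    $tabA    = session_state($session, $t + 10);   // active
    $tabB    = session_state($session, $t + 20);   // active, same session data
    $tabA2   = session_state($session, $t + 100);  // idle for 80 s: expired
    $tabB2   = session_state($session, $t + 105);  // same session: still expired, not anonymous
    $fresh   = [];
    $visitor = session_state($fresh, $t + 105);    // never logged in: anonymous

    return [$tabA, $tabB, $tabA2, $tabB2, $visitor];
}

if (PHP_SAPI === 'cli') {
    echo implode(', ', simulate_two_tabs()), "\n";
} else {
    // What index.php would do with it
    session_start();
    $target = redirect_for(session_state($_SESSION, time()), $_SERVER['REQUEST_URI'] ?? '/');
    if ($target !== null) {
        header('Location: ' . $target);
        exit;
    }
}
```

Running it from the CLI prints the five states in order; the second tab now reports the timeout instead of being mistaken for a visitor who never logged in. The login page still has to validate the url parameter against its own host before redirecting to it.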


#2

Well, there are a lot of questions this could bring up. First, what is the default timeout in your server setup? If that is set high, then you might be having an issue with the session not actually being destroyed when you unset them.

I found an interesting thread about this type of issue. The user who posted it mentions a nice way to save the user sessions in case they log back in. I like the way he serializes the session variables and saves them for a certain time in a database. When the user logs back in, he returns the saved values so the user does not lose anything. But the actual session is fully closed and destroyed. This way should be very secure.
(Never tested that procedure, but, sounds like a great way to handle it!)

Well, doubt these comments helped, but, maybe this link might:
http://bytes.com/topic/php/answers/795054-php-ini-session-timeout Good luck!


#3

@ernie, well, I'm not sure the max default time could be the issue here, as I'm testing out my code with expire times as low as 30 seconds. And what seems to be the problem here is not that the session seems to be persisting, but that one session variable, $_SESSION['id'], seems to be unset when it is not supposed to be, yet at the same time it still gets printed out when echoed. I will check out your link nevertheless.


#4

Well, you did not show a lot of code. If that is all you have, make sure that you verify that your IF clauses are accurate. At the top of the code, just before this line:
//Check whether the session variable id is present or not

Add a list of variables that are used in your IF clauses…

$_SESSION['id'] = "SomeName";
$_SESSION['logged_in'] = "yes";

Then, use the four possible settings of these variables, id="xyz", id="", logged_in="xyz", logged_in=""…
And see what the results are for each. I am guessing that the logic of the IF clauses is not removing the session correctly. Also, after you UNSET the session, you can DESTROY the session so it is removed from memory. That would clear up any problems where some user just backs up the page and uses the cached versions… Not sure if this will help, but try it…


#5

@Ernie, thanks for all the insights. I'll have to examine them one at a time. I think I just may go with storing the variables in the database. Can you explain a little more how you thought one could go about that?
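One way to do what #2 describes, as an added example that is neither Ernie's nor the linked thread's code: when the inactivity check fires, the application data in the session is written to a table keyed by user id with an expiry time, and the next successful login for that user reads it back and deletes the row. It uses an in-memory SQLite database through PDO so it runs from the CLI (the pdo_sqlite extension is assumed); the table, column and function names are assumptions.

```php
<?php
// Added example (not code from the thread). Table and function names are assumptions.
declare(strict_types=1);

const SNAPSHOT_TTL = 3600; // keep a snapshot for an hour (assumption)

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:'); // swap the DSN for the real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE session_snapshot (
                 user_id TEXT PRIMARY KEY,
                 data    TEXT NOT NULL,
                 expires INTEGER NOT NULL)');
    return $db;
}

// Called when the inactivity check fires. Only application data is saved; the
// authentication keys are left out so a restored snapshot can never log anyone
// back in by itself.
function save_snapshot(PDO $db, string $userId, array $session, int $now): void
{
    $data = $session;
    unset($data['id'], $data['logged_in'], $data['last_activity']);
    // json_encode rather than serialize(): unserialize() of stored data is a
    // well-known object-injection risk if the table is ever tampered with.
    $stmt = $db->prepare('INSERT OR REPLACE INTO session_snapshot (user_id, data, expires)
                          VALUES (:u, :d, :e)');
    $stmt->execute([':u' => $userId, ':d' => json_encode($data), ':e' => $now + SNAPSHOT_TTL]);
}

// Called after the password check succeeds for $userId. Returns the restored
// variables (empty if nothing usable was stored) and deletes the row so it
// cannot be replayed.
function restore_snapshot(PDO $db, string $userId, int $now): array
{
    $stmt = $db->prepare('SELECT data, expires FROM session_snapshot WHERE user_id = :u');
    $stmt->execute([':u' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM session_snapshot WHERE user_id = :u')->execute([':u' => $userId]);
    if ($row === false || (int) $row['expires'] < $now) {
        return [];
    }
    $data = json_decode($row['data'], true);
    return is_array($data) ? $data : [];
}

// Constructed walk-through: a user with a half-filled form times out and logs in again.
function demo(): array
{
    $db = open_db();
    $now = 1700000000;
    $session = ['id' => '42', 'logged_in' => true, 'last_activity' => $now - 120,
                'cart' => ['sku-1' => 2], 'draft_title' => 'hello'];

    save_snapshot($db, $session['id'], $session, $now);
    $session = [];                                   // what the timeout leaves behind

    $restored = restore_snapshot($db, '42', $now + 30);
    $session  = array_merge(['id' => '42', 'logged_in' => true, 'last_activity' => $now + 30],
                            $restored);
    $second   = restore_snapshot($db, '42', $now + 31); // row was deleted: nothing to replay
    return [$session, $second];
}

if (PHP_SAPI === 'cli') {
    [$session, $second] = demo();
    var_dump(isset($session['cart']), $second === []);
}
```

The restore step runs only after the password check, and the snapshot never contains the logged_in flag, so a stale or tampered row cannot grant a login; it can only hand back the user's own form data.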


#6

Well, Drayarms, I would keep what you have as it almost works for you. I would just add some code to protect against going to an outside page. This can be done very easily in PHP. At the top of each page, check for the page you came from. If it is NOT in your domain, drop the session like a hot potato…

To do this, you use this code: $frompage = $_SERVER['HTTP_REFERER'];

What it does is get the page that got you to this one. But, it is actually a URL, so you will have to play with it a little to see if it is from your site. You could search the string for your domain name and if there, then it is okay. Also, do not put this in the actual login page as you don’t care if you go there from another site.

Did that make sense? Hope so. Let us know…
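The "is the referer from my site" check from #6, as an added example that is not Ernie's code. It parses the URL and compares the host rather than searching the string for the domain name, because a substring search accepts referers such as http://example.com.evil.test/. Treat the result as a hint only: the Referer header is sent by the client, is trivially forged, and is often absent (privacy settings, direct navigation, some HTTPS-to-HTTP transitions), so it cannot replace the session checks themselves or CSRF tokens. OUR_HOST and the function names are assumptions; the site host is a constant rather than $_SERVER['HTTP_HOST'], which is also client-supplied.

```php
<?php
// Added example (not code from the thread). OUR_HOST and function names are assumptions.
declare(strict_types=1);

const OUR_HOST = 'example.com';

// Returns true when $referer is absent (unknown) or names OUR_HOST or one of
// its subdomains; false when it clearly names another site or is malformed.
function referer_is_same_site(?string $referer, string $ourHost = OUR_HOST): bool
{
    if ($referer === null || $referer === '') {
        return true;   // header not sent: unknown, not hostile; decide separately how to treat that
    }
    $parts = parse_url($referer);
    if ($parts === false || empty($parts['host'])) {
        return false;  // malformed or relative: cannot vouch for it
    }
    $host    = strtolower($parts['host']);
    $ourHost = strtolower($ourHost);
    return $host === $ourHost || str_ends_with($host, '.' . $ourHost);
}

// Constructed test cases, including the ones a substring search gets wrong.
function check_cases(): array
{
    $cases = [
        'https://example.com/index.php'      => true,
        'https://www.example.com/'           => true,
        'http://example.com.evil.test/login' => false,  // substring match would pass this
        'https://evil.test/?example.com'     => false,  // and this
        'https://notexample.com/'            => false,
        ''                                   => true,   // header not sent
        'garbage'                            => false,  // no host component
    ];
    $results = [];
    foreach ($cases as $ref => $expected) {
        $results[$ref] = referer_is_same_site($ref) === $expected;
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (check_cases() as $ref => $ok) {
        printf("%-40s %s\n", $ref === '' ? '(no referer)' : $ref, $ok ? 'ok' : 'MISMATCH');
    }
} elseif (!referer_is_same_site($_SERVER['HTTP_REFERER'] ?? null)) {
    // Ernie's "drop the session like a hot potato", applied on pages other than login.php
    session_start();
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;
}
```

str_ends_with() requires PHP 8; on older releases use substr_compare(). Because a missing header is treated as unknown rather than hostile, an attacker who simply omits Referer is not blocked by this check, which is why it is only a supplement to the session logic and not a control in itself.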