1Cougar

PHP user login and automatic logout issues

Hello,

I have a login page in PHP. This works in that users can log in; however, the error checking (wrong password) doesn't work correctly. If the user enters an invalid password then I still get a response "good" and the page gets redirected when I should be getting "invalid username or password" and a reload of the login page. I don't understand why the code doesn't return "bad" for wrong password/login. Here is a snippet:

$rs1=$conn->execute($query1);
If($rs1){
	$status= "good";
	$teacherID = strval($rs1['UserID']);
	$teacher = strval($rs1['Teacher']);
	$avatar = strval($rs1['Avatar']);
	//if( empty($mysession)){
	//	$micro = microtime();
	//	$micro = str_replace(" ", "",$micro);
	//	$micro = str_replace(". ", "",$micro);
	//	$mysession = "teacher" . $micro;
	//}
	//session_name($mysession)
	session_start();
	$_SESSION['teacher'] = $teacherID;

} else {
	$status= "bad";
}


Also, I don't know how to put in place an automatic logout for the user after say 15 minutes of inactivity.......any pointers would be much appreciated.

Cheers,
Jagadishwor Dulal

Your if statement is wrong; try using this code:
if(mysql_num_rows($rs1)>0){
	$status= "good";
	$teacherID = strval($rs1['UserID']);
	$teacher = strval($rs1['Teacher']);
	$avatar = strval($rs1['Avatar']);
	session_start();
	$_SESSION['teacher'] = $teacherID;

} else {
	$status= "bad";
}

If the password checking doesn't work, then it's not really a 'login page', more of a 'pass-thru' page.  Here https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html is Ray's EE article on the subject.  Note that the default timeout for PHP sessions is 24 minutes but that is not a precise timeout.  It is rarely necessary to get any pickier than that.
1Cougar

ASKER

@ jagadishdulal :

I am not using mysql but sql server....I tried your code but it still executes the "successful" login when there are no records from the query with an invalid password.

??
1Cougar

ASKER

I have the login working now, but still need to understand the logout.....

On the php page to process login I have this code:
session_start();
	
	$_SESSION['loginTime'] = time();


and the user gets redirected to the site.  However, when I include this code the alert value is null....so I am guessing the session variable is not being saved:

var thistime = <?php echo "'".$_SESSION['loginTime']."'";?>;
	alert(thistime);


Does anyone know what I am doing wrong?

Many thanks again....
1Cougar

ASKER

Hello,

This is my current situation....the user logs in and is directed to the main site (php page).  I have this code at the top of the page:

session_start();
		$inactive = 60;
		if(isset($_SESSION['loginTime'])) {
			$session_life = time() - $_SESSION['loginTime'];
			if($session_life > $inactive)
				{
					session_destroy(); 
					header("Location: http://www.infocuseurope.com/trainer/pages/IFETeacherlogin.php");
				}
		}
		
		$_SESSION['loginTime']= time();


However, the user never gets redirected after 60 seconds.....can anyone see what might be wrong with my logic?
1Cougar

ASKER

I am looking for a solution for logout after inactivity....
ASKER CERTIFIED SOLUTION
Ray Paseur

Glad you asked this question!  Here is the article that resulted from researching the answer.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html

Best to all, ~Ray
1Cougar

ASKER

@Ray_Paseur,

Thank you--this has been very helpful and I have implemented much of what you suggested.

However, I am still not achieving what I really would like, which is a logout after 10-15 minutes and a redirect to the login page.  

The user logs in to a main page.  On the main page are several tabs which load other pages, but via AJAX -so there is not another request sent for the main page.  So you would think that after 24 default minutes of inactivity at the most the page should be redirected to the login page if the user tries to come back and change data.  But, this is not what is occurring.  The main page always stays and looks to the user like they can enter data.

I have put this code in the main page:

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 120)) {
    // last request was more than 2 minutes ago (120 seconds, shortened for testing)
    session_unset();     // unset $_SESSION variable for the run-time 
    session_destroy();   // destroy session data in storage
	header("Location: http://www.mysite.com/trainer/pages/MyLogin.php");
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp


And if I hit "refresh" after 2 min (set for testing) then it does send me to login page.  But, if I don't refresh and instead just want to continue and enter data (you might recall I am doing a scheduling app) then it will allow me.  Except I am still experiencing some strange behavior with data getting deleted for some users when they "save" so I would like to force a log out to rule out the possibility that the data corruption/deletion is coming from expired data cache with a page that remains so the user thinks they can still perform operations.

Since I have "tabs" on the main page, maybe just having this script on the main page isn't good enough but I tried to add it to the php pages that get loaded in the tabs, it threw an error, and this also did not work in that I never got logged out and sent to the login screen automatically after 2 minutes of inactivity.

I hope I am making sense....any thoughts would be much appreciated.

Thanks again,
I think you're still swimming upstream on this problem.  To fully understand what is happening you need to delve into the behavior of the HTTP Client/Server protocol.  Please read this.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

In the client-server protocol, there is no such thing as a server-initiated activity.  The concept that the client computer would "get redirected" to the login page seems like a nice idea but it can only happen after the client has made a request to the server and the server makes a response.

If the human client is doing nothing - just watching the screen - the server will not receive any communication and will not be able to make any response.  Unless (and this is a big unless) the non-human client (computer, handheld, phone, etc) is able to make an AJAX request to the server.  The AJAX request can be triggered by a number of things, including a timer running on the client computer.

If the human client is doing something like entering data into a plain old HTML form, the client machine is not making any requests to the server, so the appearance of events as seen by the session handler is the same as an idle client.  You might be able to get around this by having an onKeyUp event that signaled the server via an AJAX request.  The server could renew its timeout period each time the event was signaled.

You might also think about the overall design of the data entry process.  The central goal, it would seem to me, would be to avoid losing the data and forcing the client to start over.  This would suggest an onBlur event that sent each field to the server via an AJAX request as soon as the (human) client moved her attention away from the input control.
Ray is right.  The server just reacts to requests from the client.  Web sites like Facebook that appear to act differently are doing frequent AJAX requests to the server, the server is not initiating anything.
1Cougar

ASKER

My page uses AJAX not page reloads and I understand what you are saying.  I am adding some code to the AJAX requests to check for timeout.

Thanks a lot,
Thanks for the points - it's a really good question! ~Ray
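
The timeout check for AJAX requests discussed in this thread, as an added example that is not code from any participant or from the linked articles: one guard shared by the main page and every tab/AJAX handler, which answers an expired AJAX call with a 401 and JSON instead of a redirect. The names IDLE_LIMIT, LOGIN_URL, session_is_expired(), is_ajax_request() and enforce_idle_timeout() are hypothetical, the login path is a placeholder, and the X-Requested-With header is assumed to be sent by the client's AJAX library (jQuery does this).

```php
<?php
// Added example: idle-timeout guard for full pages and AJAX endpoints.
// All function and constant names are hypothetical; session keys come from the thread.
const IDLE_LIMIT = 900;            // 15 minutes of inactivity, in seconds
const LOGIN_URL  = '/login.php';   // placeholder path to the login page

// Pure decision, kept separate so it can be checked without a live session.
function session_is_expired(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    // No login marker or no activity stamp means the visitor is not authenticated.
    if (!isset($session['teacher'], $session['LAST_ACTIVITY'])) {
        return true;
    }
    return ($now - (int) $session['LAST_ACTIVITY']) > $limit;
}

function is_ajax_request(array $server): bool
{
    // Client-supplied convention: used only to pick the response format,
    // never to decide whether the request is allowed.
    return strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
}

function enforce_idle_timeout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (session_is_expired($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        if (is_ajax_request($_SERVER)) {
            // A Location header would be followed silently by the XHR and the
            // login HTML would be loaded into the tab, so signal the expiry instead.
            http_response_code(401);
            header('Content-Type: application/json');
            echo json_encode(['error' => 'session_expired', 'login' => LOGIN_URL]);
        } else {
            header('Location: ' . LOGIN_URL);
        }
        exit;   // stop here so no save or delete logic runs on an expired session
    }
    $_SESSION['LAST_ACTIVITY'] = time();   // sliding window: renew on every request
}
```

Call enforce_idle_timeout() as the first statement of the main page and of every script loaded into a tab or called via AJAX, but not on the login page itself. On the client, the AJAX error handler can send the browser to the login page when it sees the 401 status.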