开发者

$_SESSION not recognized when logging back in after timeout

I have a site with both public and private sections. To access the private areas, users have to log in, which sets session variables. The login script authenticates everything and then changes the header location to the private page:

//get info from database and if user is authorized, then redirect
sessi开发者_如何学编程on_start();
$_SESSION['authorized'] = $user;
$_SESSION['firstname'] = $first;
$_SESSION['lastname'] = $last;
$_SESSION['password'] = $pass;
$_SESSION['position'] = $position;
$_SESSION['email'] = $email;
header( "Location: index2.php" );

Then on the index2.php page, I have an authorization check at the top:

session_start();
if(!isset($_SESSION['authorized'])){
header( "Location: denied_unauth.php" );
die();
}else{
//rest of page

Everything works like a charm. EXCEPT...if there's no activity for 20 minutes, users have to log back in. Index2.php uses jQuery to load divs into it, so users never leave index2.php. If they click to retrieve a page on the private site after inactivity, instead of the div they requested, they get a "logged out" message and are presented with the login form again. It's the exact same script as the one listed above, setting the exact same session variables and redirecting them back to the exact same page (index2.php), which is the same page they're logging in from - basically, just reloading the page.

Whenever I test this, index2.php isn't recognizing the new session. It's sending users to "denied_unauth.php" every time. This tells me that the login script is working, it's recognizing the username and password and sending users to index2.php...but when the page reloads index2.php, the session isn't being recognized. I even tried adding a random number to the end of the URL "index2.php?somerandomnumber in case it was a caching problem, but it didn't help.

Any ideas?

EDIT: To be clear, I'm not asking for a way to STOP the user being logged out. I'm trying to figure out why, if new session variables are created during the log-back-in script, it's not recognizing them when reloading the page. The session variables ARE created the first time they log in, so I know that part of the script works. But when they go back to the page again after re-logging, it doesn't recognize the new $_SESSION['authorized'].

EDIT 2: Here's what is happening:

  1. From the page index.php, user logs in. The login form creates a session and redirects the header to index2.php
  2. Page index2.php checks whether session is set, if not it kicks the user out to a "denied access" page.
  3. User clicks links within index2.php page to load sections into the main div
  4. Each file that loads into the main div has a check on it to see if the session is set. If the session exists then the file loads, if the session is expired then instead of the file, it shows the user the login form and asks them to log back in. (all this works so far)
  5. When the user logs back in from this form, a new set of session variables is created. I have tried both setting a new session or session_regenerate_id() and neither seems to work.
  6. This new session is NOT being recognized by index2.php and it kicks them out every time. I have tried both redirecting straight to index2.php after login, or simply loading the div they'd requested in the first place, but both ways, index2.php doesn't see that the session is set and the user ends up on the "denied access" page.


Sessions have a timeout specified in the php.ini file:

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440

; Document expires after n minutes.
session.cache_expire = 180

If you cannot or do not want to change that globally on the server, try using an .htaccess file on Apache.


I'm not sure it will work, but if you don't have access to your php.ini or .htaccess file, you might wanna use this after your session_start():

session_regenerate_id(true);

You should also put this in the page your jquery is loading divs from.


One surefire way to deal with this is to create an ajax heartbeat script you load in the background every X minutes which only needs to "touch" the session. This expects all your users to have JavaScript enabled though.


It's a session lifetime problem. you can solve this problem two way. here the description:

  1. change the php.ini file. increase the session.gc_maxlifetime, by default it is 1440 that means 24 mins. you can increase this by second.
  2. Here the second way without change the php.ini file. you can set session lifetime with php by using the following code :

    ini_set('session.gc_maxlifetime', 30*60);

    session_start();


I finally figured it out and got it to work. The login form was bound to a jQuery call on submit, I changed it so that the new login form actually performs the post call...and it started working.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜