I am creating sessions using the session_start() function.
I use sessions for the sign-in process.

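// auth.php
include_once 'common.php';
include_once 'db.php';
// start session
session_start();

// convert username and password from _POST or _SESSION
if (isset($_POST['username'], $_POST['password'])) {
   $_SESSION['username'] = $_POST['username'];
   $_SESSION['password'] = $_POST['password'];
}
$username = isset($_SESSION['username']) ? $_SESSION['username'] : '';
$password = isset($_SESSION['password']) ? $_SESSION['password'] : '';

// query for a user/pass match
// (values are escaped before being placed in the SQL string)
$result=mysql_query("select * from users
   where username='" . mysql_real_escape_string($username) . "' and password='" .
mysql_real_escape_string($password) . "'");

// retrieve number of rows resulted
$num = mysql_num_rows($result);

// print login form and exit if failed.
if($num < 1){

   echo "<center><BR><BR>You are not authenticated.  Please login.<br><br>
   <form method=POST action=main.php>
   username: <input type=text name=\"username\"> <BR>
   password: <input type=password name=\"password\"> <BR>
   <input value=login type=submit>
   </form></center>";
   exit;
}

// authenticated: read the user's details from the matching row
$Firstname = mysql_result($result,0,'FirstName');
$Lastname = mysql_result($result,0,'Lastname');
$phonenumber  = mysql_result($result,0,'phonenumber');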


The problem is that when a user logs in without logging off (where the
session is killed), he can access the page even the second day.

How do I set the session to expire after some time of inactivity?




When the user logs in successfully, set $_SESSION['login_time'] to
the current time.

When the user accesses a page, check whether $_SESSION['login_time']
is more recent than the current time minus the timeout interval.
If so, it's a valid session.  If not, he's no longer logged in
(session has expired), treat it as if there was no session and
redirect to the login page.

You may want to set $_SESSION['login_time'] to the current time on
EVERY page after determining that the user has a valid login.  That
way the user can stay logged in indefinitely as long as he keeps
clicking, but if he stops for a while, the session expires.

Incidentally, there's nothing magic about the name 'login_time'.
You can use any name for it.

                        Gordon L. Burditt
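
The check described in the reply above, written out as an added example (not code from either poster). It assumes PHP 7 or later; IDLE_TIMEOUT, session_is_fresh(), end_session() and login.php are hypothetical names chosen for the illustration.

```php
<?php
// Added example: idle timeout built on $_SESSION['login_time'].
// After a successful login, set $_SESSION['login_time'] = time();

const IDLE_TIMEOUT = 1800; // allowed inactivity in seconds (assumed value)

/**
 * Returns true and restarts the idle clock if the session is still valid.
 * Returns false if nobody is logged in or the idle limit has passed.
 * $session and $now are parameters so the logic can be tested on its own.
 */
function session_is_fresh(array &$session, int $now, int $timeout = IDLE_TIMEOUT): bool
{
    if (!isset($session['login_time']) || !is_int($session['login_time'])) {
        return false;                    // no login recorded in this session
    }
    if ($now - $session['login_time'] >= $timeout) {
        return false;                    // idle for too long: expired
    }
    $session['login_time'] = $now;       // activity seen: slide the window
    return true;
}

/** Discard the server-side data and the cookie so the old session ID is dead. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Top of every protected page (skipped on the command line).
if (PHP_SAPI !== 'cli') {
    session_start();
    if (!session_is_fresh($_SESSION, time())) {
        end_session();                   // treat it as if there was no session
        header('Location: login.php');
        exit;
    }
}
```

The timestamp lives in server-side session data, so the browser cannot extend it; PHP's own session garbage collection runs probabilistically and is not a substitute for this explicit check.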
