
I am creating the login for my application. It's working, but there's a problem. I log in, and after staying idle for some time the user session is automatically logged out, but it does not redirect to the login page. Besides not redirecting, it still allows to make records in the database without the user being logged in.

I'm trying to resolve it this way, but it will not let me sign in:

```php
session_start();
session_cache_limiter(1);
$limite = 60;
session_start();
if (isset($_SESSION['tempolimite'])) {
    if (time() > $_SESSION['tempolimite']) {
        header("Location: sair.php");
    }
} else { // First visit
    $_SESSION['tempolimite'] = time() + $limite;
}
echo "<h4 style='float: right; margin-right: 3%;'>Seja bem-vindo, " . $_SESSION['usuarioNome'] . "</h4>";
```

I'm trying another way:

First I put this line in the page where I start the session:

```php
$_SESSION['login_time'] = time();
```

Then on the page where I make the registration I put this code:

```php
session_start();

if (time() - $_SESSION['login_time'] >= 25) {
    session_destroy(); // destroy session.
    header("Location: sair.php");
    die(); // See https://thedailywtf.com/articles/WellIntentioned-Destruction
    //redirect if the page is inactive for 30 minutes
} else {
    $_SESSION['login_time'] = time();
    // update 'login_time' to the last time a page containing this code was accessed.
}

echo "<h4 style='float: right; margin-right: 3%;'>Seja bem-vindo, " . $_SESSION['usuarioNome'] . "</h4>";
```

It works, but I have to refresh the page manually; otherwise the page stays available and able to register. How can I, when the time limit passes, redirect automatically without having to refresh the page?

Lucas Hendren
Bruno

  • "it still allows to make records in the database without the user being logged in" you never logged them out explicitly, so why should they be logged out? As for the redirect, try putting that `echo` line inside the `else` statement. Also, be sure nothing else is printed before you send the header **including empty lines**. – Federico klez Culloca Apr 05 '19 at 14:21
  • @Federico klez Culloca What I meant is, to access the registration page I have to log in, because without the login I cannot access it. The problem is that after logging in, when the session expires, it does not automatically redirect to the login page and, by not redirecting, allows logs to be made. – Bruno Apr 05 '19 at 14:35
  • The session expires just because you say so. There's nothing in your code that makes the session expire. You just check a value *you* defined and based on that you decide that the session expired. But that's not the case. You have to explicitly destroy whatever you created in session after the user logged in, otherwise the session will still contain whatever it previously contained. – Federico klez Culloca Apr 05 '19 at 14:40
  • See [here](https://stackoverflow.com/a/8311400/133203). The second part (Certainty in critical environments), in particular, is what you probably need to do in your case. – Federico klez Culloca Apr 05 '19 at 14:42
  • @Federico klez Culloca I edited the question with new code, can you help? – Bruno Apr 05 '19 at 15:40
  • "redirect automatically without having to refresh the page?"...PHP cannot run without a request to the server, so you need to use some JavaScript in the browser - an Ajax request to the server to ensure the session is killed and then a window.location call to redirect. But is it really so important? If a user has the site open in the browser but isn't making requests to the server then what harm are they doing? It's surely enough to check the session next time they actually make contact with the server. – ADyson Apr 05 '19 at 16:57
  • @ADyson Yes, that's exactly what I need, when they are sending data to the database, checking if they are still logged in or if the session has expired and if it has expired, do not submit, how can I do it? – Bruno Apr 05 '19 at 17:09
  • Are you using Ajax to send the data? – ADyson Apr 05 '19 at 17:16
  • @ADyson Yes, I am using it; the communication between HTML and PHP is sent by Ajax. – Bruno Apr 05 '19 at 17:18
  • Ok so when you receive the Ajax request at the server, your PHP can check the session time. If the session has expired then return an error response e.g. maybe 403 forbidden would be appropriate. When the Ajax request receives this type of response, then you write some JavaScript code to redirect the user to the login page. – ADyson Apr 05 '19 at 17:21
  • @ADyson Can you not put an example? – Bruno Apr 05 '19 at 17:23
  • Which part of that don't you know how to do? You should be able to find out how to do all those steps by searching – ADyson Apr 05 '19 at 17:25
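
The flow ADyson describes in the comments, as an added example (not code from the question or from any commenter): the Ajax endpoint checks idle time itself and answers 403 before any database write. The file name `salvar.php`, the 1800-second limit and the JSON error shape are assumptions; `usuarioNome` and `login_time` are the session keys used in the question.

```php
<?php
// Added example: idle-timeout guard at the top of an Ajax endpoint.
// Hypothetical file name: salvar.php. Assumes the login page sets
// $_SESSION['usuarioNome'] and $_SESSION['login_time'], as in the question.

const IDLE_LIMIT = 1800; // seconds of inactivity allowed (assumed value)

/** True only if the session holds a logged-in user who is not idle too long. */
function session_is_active(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['usuarioNome'], $session['login_time'])) {
        return false; // never logged in, or session already cleared
    }
    return ($now - (int) $session['login_time']) < $limit;
}

/** End the session completely: data, server-side record and browser cookie. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();

if (!session_is_active($_SESSION, time())) {
    end_session();
    http_response_code(403); // status suggested in the comments
    header('Content-Type: application/json');
    echo json_encode(['error' => 'session_expired']);
    exit; // nothing below runs, so no record is written
}

$_SESSION['login_time'] = time(); // activity renews the idle timer

// ... validated database insert goes here, reached only with a live session ...
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

On the client, the Ajax error handler checks for status 403 and sets `window.location` to the login page, which gives the redirect without a manual refresh.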

0 Answers