Sessions - Timeout

         

woldie

11:14 am on Sep 30, 2004 (gmt 0)

10+ Year Member



Hello,

I've created a login system using sessions and it works well, which is a bonus :o). However, the login system doesn't have a timeout capability, so if it's inactive it should redirect them to the login screen.

Can anyone point me in the right direction? I've been scouring the web for an example but am a little confused about how to incorporate this into my code.

The code below demonstrates what happens after the user has logged in, but I need to set a session timeout.

Thanks.

// Assumes session_start() has already been called before this point.
if ($etid == 2)
{
    // Escape the submitted values before interpolating them into SQL;
    // the original inserted $email and $pass unescaped.
    $email_sql = mysql_real_escape_string($email);
    $pass_sql  = mysql_real_escape_string($pass);
    $etid      = (int) $etid;

    $result1 = mysql_query("select id from tablename1,tablename2
        where email_address='$email_sql'
        AND password=password('$pass_sql')
        AND tablename1.etid=tablename2.etid
        AND tablename1.etid=$etid");
    list($id) = mysql_fetch_row($result1);

    $result = mysql_query("select shid,showname
        from tablename3
        where current=1");
    list($DBshid, $DBshowname) = mysql_fetch_row($result);

    $num = mysql_num_rows($result1);

    if ($num != 0)
    {
        // Credentials matched: record the login in the session.
        $_SESSION['Logged_In_Eng'] = "Yes";
        $_SESSION['EID']           = $id;
        $_SESSION['SHID']          = $DBshid;
        $_SESSION['SHOWNAME']      = $DBshowname;
        header("Location: view.php");
        exit;
    }
    else
    {
        header("Location: login.php?mode=invalid");
        exit;
    }
}

Birdman

11:58 am on Sep 30, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here's some interesting reading for ya:

[webmasterworld.com...]

jatar_k

4:52 pm on Sep 30, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



just create a login check script that you can include on every page, preferably with no db hit.

you can store your session_start() in there too since it will be the first thing called on every page. I would also suggest ip checking so you don't have to worry about hijacking of active sessions. I would also add last access time to the session.

add something like this to the login

$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];   // client IP at login time
$_SESSION['lastaccess'] = time();            // current Unix timestamp in seconds
                                             // (mktime() with no arguments did the same in PHP 4 but now requires arguments)

then here's a rough example of the check script

session_start();
// Default to not authorised: a visitor with no session at all must fail too
// (with $auth = true as the default, an empty session would pass the check).
$auth = false;
if (!empty($_SESSION['Logged_In_Eng']) && $_SESSION['Logged_In_Eng'] == "Yes"
    && !empty($_SESSION['EID']) && !empty($_SESSION['SHID']) && !empty($_SESSION['SHOWNAME'])) {
    $auth = true;

    // time since the last request; 300 seconds = 5 minutes
    $newtime = time();   // current Unix timestamp in seconds
    $tdiff = $newtime - $_SESSION['lastaccess'];
    if ($tdiff > 300) $auth = false;
    else $_SESSION['lastaccess'] = $newtime;

    // the request must come from the IP stored at login
    $newip = $_SERVER['REMOTE_ADDR'];
    $ipcheck = strcmp($newip, $_SESSION['ip']);
    if ($ipcheck != 0) $auth = false;
}
if (!$auth) {
    header("Location: login.php?mode=invalid");
    exit;   // without this the rest of the page would still be sent
}

so first check for the existence of key session vars and that they are set. I used what was in the login but it doesn't necessarily need to be all of them. You also may want to check whether they are the proper type etc. Then check the present ip against what is stored in the session. The last thing is to check the time since last access. I used 300 which is 5 minutes.
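As an added example (not code from the thread or from jatar_k), here is a complete version of the check script described above, written as a file to include at the top of every protected page. It verifies the key session variables, compares the stored IP with the current one, enforces the 300-second idle limit, and destroys the session on failure instead of leaving stale data behind. The session keys and the login.php target are taken from the thread; the function names, the `mode=` values and the session_regenerate_id() call at login are assumptions of this example.

```php
<?php
// auth_check.php (added example, not from the thread): include it first on
// every protected page. Session keys follow the thread; function names and
// the mode= values are assumptions.

define('IDLE_TIMEOUT', 300);   // seconds of inactivity allowed (5 minutes)

// Call this once, right after the credentials have been verified.
// Regenerating the id means a session id handed to the browser before login
// is useless afterwards; ip and lastaccess are what the check below relies on.
function record_login($id, $shid, $showname)
{
    session_regenerate_id(true);
    $_SESSION['Logged_In_Eng'] = 'Yes';
    $_SESSION['EID']           = $id;
    $_SESSION['SHID']          = $shid;
    $_SESSION['SHOWNAME']      = $showname;
    $_SESSION['ip']            = $_SERVER['REMOTE_ADDR'];
    $_SESSION['lastaccess']    = time();
}

// Pure check: returns 'ok', or a reason string the caller turns into a
// redirect. $now and $remoteIp are parameters so the logic can be exercised
// without a live request (for example from a small test script).
function session_status_for(array &$session, $remoteIp, $now)
{
    // 1. Key vars must exist and be non-empty.
    foreach (array('Logged_In_Eng', 'EID', 'SHID', 'SHOWNAME', 'ip', 'lastaccess') as $key) {
        if (empty($session[$key])) {
            return 'invalid';
        }
    }
    // Wrong value or wrong type (EID is a numeric id in the thread) is also invalid.
    if ($session['Logged_In_Eng'] !== 'Yes' || !ctype_digit((string) $session['EID'])) {
        return 'invalid';
    }
    // 2. The request must come from the IP recorded at login.
    if ($session['ip'] !== $remoteIp) {
        return 'ipmismatch';
    }
    // 3. Idle timeout, measured from the last successful check.
    if ($now - (int) $session['lastaccess'] > IDLE_TIMEOUT) {
        return 'timeout';
    }
    // Passed: slide the window forward.
    $session['lastaccess'] = $now;
    return 'ok';
}

function require_login()
{
    session_start();
    $status = session_status_for($_SESSION, $_SERVER['REMOTE_ADDR'], time());
    if ($status !== 'ok') {
        // Throw the session away so stale or mismatched data cannot be reused,
        // then send the user to the login page with the reason.
        $_SESSION = array();
        session_destroy();
        header('Location: login.php?mode=' . $status);
        exit;
    }
}

require_login();
```

Keeping the decision in session_status_for() with the time and IP passed in means the timeout and IP logic can be checked with fabricated inputs, while require_login() is the only part that touches the live request. One caveat with the IP binding: users behind load-balanced proxies or on mobile networks can legitimately change address mid-session and will be logged out by the 'ipmismatch' branch, so decide whether that trade-off suits your audience.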

woldie

9:30 am on Oct 5, 2004 (gmt 0)

10+ Year Member



Thanks for the response Jatar_k :o)

Just want to make sure what I've done is correct.

In the login script, I've used this code.

<?php
session_start();
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];   // client IP at login time
$_SESSION['lastaccess'] = time();            // current Unix timestamp in seconds
// Then the form code, which then goes to a file called auth_user.php
?>

In auth_user.php file...

// PRODUCTION LOGIN
if ($etid==2)
{
$result_eng=mysql_query("select fieldname from tablename1,tablename2
where email_address='$email'
AND password=password('$pass')
AND tablename1.etid=tablename2.etid
AND tablename1.etid=$etid");
list($fieldname)=mysql_fetch_row($result_eng);

$result=mysql_query("select fieldname2,fieldname3
from tablename3
where current=1");
list($DBshid,$DBshowname)=mysql_fetch_row($result);

$num=mysql_num_rows($result_eng);

if ($num!= 0)
{
$_SESSION['Logged_In_Eng']="Yes";
$_SESSION['EID']=$engineernum;
$_SESSION['SHID']=$DBshid;
$_SESSION['SHOWNAME']=$DBshowname;

$newtime=mktime();
$tdiff=$newtime - $_SESSION['lastaccess'];
if ($tdiff > 300)
{
header("Location:login.php?mode=timeout");
exit;
}
else
{
$_SESSION['lastaccess']=$newtime;
}

$newip=$_SERVER['REMOTE_ADDR'];
$ipcheck=strcmp($newip,$_SESSION['ip']);

header("Location: file1.php");
exit;
}
else
{
header("Location:login.php?mode=invalid");
exit;
}
}

Is there any code I need to use in file1.php, so that it knows the actual length of the session? Or is that just it?

Many Thanks

Woldie

jatar_k

4:40 pm on Oct 5, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



this is the timeout stuff here

$newtime = time();   // current Unix timestamp in seconds
$tdiff = $newtime - $_SESSION['lastaccess'];
if ($tdiff > 300)
{
    header("Location: login.php?mode=timeout");
    exit;
}

the 300 is 300 seconds, which amounts to 5 minutes; if you want it longer then just increase that number. The mktime function is a unix timestamp, therefore it is in seconds.

Is that all login stuff? The time comparison should be in some kind of logged in checking script which shouldn't really have any db stuff unless you want to test the user_id or some other session var against the db values.

baertyp

9:02 am on Nov 10, 2004 (gmt 0)

10+ Year Member



Just keep in mind that there is a server-wide variable in php.ini

session.gc_maxlifetime

which afaik defaults to 1440 secs, making it 24 minutes. You can read your setting with phpinfo(). After this period of user inactivity PHP assumes the session is finished, treats its data as garbage and will delete it sooner or later.

So your timeout value must be smaller than the current session.gc_maxlifetime on your installation to make any sense.

Regards
Markus
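An added example (not from the thread or from baertyp) of checking this in code: read session.gc_maxlifetime at runtime and make sure the application's idle timeout fits inside it, before session_start() is called. The 300-second timeout comes from the thread; the function name, the 60-second margin and the error_log() fallback are assumptions of this example.

```php
<?php
// Added example, not part of the thread: reconcile the application's idle
// timeout with PHP's session.gc_maxlifetime. Must run before session_start().
// IDLE_TIMEOUT (300 s) comes from the thread; GC_MARGIN is an assumption.

define('IDLE_TIMEOUT', 300);
define('GC_MARGIN', 60);   // how much longer than IDLE_TIMEOUT GC may wait

// Pure comparison, kept free of ini calls so the decision can be exercised
// with any pair of values. Returns whether the timeout is enforceable and
// the gc_maxlifetime value that would make it so.
function plan_session_lifetime($idleTimeout, $gcMaxLifetime, $margin = GC_MARGIN)
{
    // Consistent when PHP will not discard the session before we do.
    // Otherwise GC may remove the data first and the user is logged out at an
    // unpredictable moment (whenever a request happens to trigger GC).
    $consistent = $idleTimeout < $gcMaxLifetime;
    return array(
        'consistent' => $consistent,
        'gc_needed'  => $consistent ? $gcMaxLifetime : $idleTimeout + $margin,
    );
}

$current = (int) ini_get('session.gc_maxlifetime');   // 1440 on a stock php.ini
$plan    = plan_session_lifetime(IDLE_TIMEOUT, $current);

$effectiveTimeout = IDLE_TIMEOUT;
if (!$plan['consistent']) {
    // Try to raise the lifetime for this request. ini_set() returns false
    // when the host does not allow changing the value at runtime.
    if (ini_set('session.gc_maxlifetime', (string) $plan['gc_needed']) === false) {
        // Cannot raise it: shrink our own timeout so the check stays meaningful
        // rather than silently being pre-empted by garbage collection.
        $effectiveTimeout = max(60, $current - GC_MARGIN);
        error_log("session.gc_maxlifetime=$current is shorter than IDLE_TIMEOUT; using $effectiveTimeout");
    }
}

session_start();
// $effectiveTimeout is what the login check should now compare $tdiff against.
```

Two things to keep in mind when relying on ini_set() here. On distributions whose packaged PHP runs session garbage collection from a cron job (Debian and Ubuntu do this), the cron job reads php.ini and ignores any runtime override, so the value in php.ini is the one that counts. And if several applications share the same session.save_path, garbage collection triggered by one with a shorter gc_maxlifetime will also remove the other application's idle session files.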

coopster

11:46 am on Nov 10, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Welcome to WebmasterWorld, baertyp.

Yes, you are right. Follow the link by Birdman to read even more interesting information about session max lifetime and garbage collection.

woldie

2:58 pm on Nov 10, 2004 (gmt 0)

10+ Year Member



Thanks, guys, for the input; I didn't think of using the php.ini file.

I'm still trying to figure it out here and there (busy at the moment!), but it is something I need to know. So I'll be posting more probs in the near future.

Woldie.