Php Session Problem
joe.k
post Oct 27 2007, 07:34 PM
Post #1




I have downloaded EasyPHP on my PC and I am a bit of a noob with PHP/MySQL commands.
I have a problem making sessions work: the session file on my server gets deleted after leaving the page where the session was started for the first time.
The problem is that the session can only be used within the creation page unless you leave it.
Why?? I have no idea... I have been looking around for three days now...

Thanks in advance for any help. If you need more details, let me know.

Joe.k
vujsa
post Oct 27 2007, 11:19 PM
Post #2




Well, before I try and figure out some server setting issue that I'm not very good at, I'll try the most obvious stuff first.

At the beginning of every page, you need to start a session. The best part about this function is that it starts a new session if one doesn't exist and retrieves the session information for one that does exist.
CODE
<?php
session_start();


Then you have to get your session ID:

CODE
<?php
session_start();
$session_id = session_id();


Finally, you usually want to use that id to retrieve information from the database.

CODE
<?php
session_start();
$session_id = session_id();

$connection = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');
mysql_select_db('mysql_dbname', $connection);

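// The session id is a string, so it must be quoted and escaped in the query.
$query = "SELECT * FROM table_session WHERE id = '" . mysql_real_escape_string($session_id, $connection) . "'";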
$result = mysql_query($query, $connection);

$session_details = mysql_fetch_row($result);


Now, you should have set some type of timestamp when you first created the session. I usually use the value from time() since it is the easiest to compare with.
You compare the stored value to the current value to determine whether or not you should expire the current session. If you don't expire the current session, then you need to update the timestamp in the database...
For that you UPDATE the database record...
CODE
// Same key column (id) as the SELECT above.
$query = "UPDATE table_session SET time_stamp = '" . time() . "' WHERE id = '" . mysql_real_escape_string($session_id, $connection) . "'";


Of course, this assumes that you have a session already! If you don't, then you have to add the record to the database.
CODE
$result = mysql_query($query, $connection);
// mysql_query() returns a result resource even when no rows match, so count the rows.
if(!$result || mysql_num_rows($result) == 0){
// INSERT a new database table row here with $session_id as the record ID.
}
else{
//  Use the returned data
}


You will need to start a completely new session if the one retrieved is expired. In some cases where you use user authentication, you'll need to redirect to a login page...

The system can be as complex or as simple as you wish. Remember if you don't want to use the database so much, you can store variables in the session...

Well, let me know if you need further assistance.
vujsa
joe.k
post Oct 28 2007, 06:53 AM
Post #3






Thanks for replying.

I tried out what you posted ('make session in database'), but even though I put the session at the beginning of every page (line 1), I found out that my session id is always 15 in the login page, but when redirected to the homepage... the session disappears (the session file too? in 'tmp')

The home page contains session_start() at the first line but it doesn't start a new session as it was supposed to... I am confused...
vizskywalker
post Oct 29 2007, 09:32 PM
Post #4




I think it might be helpful to us if you could show us your code. Trying to guess what your problem is without being able to see your code is extremely difficult.

~Viz
joe.k
post Oct 31 2007, 08:22 PM
Post #5




QUOTE(vizskywalker @ Oct 29 2007, 11:32 PM) [snapback]112923[/snapback]
I think it might be helpful to us if you could show us your code. Trying to guess what your problem is without being able to see your code is extremely difficult.

~Viz


users.php >>> user login script page
PS: I edited it yesterday and added a dbsession; I did the script... a bit newbie
CODE
<?php session_start(); ?>
<?php defined ('my_access_code')or die('<a class="warn">Direct access denied</a>'); ?>
<?php

   $_session['id']='test';

// if anything is updated make sure the ck files and user files is updated as well

      $w=date('W');
      $d=date('d');
      $m=date('m');
      $y=date('Y');
      $h=date('H');
      $tim=$w.$y.$m.$d.$h;
      $timd=md5($tim);
      $ip=$_SERVER['REMOTE_ADDR'];
      
     if ($_POST['username'] == '' || $_POST['password'] == '')
         {
          $error ='Username or password is wrong';
         }

         $username=$_POST['username'];
         $password=$_POST['password'];


      $con = mysql_connect('localhost','root','password');
      if (!$con)
      {
      print ('datebase connection failure');
      }

      mysql_select_db('cs',$con);
      
      //check input username and password against the database
      $query = mysql_query('SELECT ID, Username FROM users WHERE Username ="'.mysql_real_escape_string($_POST['username']).'" AND Password = "'.mysql_real_escape_string($_POST['password']).'"');

             if(mysql_num_rows($query) == 1)
            {
                //if sucsess do this
                $ac='login successful';
                $userN=$username;
                
                mysql_select_db('cs',$con);
                
                $query= "SELECT id,session_details,time_stamp,time FROM session WHERE id = '$ip' ";
                $result= mysql_query($query);

                $row = mysql_fetch_row($result);
                $id    = $ip;
                $session_details = $row[1];
                $time_stamp = $row[2];
                $time=$row[3];

                // this code for db_session check for exsistance
                   // code for action if session exsist or not
                if ($session_details =='' || $time_stamp == '')
                   {
                   //code if session does NOT sesist
                   mysql_select_db('cs',$con);
                   mysql_query("INSERT INTO session (id, session_details, time_stamp, time)VALUES ('$ip', '$userN', '$timd', '$tim')");
                   //code again for storing session
                          $query= "SELECT id,session_details,time_stamp,time FROM session WHERE id = '$ip' ";
                          $result= mysql_query($query);
                          $row = mysql_fetch_row($result);
                          $id    = $ip;
                          $session_details = $row[1];
                          $time_stamp = $row[2];
                          $time=$row[3];
                          $session=$time-$tim;
                  
                   }
                   else
                   {
                   // if session exsist
                      if ( ($session) > '5')
                         {
                          mysql_select_db('cs',$con);
                          mysql_query(" Update session SET time_stamp = '$timd' where id = '$ip' ");

                         }
                         else
                         {
                          //do nothing use session items and time
                         }
                  
                   }

               header ("location: /");
            }
            else
            {
                //add login failure rediert page >> file/
                $error = 'Login failed !';
            }
            
    if (isset($error))
       {
       $userN='Guest';
       $ac= 'access denied. <a href="http://localhost/welcome.php">login</a>';
      

       }
       else
       {


       }
      
      
mysql_close($con);


?>


ck.php >> check session_db >> but still need browser session
CODE
<?php defined ('my_access_code')or die('<a class="warn">Direct access denied</a>'); ?>
<?php

      $w=date('W');
      $d=date('d');
      $m=date('m');
      $y=date('Y');
      $h=date('H');
      $tim=$w.$y.$m.$d.$h;
      $timd=md5($tim);
      $ip=$_SERVER['REMOTE_ADDR'];
      
      $con = mysql_connect('localhost','root','password');
      if (!$con)
      {
      print ('datebase connection failure');
      }

      mysql_select_db('cs',$con);
      
      $query= "SELECT id,session_details,time_stamp,time FROM session WHERE id = '$ip' ";
      $result= mysql_query($query);

      $row = mysql_fetch_row($result);
     $id    = $ip;
     $session_details = $row[1];
     $time_stamp = $row[2];
     $time=$row[3];
     $session=$time-$tim;

      
      // this code checks whether the db_session exists
      // code for action if session exists or not
      if ($session_details =='' || $time_stamp == '')
      {
      //code if session does NOT exist
      header ("location: /welcome.php");
      exit; // stop here so the rest of the page is not sent
      }
      else
      {
      // if session exists
            if ($session > '5')
            {
            header ("location: /welcome.php");
            exit; // stop here so the rest of the page is not sent
            }
            else
            {
            //do nothing use session items and time
            }

      }
      
mysql_close($con);

?>


This is what I came up with after 5 hours of trying to make sessions work... I even tried the samples at www.w3schools.com but it didn't work, although I think it is still weak code. What do you think?

This post has been edited by joe.k: Nov 1 2007, 09:54 AM
vujsa
post Nov 1 2007, 08:20 AM
Post #6




Well, I'm not sure if I can help. You have a lot going on and most of the code looks okay but I don't understand why you are asking about sessions but not using them...

I see in users.php that you start your session as normal but then change the session id to "test". This would give everyone that accesses users.php the same session id! But, keep in mind that this isn't the actual session_id, it is a variable associated with that session named "id".

The session id should be something unique every time. Simply by starting a session, the server automatically creates a new one so it isn't necessary to set the id yourself. Then in the files shown here, you never use any session information. Instead, you rely on IP addresses as the key to your database which could have some real problems with it. For example, if you have a user log in many times from the same IP address, the database may have hundreds or even thousands of records using that IP. This could cause errors down the road if you aren't careful with how you check for existing sessions. This is why most developers use the server generated session id as the database key.

Your timestamp issue I think is where you have the trouble.
First, the next two code bits do exactly the same thing:
CODE
$w=date('W');
      $d=date('d');
      $m=date('m');
      $y=date('Y');
      $h=date('H');
      $tim1=$w.$y.$m.$d.$h;
echo $tim1 . "<br />\n";


CODE
$tim2=date('WYmdH');
echo $tim2 . "<br />\n";

which as of right now would give you this: 442007110100
The 44th week in 2007 on the 11th month and 1st day at 0 hours past midnight.

Not exactly a highly usable variable to use. And an MD5 hash of this looks like this: 30687663fc34e16d5c272ddf2f44fbc5 which is what $timd is set to.

Now for your variable $session after 2 hours would be explained as such:
CODE
$session=442007110100-442007110102;

Which is -2.

However, if you do change the $session variable to this:
CODE
$session=$tim-$time;

it would be 2.

But even at that, once a new year starts, you'll have problems since the first part of your time value is the week of the year so January 1, 2008 would look like this:
12008010100
and then session could be set like this even if you switched $time and $tim:
CODE
$session=12008010100-442007110100;

Which is -429999100000.

If you don't switch $time and $tim:
CODE
$session=442007110100-12008010100;

Which is 429999100000.

See how this could be a serious problem... If I log into your site today and then somebody that has the same IP address goes to your site in January without me returning in between, they will be logged in as me! This could happen with users of dial-up internet access or dynamically assigned IP address broadband access, which is still quite common. Just between December 31, 2007 and January 1, 2008 there would be issues, and that could be a session less than an hour old...

I think you would be better served using a Unix timestamp which will always get larger every second...
time() will return the current Unix timestamp which right now is 1193902752 and now is 1193902765 and now is 1193902771.

It increases by 1 every second and is a calculation of the number of seconds since January 1 1970 00:00:00 GMT.

This is easily formatted into any date format you want with the date function and is the figure used by default when you use date without the timestamp argument.
Since this number is extremely predictable, most developers use it.

Now for the next problem...
When you have a session greater than "5", you update the MD5 of the time value but you don't update the actual time value! Since your comparison is based on the time value $tim and not $timd, you would be better off to update session.time in the database instead of session.time_stamp. Since currently your session time in the database never gets updated, the comparison will not work correctly.

I don't understand the need for $timd. The MD5 hash of $tim doesn't seem to be necessary. You could just as easily drop that from your script and check to see if there is a value for session.time instead. If you use my suggestion to use a Unix timestamp instead of what you now use, you could check for a valid session with the database query. For example:

CODE
$current_time = time();
$maximum_session_life = 3600; // 3600 seconds equals 1 hour
$session_cut_off = $current_time - $maximum_session_life;  // Basically, the session had to have been created less than 3601 seconds ago.
$ip=$_SERVER['REMOTE_ADDR'];

$query = "SELECT id, session_details, timestamp FROM session WHERE id = '$ip' AND timestamp >= '$session_cut_off'";

// Additional query code here followed by whatever you want to do if data is returned...

Now this would only return a result if the id was in the database already AND the session time in the database was not too old...

I would imagine that if it were too old, you would simply want to redirect the user to the login page. Otherwise, you have to UPDATE the timestamp in the database like so:
CODE
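$result = mysql_query($query);
$row = mysql_fetch_array($result);  // false when no unexpired session row matched

if($row && $row['session_details'] != ''){
     $session_details = $row['session_details'];
     $timestamp = $row[2];
     mysql_query("UPDATE session SET timestamp = '" .  time() . "' where id = '$ip' ");
}
else{
    header ("location: /login.php");
    exit;  // stop the script so nothing after the redirect runs
}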

So that checks to see if a result was returned and if the field session_details has a value applied to it. If it does, update the timestamp, otherwise redirect to the login page.

Now as I suggested at the beginning, I think you should use session_id() instead of $_SERVER['REMOTE_ADDR'] for your table key. This will reduce dynamic IP issues and is easier to deal with since it is generally a good idea to generate a new session id if the previous one is expired. You don't need to use $_SESSION for anything unless you prefer to use that instead of the database to store information about the user. For example, you could assign some details about the user like his name in the $_SESSION variable and use that instead of querying the database each time you want to say "Hello John Doe!".

Of course, if you do actually use the PHP session functions, you really should generate a new session id when a session expires and the user has to log in again.

I have given you a lot of information here. Between this and my previous reply, I'm sure you'll have many questions.

good luck,
vujsa
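
The approach recommended in this reply and in post #2 (key the row on session_id(), store a Unix timestamp, expire on a cut-off, issue a new id at login and on expiry), as an added example that is not code from any poster in the thread. It assumes PDO with an in-memory SQLite database standing in for the MySQL `session` table; the function names and the sample session ids are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with the SQLite
// driver; an in-memory table stands in for the thread's MySQL `session` table.
const MAX_IDLE = 3600; // seconds; the one-hour limit used in the post

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE session (
        id TEXT PRIMARY KEY, session_details TEXT, time_stamp INTEGER)');
    return $db;
}

// Store the row for a freshly authenticated user, keyed by session id.
function create_session(PDO $db, string $sid, string $user, int $now): void {
    $st = $db->prepare(
        'REPLACE INTO session (id, session_details, time_stamp) VALUES (?, ?, ?)');
    $st->execute([$sid, $user, $now]);
}

// Return the user name for a live session and refresh its timestamp.
// Return null (and drop the row) when the id is unknown or idle too long.
function check_session(PDO $db, string $sid, int $now): ?string {
    $st = $db->prepare(
        'SELECT session_details FROM session WHERE id = ? AND time_stamp >= ?');
    $st->execute([$sid, $now - MAX_IDLE]);
    $user = $st->fetchColumn();
    if ($user === false) {
        $db->prepare('DELETE FROM session WHERE id = ?')->execute([$sid]);
        return null;
    }
    $db->prepare('UPDATE session SET time_stamp = ? WHERE id = ?')
       ->execute([$now, $sid]);
    return $user;
}

// Call once the password check has succeeded (hypothetical helper).
function on_login(PDO $db, string $user): void {
    session_start();
    session_regenerate_id(true); // fresh id at login; old session data is deleted
    create_session($db, session_id(), $user, time());
}

// Call at the top of every protected page (hypothetical helper).
function require_login(PDO $db): string {
    session_start();
    $user = check_session($db, session_id(), time());
    if ($user === null) {
        session_regenerate_id(true);     // expired or unknown: issue a new id
        header('Location: /login.php');
        exit;                            // do not render the protected page
    }
    return $user;
}

// Command-line demo with constructed values; no web server needed.
if (PHP_SAPI === 'cli') {
    $db = open_store();
    $t0 = 1193902752; // a Unix timestamp quoted in the post
    create_session($db, 'constructed-session-id', 'joe', $t0);
    var_dump(check_session($db, 'constructed-session-id', $t0 + 600));  // active
    var_dump(check_session($db, 'constructed-session-id', $t0 + 4300)); // idle > 1 h
    var_dump(check_session($db, "id-with-'quote", $t0)); // bound as data, not SQL
}
```

The prepared statements replace the string-built queries shown in the thread, so the session id never becomes part of the SQL text.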
joe.k
post Nov 1 2007, 09:45 AM
Post #7




Wow... I didn't see it that way... but now "my code" looks kinda 'silly'. Thanks for clearing that up.

QUOTE

Well, I'm not sure if I can help. You have a lot going on and most of the code looks okay but I don't understand why you are asking about sessions but not using them...

Well... the code I posted was updated... after I removed the original session code and started trying some tests on it... to see if it works.
I added the dbcode after 3 hours of trying.

QUOTE

if you have a user log in many times from the same IP address, the database may have hundreds or even thousands of records using that IP. This could cause errors down the road if you aren't careful with how you check for existing sessions. This is why most developers use the server generated session id as the database key.

I faced it in the first couple of entries and made the id >> ip unique in mysql_db, i ever thought about ip though.

QUOTE

Now for the next problem...
When you have a session greater than "5", you update the MD5 of the time value but you don't update the actual time value! Since your comparison is based on the time value $tim and not $timd, you would be better off to update session.time in the database instead of session.time_stamp. Since currently your session time in the database never gets updated, the comparison will not work correctly.

Hmmm... I am completely out of words... sorry.

QUOTE

I don't understand the need for $timd. the MD5 hash of $tim doesn't seem to be necessary. You could just as easily drop that from your script and check to see if there is a value for session.time instead.

Well, I know the MD5 seems useless and I know it is... anyway, you can't learn without making mistakes.
But I was kinda hopeless about how to make the dbsession end.

QUOTE

Now as I suggested at the beginning, I think you should use session_id() instead of $_SERVER['REMOTE_ADDR'] for your table key. This will reduce dynamic IP issues and is easier to deal with since it is generally a good idea to generate a new session id if the previous one is expired. You don't need to use $_SESSION for anything unless you prefer to use that instead of the database to store information about the user. For example, you could assign some details about the user like his name in the $_SESSION variable and use that instead of querying the database each time you want to say "Hello John Doe!".

Hmm... well, now I guess I don't really get what the session 'thing' really is and how powerful it is...
But I guess the dbsession thing would still be 'more secure'... ??

I will try this out sometime later... thanks again.

Joe.k
vujsa
post Nov 1 2007, 11:24 AM
Post #8




I don't mean to discourage you, most of the code is quite promising. There are just a few problems with the organization.

I know I had a lot to say but I wanted to get you started in the right direction. If you can implement some of the suggestions I gave you, you should be able to get your project back on track.

vujsa