This I hope will make sense. I've the following code which when a user logins in, creates a session:
if (isset($_POST['submitted'])) { // Check if the form has been submitted.
require_once ('mysql_connect.php'); // Connect to the database.
// Validate the email address. if (!empty($_POST['email'])) { $e = escape_data($_POST['email']); } else { echo '<p class="error">You forgot to enter your email address!</p>'; $e = FALSE; }
// Validate the password. if (!empty($_POST['pass'])) { $p = escape_data($_POST['pass']); } else { $p = FALSE; echo '<p class="error">You forgot to enter your password!</p>'; }
if ($e && $p) { // If everything's OK.
// Query the database. $query = "SELECT user_id, first_name, account_id FROM users WHERE (email='$e' AND pass=SHA('$p')) AND active IS NULL"; $result = mysql_query ($query) or trigger_error("Query: $queryn<br />MySQL Error: " . mysql_error());
if (@mysql_num_rows($result) == 1) { // A match was made.
// Register the values & redirect. $row = mysql_fetch_array ($result, MYSQL_NUM); mysql_free_result($result); mysql_close(); // Close the database connection. $_SESSION['user_id'] = $row[0]; $_SESSION['first_name'] = $row[1]; $_SESSION['account_id'] = $row[2];
// Start defining the URL. $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']); // Check for a trailing slash. if ((substr($url, -1) == '/') OR (substr($url, -1) == '\') ) { $url = substr ($url, 0, -1); // Chop off the slash. }
// Add the page. $url .= '/index.php';
ob_end_clean(); // Delete the buffer. header("Location: $url"); exit(); // Quit the script.
} else { // No match was made. echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>'; }
} else { // If everything wasn't OK. echo '<p class="error">Please try again.</p>'; }
mysql_close(); // Close the database connection.
} // End of SUBMIT conditional. ?>
<h1>Login</h1> <p class="maintext">Your browser must allow cookies in order to log in.</p> <form action="login.php" method="post"> <fieldset> <p class="maintext"><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></p> <p class="maintext"><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p> <div align="center"><input type="submit" name="submit" value="Login" /></div> <input type="hidden" name="submitted" value="TRUE" /> </fieldset> </form>
Each page I want protected then has this at the top
// If no first_name variable exists, redirect the user. if (!isset($_SESSION['first_name'])) {
// Start defining the URL. $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']); // Check for a trailing slash. if ((substr($url, -1) == '/') OR (substr($url, -1) == '\') ) { $url = substr ($url, 0, -1); // Chop off the slash. } // Add the page. $url .= '/index.php';
ob_end_clean(); // Delete the buffer. header("Location: $url"); exit(); // Quit the script.
} else { ### page ### }
What I'd like to do is set the session to automatically expire after 2 hours and the users password to reset to something different to prevent login.
