PHP Destroying Session Problem

[pseudo-nym]

Hi

I'm writing an application in PHP, which will be going live pretty soon.

A user currently logs in, views details etc and logs out.

When I new user signs up, he/she can see the previous person who logged-in's details.

And this only changes if the new user logs in and out.

The code below is in the controller:

Code:

<?php
//$this_file_name = 'authentication.php';
//start_trace($file_name);

//check config exists. If we come in from a cron job, the config file will be 2 dirs nack
// and already included
if(file_exists("../config.php"))
{
include_once("../config.php");
}
require_once(ROOT_DIRECTORY . 'models/authentications.php');

class Authentication_Controller extends Authentications_Model
{
function Authentication_Controller()
{
$fct_name = 'Authentication';
function_start($fct_name);

global $authentication;

$this->session_id = session_id();

$session_row = $this->get_session();
if($session_row)
{
debug("there is a session, lets get the user information and put it into a global array");
require_once(ROOT_DIRECTORY . 'models/users.php');
$user_object = new Users_Model;
$user_object->id = $session_row['user_id'];
$user_details = $user_object->get_details();

debug("got user details:");
debug_row($user_details);


$authentication = array();
foreach($user_details as $one_user_details_col=>$one_user_value)
{
$authentication[$one_user_details_col] = $one_user_value;
}

debug("we now have the user row in the global array. Now update the session row so that it has the new expiry time");
$this->update_session_time();
}
else
{
$authentication = false;
}

function_end($fct_name);
}
function Perform_Login($user_name = '', $password = '')
{
$fct_name = 'Perform_Login';
function_start($fct_name);

$attempt = $this->insert_login($user_name, $password);

if($attempt)
{
debug("login was successfull. Run the Authentication function to populate global");
}
else
{
debug("the login failed. Throw an exception");
throw new exception('FAILED AUTHENTICATION');
}

function_end($fct_name);
}
function Log_User_Out()
{
$fct_name = 'Log_User_Out';
function_start($fct_name);

$this->expire_login();

function_end($fct_name);
return true;
}
}
?>

And the following code is found in the models:

Code:

<?php
class Authentications_Model
{
function Authentications_Model()
{
$this->session_id = session_id();
}
function get_session()
{
$fct_name = 'get_session';
function_start($fct_name);

$time = time();

global $db;

$ins_session_id = $db->quote_null_or_var($this->session_id);
$ins_expiry_time= $db->quote_null_or_var($time);

$sql = " SELECT * FROM sessions ".
       " WHERE session_id = $ins_session_id ".
       " AND expires > $ins_expiry_time ";


$result = $db->db_query($sql);
$rows = $db->db_num_rows($result);
$rows?$row=$db->db_fetch($result):$row=false;


if(!$row)
{
debug("there is no session for this user. They are not logged in, returning false");
}
else
{
debug("The user is logged in. The row is:");
debug_row($row);
}
function_end($fct_name);
return $row;
}
function update_session_time()
{
$fct_name = 'update_session_time';
function_start($fct_name);

$expiry_time = time() + MAX_LOGIN_TIME;

global $db;
$res = $db->update_row( 'sessions',
array('expires'=> $expiry_time),
      array('session_id' => $this->session_id)
        );

function_end($fct_name);
return $res;
}
function insert_login($user_name, $password)
{
$fct_name = 'insert_login';
function_start($fct_name);
global $db;

$encrypted_password = encrypt_password($password);

$ins_user_name = $db->quote_null_or_var($user_name);
$ins_encrypted_password = $db->quote_null_or_var($encrypted_password);

$sql =  " SELECT * FROM users " .
" WHERE UPPER(user_name) = UPPER($ins_user_name) ".
" AND password = $ins_encrypted_password ".
" AND coach = '1' ";

$res = $db->db_query($sql);
$user_row = $db->db_fetch($res);

if($user_row)
{
global $authentication;
$authentication = $user_row;

debug("correct username and password so now insert a session");

$expires = time() + MAX_LOGIN_TIME;

$insert = $db->insert_row( 'sessions',
         array('session_id' => $this->session_id,
         'user_id' => $user_row['id'],
         'expires' => $expires,
         'ip_address' => $_SERVER["REMOTE_ADDR"]
        )
);
function_end($fct_name);
return true;
}
else
{
function_end($fct_name);
return false;
}
}
function expire_login()
{

$fct_name = 'expire_login';
function_start($fct_name);
global $db;
global $authentication;


session_destroy();
setcookie ("PHPSESSID", "", time()-60000);

$expires = time() - 60;
debug("set the logout time to be an hour ago [$expires]");

$insert = $db->delete(    'sessions',
   array('user_id' => $authentication['id'])
);

$authentication = false;
function_end($fct_name);
}
}
?>

Any help will be much appreciated

[JasonD]

What's with function_start/end? And do you have something against __FUNCTION__?

If what you say is happening you have three problems, the cookie is not set or deleted correctly, and the entry isn't being deleted from the database on log out. Or less likely your browser is doing funny things and caching what it shouldn't.

Firstly, you want

Code:

setcookie(session_name(), "", time()-60000, '/');

With the proper session name (can be changed) and the path, presumably no one sets the path other than / without knowing why. And your debug message is irrelevant but equally useless for being wrong. There are neither 60 nor 60000 seconds in an hour.

Can't help with the second part without knowing more about your database. It shouldn't have made much difference but why is this entire expire_login method not part of your session handler's destroy callback?

[pseudo-nym]

It shouldn't have made much difference but why is this entire expire_login method not part of your session handler's destroy callback?

Could you expand on this please?

[JasonD]

http://uk.php.net/session_set_save_handler