Ive been trying to get a login with php working for a very long time now with no luck. Ive been trying to use sessions because i have heard that they are much better than cookies. My login auth works but every time i leave the page (not close the browser), then return the login is gone. Any ideas? Here is what i have so far for the sessions:


<?
session_start();
$_SESSION["user"] = $auth_user;
$_SESSION["pass"] = $auth_pass;
?>


this is just the sessions part of my code.. as i said the auth section is working perfectly. Any ideas would be greatly appreciated.

Hi

Check your php.ini file for the life_time of a session. Sorry, don't remember the exact name of the variable which governs session's life :(

AFAIK, sessions have a life_time and must die after that life_time. Thats, IMHO, whats happenning in your case

hth
theN

Well, it looks like you have assigned the variables. Are they truely assigned? Try to print out the session variables to the page (just to make sure that they are datafilled and the handof from the vcariable to the session was complete and accurate).

Also, if you have the login on one page and it sends the info to another for verification / session variable assignments, the original page would also have to look at the Session variables and decide if you are already logged in.
In ASP, I would make this a single file that is included in all of my pages for authentication.

Like when you hit the back button, there would be something like

If sessionuser not equal to anything, user not logged in (dont' display the page / reroute to login script or just print the login boxes (if logged in, no need to display them).

If sessionuser is equal to someone in my database of users, then they can see the page. The variables may be getting assigned, but you may not be using them on any of your pages.

Sessions are MUCH better than cookies IMHO. I think the default timeout shold be OK and would start at the time that these variables are assigned. As long as you are active, they shouldn't timeout on you but that is something to take a look at.

Also, I'm not sure you need to keep the Session Password in the servers memory..
Why not have a simple script that checks if the user is authenticated and then just assign the name of the person. Once authentication is complete, we don't need the password. We just need the name and any other info for that user (Like a security level, etc). I would venture to say that if you don't need the name and really want to make it simple, just assign one variable to the session. sessionlogged = yes or no.

If yes, logged in
if no, not logged in

I don't know what your setup is and there are literally hundreds of ways to do this. I don't know, just babbling.... :)