Hi
I have a slight problem with a script I'm writing.
When a user logs in, they see their own information, etc.
When a new user signs up, they are logged in, but they can still see the previous user's information, as the session doesn't seem to be getting destroyed.
The code I'm using is:
This code is located in the 'controllers' directory:
<?php
//$this_file_name = 'authentication.php';
//start_trace($file_name);
// Make sure the config is loaded. When invoked from a cron job the config file lives two
// directories back and has already been included, so the relative include below is skipped.
if (file_exists('../config.php')) {
    include_once '../config.php';
}
require_once ROOT_DIRECTORY . 'models/authentications.php';
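class Authentication_Controller extends Authentications_Model
{
    /**
     * Resolves the current visitor. When an unexpired sessions row exists for this PHP session
     * id, the matching user's row is copied into the global $authentication array and the
     * session row's expiry is refreshed; otherwise $authentication is set to false.
     *
     * Was a PHP4-style constructor named after the class; PHP 8 no longer treats such a method
     * as a constructor, so it is declared as __construct. As before, the parent constructor is
     * not invoked: this constructor sets $this->session_id itself.
     */
    function __construct()
    {
        $fct_name = 'Authentication';
        function_start($fct_name);
        global $authentication;
        $this->session_id = session_id();
        $session_row = $this->get_session();
        if (!$session_row) {
            $authentication = false;
            function_end($fct_name);
            return;
        }
        debug("there is a session, lets get the user information and put it into a global array");
        require_once(ROOT_DIRECTORY . 'models/users.php');
        $user_object = new Users_Model;
        $user_object->id = $session_row['user_id'];
        $user_details = $user_object->get_details();
        debug("got user details:");
        debug_row($user_details);
        // Copied column by column: get_details() is defined elsewhere, so $user_details is not
        // assumed to be a plain array.
        $authentication = array();
        foreach ($user_details as $col => $value) {
            $authentication[$col] = $value;
        }
        debug("we now have the user row in the global array. Now update the session row so that it has the new expiry time");
        $this->update_session_time();
        function_end($fct_name);
    }

    /**
     * Authenticates $user_name / $password through insert_login(), which on success fills the
     * global $authentication with the user row and records a sessions row.
     *
     * @param string $user_name
     * @param string $password  plain-text password as submitted
     * @throws Exception with message 'FAILED AUTHENTICATION' when the credentials are rejected
     */
    function Perform_Login($user_name = '', $password = '')
    {
        $fct_name = 'Perform_Login';
        function_start($fct_name);
        $attempt = $this->insert_login($user_name, $password);
        if (!$attempt) {
            debug("the login failed. Throw an exception");
            // Close the trace before throwing so function_start/function_end stay paired.
            function_end($fct_name);
            throw new Exception('FAILED AUTHENTICATION');
        }
        debug("login was successfull. Run the Authentication function to populate global");
        function_end($fct_name);
    }

    /**
     * Ends the current login via expire_login() (session row removal, PHP session teardown,
     * $authentication reset).
     *
     * @return bool always true
     */
    function Log_User_Out()
    {
        $fct_name = 'Log_User_Out';
        function_start($fct_name);
        $this->expire_login();
        function_end($fct_name);
        return true;
    }
}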
?>
and the code below is located in the 'models' directory:
<?php
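class Authentications_Model
{
    /** @var string PHP session id this object works with; set at construction and refreshed on login. */
    public $session_id;

    /**
     * Captures the current PHP session id so every query below targets this visitor's row.
     * Was a PHP4-style constructor named after the class, which PHP 8 no longer recognises.
     */
    function __construct()
    {
        $this->session_id = session_id();
    }

    /**
     * Fetches the unexpired sessions row for the current session id.
     *
     * @return array|false  the sessions row, or false when none exists or it has expired
     */
    function get_session()
    {
        $fct_name = 'get_session';
        function_start($fct_name);
        global $db;
        // NOTE(review): quote_null_or_var() is the project's quoting helper, not a bound
        // parameter; confirm it escapes for the driver in use.
        $ins_session_id = $db->quote_null_or_var($this->session_id);
        $ins_expiry_time = $db->quote_null_or_var(time());
        // Should more than one row for the same session id ever exist, prefer the newest one
        // instead of whichever row the database happens to return first.
        $sql = " SELECT * FROM sessions " .
            " WHERE session_id = $ins_session_id " .
            " AND expires > $ins_expiry_time " .
            " ORDER BY expires DESC ";
        $result = $db->db_query($sql);
        $row = false;
        if ($db->db_num_rows($result)) {
            $row = $db->db_fetch($result);
        }
        if (!$row) {
            debug("there is no session for this user. They are not logged in, returning false");
        } else {
            debug("The user is logged in. The row is:");
            debug_row($row);
        }
        function_end($fct_name);
        return $row;
    }

    /**
     * Pushes the expiry of this session's row out to now + MAX_LOGIN_TIME.
     *
     * @return mixed whatever $db->update_row() returns
     */
    function update_session_time()
    {
        $fct_name = 'update_session_time';
        function_start($fct_name);
        $expiry_time = time() + MAX_LOGIN_TIME;
        global $db;
        $res = $db->update_row(
            'sessions',
            array('expires' => $expiry_time),
            array('session_id' => $this->session_id)
        );
        function_end($fct_name);
        return $res;
    }

    /**
     * Checks the credentials against the users table and, on success, stores the user row in
     * the global $authentication, rotates the PHP session id and inserts a sessions row for it.
     *
     * @param string $user_name  matched case-insensitively
     * @param string $password   plain text; passed through encrypt_password() before comparison
     * @return bool true when a matching coach account was found and a session row was written
     */
    function insert_login($user_name, $password)
    {
        $fct_name = 'insert_login';
        function_start($fct_name);
        global $db;
        // encrypt_password() is defined elsewhere — presumably a one-way hash; verify it is
        // salted and not reversible, since the stored value is compared directly in SQL.
        $encrypted_password = encrypt_password($password);
        $ins_user_name = $db->quote_null_or_var($user_name);
        $ins_encrypted_password = $db->quote_null_or_var($encrypted_password);
        // Only accounts flagged coach = '1' may log in.
        $sql = " SELECT * FROM users " .
            " WHERE UPPER(user_name) = UPPER($ins_user_name) " .
            " AND password = $ins_encrypted_password " .
            " AND coach = '1' ";
        $res = $db->db_query($sql);
        $user_row = $db->db_fetch($res);
        if (!$user_row) {
            function_end($fct_name);
            return false;
        }
        global $authentication;
        $authentication = $user_row;
        debug("correct username and password so now insert a session");

        // Remove any row still attached to the pre-login session id. Without this, a second
        // login in the same browser session adds another row with the same session_id and
        // get_session() can hand back the earlier user's row.
        $db->delete('sessions', array('session_id' => $this->session_id));

        // Issue a fresh session id at login so an id seen or fixed before authentication does
        // not carry over into the authenticated session. session_id() is '' when no session is
        // active (e.g. the cron path), in which case the current id is kept.
        if (session_id() !== '') {
            session_regenerate_id(true);
            $this->session_id = session_id();
        }

        $expires = time() + MAX_LOGIN_TIME;
        $db->insert_row('sessions', array(
            'session_id' => $this->session_id,
            'user_id'    => $user_row['id'],
            'expires'    => $expires,
            // Absent outside a web request, so do not rely on it being set.
            'ip_address' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null,
        ));
        function_end($fct_name);
        return true;
    }

    /**
     * Logs the current user out: deletes this session's row (and, as before, every other
     * session row of the same user), tears down the PHP session, expires the session cookie
     * and resets the global $authentication to false.
     */
    function expire_login()
    {
        $fct_name = 'expire_login';
        function_start($fct_name);
        global $db;
        global $authentication;
        // Delete the row for this session while $this->session_id is still the live id.
        debug("deleting the session row for session id [{$this->session_id}]");
        $db->delete('sessions', array('session_id' => $this->session_id));
        // Keep the original "log out everywhere" behaviour, but only when a user is actually
        // known: $authentication is false when nobody is logged in.
        if (is_array($authentication) && isset($authentication['id'])) {
            $db->delete('sessions', array('user_id' => $authentication['id']));
        }
        // Tear down the PHP session and expire its cookie under whatever name the session uses
        // (hard-coding "PHPSESSID" misses a renamed session).
        if (session_id() !== '') {
            $_SESSION = array();
            session_destroy();
        }
        setcookie(session_name(), '', time() - 60000);
        $authentication = false;
        function_end($fct_name);
    }
}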
?>
Can anyone see why the session isn't being destroyed properly?