dp9599 2011-04-23 13:35

$_SESSION not recognized when logging back in after a timeout

I have a site with both public and private sections. To access the private areas, users have to log in, which sets session variables. The login script authenticates everything and then changes the header location to the private page:

    // get info from database and if user is authorized, then redirect
    session_start();
    $_SESSION['authorized'] = $user;
    $_SESSION['firstname'] = $first;
    $_SESSION['lastname'] = $last;
    $_SESSION['password'] = $pass;
    $_SESSION['position'] = $position;
    $_SESSION['email'] = $email;
    header("Location: index2.php");

Then on the index2.php page, I have an authorization check at the top:

    session_start();
    if (!isset($_SESSION['authorized'])) {
        header("Location: denied_unauth.php");
        die();
    } else {
        // rest of page
    }

Everything works like a charm. EXCEPT...if there's no activity for 20 minutes, users have to log back in. Index2.php uses jQuery to load divs into it, so users never leave index2.php. If they click to retrieve a page on the private site after inactivity, instead of the div they requested, they get a "logged out" message and are presented with the login form again. It's the exact same script as the one listed above, setting the exact same session variables and redirecting them back to the exact same page (index2.php), which is the same page they're logging in from - basically, just reloading the page.

Whenever I test this, index2.php isn't recognizing the new session. It's sending users to "denied_unauth.php" every time. This tells me that the login script is working, it's recognizing the username and password and sending users to index2.php...but when the page reloads index2.php, the session isn't being recognized. I even tried adding a random number to the end of the URL "index2.php?somerandomnumber" in case it was a caching problem, but it didn't help.

Any ideas?

EDIT: To be clear, I'm not asking for a way to STOP the user being logged out. I'm trying to figure out why, if new session variables are created during the log-back-in script, it's not recognizing them when reloading the page. The session variables ARE created the first time they log in, so I know that part of the script works. But when they go back to the page again after re-logging, it doesn't recognize the new $_SESSION['authorized'].

EDIT 2: Here's what is happening:

  1. From the page index.php, user logs in. The login form creates a session and redirects the header to index2.php
  2. Page index2.php checks whether session is set, if not it kicks the user out to a "denied access" page.
  3. User clicks links within index2.php page to load sections into the main div
  4. Each file that loads into the main div has a check on it to see if the session is set. If the session exists then the file loads, if the session is expired then instead of the file, it shows the user the login form and asks them to log back in. (all this works so far)
  5. When the user logs back in from this form, a new set of session variables is created. I have tried both setting a new session or session_regenerate_id() and neither seems to work.
  6. This new session is NOT being recognized by index2.php and it kicks them out every time. I have tried both redirecting straight to index2.php after login, or simply loading the div they'd requested in the first place, but both ways, index2.php doesn't see that the session is set and the user ends up on the "denied access" page.

5 answers

  • doushi3322 2011-04-23 13:52

    Sessions have a timeout specified in the php.ini file:

    ; Lifetime in seconds of cookie or, if 0, until browser is restarted.
    session.cookie_lifetime = 0
    
    ; After this number of seconds, stored data will be seen as 'garbage' and
    ; cleaned up by the garbage collection process.
    session.gc_maxlifetime = 1440
    
    ; Document expires after n minutes.
    session.cache_expire = 180
    

    If you cannot or do not want to change that globally on the server, try using an .htaccess file on Apache.
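
As an added example (not code from the question or the answer), this sketch enforces the 20-minute idle limit in application code instead of depending on when `session.gc_maxlifetime` garbage collection runs, issues a fresh session ID at every login, and keeps the password out of the session. The function names, `IDLE_LIMIT` and the `last_seen` key are assumptions, and PHP 7.3 or later is assumed for the `session_start()` options.

```php
<?php
// Added example, not the asker's code. Assumed names: IDLE_LIMIT,
// start_secure_session(), login_user(), require_login(), 'last_seen'.
const IDLE_LIMIT = 1200; // 20 minutes, the idle period mentioned in the question

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_start([
        'cookie_httponly' => true,   // keep the session ID away from page scripts
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,   // reject session IDs the server did not issue
        'gc_maxlifetime'  => IDLE_LIMIT,
    ]);
}

// Call only after the credentials have been verified against the database.
function login_user(string $username, string $position): void
{
    start_secure_session();
    session_regenerate_id(true);   // new ID at each login; the old session data is deleted
    $_SESSION = [                  // discard anything left from the expired login
        'authorized' => $username,
        'position'   => $position, // no password: it is not needed after authentication
        'last_seen'  => time(),
    ];
    session_write_close();         // flush to storage before the redirect is followed
}

// Call at the top of index2.php and of every fragment loaded into it.
function require_login(): bool
{
    start_secure_session();
    $last = $_SESSION['last_seen'] ?? 0;
    if (!isset($_SESSION['authorized']) || time() - $last > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();         // expire deterministically instead of waiting for GC
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```

A page sends the redirect or renders the login form when `require_login()` returns `false`, and calls `exit` immediately after any `header("Location: ...")`.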
