Log out inactive user, and if user is already logged in, deny login (PHP session)

What I'm trying to achieve is two conditions:

  1. If the user is inactive for more than 10 min, then log out the user.
  2. If the user is already logged in, then deny login for the same user until the user logs out.

For case-1 (inactive user auto logout), what I have done so far:

$user_id = $_SESSION['user_id'];
$username = $_SESSION['syner'];
$user_role = $_SESSION['user_role'];
$session_id = session_id();
$date = date('d-m-y');
$time = time();
$time_out_session = 600;
$time_out = $time - $time_out_session;

$query = "SELECT * FROM online_users WHERE session_id = '$session_id' AND user_id = '$user_id'";
$send_query = mysqli_query($connection, $query);

if(!$send_query){
        die("Send Query Failed. " .mysqli_error($connection));
    }
                   
$count = mysqli_num_rows($send_query);

//if row count is null then insert the values in table
if($count == NULL){
    $session_insert = 
    "INSERT INTO online_users(user_id,username,user_role,session_id,time,date) 
             VALUES($user_id,'$username','$user_role','$session_id','$time',now() )";

    $my_query = mysqli_query($connection, $session_insert);

    if(!$my_query){
        die("Insert Query Failed. " .mysqli_error($connection));
    }
}

                    
//set status = ON                    
$st=mysqli_query($connection, "UPDATE online_users SET status='ON', time = '$time' WHERE session_id = '$session_id'  ");
if(!$st){
    die("Set ON Query Failed. " .mysqli_error($connection));
}

//as i want to display admin and subscriber online number separately

//count the subscriber user online number
$qt=mysqli_query($connection, "SELECT user_id FROM online_users WHERE status = 'ON' AND time > '$time_out' AND user_role = 'subscriber' ");
$count_user = mysqli_num_rows($qt);

//count the admin user online number
$super=mysqli_query($connection, "SELECT user_id FROM online_users WHERE status = 'ON' AND time > '$time_out' AND user_role = 'admin' ");
$super_user = mysqli_num_rows($super);


//Now this is the query I'm trying for logging out an inactive user
$qtrp = mysqli_query($connection, "SELECT * FROM online_users WHERE session_id='$session_id'");
    while($role = mysqli_fetch_assoc($qtrp)){
    $db_id = $role['user_id'];
    $db_name = $role['username'];
    $db_role = $role['user_role'];
    $db_status = $role['status'];
    $db_time = $role['time'];
}

                    
//but this section doesn't seem to be working
//$time = time();
//$time_out_session = 600;
//$time_out = $time - $time_out_session;

if($db_time < $time_out ){
    header("Location: ../admin/includes/logout.php");
}

For case-2 (deny user login if he is already logged in): now, this may not be the proper way, but it worked for me. What I did is, during login, check the user status (status ON/OFF, which is set with the user count session). If the user status is ON, then send the user to the logout page. It's working fine.

So, what I'm trying to do is: if the user is already logged in, prevent him from multiple logins. And below the submit button I want to display a message like "user already online, please log out first to log in the current user".

As it is, I redirect to the logout page if the user is already logged in, and from the logout page redirect to the home page. (The login is in the sidebar on the home page.)

Case-2 code, what I have done so far:

if(isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];

$username = mysqli_real_escape_string($connection, $username);
$password = mysqli_real_escape_string($connection, $password);

$query = "SELECT * FROM users WHERE username = '{$username}'";
$select_user_query = mysqli_query($connection, $query);

if(!$select_user_query){
	die("Query Failed. " . mysqli_error($connection));
}

$db_username = '';
$db_user_password  = '';

while($row = mysqli_fetch_assoc($select_user_query)){
	$db_user_id = $row['user_id'];
	$db_username = $row['username'];
	$db_user_password = $row['user_password'];
	$db_user_firstname = $row['user_firstname'];
	$db_user_lastname = $row['user_lastname'];
	$db_user_role = $row['user_role'];
}

$password = crypt($password, $db_user_password);

if ($username !== $db_username && $password !== $db_user_password) {

	header("Location: ../index.php");

}elseif ($username == $db_username && $password == $db_user_password) {

$_SESSION['user_id'] = $db_user_id;
$_SESSION['syner'] = $db_username;
$_SESSION['firstname'] = $db_user_firstname;
$_SESSION['lastname'] = $db_user_lastname;
$_SESSION['user_role'] = $db_user_role;

//this is where I'm checking the user login status
//if status is ON I'm sending the user to the logout page

$qt=mysqli_query($connection, "SELECT * FROM online_users WHERE username = '$username' ");
while($role = mysqli_fetch_assoc($qt)){

$db_status = $role['status'];

}

//if user status = ON send him to logout page.
	if ($db_status == 'ON') {
		header("Location: ../admin/includes/logout.php");
	}else{
			 header("Location: ../admin");
	 	}

}else{
header("Location: ../index.php");
}

}

This section has been solved… :slightly_smiling_face: :kissing_smiling_eyes:
Solution

if(($time_out - $time) > 30 ){
 mysqli_query($connection, "UPDATE online_users SET status='OFF' WHERE session_id = '$session_id'  ");
header('Location:includes/logout.php');
              }
    

Trying to Solve the Second case…??? :shushing_face: :yawning_face:

You have to be very careful about how you’re going to do this - what if your user has lost their connection and cannot reconnect to it? You’re blocking them from logging in again.

You should not be using home-made password encoding - use password_hash() to store passwords, and password_verify() to check them. While you’re at it, you should also switch to prepared statements instead of concatenating strings into your queries.

I don’t see a need for your while() loop when retrieving the user details, if there will only ever be one user of that name. Just use an if() to check that it finds anyone. You could probably check whether the user is logged in already before setting the session variables too, as I could see that causing confusion.

It seems to me that in section two you already have it checking whether the user is logged in. All you need to do is set a session variable with your message, and display that message when you get to the logout page, or wherever you redirect a user who is already logged in.

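The reply's suggestions combined into one login routine, as an added example that is not code from either poster: a prepared statement with `password_verify()`, a single-row fetch, and an "already online" check made before any session variable is set. Table and column names come from the thread; the function name `attempt_login`, the constant `IDLE_LIMIT` and the message texts are assumptions, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not the original poster's code. Table and column names are
// taken from the thread; IDLE_LIMIT mirrors its 600-second timeout.
const IDLE_LIMIT = 600;

/** Returns ['ok' => bool, 'message' => string]. Call after session_start(). */
function attempt_login(mysqli $connection, string $username, string $password): array
{
    // Prepared statement: the username is bound, never concatenated.
    $stmt = $connection->prepare(
        'SELECT user_id, username, user_password, user_role FROM users WHERE username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();   // one row expected, so no while() loop

    // password_verify() also accepts hashes that were created with crypt().
    if (!$user || !password_verify($password, $user['user_password'])) {
        return ['ok' => false, 'message' => 'Invalid username or password.'];
    }

    // Another session counts as active only if it was seen inside the idle
    // window, so a user whose connection dropped is not locked out for good.
    $userId = (int) $user['user_id'];
    $cutoff = time() - IDLE_LIMIT;
    $sid    = session_id();
    $stmt = $connection->prepare(
        "SELECT 1 FROM online_users
          WHERE user_id = ? AND status = 'ON' AND time > ? AND session_id <> ? LIMIT 1"
    );
    $stmt->bind_param('iis', $userId, $cutoff, $sid);
    $stmt->execute();
    if ($stmt->get_result()->fetch_row()) {
        return ['ok' => false, 'message' => 'User already online. Please log out first.'];
    }

    // Only now is the session populated; a fresh ID guards against session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['syner']     = $user['username'];
    $_SESSION['user_role'] = $user['user_role'];
    return ['ok' => true, 'message' => ''];
}
```

On failure the caller can store the returned message in a session variable (for example a hypothetical `$_SESSION['login_message']`) and print it below the submit button after the redirect.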