Hi guys,

I couldn't find any answer to my problem here, so I'm posting my request; if it's possible, please help me.

I'm creating a user authentication system in PHP based on sessions.
When a user logs in, it adds a row to a MySQL database table with his SID and timeout (actually time + timeout constant). At the head of each script is a row which has to delete all records from the table where the timeout is lower than the actual time. Everything works well until the user clicks the back button and refreshes the site. I thought there would be no records in the table, so he can't see the protected page, but it doesn't work.

Here is the code, please advise what's wrong ... thanks, JuroH

<?
Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");

include 'conn.php';

$timeout = time()+$t_out;
MySQL_Query("DELETE FROM autorizace WHERE time < time()");

If ((IsSet($login)) AND (IsSet($password))):
    $p = MD5($password);
    $MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p')");

    If (MySQL_Num_Rows($MSQ) <> 1):
        unset($login);
        unset($password);
        header("location: index.php?login_error=1");

        Exit;

    Else:
        $SN = "authentication";
        Session_name("$SN");
        Session_start();
        $sid = Session_id();

        $MSQ = MySQL_Query("SELECT * FROM autorizace WHERE (id = '$sid') AND (time < '$timeout')");

        If ((MySQL_Num_Rows($MSQ) <> 1) and ($send <> "true")):
            echo "Neautorizovaný přístuttp ";
            echo $send;
            Exit;
        Else:
            $MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', time()");
        Endif;

    Endif;
    $send="false";
?>
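
Added example, not part of the original post: a server-side session-expiry check for the autorizace(id, time) table queried above, with the current time computed in PHP and every value passed as a bound PDO parameter. The function names, the `time` column holding the expiry as a Unix timestamp, and the in-memory SQLite demo are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Assumed schema, following the page's
// queries: autorizace(id, time), where `time` is the expiry as a Unix timestamp.

function purgeExpired(PDO $db, int $now): void
{
    // The timestamp is computed in PHP and bound, never written into the SQL text.
    $db->prepare('DELETE FROM autorizace WHERE time < ?')->execute([$now]);
}

function authorize(PDO $db, string $sid, int $now, int $ttl): void
{
    // Called once after a successful login: one row per session id.
    $db->prepare('DELETE FROM autorizace WHERE id = ?')->execute([$sid]);
    $db->prepare('INSERT INTO autorizace (id, time) VALUES (?, ?)')
       ->execute([$sid, $now + $ttl]);
}

function isAuthorized(PDO $db, string $sid, int $now, int $ttl): bool
{
    purgeExpired($db, $now);
    $q = $db->prepare('SELECT COUNT(*) FROM autorizace WHERE id = ? AND time >= ?');
    $q->execute([$sid, $now]);
    if ((int) $q->fetchColumn() !== 1) {
        return false;               // unknown or expired session: deny
    }
    // Sliding timeout: each authorized request extends the expiry.
    $db->prepare('UPDATE autorizace SET time = ? WHERE id = ?')
       ->execute([$now + $ttl, $sid]);
    return true;
}

// Constructed demo on in-memory SQLite (assumption: pdo_sqlite is installed);
// with MySQL only the PDO DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE autorizace (id TEXT PRIMARY KEY, time INTEGER NOT NULL)');

$ttl = 600;                         // constructed timeout: 10 minutes
$t0  = 1700000000;                  // constructed login time
authorize($db, 'sid-demo', $t0, $ttl);

var_dump(isAuthorized($db, 'sid-demo', $t0 + 300, $ttl));   // request inside the window
var_dump(isAuthorized($db, 'sid-demo', $t0 + 2000, $ttl));  // request after the expiry
var_dump(isAuthorized($db, 'other-sid', $t0 + 300, $ttl));  // session that never logged in
```

On a protected page the check would run after Session_start() as isAuthorized($db, Session_id(), time(), $t_out), exiting when it returns false.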