For login im using a session_start(), for desktop its works fine, but on mobile, it doesnt work. When I make a session_id() with variable, for example, session_id('login') its works on mobile, but break other sessions on other computers. But when session_id() is generated automatically, it doesn't work on mobile. What should I do?
My session_start code on index.php
session_start();
if (isset($_SESSION['username'])){
session_id();
}
Whole code for login.php file
<?php
require('config.php');
$usernameOK = false; $passwordOK = false;
if (isset($_POST['username']) and isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$UserQuery = "SELECT username FROM `members` WHERE username='$username'";
$userTestResult = mysqli_query($connection, $UserQuery);
$usernameTEST = mysqli_num_rows($userTestResult);
if($usernameTEST == 1){$usernameOK = true;}
$PasswordQuery = "SELECT password FROM `members` WHERE username='$username'";
$result = mysqli_query($connection,$PasswordQuery);
$row = mysqli_fetch_row($result);
if (password_verify($password, $row[0])){$passwordOK = true;}
if($usernameOK == true && $passwordOK == true){
$_SESSION['username'] = $username;
}else{
$error_message = "Incorrect login data";
}
}
if (isset($_SESSION['username'])){
header("Location: ../");
exit;
}else{?>
<form class="login-form" method="POST">
<?php if(isset($error_message)){ ?><div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?>
<span class="placeholder">username</span>
<input type="text" name="username" placeholder="username" required>
<span class="placeholder">password</span>
<input type="password" name="password" id="inputPassword" placeholder="password" required>
<button type="submit">Login</button>
<a class="form-link" href="register.php">Register</a>
</form>
<?php } ?>
Not really sure what your code does, because I dont see anything regarding setting the username or anything of that sort. What your code does is, it starts the session and checks if username variable in session is set, and if YES, it calls session_id.
Can you use this to check if the session is created properly?
session_start();
if (session_status() !== PHP_SESSION_NONE)
{
echo session_id();
}
Starts a session and shows you the session ID if the session_status is not PHP_SESSION_NONE
You don't need to do a session_id() to start a session, session_start() is enough.
I've tested the following on Safari on iPhone 6 (just add the db query part back if you want):
testa.php
<?php
//require('config.php');
session_start();
echo "Session ID: ".session_id()." <br>\n";
$usernameOK = false;
$passwordOK = false;
if (isset($_POST['username']) and isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$usernameOK = true;
$passwordOK = true;
if ($usernameOK == true && $passwordOK == true) {
$_SESSION['username'] = $username;
} else {
$error_message = "Incorrect login data";
}
}
if (isset($_SESSION['username'])) {
header("Location: ../");
exit;
} else {
?>
<form class="login-form" method="POST">
<?php if (isset($error_message)) { ?>
<div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?>
<span class="placeholder">username</span>
<input type="text" name="username" placeholder="username" required>
<span class="placeholder">password</span>
<input type="password" name="password" id="inputPassword" placeholder="password" required>
<button type="submit">Login</button>
<a class="form-link" href="register.php">Register</a>
</form>
<?php } ?>
testb.php
<?php
session_start();
echo "Session ID: ".session_id()." <br>\n";
echo "Data stored in session: {$_SESSION['username']}<br>\n";
Clear data/cookies on your mobile browser (or just go into incognito mode). This will make sure you "start from scratch".
Open testa.php on your mobile browser. Take note of the session id shown. Enter your login details and tap Submit. The next page may show blank.
Open testb.php. Again, take note of the session id shown. It should be equal to the session id shown in test1.php. If they are different then it is possible your mobile browser is configured not to accept cookies.
I've personally tested this on Safari on iPhone 6 and I was able to get the username data from session.
PS. A friendly reminder: don't forget to escape the data you use in queries (i.e. $username and $password). Use mysqli_real_escape_string, or use prepared statements. For security.
Maybe you are experiencing some conflict issues:
My session_start code
if (isset($_SESSION['username'])){
session_id();
} else if (!isset($_SESSION)){
session_start();
}
Whole code for login.php file
<?php
require('config.php');
$usernameOK = false; $passwordOK = false;
if (isset($_POST['username']) and isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$UserQuery = "SELECT username FROM `members` WHERE username='$username'";
$userTestResult = mysqli_query($connection, $UserQuery);
$usernameTEST = mysqli_num_rows($userTestResult);
if($usernameTEST == 1){$usernameOK = true;}
$PasswordQuery = "SELECT password FROM `members` WHERE username='$username'";
$result = mysqli_query($connection,$PasswordQuery);
$row = mysqli_fetch_row($result);
if($usernameOK == true && password_verify($password, $row[0])){
if (isset($_SESSION)){
$_SESSION['username'] = $username;
} else{
session_start();
$_SESSION['username'] = $username;
}
}else{
$error_message = "Incorrect login data";
}
}
if (isset($_SESSION['username'])){
header("Location: ../");
exit;
}else{?>
<form class="login-form" method="POST">
<?php if(isset($error_message)){ ?><div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?>
<span class="placeholder">username</span>
<input type="text" name="username" placeholder="username" required>
<span class="placeholder">password</span>
<input type="password" name="password" id="inputPassword" placeholder="password" required>
<button type="submit">Login</button>
<a class="form-link" href="register.php">Register</a>
</form>
<?php } ?>
In the index.php on the first line I have -> REMOVE THAT, PUT FIRST ROUTINE OF SESSION CHECKING
if (!isset($_SESSION)){
session_start();
}
EDIT: I noted that you're using header function to redirect to the index page. It's important avoid such redirects unless you're sending user out of your system, because some environments doesn't work well with them. I suggest to change your routine to user POST/GET http routines instead:
Inside validateSession.php
outside validateSession, NOTHING about sessions rules, concentrate everything there
index.php/head.php/some code that always starting in every page start only that:
<?php
include_once('validateSessions.php');
?>
Your form:
<form class="login-form" action="index.php" method="POST">
<?php if(isset($error_message)){ ?><div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?>
<span class="placeholder">username</span>
<input type="text" name="username" placeholder="username" required>
<span class="placeholder">password</span>
<input type="password" name="password" id="inputPassword" placeholder="password" required>
<button type="submit">Login</button>
<a class="form-link" href="register.php">Register</a>
</form>
EDIT: I reviewed your routine, pay attention on validateSessions.php, I was forgetting to load session_start() in every routine that called the file. Put validateSessions inside your include directory.
UPDATE: Even my code helping the OP, the main problem was the SESSION configuration into php.ini file with session.save_path, causing issues about session routines. The php.ini fix solved the problem, the code I expect that helped OP to think about some routines towards Session stuff.
Probably your session is not set. Depending on the PHP version you use, check your session.
For versions of PHP >= 5.4.0
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
For versions of PHP < 5.4.0
if(session_id() == '') {
session_start();
}
Cookies definitely work on mobile browsers.
I have simplified the code and the session is started when all checks are passed.
<?php
require('config.php');
if (isset($_POST['username']) and isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$UserQuery = "SELECT password FROM `members` WHERE username='$username'";
$result = mysqli_query($connection, $UserQuery);
$usernameTEST = mysqli_num_rows($result);
if($usernameTEST == 1){
$row = mysqli_fetch_row($result);
if(password_verify($password, $row[0])) {
session_start();
$_SESSION['username'] = $username;
header("Location: ../");
exit();
}
}
$error_message = "Incorrect login data";
}
<form class="login-form" method="POST">
<?php if(isset($error_message)){ ?><div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?>
<span class="placeholder">username</span>
<input type="text" name="username" placeholder="username" required>
<span class="placeholder">password</span>
<input type="password" name="password" id="inputPassword" placeholder="password" required>
<button type="submit">Login</button>
<a class="form-link" href="register.php">Register</a>
</form>
Simplified the code to make it easier to understand.Ignoring checks for username and password etc. You're basically trying to set a session variable. That happens in login.php. Code for that is.
<?php
$username = "Umesh";
if (isset($_SESSION))
{
$_SESSION['username'] = $username;
}
else
{
session_start();
$_SESSION['username'] = $username;
}
print_r($_SESSION);
?>
In index.php you're trying to check the session status. The code is below.
if (isset($_SESSION['username'])){
session_id();
} else if (!isset($_SESSION)){
session_start();
}
print_r($_SESSION);
The above works for me on every browser and device. I even tested chrome on iphone. It seems to work fine. Please check this and see if it works. If not, we will have to check your webserver to see, what the issue is, with session objects on that system.
I verified that print_r ($_SESSION) was same in both cases.
Why you use session_id(). session I am always use this login system. I have no problem Desktop or Mobile session.
PHP code
<?php
session_start();
include 'connect.php';
if(isset($_POST['submit']))
{
$username = htmlspecialchars($_POST["uname"], ENT_QUOTES, "ISO-8859-1");
$username = stripslashes($username);
$password = htmlspecialchars($_POST["pass"], ENT_QUOTES, "ISO-8859-1");
$password = stripslashes($password);
$sql="SELECT * FROM member WHERE username= '$username' AND password='$password' AND status='1' ";
$result=mysql_db_query($dbname,$sql);
$row=mysql_fetch_row($result);
$num=mysql_num_rows($result);
$msg= "<h3 style='padding:0px;margin:0px;font-size:16px;background:#fff;padding:8px;'><font color='red'><center>Incorrect login data</center></font></h3>";
if($num>0)
{
$_SESSION['id'] =$row[0];
$_SESSION['fullName'] =$row[1];
$_SESSION['username'] =$row[2];
$_SESSION['password'] =$row[3];
$_SESSION['email'] =$row[4];
$_SESSION['userType'] =$row[5];
$_SESSION['status'] =$row[6];
header('location:index.php');
}
}
?>
My HTML Form
<form method="post">
<p><?php if (isset($_POST['submit'])) { echo $msg; } ?> </p>
<div>
<input type="text" name="uname" class="form-control" placeholder="Username..." required="" />
</div>
<div>
<input type="password" name="pass" class="form-control" placeholder="Password..." required="" />
<p align="right">Forgot it?</a></p>
</div>
<div>
<button class="btn btn-success submit" type="submit" name="submit"> Login <i class="fa fa-sign-in"></i></button>
</div>
</form>
Remove session_start(); in index.php
and Add this in your config.php
if (session_status() == PHP_SESSION_NONE)
{
session_start();
}
Going by your last comment I guess it is due to the query string you are using. Basically using password as a column name sometimes breaks the query as password is also a mysql keyword.
Also, regarding your session you can refer to session_id() vs session_regenerate_id() for further details regarding the functions. Session_id('login') basically sets the session id to login which works on your mobile device as this creates the session with the specific static id. However, you can try using session_regenerate_id(true) to see if it helps.
Also i tried executing the code by putting static value as username as follows
login.php
<?php
$username = "deadlock";
if (isset($_SESSION))
{
$_SESSION['username'] = $username;
}
else
{
session_start();
$_SESSION['username'] = $username;
}
print_r($_SESSION);
index.php
<?php
if (isset($_SESSION['username'])){
session_regenerate_id(true);
} else if (!isset($_SESSION)){
session_start();
}
print_r(session_id());
I started using index.php directly using the phone which printed the output as array() with no values.turned out that the Login.php file is not executed.after I explicitly executed Login.php the index.php printed the session array. Can you make sure that the login php file is properly executed.
Regards
Check that session_start() is placed before any browser output. I have found that Chrome on Desktop can be a lot more forgiving then other browsers as well as Mobile Chrome
This problem is generated with Chrome "Lite Mode" to reduce data load throw the Phone. If you use secret navigation so the lite mode is automatically disable an page work correctly. You have to disable "Lite Mode" on Chrome.
This is the final solution.
My problem was on server-side the session.save_path not definied to my server. Thanks a lot to all, who helped me :)
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
I have a problem
this is my index.php file
<section class="main">
<form class="form-3" method="post" action="back/login.php">
<p class="clearfix">
<input type="text" name="username" id="username" placeholder="username">
<label for="login">username</label>
</p>
<p class="clearfix">
<input type="password" name="password" id="password" placeholder="password">
<label for="password">password</label>
</p>
<p class="clearfix">
<input type="submit" name="submit" value="Sign In">
</p>
<p class="clearfix">
<label for="remember">remember me</label>
<input type="checkbox" name="remember" id="remember">
</p>
</form>
*
<div class="error"><?php echo $error;?></div>
*
</section>
and this is my login.php file
<?php
session_start();
include("connection.php");
$error = "";
if (isset($_POST["submit"])) {
if (empty($_POST["username"]) || empty($_POST["password"]))
$error = "Both fields are required.";
else {
$username = $_POST['username'];
$password = $_POST['password'];
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($db, $username);
$password = mysqli_real_escape_string($db, $password);
$password = md5($password);
$sql = "SELECT uid FROM users WHERE username='$username' and password='$password'";
$result = mysqli_query($db,$sql);
$row = mysqli_fetch_array($result,MYSQLI_ASSOC);
$login_user = $username;
if (mysqli_num_rows($result) == 1) {
$_SESSION['username'] = $login_user;
header("location: home.php");
}
else {
$error = "Incorrect username or password.";
header("location: ../index.php");
}
}
}
but my $error in html code doesn't work...
I mean when i put incorrect password and user name, it just redirect my index.php page and there is not any error inside...
Also my login.php file is included in my index.php
This is because the $error variable is inside the login.php file and not index.php.
There is basically no variable named $error in the index.php file.
A simple way to do what you're trying to do is redirecting to index.php from login.php with an error variable like:
header("location: ../index.php?error=1");
and then within index.php, use a switch case for errors like:
if(isset($_GET['error'])) {
$error_id = $_GET['error'];
switch($error_id) {
case 1:
$error = "Incorrect username or password.";
break;
}
}
I hope that helps!
I'm trying to confirm if a user submitted valid credentials.
HTML
<form action="assets/php/account/login_user.php" method="post" id="login" class="center">
<div id="register_errorloc"></div>
<div class="form-group">
<input type="text" name="login_username" id="login_username" class="form-control" placeholder="Username" />
</div>
<div class="form-group">
<input type="password" name="login_password" id="login_password" class="form-control" placeholder="Password" />
</div>
<div class="form-group">
<input type="submit" value="login" id="submit_login" class="btn btn-success form-control"/>
</div>
</form>
PHP
$username = trim($_POST['login_username']);
$password = hash('sha512',trim($_POST['login_password']));
//to check if values are correct by myself
echo '<br>' . $username . '<br>' . $password . '<br>';
include_once '../../../assets/php/DB/DBConnect.php';
//check if valid credentials are entered
$stmt = $conn->prepare("SELECT * FROM tbl_users WHERE username = ?");
echo $stmt->bind_param('s', $username);
echo $stmt->execute();
echo $stmt->store_result();
if($stmt->num_rows == 1){
echo 'Good Creds';
}else{
echo 'Bad Creds';
}
When I'm doing this it always shows 0 results. When I change the querystring to
$stmt = $conn->prepare('SELECT * FROM tbl_users WHERE username = "abc"');
I get the result I'm looking for. I'm confused because I'm using the same approach on a different page and it's working like a charm.
Screenshots
Login form
Submitted form
Row I'm looking for
Edit: Added all code.
Edit2: Added screenshots
Edit3: Added Form HTML
Edit4:
Nothing is wrong with the form submit. When I'm hardcoding the variable like this:
$username ='abc';
It still doesn't work
I'm sorry but you posted screenshots that don't help us.
In order to avoid further commenting, am submitting the following.
Your form and its related elements may be failing and require a POST method and that name attributes exist for each of them.
I.e.:
<form method="post" action="???">
<input type="text" name="login_username">
...
Edit:
Try the following, comments are getting too extensive:
$check = $conn->prepare("SELECT * FROM tbl_users WHERE username=?");
$check->bind_param("s", $username);
$check->execute();
$check->store_result();
$row_chqry = $check->num_rows;
if($row_chqry > 0 ) {
echo "Exists";
$check->close();
$conn->close();
}
Edit #2:
OP posted an answer stating that they were using the same variable for their db connection.
Something I would have spotted right away and causing a conflict, had full code been posted. I've seen that happen quite a few times before, and remember posting answers for them too. As to where they are exactly, it would take some time for me to find them; but I do remember posting answers for related questions.
Oh well, problem solved.
Solutions:
Use a different variable for your username(s).
Use unique variables.
I finally found the error:
When connecting to my DB I use:
$servername = "";
$username = "";
$password = "";
$db = "";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $db);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
In my submission script I also use $username. Including the DBconnection file caused my local variable ($username that I get from the form) to be overwritten with the username found in the DBconnect.
just having an issue with an index error. It's basically throwing this at me
http://puu.sh/chc2e/7e26d51bda.png
I am unsure of why it's giving it to me as I have listed it in the index? Any ideas
My code:
<?php
include ('config.php');
?>
<?php
// Getting username and password from login form
$username = $_POST['username'];
$password = md5($_POST['password']);
// To protect MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM login WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
// Mysql_num_row is to count number of row from the above query
$count=mysql_num_rows($result);
// count is 1 if the above username and password matches
if($count==1){
// now redirect to dashboard page, we also store the username in session for further use in dashboard
$_SESSION['username']= $username; // storing username in session
header("location:index.php");
}
//if the username and password doesn't match redirect to homepage with message=1
else {
echo '
<script language="javascript" type="text/javascript">
window.location.href="index.php?message=1";
</script>';
}
?>
Any help is appreciated. Thanks!
EDIT: User asked to see my Login form
<?php
if(isset($_POST["submit"])){
if(!empty($_POST['user']) && !empty($_POST['pass'])) {
$user=$_POST['user'];
$pass=$_POST['pass'];
$pass = strip_tags($pass);
$pass = md5($pass); // md5 is used to encrypt your password to make it more secure.
$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('aha') or die("cannot select DB");
$query=mysql_query("SELECT * FROM login WHERE username='".$user."' AND password='".$pass."'");
$numrows=mysql_num_rows($query);
if($numrows!=0)
{
while($row=mysql_fetch_assoc($query))
{
$dbusername=$row['username'];
$dbpassword=$row['password'];
}
if($user == $dbusername && $pass == $dbpassword)
{
session_start();
$_SESSION['sess_user']=$user;
/* Redirect browser */
header("Location: member.php");
}
} else {
echo "<div class='results'>Invalid username or password</div>";
}
} else {
echo "All fields are required!";
}
}
?>
HTML LOGIN:
<form action="" method="POST">
<label>Username:</label>
<input type="text" name="user" required />
<label>Password:</label>
<input type="password" name="pass" required />
<input type="submit" value="Login" name="submit" class="submit" />
<br><br>
<center>
<h2><p>Register</p></h2>
</center>
You have E_NOTICE enabled on your webserver (in php.ini).
You can typically ignore these errors, (disable them in your ini file will do the trick).
In order to fix the issue you need to define $username and $password as something (before the $_POST) because $_POST does not always exist.
$username = false;
$password = false;
for example.
As for the mysql issue, I strongly suggest looking into mysqli!
The standard mysql contains so many bugs, security issues and flaws it doesn't even exist anymore in the newer php versions.
in your first code change
$username = $_POST['user'];
$password = md5($_POST['pass']);
edit:
edit password line like point andrewsi
Change your login form with these name attributes :
<form action="" method="POST">
<label>Username:</label>
<input type="text" name="username" required />
<label>Password:</label>
<input type="password" name="password" required />
<input type="submit" value="Login" name="submit" class="submit" />
<br><br>
<center>
<h2><p>Register</p></h2>
</center>
</form>
Also replace all your $_POST['user'] and $_POST['pass'] occurences by $_POST['username'] and $_POST['password'] in your PHP code.
The fields are null, please var_dump() them. Need to see your frontend to determine more.
If you are posting form then try accessing the form via;
$_POST['Form']['Field']
Undefined Index means that the key you are trying to access in the array does not exist in the array. Undefined Index = Key (string), Undefined Offset = Index (number).
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 9 years ago.
Improve this question
Im trying to create an html form to change password in php.
my database is created in easyphp.
Here is the code to I wrote to change the password, when i test it nothing happened or changed.
<?
$user_name = "root";
$pass_word = "";
$database = "login";
$server = "127.0.0.1";
if(isset($_POST['submit']))
{
$oldpassword = md5($_POST['cur_password']);
$newpassword= md5($_POST['new_password']);
$confirm_password = md5($_POST['confirm_password']);
$usermane = $_SESSION['username'];
$con = mysqli_connect($server, $user_name, $pass_word,$database);
if (!$con)
{
die('Could not connect: ' . mysqli_connect_error());
}
$select=mysqli_query("select * from login where L1='$username'");
$fetch=mysqli_fetch_array($select);
$data_password=md5($fetch['password']);
if($newpassword==$confirm_password && $data_password==$oldpassword)
{
$insert=mysqli_query("update login set L2='$confirm_password' where L1='$username'");
}
if($insert)
{
echo "Password changed";
}
else
{
echo "Password not changed";
}
}
}
mysqli_close($con);
?>
<html>
<head>
</head>
<body>
<FORM NAME ="form1" METHOD ="POST" ACTION ="changepassword.php">
<p>old password<br />
<input type="password" name="current_password" /></p>
<p>New password<br />
<input type="password" name="new_password"/>
</p>
<p>Confirm password<br />
<input type="password" name="confirm_password"/>
</p>
<input name="submit" type="submit" value="Save Password" />
</body>
</html>
Please tell me what is wrong here.
Thanks :D
$usermane on line 12. Looks like a syntax error. Shouldn't you be getting any errors?
Also usermane and username mismatch
$usermane = $_SESSION['username'];
$select=mysqli_query("select * from login where L1='$username'");
change
$data_password=md5($fetch['password']);
to
$data_password=$fetch['password'];
you are already storing the passwords as hashes (at least according to your insert statement), when you take the hash of a hash you just get a new hash.
which causes $data_password to not equal $oldpassword
if($newpassword==$confirm_password && $data_password==$oldpassword)
{
$insert=mysqli_query("update login set L2='$confirm_password' where L1='$username'");
}
also as Eisa Adil pointed out
$usermane
should be
$username