I've been scouring the internet to make a log in using LDAP.
So far I've got some code but as soon as I hit submit nothing seems to be happening, I don't know if i'm missing something so painfully obvious or i've coded it wrong but I would appreciate any help you can give.
Code in question:
index.html
<?php
include("authenticate.php");
// check to see if user is logging out
if(isset($_GET['out'])) {
// destroy session
session_unset();
$_SESSION = array();
unset($_SESSION['user'],$_SESSION['access']);
session_destroy();
}
// check to see if login form has been submitted
if(isset($_POST['userLogin'])){
// run information through authenticator
if(authenticate($_POST['userLogin'],$_POST['userPassword']))
{
header("Location: https://hyperspice.net/protected.php", true, 301);
die();
} else {
// authentication failed
$error = 1;
}
}
// output error to user
if(isset($error))echo "Login failed: Incorrect user name, password, or rights";
// output logout success
if(isset($_GET['out'])) echo "Logout successful";
?>
<html>
<head>
<meta charset="utf-8">
<title>Hyperspice</title>
<meta name="description" content="">
<meta name="author" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="//fonts.googleapis.com/css?family=Raleway:400,300,600" rel="stylesheet" type="text/css">
<link rel="stylesheet" href="css/normalize.css">
<link rel="stylesheet" href="css/skeleton.css">
<link rel="logo" type="image/png" href="images/logo.png">
<link rel="icon" type="image/png" href="images/favicon.png">
</head>
<body>
<div class="container">
<div class="row">
<div class="one-half column" style="margin-top: 25%">
<form method="post" action="index.html">
<div class="imgcontainer">
<img src="images/logo.png" alt="Hyperslice Ltd" />
</div>
<div class="container">
<label for="userLogin"><b>Username</b></label>
<input type="text" placeholder="Enter Username" name="userLogin" required>
<label for="userPassword"><b>Password</b></label>
<input type="password" placeholder="Enter Password" name="userPassword" required>
<input type="submit" name="submit" value="submit" ></input>
<label>
<input type="checkbox" checked="checked" name="remember"> Remember me
</label>
</div>
</form>
</div>
</div>
</div>
</body>
</html>
authenticate.php:
I changed the variable contents to something different for security
<?php
function authenticate($user, $password){
if(empty($user) || empty($password)) return false;
$ldap_host = "1234.net";
$ldap_dn = "OU=departments,DC=1234,DC=net";
$ldap_user_group = "users";
$ldap_manager_group = "managers";
$ldap_usr_dom = "#1234.net";
$ldap = ldap_connect($ldap_host);
ldap_set_option($ldap,LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ldap,LDAP_OPT_REFERRALS,0);
// verify user and password
if($bind = #ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
// valid
// check presence in groups
$filter = "(sAMAccountName=".$user.")";
$attr = array("memberof");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
ldap_unbind($ldap);
// check groups
$access = 0;
foreach($entries[0]['memberof'] as $grps) {
// is manager, break loop
if(strpos($grps, $ldap_manager_group)) { $access = 2; break; }
// is user
if(strpos($grps, $ldap_user_group)) $access = 1;
}
if($access != 0) {
// establish session variables
$_SESSION['user'] = $user;
$_SESSION['access'] = $access;
return true;
} else {
// user has no rights
return false;
}
} else {
// invalid name or password
return false;
}
}
?>
protected.php:
<?php
// initialize session
session_start();
if(!isset($_SESSION['user'])) {
// user is not logged in, do something like redirect to login.php
header("Location: index.html");
die();
}
if($_SESSION['access'] != 2) {
// another example...
// user is logged in but not a manager, let's stop him
die("Access Denied");
}
?>
<p>Welcome <?= $_SESSION['user'] ?>!</p>
<p><strong>Secret Protected Content Here!</strong></p>
<p>Mary Had a Little Lamb</p>
<p>Logout</p>
I have a feeling it's something to do with the header in index.html or that the form is not posting the contents of the form correctly to authenticate.php.
Any help would be massively appreciated!
if(!isset($_SESSION['user'])) {
// user is not logged in, do something like redirect to login.php
header("Location: index.html");
die(); }
the session 'blank' and back to Location
Related
I am having trouble writing code how to log in user automatically after registration. I am using epoch and when user passes payment it redirects him to site but he is not logged in. I already did redirection with window.location = 'www.site.com/members/?username={$member.username}'; and it redirects me to that page with correct username in URL but the user is not logged in. I just need help on how to write logic that logs in user. Any help is appreciated. Here is my code.
header.php (Here is user redirected after successful registration and here I need to write login logic. Currently I am just being redirected to login page. In elseif it would go that logic.)
<?php
session_start();
if(!isset($_SESSION["loggedin"])) {
header("Location: www.site.com/tour/login.php");
} elseif(isset($_GET["username"])) {
login_function();
}
?>
custom_functions.php (Here is my login function that logs in user on site)
function login_function() {
session_start();
require 'connection.php';
$_SESSION["username_error"] = $username_error;
$_SESSION["password_error"] = $password_error;
$v_username = $_POST['username'];
$v_password = $_POST['password'];
$username = validation($v_username);
$password = validation($v_password);
$remember = isset($_POST['remember']);
if(empty($username))
{
$_SESSION["username_error"] = "<p>Please enter your username!</p>";
header("Location: login.php");
exit();
}
if(empty($password))
{
$_SESSION["password_error"] = "<p>Please enter your password!</p>";
header("Location: login.php");
exit();
}
if($username && $password) {
$sql = "SELECT * FROM member_auth WHERE username = :username";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':username', $username);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);
$cryptpass = $user['cryptpass'];
if($user === false){
$_SESSION["username_error"] = "<p>User doesn't exist</p>";
header("Location: login.php");
exit();
} elseif($user) {
$newpass = crypt($password, $cryptpass);
if($cryptpass == $newpass) {
$_SESSION['loggedin'] = TRUE;
$_SESSION['username'] = $username;
if($remember == "on") {
setcookie("remember", $username, time()+3600);
}
header('Location: login_success.php');
exit();
} else {
$_SESSION["password_error"] = "<p>Password is not correct!</p>";
header("Location: login.php");
exit();
}
}
}
}
login.php
<?php
session_start();
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="/login_assets/css/style.css">
<link href="https://fonts.googleapis.com/css?family=Raleway:300,400,500&display=swap" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/login_assets/css/media.css">
<script src="/login_assets/js/jquery.min.js"></script>
<script src="/login_assets/js/modernizr.custom.js"></script>
<!-- <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous"> -->
</head>
<div id="login_body">
<header class="clear hBlack">
<div class="jLogo"><img src="/login_assets/images/logo.png" alt=""></div>
</header>
<div class="logArea clear">
<form action="custom_functions.php" method="post" enctype="application/x-www-form-urlencoded">
<div class="logbox">
<div class="box clear">
<h2>Members Area</h2>
<div class="logTypes">
<input type="text" name="username" class="logtextbox" placeholder="Username or email">
<span class="text-danger"><?php if(isset($_SESSION['username_error'])){ echo $_SESSION["username_error"]; unset($_SESSION["username_error"]); } ?></span>
<input type="password" name="password" class="logtextbox" placeholder="Password"><br>
<span class="text-danger"><?php if(isset($_SESSION['password_error'])){ echo $_SESSION["password_error"]; unset($_SESSION["password_error"]); } ?></span>
<!-- <input type="text" name="captcha" class="logtextbox" placeholder="Enter the code shown below"><br>
<img style="margin: 0 auto;" src="captcha.php">
<span class="text-danger"></span> -->
<div style="text-align: center">Remember my login: <input name="remember" type="checkbox"></div>
</div>
</div>
<input type="submit" value="submit" class="logBtn" name="submit">
</div>
</form>
<div class="logtext1">
</div>
<div class="logtext2">
</div>
</div>
</div>
<footer class="clear">
</footer>
</div>
</html>
Your registration logic looks fine for me. Your header checks whether the user has logged in before, which is stored in the session variable.
if(!isset($_SESSION["loggedin"])) {
header("Location: www.site.com/tour/login.php");
} elseif(isset($_GET["username"])) {
login_function();
}
I don't understand why you call login_function again. If the Session Variable "loggedIn" is true, the user has been logged in already. Why do you want to call login function again. If you need to fetch data for that user, you need to store the user id in a session variable and use that to make the request.
If you want to login automatically after you login register and login process should be like this,
when user registration done, set the $_SESSION["loggedin"].
the login page should check if $_SESSION["loggedin"] was setted, if setted head to login success page.
You can also head to login success page when registration done, without bypass the login page.
I have a login page that regardless of what the input is (correct login or not) the page just refreshes when hitting the "login" button. I've searched on stack overflow and nothing has solved my problem yet.
Login Page Session Code
<?php
session_start();
if(isset($_SESSION['login'])) {
header('LOCATION: test-page.php'); die();
}
echo isset($_SESSION['login']);
?>
Login Page Form
<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<title>Login</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<link rel="stylesheet" href="styles.css">
</head>
<body>
<div class="form-container">
<div class="image"></div>
<div class="form">
<form>
<h1>Login</h1>
<ul>
<li>
<input class="input" type="text" id="username" autocomplete="off">
<label for="username">Username</label>
<span></span>
</li>
<li>
<input class="input" type="password" id="password" autocomplete="off">
<label for="password">Password</label>
<span></span>
</li>
</ul>
<footer>
<button type="submit" class="gradient">Login</button>
</footer>
</form>
Login Page Username and Password
<?php
if(isset($_POST['submit'])){
$username = $_POST['username']; $password = $_POST['password'];
if($username === 'admin' && $password === 'password'){
$_SESSION['login'] = true; header('LOCATION: test-page.php'); die();
} elseif ($username === 'billy' && $password === 'bob') {
$_SESSION['login'] = true; header('LOCATION: test-page.php'); die();
} else {
echo "<div class='alert alert-danger'>Username and Password do not match.</div>";
}
}
?>
</div>
</div>
<script src="login.js"></script>
</body>
</html>
Page After Login Success
<?php
session_start();
if(!isset($_SESSION['login'])) {
header('LOCATION: login.php'); die(); // mlac-resources-login.php
}
?>
The login page is split up for readability but it is all one continuous block of code. The
Redirects (or any kind of header for that matter) require NO OUTPUT SENT for it to work.
Outputs include:
Echo commands
<!DOCTYPE html>
Even any whitespace could break it! (New lines or spaces)
For example:
<?php
session_start();
echo isset($_SESSION['login']); //Output
if(isset($_SESSION['login'])) {
header('LOCATION: test-page.php'); die(); //Won't work since there's already output...
}
?>
Try changing your code to:
<?php
session_start();
if(isset($_SESSION['login'])) {
header('LOCATION: test-page.php'); die(); //This should work now!
}
echo isset($_SESSION['login']); //Output goes here!
?>
A form's default method is GET and you're processing POST. Either set the method to post, or use $_GET when processing the form.
<form method="post">
...
or
if (isset($_GET['submit'])){
...
I am creating a login page for an administrative backend. For some reason my form is not redirecting me to the protected index page. I feel like I am missing something super simple.
Login Form
<?php
include_once '../db/db_connect.php';
include_once '../db/functions.php';
sec_session_start();
if (login_check($mysqli)==true) {
$logged='in' ;
} else {
$logged='out' ;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="author" content="">
<title>Login | Duplin County Employee Portal</title>
<!-- Bootstrap Core CSS -->
<link href="../bower_components/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
<!-- MetisMenu CSS -->
<link href="../bower_components/metisMenu/dist/metisMenu.min.css" rel="stylesheet">
<!-- Custom CSS -->
<link href="../dist/css/sb-admin-2.css" rel="stylesheet">
<!-- Custom Fonts -->
<link href="../bower_components/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<script type="text/JavaScript" src="js/sha512.js"></script>
<script type="text/JavaScript" src="js/forms.js"></script>
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-4 col-md-offset-4">
<div class="login-panel panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Please Sign In</h3>
</div>
<div class="panel-body">
<?php if (isset($_GET[ 'error'])) { echo '<p class="error">Error Logging In!</p>'; } ?>
<form action="../db/process_login.php" method="post" name="login_form">
<fieldset>
<div class="form-group">
<input class="form-control" placeholder="UserName" type="text" name="username" autofocus/>
</div>
<div class="form-group">
<input class="form-control" placeholder="Password" type="password" name="password" id="password" />
</div>
<div class="checkbox">
<label>
<input name="remember_me" id="remember_me" type="checkbox" value="Remember Me" checked="checked">Remember Me
</label>
</div>
<input class="btn btn-lg btn-success btn-block" type="button" value="Login" onclick="formhash(this.form, this.form.username, this.form.password);" />
</fieldset>
</form>
<?php if (login_check($mysqli)==true) { echo '<p>Currently logged ' . $logged . ' as ' . htmlentities($_SESSION[ 'username']) . '.</p>'; echo '<p>Do you want to change user? Log out.</p>'; } else { echo '<p>Currently logged ' . $logged . '.</p>'; echo "<p>If you don't have a login, please <a href='register.php'>register</a></p>"; } ?>
</div>
</div>
</div>
</div>
</div>
<!-- jQuery -->
<script src="../bower_components/jquery/dist/jquery.min.js"></script>
<!-- Bootstrap Core JavaScript -->
<script src="../bower_components/bootstrap/dist/js/bootstrap.min.js"></script>
<!-- Metis Menu Plugin JavaScript -->
<script src="../bower_components/metisMenu/dist/metisMenu.min.js"></script>
<!-- Custom Theme JavaScript -->
<script src="../dist/js/sb-admin-2.js"></script>
</body>
</html>
Process Login PHP
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['username'], $_POST['p'])) {
$username = $_POST['username'];
$password = $_POST['p']; // The hashed password.
if (login($username, $password, $mysqli) == true) {
// Login success
header('Location: ../pages/index.php');
} else {
// Login failed
header('Location: ../index.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
Secure Session Function
function sec_session_start() {
$session_name = 'sec_session_id'; // Set a custom session name
$secure = SECURE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(true); // regenerated the session, delete the old one.
}
Login Functions
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM users
WHERE username = ?
LIMIT 1")) {
$stmt->bind_param('s', $username); // Bind "$username" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($users_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($users_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$users_id = preg_replace("/[^0-9]+/", "", $users_id);
$_SESSION['users_id'] = $users_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$users_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
I am positive that the issue is in one of these three files. Any help you can give me would be amazing.
Im trying to integrate usercake onto my website. I installed it and registered an account. When i try to login with that account, the browser loads then nothing happens and i cant get into an account.
<?php
/*
UserCake
http://usercake.com
Developed by: Adam Davis
*/
require_once("models/config.php");
//Prevent the user visiting the logged in page if he/she is already logged in
if(isUserLoggedIn()) { header("Location: account.php"); die(); }
?>
<?php
/*
Below is a very simple example of how to process a login request.
Some simple validation (ideally more is needed).
*/
//Forms posted
if(!empty($_POST))
{
$errors = array();
$username = trim($_POST["username"]);
$password = trim($_POST["password"]);
//Perform some validation
//Feel free to edit / change as required
if($username == "")
{
$errors[] = lang("ACCOUNT_SPECIFY_USERNAME");
}
if($password == "")
{
$errors[] = lang("ACCOUNT_SPECIFY_PASSWORD");
}
//End data validation
if(count($errors) == 0)
{
//A security note here, never tell the user which credential was incorrect
if(!usernameExists($username))
{
$errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
}
else
{
$userdetails = fetchUserDetails($username);
//See if the user's account is activation
if($userdetails["Active"]==0)
{
$errors[] = lang("ACCOUNT_INACTIVE");
}
else
{
//Hash the password and use the salt from the database to compare the password.
$entered_pass = generateHash($password,$userdetails["Password"]);
if($entered_pass != $userdetails["Password"])
{
//Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing
$errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
}
else
{
//Passwords match! we're good to go'
//Construct a new logged in user object
//Transfer some db data to the session object
$loggedInUser = new loggedInUser();
$loggedInUser->email = $userdetails["Email"];
$loggedInUser->user_id = $userdetails["User_ID"];
$loggedInUser->hash_pw = $userdetails["Password"];
$loggedInUser->display_username = $userdetails["Username"];
$loggedInUser->clean_username = $userdetails["Username_Clean"];
//Update last sign in
$loggedInUser->updateLastSignIn();
$_SESSION["userCakeUser"] = $loggedInUser;
//Redirect to user account page
header("Location: account.php");
die();
}
}
}
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
<link href="cakestyle.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="wrapper">
<div id="content">
<div id="left-nav">
<?php include("layout_inc/left-nav.php"); ?>
<div class="clear"></div>
</div>
<div id="main">
<h1>Login</h1>
<?php
if(!empty($_POST))
{
?>
<?php
if(count($errors) > 0)
{
?>
<div id="errors">
<?php errorBlock($errors); ?>
</div>
<?php
} }
?>
<div id="regbox">
<form name="newUser" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<p>
<label>Username:</label>
<input type="text" name="username" />
</p>
<p>
<label>Password:</label>
<input type="password" name="password" />
</p>
<p>
<label> </label>
<input type="submit" value="Login" class="submit" />
</p>
</form>
</div>
</div>
<div class="clear"></div>
</div>
</div>
</body>
</html>
Its ok. The problem was with my web host and their php sessions configuration.
I'm creating a small membership site. I've created a login script and was wondering if this is on it's way to becoming secure from common attacks and what else I could do to make it even more secure. No credit card details are stored on the system, that's being processed by a separate merchant.
Login.php
<?php
session_start();
$notifications = array();
if(!empty($_POST['login'])) {
if(empty($_POST['email']) || empty($_POST['password'])) {
$notifications[] = 'Login failed! Please provide a username and password.';
}
if(count($notifications) == 0) {
try {
$dbh = new PDO('mysql:dbname=lf_database;host=127.0.0.1', 'root', 'root');
$sql = "SELECT email, verified FROM users WHERE email = :email AND password = :password";
$sth = $dbh->prepare($sql);
$sth->execute(array(
':email' => $_POST['email'],
':password' => md5($_POST['password'])
));
$result = $sth->fetch(PDO::FETCH_ASSOC);
if($result) {
// Set session details and redirect user to members page
session_regenerate_id();
$_SESSION['logged_in'] = true;
$_SESSION['verified'] = $result['verified'];
$_SESSION['created'] = time();
$_SESSION['ua'] = md5($_SERVER['HTTP_USER_AGENT']) . 'fable3';
header('Location: members.php');
} else {
$notifications[] = "Username or Password incorrect.";
}
} catch (PDOException $e) {
echo 'We\'re having database issues at the moment. Don\'t worry, we\'re getting it sorted!';
}
}
} elseif(!empty($_POST['forgot_password'])) {
// Not yet implemented
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Members Login</title>
<link rel="stylesheet" type="text/css" href="css/reset.css">
<!--[if IE]>
<script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body id="home">
<h1>Members Login</h1>
<?php if(count($notifications) > 0) : ?>
<ul>
<?php foreach($notifications as $notification) : ?>
<li><?php print $notification ?></li>
<?php endforeach; ?>
</ul>
<?php endif; ?>
<form method="POST" action="">
<fieldset>
<legend>Login</legend>
<input type="email" name="email" placeholder="Email Address" required>
<input type="password" name="password" placeholder="Password" required>
<input type="submit" name="login" value="Login">
</fieldset>
</form>
Need Account? Sign Up
<form method="POST" action="">
<fieldset>
<legend>Forgot Your Password?</legend>
<input type="email" name="forgot_password_email" placeholder="Email Address" required>
<input type="submit" name="forgot_password" value="Request New Password">
</fieldset>
</form>
</body>
</html>
Members.php
<?php
session_start();
$verified = false;
// Is the user logged in?
if(!isset($_SESSION['logged_in'])) {
session_destroy();
header('Location: login.php');
}
// Is the previous session valid?
if ($_SESSION['ua'] != md5($_SERVER['HTTP_USER_AGENT']) . 'fable3') {
session_destroy();
header('Location: login.php');
}
// Is the user verified?
if(isset($_SESSION['verified'])) {
if($_SESSION['verified']) {
$verified = true;
}
}
// Expire session here after 2 hours (user will be watching a movie, no point expiring before hand)
?>
<h1>Logged In!</h1>
<h2>Debug:</h2>
<pre><?php print_r($_SESSION); ?></pre>
Logout
error_reporting(0) and just to be sure, turn register_globals off. And session_destroy() is not enough to "destroy" the session. You'd have to empty the $_SESSION superglobal using $_SESSION = array() and then unset the session cookie in the $_COOKIE superglobal.