index.php
session_start();
if(isset($_POST['login'])){
$username = mysqli_real_escape_string($con,$_POST['username']);
$pass = mysqli_real_escape_string($con,$_POST['userpass']);
$sel_user = "select * from users where user_name='$username' AND user_password='$pass'";
$run_user = mysqli_query($con, $sel_user);
$check_user = mysqli_num_rows($run_user);
if($check_user>0) {
$_SESSION['loggedIn'] = true;
$_SESSION['user_name']=$username;
header("location:display.php");
die();
}
else {
echo "<script>alert('Username or Password is not correct, please try again!')</script>";
}
}
display.php
session_start();
if(!$_SESSION['loggedIn']) {
header("location: index.php");
die();
}
Hello, I'm trying to figure out why my index.php is not letting me properly log in and access my display.php. The password and username are right, but it keeps redirecting me to index.php. Any ideas why?
Why don't you use Cookies instead?
In your login.php page instead of:
if($check_user>0) {
$_SESSION['loggedIn'] = true;
$_SESSION['user_name']=$username;
header("location:display.php");
die();
}
Do this:
if($check_user>0) {
$_SESSION['user_name']=$username;
$Month = 86400 + time();
setcookie('user', $username, $Month);
header("Location:display.php");
}
and then on your display.php
session_start();
if(!isset($_COOKIE['user']))
{
header("location:index.php");
die();
}
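A cookie is supplied by the browser, so isset($_COOKIE['user']) shows only that a value was sent, not that a login took place. The added example below (not code from the thread; helper names are hypothetical, session keys and page names follow the question, PHP 7.3 or later is assumed) keeps the check on server-side session data and hardens the session cookie:

```php
<?php
// Added example, not code from the thread. Session keys ('loggedIn',
// 'user_name') and page names follow the question; the helper names are
// hypothetical. Assumes PHP 7.3+ for the array form of session_set_cookie_params().
declare(strict_types=1);

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'lifetime' => 0,                         // dropped when the browser closes
            'path'     => '/',
            'secure'   => !empty($_SERVER['HTTPS']), // HTTPS-only when served over TLS
            'httponly' => true,                      // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// The decision uses only server-side session data. $_COOKIE is never
// consulted, because the browser controls every value in it.
function is_authenticated(array $session): bool
{
    return ($session['loggedIn'] ?? false) === true
        && is_string($session['user_name'] ?? null);
}

// Call at the top of display.php, before any output.
function require_login(): string
{
    start_session();
    if (!is_authenticated($_SESSION)) {
        header('Location: index.php');
        exit;
    }
    return $_SESSION['user_name'];
}

// Constructed states: a browser that only sent a 'user' cookie has an empty
// session on the server and is not treated as logged in.
$states = [
    'cookie only, no session data' => [],
    'after a successful login'     => ['loggedIn' => true, 'user_name' => 'alice'],
];
foreach ($states as $label => $session) {
    printf("%-30s %s\n", $label, is_authenticated($session) ? 'allow' : 'redirect to index.php');
}
```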
Related
Hi, I want to block direct URL access to my pages using the PHP code below, but if I include it in my forms I can't log in. Even after typing my username and password, it's like I'm locked out of my application. Can someone help, please?
That's my security.php file:
<?php
if(!isset ($_SESSION['user']))
{
header ('location:user_login.php');
}
?>
And the user login file:
<?php
if (isset($_POST['btnLogin']))
{
$user = $_POST['user'];
$password = $_POST['password'];
//sql injection security
$user = mysqli_real_escape_string($con,$user);
$password = mysqli_real_escape_string($con,$password);
//select database
$db = mysqli_select_db($con,'nesthet');
$query = "SELECT * from users where user='$user' AND password='$password'";
$query_run = mysqli_query($con,$query);
$role = mysqli_fetch_array($query_run);
//user redirection base on user role
if($role['role'] == "admin"){
session_start();
$_SESSION['user'] = $user;
header('location: admin.php');
}
else if($role['role'] == "user") {
$_SESSION['user'] = $user;
header('location: mdi_parent.php');
}
else {
$_SESSION['status'] = "Username or password is invalid";
header('location: index.php');
}
}
?>
In security.php you should execute session_start() before using the $_SESSION variable:
<?php
if(!isset ($_SESSION['user']))
{
header ('location:user_login.php');
}
?>
In your code, you only start the session when the role is admin:
if($role['role'] == "admin"){
session_start();
$_SESSION['user'] = $user;
header('location: admin.php');
}
else if($role['role'] == "user") {
$_SESSION['user'] = $user;
header('location: mdi_parent.php');
}
else {
$_SESSION['status'] = "Username or password is invalid";
header('location: index.php');
}
I'm building a login system for my webpage. When I key in the correct login ID and password, the page refreshes back to the login page. I did all the things correctly, but the session keeps messing things up and I don't know where the error is.
index.php
session_start();
if(!isset($_SESSION['loggedin'])){
header("location:login.php");
}
server.php
if(isset($_POST['login'])){
$username = mysqli_real_escape_string($db,$_POST['Username']);
$password = mysqli_real_escape_string($db,$_POST['password']);
if (empty($username)){
array_push($errors, "Username is required");
}
if (empty($password)){
array_push($errors, "Password is required");
}
if(count($errors) == 0){
$password = md5($password);
$query = "SELECT * FROM register where username='$username' AND password = '$password'";
$result = mysqli_query($db, $query);
if(mysqli_num_rows($result) == 1){//user found
$logged_in_user = mysqli_fetch_assoc($result);
if ($logged_in_user['type'] == 'admin') {
$_SESSION['loggedin'] = true;
$_SESSION['Username'] = $username;
$_SESSION['id'] = $id;
header('location: admin.php');
}
else{
$_SESSION['loggedin'] = true;
$_SESSION['Username'] = $username;
header('location: index.php');
}
}
}
}
Both pages should have session_start() at the top of the code,
for example:
index.php
<?php
session_start();
server.php
<?php
session_start();
and so on.
Another thing, off topic: prefer using PDO instead of mysqli_ for database access.
http://nl1.php.net/manual/pt_BR/book.pdo.php
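As an added example (not code from the thread), here is the server.php login from the question rewritten with PDO prepared statements, session_start() on every path and password_verify() in place of md5(). The table and column names follow the question; the in-memory SQLite database, the sample account and the function names are constructed for the demonstration, and the password column is assumed to hold password_hash() output.

```php
<?php
// Added example, not code from the thread; data and function names are constructed.
declare(strict_types=1);

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the username is sent as data, never as SQL text.
    $stmt = $db->prepare('SELECT username, password, type FROM register WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumption: the password column holds password_hash() output, not md5().
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

// Returns the page to redirect to; pass $_POST as $post in server.php.
function login(PDO $db, array $post): string
{
    // Start the session on every path, before any $_SESSION access.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $user = authenticate($db, $post['Username'] ?? '', $post['password'] ?? '');
    if ($user === null) {
        return 'login.php';
    }
    session_regenerate_id(true);   // fresh session ID once the user is authenticated
    $_SESSION['loggedin'] = true;
    $_SESSION['Username'] = $user['username'];
    return $user['type'] === 'admin' ? 'admin.php' : 'index.php';
}

// Constructed database and account so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE register (username TEXT PRIMARY KEY, password TEXT, type TEXT)');
$db->prepare('INSERT INTO register VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
// Results are collected first: nothing may be printed before session_start().
$results = [
    'valid admin login'     => login($db, ['Username' => 'alice', 'password' => 'correct horse']),
    'wrong password'        => login($db, ['Username' => 'alice', 'password' => 'guess']),
    'username with a quote' => login($db, ['Username' => "o'brien", 'password' => 'x']),
];
foreach ($results as $case => $target) {
    printf("%-22s -> %s\n", $case, $target);
}
```

In server.php the returned page name would go into header('Location: ...') followed by exit.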
Hello, I have created a login system but it's not working for some reason. I start a session after someone logs in and then make some checks: whether the session is set and whether the session is no more than 1 hour old:
This is my login script in index.php:
<?php
require 'mysql.php';
if(isset($_SESSION["username"]) && time() - $_SESSION["CREATED"] > 3600){
session_start();
session_unset();
session_destroy();
}
if(isset($_SESSION["username"]) && time() - $_SESSION["CREATED"] < 3600){
header('Location: main.php');
}
if (isset($_POST["login"])){
$username = $_POST["username"];
$password = $_POST["password"];
$stmt = $connect->prepare("SELECT username, password FROM users WHERE username=? ");
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
$rowcount = $result->num_rows;
if ($rowcount > 0){
while ($row = $result->fetch_assoc()) {
if ($row["username"] == $username && $row["password"] == $password){
if(!isset($_SESSION)) {
session_start();
}
$_SESSION["username"] = $username;
$_SESSION["usertype"] = $row["usertype"];
$_SESSION["userid"] = $row["id"];
$_SESSION["CREATED"] = time();
header('Location: main.php');
} else {
$error_msg2 = "Username or password does not match";
$error2 = "error";
}
}
} else {
$error_msg2 = "No such user";
$error2 = "error";
}
echo $error_msg2;
$stmt->close();
$connect->close();
}
?>
And this is the main.php code:
if(isset($_SESSION["username"]) && time() - $_SESSION["CREATED"] > 3600){
session_start();
session_unset();
session_destroy();
header('Location: index.php');
}
So once you log in you will be redirected to main.php, and if the session is set you should be unable to access index.php, because if you try and the session is not expired you will get redirected back to main.php. Same with main.php: if the session is expired you will get redirected back to index.php to log in. But no matter whether you are logged in or not, you can walk between them freely.
You should call session_start in any case - it fills $_SESSION with values. Also it's enough to unset $_SESSION['username'], no need to destroy whole session - PHP can take care of that. Here is code that should work:
index.php
<?php
require 'mysql.php';
session_start();
if (isset($_SESSION['username'])) {
if (time() - $_SESSION['CREATED'] < 3600) {
header('Location: main.php');
exit;
}
unset($_SESSION['username']);
}
if (isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$stmt = $connect->prepare('SELECT id, username, password, usertype FROM users WHERE username=? LIMIT 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$rowcount = $result->num_rows;
if ($rowcount > 0) {
$row = $result->fetch_assoc();
if ($row['username'] == $username && $row['password'] == $password) {
$_SESSION['username'] = $username;
$_SESSION['usertype'] = $row['usertype'];
$_SESSION['userid'] = $row['id'];
$_SESSION['CREATED'] = time();
header('Location: main.php');
exit;
} else {
$error_msg2 = 'Username or password does not match';
$error2 = 'error';
}
} else {
$error_msg2 = 'No such user';
$error2 = 'error';
}
echo $error_msg2;
$stmt->close();
$connect->close();
}
main.php
session_start();
if (!isset($_SESSION['username']) || time() - $_SESSION['CREATED'] > 3600){
unset($_SESSION['username']);
header('Location: index.php');
exit;
}
You have to call session_start() before you can use $_SESSION.
<?php
require 'mysql.php';
session_start();
if(isset($_SESSION["username"]) && time() - $_SESSION["CREATED"] > 3600){
session_unset();
session_destroy();
}
I have a suggestion. Create a session validation function.
function sessionValidate($username,$id=NULL)
{
$status = session_status();
if($status == PHP_SESSION_NONE)
{
//There is no active session
session_start();
}
if(!isset($_SESSION[$username]))
{
return false;
}
// 'userid' and 'CREATED' are the keys the login script in the question sets
$id = $_SESSION['userid'];
if((time()- $_SESSION["CREATED"]) >= 3600)
{
session_destroy();
return false;
}
return $id;
}
And check it on every page, or use this in the header page:
if(!($userid=sessionValidate($username)))
{
error_log("No session logging out ....");
header('Location: index.php');
exit; // stop here so the rest of the protected page is not executed
}
UPDATE ::
Definition
session_status — Returns the current session status
Return Values
PHP_SESSION_DISABLED - if sessions are disabled.
PHP_SESSION_NONE - if sessions are enabled, but none exists.
PHP_SESSION_ACTIVE - if sessions are enabled, and one exists.
I'm trying to fix my login page...
It works fine on the login.php with redirecting but on the index it doesn't redirect even if the session is empty. Any pointers? I'm new to this, so forgive me if it's really obvious.
<?php
require_once('../includes/config.php');
session_start();
if(!isset($_SESSION['loggedin']) && $_SESSION['loggedin']=='no'){
// not logged in
header("location: login.php");
exit();
} else {
$_SESSION['loggedin'] = 'yes';
}
?>
<?php
include("../includes/config.php");
$error = NULL;
$atmpt = 1;
if (!isset($_SESSION)) {
session_start();
}
if(isset($_SESSION['loggedin']) && $_SESSION['loggedin']=='yes'){
// logged in
header("location: index.php");
exit();
}
if(isset($_POST['login']))
{
/* get username and password */
$username = $_POST["username"];
$password = $_POST["password"];
/* MySQL Injection prevention */
$username = mysqli_real_escape_string($mysqli, stripslashes($username));
$password = mysqli_real_escape_string($mysqli, stripslashes($password));
/* check for user in database */
$query = "SELECT * FROM admin_accounts WHERE username = '$username' AND password = '$password'"; // replace "users" with your table name
$result = mysqli_query($mysqli, $query);
$count = $result->num_rows;
if($count > 0){
//successfully logged in
$_SESSION['username']=$username;
$_SESSION['loggedin']='yes';
$error .= "<div class='alert alert-success'>Thanks for logging in! Redirecting you..</div>";
header("refresh:1;url=index.php");
} else {
// Login Failed
$error .= "<div class='alert alert-danger'>Wrong username or password..</div>";
$_SESSION['loggedin']='no';
$atmpt = 2;
}
}
?>
The line
session_start();
should be the very first line in the php script.
Just modify first three lines.
As session_start() should be put before any output has been put on the browser (even space).
<?php
session_start();
require_once('../includes/config.php');
if (empty($_SESSION['loggedin']) || $_SESSION['loggedin']=='no') {
...
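The guard in the question's index.php, evaluated against constructed session contents next to a guard that passes only when the flag is exactly 'yes'. This is an added example, not code from the thread; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Session contents are constructed.
declare(strict_types=1);

// Guard as posted in the question: redirect only when the flag is unset AND
// equals 'no'. Both cannot hold at once, so this never returns true.
// (?? null stands in for the undefined-index read in the original.)
function guard_as_posted(array $s): bool
{
    return !isset($s['loggedin']) && ($s['loggedin'] ?? null) == 'no';
}

// Allow-list form: redirect unless the flag is exactly 'yes'.
function guard_allow_list(array $s): bool
{
    return ($s['loggedin'] ?? null) !== 'yes';
}

$cases = [
    'no session data'  => [],
    "loggedin = 'no'"  => ['loggedin' => 'no'],
    "loggedin = ''"    => ['loggedin' => ''],
    "loggedin = 'yes'" => ['loggedin' => 'yes'],
];

printf("%-18s %-10s %s\n", 'session', 'as posted', 'allow-list');
foreach ($cases as $label => $s) {
    printf(
        "%-18s %-10s %s\n",
        $label,
        guard_as_posted($s) ? 'redirect' : 'pass',
        guard_allow_list($s) ? 'redirect' : 'pass'
    );
}
```

Because the posted guard passes every visitor, the else branch in the question's index.php then sets $_SESSION['loggedin'] = 'yes' for them; the guard page should only read the flag and leave setting it to login.php.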
The code given below is my code for a simple login page using sessions...
Since I'm new to PHP or any such languages, I expect anyone to correct my code. Yours faithfully, Arunkumar
if(isset($_REQUEST['btnLogin']))
{
$Uname=$_REQUEST['txtUname'];
$pass=$_REQUEST['password'];
$obj-> check_login($Uname,$pass);
$result=$obj-> executec1();
//echo'Query'.$query;
//$result=mysql_query($query);
//$row = mysql_num_rows($result);
//if($row==0)
if($result)
{
// echo "username or password is incorrect";
//}
//else
if(isset($_REQUEST['']))
{
setcookie("username", $Uname);
setcookie("password", $password);
}
else {
setcookie("username", "");
setcookie("password", "");
}
$_SESSION['username'] = $Uname;
session_start();
if(isset($_POST['login_id']))
{
$login='';
$login_id=$_POST['login_id'];//username coming from login form page
$password =$_POST['password'];//password coming from login form page
$query = "SELECT * FROM users WHERE login_id='$login_id' AND password='$password'";
$result = mysql_query($query);
if(mysql_num_rows($result)> 0)//if user user_id and matches then it must show 1 coderun
{
$user_id = mysql_result($result, 0, "user_id");
$screen_name = mysql_result($result, 0, "username");
$_SESSION["session_user_id"] = $user_id;/*like this you can make
different session */
$_SESSION["session_screen_name"] = $screen_name;
header("Location: home.php");
exit();
}
else
{
$errormess = "Invalid Login ID or Password";
}
}
You should first start session with this
session_start();
or better
if(!isset($_SESSION))
{
session_start();
}
if(!isset($_SESSION['username']))
{
$_SESSION['username']=$Uname;
}