Okay, on my local dev server I can login with my simple form on index.php. it will redirect me to admin.php because my username and password has matched that in the database.
However when I upload this to my live server it doesn't work. I don't understand. To create the username and password in the database I use new_admin.php. Then using index.php i login which willa cces my functions from functions.php.
functions.php:
//*****************************************************************/
//mysql_prep();
//
function mysql_prep($string) {
global $connection;
$escaped_string = mysqli_real_escape_string($connection, $string);
return $escaped_string;
}
//*****************************************************************/
//confirm_query();
//
function confirm_query($result_set) {
if (!$result_set) {
die("Database query failed.");
}
}
//////////////LOG IN FUNCTIONS
/////////////////////////////////////////////////////////////////////////
//*****************************************************************/
//password_encrypt();
//
function password_encrypt($password) {
$hash_format = "$2y$10$"; // Tells PHP to use Blowfish with a "cost" of 10
$salt_length = 22; // Blowfish salts should be 22-characters or more
$salt = generate_salt($salt_length);
$format_and_salt = $hash_format . $salt;
$hash = crypt($password, $format_and_salt);
return $hash;
}
//*****************************************************************/
//generate_salt();
//
function generate_salt($length) {
// Not 100% unique, not 100% random, but good enough for a salt
// MD5 returns 32 characters
$unique_random_string = md5(uniqid(mt_rand(), true));
// Valid characters for a salt are [a-zA-Z0-9./]
$base64_string = base64_encode($unique_random_string);
// But not '+' which is valid in base64 encoding
$modified_base64_string = str_replace('+', '.', $base64_string);
// Truncate string to the correct length
$salt = substr($modified_base64_string, 0, $length);
return $salt;
}
//*****************************************************************/
//password_check();
//
function password_check($password, $existing_hash) {
// existing hash contains format and salt at start
$hash = crypt($password, $existing_hash);
if ($hash === $existing_hash) {
return true;
} else {
return false;
}
}
//*****************************************************************/
//find_admin_by_username();
//
function find_admin_by_username($username) {
global $connection;
$safe_username = mysqli_real_escape_string($connection, $username);
$query = "SELECT * ";
$query .= "FROM admins ";
$query .= "WHERE username = '{$safe_username}' ";
$query .= "LIMIT 1";
$admin_set = mysqli_query($connection, $query);
confirm_query($admin_set);
if($admin = mysqli_fetch_assoc($admin_set)) {
return $admin;
} else {
return null;
}
}
//*****************************************************************/
//attempt_login();
//
function attempt_login($username, $password) {
$admin = find_admin_by_username($username);
if ($admin) {
// found admin, now check password
if (password_check($password, $admin["hashed_password"])) {
// password matches
return $admin;
} else {
// password does not match
return false;
}
} else {
// admin not found
return false;
}
}
//*****************************************************************/
//logged_in();
//
function logged_in() {
return isset($_SESSION['admin_id']);
}
//*****************************************************************/
//confirm_logged_in();
//
function confirm_logged_in() {
if (!logged_in()) {
redirect_to("index.php");
}
}
new_admin.php:
<?php
session_start();
require_once("includes/db_connection.php");
require_once("includes/functions.php");
?>
<html>
<head>
</head>
<body>
<?php
if(isset($_POST['submit'])){
$username = mysql_prep($_POST["username"]);
$hashed_password = password_encrypt($_POST["password"]);
$query = "INSERT INTO admins (";
$query .= " username, hashed_password";
$query .= ") VALUES (";
$query .= " '{$username}', '{$hashed_password}'";
$query .= ")";
$result = mysqli_query($connection, $query);
if ($result) {
// Success
$_SESSION["message"] = "Admin created.";
redirect_to("admin.php");
} else {
// Failure
$_SESSION["message"] = "Admin creation failed.";
}
}
?>
<form action="new_admin.php" method="post">
username:
<input type="text" name="username"/><br/>
password:
<input type="password" name="password"/></br>
<input type="submit" name="submit"/>
</form>
index.php:
<?php
session_start();
require_once("includes/db_connection.php");
require_once("includes/functions.php");
?>
<?php
$username = "";
if (isset($_POST['submit'])) {
// Process the form
$username = $_POST["username"];
$password = $_POST["password"];
$found_admin = attempt_login($username, $password);
if ($found_admin) {
// Success
// Mark user as logged in
$_SESSION["admin_id"] = $found_admin["id"];
$_SESSION["username"] = $found_admin["username"];
redirect_to("admin.php");
} else {
// Failure
$_SESSION["message"] = "Username/password not found.";
}
} else {
// This is probably a GET request
} // end: if (isset($_POST['submit']))
?>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Test</title>
</head>
<body>
<?php
if(isset($_SESSION['message'])){
echo $_SESSION['message'];
}
?>
<h1>Login</h1>
<form action="index.php" method="post">
<p>Username:
<input type="text" name="username" value="" />
</p>
<p>Password:
<input type="password" name="password" value="" />
</p>
<input type="submit" name="submit" value="Submit" />
</form>
I know that i am putting in the correct login username and password but all i get is "Username/password not found." from my session error message.
Any ideas why this is happening?
EDIT:
Ive just noticed that i am not getting the error "Username/password not found" So this means that my attempt_login() function must be returning true. doesnt it?
Related
Recently I've been struggling in creating Login System using OOP PHP with Prepared Statement. When I clicked the login button after inputted the correct username and password, it still validate that I inputted the wrong username and password. Here's my code. Any help would be appreciated. Thanks!
login.php
<?php
require_once 'templates/header.php';
?>
<link rel="stylesheet" type="text/css" href="styles/login-style.css">
<script type="text/javascript" src="https://code.jquery.com/jquery-
3.3.1.min.js"></script>
<script type="text/javascript">
$(document).ready(function(){
$('#login').click(function(event){
event.preventDefault();
var username = $('#usernameID').val();
var password = $('#passwordID').val();
$.post("validation/validation_login.php",{
user_val : username,
password_val : password,
},function(data){
$('.error-message').html(data);
});
});
});
</script>
<title>Login</title>
<form>
<h1>Login</h1>
<input type="text" id="usernameID" name="username"
placeholder="Username" autocomplete="off"> <br>
<input type="password" id="passwordID" name="password"
placeholder="Password" autocomplete="off"> <br>
<input type="button" id="login" name="register-button" value="Login">
</form>
<div class="error-message">
</div>
<?php
require_once 'templates/footer.php';
?>
validation_login.php
<?php
require_once '../classes/input.php';
require_once '../classes/session.php';
require_once '../classes/database.php';
class validation_login{
private $username,$password;
public $errorMessage;
public function validate_login(){
$db = new database();
$this->username = input::get('user_val');
$this->password = input::get('password_val');
if(empty($this->username) || empty($this->password)){
$this->errorMessage = "Please fill all the fields!";
return false;
}else if(!$db->login()){
$this->errorMessage = "Invalid username or password!";
return false;
}else{
session::set('username',$this->username);
header('Location: index.php');
return true;
}
}
}
$validate_login = new validation_login();
$validate_login->validate_login();
echo "$validate_login->errorMessage";
?>
database.php
<?php
class database{
//db_initialization
private $HOST = 'localhost',
$USERNAME = 'root',
$PASSWORD = '',
$DBNAME = 'auth',
$connect;
//db_insert
private $usernameInput,
$firstnameInput,
$lastnameInput,
$passwordInput,
$hashedPassword;
public function __construct(){
$this->connect = new mysqli($this->HOST,$this->USERNAME,
$this->PASSWORD,$this->DBNAME) or die('connection error');
}
public function insert_data(){
$sql = "INSERT INTO users
(username,first_name,last_name,password) VALUES (?,?,?,?)";
if($statement = $this->connect->prepare($sql)){
$this->usernameInput = input::get('user_val');
$this->firstnameInput = input::get('first_name_val');
$this->lastnameInput = input::get('last_name_val');
$this->passwordInput = input::get('password_val');
$this->hashedPassword = password_hash( $this->passwordInput,
PASSWORD_DEFAULT);
$statement->bind_param("ssss",$this->usernameInput,
$this- >firstnameInput,$this->lastnameInput,
$this->hashedPassword);
$statement->execute();
}
}
public function validate_same_username(){
$sql_same_username = "SELECT username FROM users WHERE
username = ?";
if($statement_same_username =
$this->connect->prepare($sql_same_username)){
$this->usernameInput = input::get('user_val');
$statement_same_username->bind_param("s",
$this->usernameInput);
$statement_same_username->execute();
$result = $statement_same_username->get_result();
$num_rows = $result->num_rows;
if($num_rows > 0){
return false;
}else{
return true;
}
}
}
public function login(){
$sql_login = "SELECT username , password FROM users WHERE
username = ?";
if($statement_login = $this->connect->prepare($sql_login)){
$this->usernameInput = input::get('user_val');
$this->passwordInput = input::get('password_val');
$statement_login->bind_param("s",
$this->usernameInput);
$statement_login->execute();
//get hashed password from database
$statement_login->bind_result($username,$password);
if(password_verify($this->passwordInput,$password)){
return true;
}else{
return false;
}
}
}
}
?>
session.php
<?php
class session{
public static function set($name,$value){
return $name = $_SESSION[$value];
}
public static function get($name){
return $_SESSION[$name];
}
public static function exists($name){
if(isset($_SESSION[$name])){
return true;
}else{
return false;
}
}
}
?>
input.php
<?php
class input{
public static function get($name){
if(isset($_POST[$name])){
return $_POST[$name];
}else if(isset($_GET[$name])){
return $_GET[$name];
}else{
return false;
}
}
}
?>
looks like you are getting the user_val to the password field at validation_login.php
$this->password = input::get('user_val');
from your code it should be
$this->password = input::get('password_val');
i will start be changing to this line
edit to my initial answer:
you also can't use password_hash() (see return value section password_hash) to check if the password equal, you need to use password_verify to check if the password is equal in the login function
change your query to get the hashed password from the database and then compare it to the input password from the user with the password_verify
$sql_login = "SELECT username , password FROM users WHERE
username = ? ";
if(password_verify($this->passwordInput,$hashedPasswordFromDB)){
return true;
}else{
return false;
}
also check if you password column in the database in long enough to store the whole password length, and make sure you username is unique
encrypt the password in the database with the following code:
$pas = $_POST['password'];
$pass = password_hash($pas, PASSWORD_BCRYPT);
in the solucioncontroller.php I try to verify the encrypted password but it does not work
class solucionController {
include_once 'model/solucion.php';
public function Login()
{
$solucion = new solucion();
if (isset($_POST["login"]) && isset($_POST["password"]))
{
$login = htmlentities(addslashes($_POST["login"]));
$password = htmlentities(addslashes($_POST["password"]));
$solucion = $this->model->Logeo($login, $password);
$pass= $this->model->getpass();
if (password_verify($password, $pass)&&$solucion == 1)
{
setcookie('usuario', $login, time() + 3600);
session_start();
$_SESSION["Usuario"] = $login;
header("Location: view/header.php");
header("Location: view/solucion/solucion.php");
header("Location: view/Footer.php");
}
}
header('Location: index.php');
return;
}
}
in the model solucion.php I search for the user and the password entered in the login view
class solucion {
public $res;
public function Logeo($login, $pass)
{
try {
$sql = "SELECT * FROM logeo WHERE usuario = :login AND pass = :password";
$resultado = $this->pdo->prepare($sql);
$resultado->bindValue(":login", $login);
$resultado->bindValue(":password", $pass);
$resultado->execute();
$numero_registro = $resultado->rowCount();
if ($numero_registro != 0)
{
return 1;
}
$this->res = $resultado->fetch(PDO::FETCH_ASSOC);
} catch (Exception $e) {
die($e->getMessage());
}
}
}
public function getpass(){
return $this->res['pass'];
}
in the login view is the form where you enter the username and password
<?php
if(isset($_COOKIE['usuario'])){
require 'view/solucion/solucion.php';
}
else{
?>
<a class="btn btn-success pull-right" href="?c=solucion&a=Invitado">Invitado</a>
<h1>Introduce tus datos</h1>
<form action="?c=solucion&a=Login" method="post">
<div class="container">
<label for="login"><b>Username</b></label>
<input type="text" placeholder="Ingrese usuario" name="login" required>
<label for="password"><b>Password</b></label>
<input type="password" placeholder="Ingrese ContraseƱa" name="password" required>
<button type="submit">Login</button>
</div>
</form>
<?php }?>
when entering the username and password, the data is deleted and I remain in the login view
You should fetch data using usuario only not using usuario and pass from database. Because password saved in database is hashed and can't be compared with simple text password entered by user. Change the model code as below:
class solucion {
public $res;
public function Logeo($login, $pass) {
try {
$sql = "SELECT * FROM logeo WHERE usuario = :login";
$resultado = $this->pdo->prepare($sql);
$resultado->bindValue(":login", $login);
$resultado->execute();
$numero_registro = $resultado->rowCount();
if ($numero_registro != 0) {
return 1;
}
$this->res = $resultado->fetch(PDO::FETCH_ASSOC);
} catch (Exception $e) {
die($e->getMessage());
}
}
}
public function getpass() {
return $this->res['pass'];
}
Also need to get password from request as:
$password = $_POST["password"];
instead of
$password = htmlentities(addslashes($_POST["password"]));
When I register as a new user, and then try to login as that user, the username and/or password are not recognized. I've used this login system successfully in another application, but when I plugged it into a new application it started having this problem. I've checked everything and can't seem to find the issue. Any thoughts are greatly appreciated.
Here's the code:
<?php
function find_admin_by_username($username) {
global $connection;
$safe_username = mysqli_real_escape_string($connection, $username);
$query = "SELECT * ";
$query .= "FROM users ";
$query .= "WHERE username = '{$safe_username}' ";
$query .= "LIMIT 1";
$admin_set = mysqli_query($connection, $query);
confirm_query($admin_set);
if($admin = mysqli_fetch_assoc($admin_set)) {
return $admin;
} else {
return null;
}
}
function password_encrypt($password) {
$hash_format = "$2y$10$"; // Tells PHP to use Blowfish with a "cost" of 10
$salt_length = 22;
$salt = generate_salt($salt_length);
$format_and_salt = $hash_format . $salt;
$hash = crypt($password, $format_and_salt);
return $hash;
}
function generate_salt($length) {
// Not 100% unique, not 100% random, but good enough for a salt
// MD5 returns 32 characters
$unique_random_string = md5(uniqid(mt_rand(), true));
// Valid characters for a salt are [a-zA-Z0-9./]
$base64_string = base64_encode($unique_random_string);
// But not '+' which is valid in base64 encoding
$modified_base64_string = str_replace('+', '.', $base64_string);
// Truncate string to the correct length
$salt = substr($modified_base64_string, 0, $length);
return $salt;
}
function password_check($password, $existing_hash) {
// existing hash contains format and salt at start
$hash = crypt($password, $existing_hash);
if ($hash === $existing_hash) {
return true;
} else {
return false;
}
}
function attempt_login($username, $password) {
$admin = find_admin_by_username($username);
if ($admin) {
// found admin, now check password
if (password_check($password, $admin["password"])) {
// password matches
return $admin;
} else {
// password does not match
return false;
}
} else {
// admin not found
return false;
}
}
?>
<?php
if (isset($_POST['submit'])) {
// Process the form
// validations
$required_fields = array("username", "password");
validate_presences($required_fields);
if (empty($errors)) {
// Attempt Login
$username = $_POST["username"];
$password = $_POST["password"];
$found_admin = attempt_login($username, $password);
if ($found_admin) {
// Success
// Mark user as logged in
$_SESSION["admin_id"] = $found_admin["id"];
$_SESSION["username"] = $found_admin["username"];
redirect_to("MyAccount.php");
} else {
// Failure
$_SESSION["message"] = "Username/password not found.";
}
}
} else {
// This is probably a GET request
} // end: if (isset($_POST['submit']))
?>
I'm trying to create my own login form, having a few difficulties though.
I want to have a form where the user can log into the website, using AJAX:
If user doesn't enter username, show message
If user doesn't enter password, show message
Check with database if password is correct, if incorrect, show message
The problem is, I've done a little jQuery and next to no AJAX before. I'm trying to learn but haven't had any luck so far! My PHP/PDO script works fine without any AJAX/jQuery and checks all the requirements fine.
My code so far is below:
index.html
$(document).ready(function(){
$("#add_err").css('display', 'none', 'important');
$("#login-submit").click(function(){
username=$("#username").val();
password=$("#password").val();
if (username.length < 1)
errors = errors + "Please enter your username<br/>";
if (password.length < 1)
errors = errors + "Please enter your password<br/>";
var errors = "";
$.ajax({
type: "POST",
url: "process-login.php",
data: "username="+username+"&password="+password,
success: function(html) {
if(html=='true') {
window.location="account.php";
}
if (errors != "") {
$("add_err").html(errors).slideDown("fast");
}
}
});
return false;
});
});
</script>
<div id="login">
<form method="post" id="form" action="process-login.php">
<div class="err" id="add_err"></div>
<fieldset>
<p><input type="text" id="username" name="username" placeholder="Username"></p>
<p><input type="password" id="password" name="password" placeholder="Password"></p>
<input type="hidden" name="redirect" value="<?php echo "$redirect" ?>" />
<p><input type="submit" id="login-submit" name="submit" class="button" value="Let me in!"/></p>
<p>Not a member? Sign up now <i class="fa fa-arrow-right"></i></p>
</fieldset>
PHP
<?php
session_start();
try
{
$dbuser = "XXXXXXXXXXX";
$dbpass = "XXXXXXXXXXX";
$dbh = new PDO('mysql:host=XXXXXXXXXXX', $dbuser, $dbpass);
//Min length validation
function validateMinLength($length, $number){
//if it's NOT valid
if(strlen($length) < $number)
return false;
//if it's valid
else
return true;
}
//Max length validation
function validateMaxLength($length, $number){
//if it's NOT valid
if(strlen($length) > $number)
return false;
//if it's valid
else
return true;
}
if (isset($_POST['submit']))
{
$username = $_POST['username'];
$password = $_POST['password'];
$password = strtoupper(hash('whirlpool', $password));
$redirect = $_POST["redirect"];
$err = array();
if(!validateMinLength($_POST['username'], 2))$err[]='The username field is too short or empty';
if(!validateMaxLength($_POST['username'], 21))$err[]='The username field must be less than 21 characters';
if(!validateMinLength($_POST['password'], 2))$err[]='The password field is too short or empty';
if(count($err)){
foreach($err as $one_er){
echo $one_er . "<br/>";
}
exit();
}
if (empty($error) === true) {
$query = $dbh->prepare("SELECT * FROM user WHERE username = ? LIMIT 1");
$query->execute(array($username));
if ($query->rowCount() > 0) {
$data = $query->fetch(PDO::FETCH_OBJ);
if ($data->password != $password)
{
$err[] = "Invalid password";
}
if(count($err)){
foreach($err as $one_er){
echo $one_er . "<br/>";
}
exit();
}
else {
$query = $dbh->prepare("SELECT * FROM user WHERE username = ? AND isadmin = '1'");
$query->bindParam(1, $username, PDO::PARAM_STR, 25);
$query->execute();
if ($query->rowCount() == 1) {
$_SESSION["admin"] = $username;
$admin = $_SESSION["admin"];
$_SESSION['start_time'] = time();
$online = $dbh->query("UPDATE user SET online=1 WHERE username='$admin'");
header('location:http://www.colorshare.co' . $redirect);
echo "Success";
} else {
$_SESSION["member"] = $username;
$member = $_SESSION["member"];
$_SESSION['start_time'] = time();
$online = $dbh->query("UPDATE user SET online=1 WHERE username='$member'");
header('location:http://www.colorshare.co' . $redirect);
echo "Success";
}
}
}
}
}
$dbh = null;
}
catch (PDOException $e)
{
print "Error: " . $e->getMessage() . "<br/>";
die();
}
?>
Is there something I'm missing or doing completely wrong?
first thing you should check if the php script returning the right values that you testing on the JS side .
then you should check this :
if(html=='true') {
window.location="account.php";
}
if (errors != "") {
$("add_err").html(errors).slideDown("fast");
}
you should make it , i think :
if(html=='true') {
window.location="account.php";
}else{
errors = html ;//when 'html' variable is not returning 'true' the its returning errors
}
if (errors != "") {
$("add_err").html(errors).slideDown("fast");
}
i hope give us more information about the problem like what it's showing when you tested it .
I just produce a script to handle login process. I would like to have a good discussion on how am I able to improve my script to secure , simplify, and keep my programming DRY. This is not 'A need answer type of post' but more likely a discussion. Any guide and advise are most appreciated.
My login.php
<?php
class Login {
private $db = null;
private $ip = null;
private $uid = null;
private $date = null;
function Login() {
$this->db = db_connect();
$this->ip = $_SERVER['REMOTE_ADDR'];
$this->uid = 0;
$this->date = date('Y-m-d');
}
function checkLogin($username, $password) {
$username = sanitize($username, SQL);
$password = sha1($password);
if ($this->db) {
$query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query);
$var = mysql_fetch_object($result);
if (is_object($var)) {
$this->storeSession($var, true, 'USER');
return true;
} else {
$this->sessionDefault();
return false;
}
}
}
function sessionDefault() {
$_SESSION['username'] = null;
$_SESSION['session'] = null;
$_SESSION['uid'] = 0;
$_SESSION['logged'] = false;
}
function storeSession(&$login, $init = true, $credit = 'USER') {
$_SESSION['username'] = $login->username;
$username = $login->username;
$_SESSION['uid'] = $login->id;
$uid = $login->uid;
$_SESSION['ip'] = $this->ip;
$ip = $this->ip;
$_SESSION['session'] = session_id();
$sid = session_id();
if ($this->db) {
$query = "INSERT INTO session VALUES ('$username','$sid','$ip','$this->date','USER')";
$result = mysql_query($query) or die(mysql_error());
}
}
function checkAuthorized($session, $ip, $admin = false) {
$session = sanitize($session, SQL);
$ip = fsanitize_ip($ip);
if ($this->db) {
$query = "SELECT * FROM session WHERE " .
"(session='$session') AND (ip='$ip') ";
$result = mysql_query($query);
$var = mysql_fetch_object($result);
if (is_object($var)) {
if ($var->credit == 'USER')
return 'USER';
else
return 'ADMIN';
} else
return false;
}
}
/*
*
* This function used to logout
* #param: $session will receive session_id()
* #return: Will return boolean
*
*/
function logout($session) {
$username = $_SESSION['username'];
unset($_SESSION);
session_destroy();
if ($this->db) {
$query = "DELETE FROM session WHERE session='$session'";
$result = mysql_query($query);
if ($result)
return true;
else
return false;
}
}
}
?>
My loginform.php
<?php
session_start();
include ('connection.php');
include ('sanitize.php');
include ('login.php');
/* Create object based on Login Class */
$auth = new Login();
/* Fetch session ID and insert into $session */
$session=session_id();
/* Fetch IP of client. This is repeated code */
$ip = $_SERVER['REMOTE_ADDR'];
/* Below will check session authentication */
$logincheck=$auth->checkAuthorized($session, $ip);
if ($logincheck) // Condition if session already there prevent viewing login form
{
header("Location:user.php"); // redirect to user page
}
?>
<!DOCTYPE html>
<head>
<script type="text/javascript">
function loginShow(show)
{
if(show==true)
{
document.getElementById(login-div).style.display = ""
}
else
{
document.getElementById(login-div).style.display = "none"
}
}
</script>
<style>
div#login
{
width : 400px;
height: 150px;
margin: 20% auto;
border:thin dotted gray;
}
input[type=text], input[type=password]
{
text-align: center;
width:250px;
}
input[type=submit]
{
width:80px;
}
div#login p
{
margin:5px auto;
text-align: center;
}
</style>
</head>
<html>
<body>
<div id="logindiv">
<div id="login">
<form method="POST" name="login" action="loginform.php" id="login">
<p>Username</p>
<p><input type="text" id="username" name="username"/></p>
<p>Password</p>
<p><input type="password" id="password" name="password"/></p>
<p><input type="submit" name="logged" id="logged" value="Login"/></p>
</form>
</div>
</div>
</body>
</html>
<?php
// Form processing engine goes here!
if ($_POST) {
extract($_POST);
$login = new Login();
$status = $login->checkLogin($username, $password);
if (!$status) {
echo "<script>loginShow('true')</script>";
} else {
header("Location:user.php");
exit();
}
} else {
echo "<script>loginShow(true)</script>";
}
?>
my authorize.php
<?php
session_start();
$session=session_id();
$ip = $_SERVER['REMOTE_ADDR'];
/* Create object based on Login Class */
$login = new Login();
/* Below will check and authenticate session and ip is valid */
$logincheck = $login->checkAuthorized($session, $ip);
if (!$logincheck) // Condition if login is not authentic or no session
{
header("Location:loginform.php"); // redirect to login form
}
else // Condition if session is valid and good
{
echo "<center>";
echo "<h1>Session already valid. No need to login</h1>";
echo "<a href='logout.php'>LOGOUT</a>";
echo "</center>";
}
?>
my logout.php
<?php
session_start();
$session=session_id();
$ip = $_SERVER['REMOTE_ADDR'];
include ('connection.php');
include ('sanitize.php');
require('login.php');
require('authorize.php');
$logout = new Login();
$logstatus = $logout->logout($session);
if ($logstatus)
{
echo "<center>";
echo "<h1>SESSION SUCCESSFULLY CLEARED</h1>";
echo "<a href='loginform.php'>LOGIN</a>";
echo "</center>";
}
else
{
echo "<center>";
echo "<h1>SESSION FAILED TO DELETE FROM DATABASE</h1>";
echo "<a href='logout.php'>RETRY</a>";
echo "</center>";
}
?>
Just one thing:
Use bCrypt to securely store your passwords and here's a simple PHP5 class that would do it for you.
If I had a penny each time I had to tell someone this, I would be a very rich man.