This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP session seemingly not working
I'm currently coding my own CMS for fun but when I use $_SESSION, it doesn't work. The session isn't saved...
Here's my code:
<?php
include('header.php');
if (isset($_SESSION['logged_in']))
{
    $link = 'profile.php';
    $link_name = 'Profile';
}
else
{
    $link = 'login.php';
    $link_name = 'Login';
}
if (isset($_POST['action']))
{
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $password = md5($password);
    $user = mysql_query("SELECT * FROM users WHERE `username`='".$username."'");
    if (mysql_num_rows($user) == 1)
    {
        while ($userinfo = mysql_fetch_array($user))
        {
            if ($userinfo['banned'] != true)
            {
                $_SESSION['user_id'] = $userinfo['id'];
                $_SESSION['username'] = $userinfo['username'];
                $_SESSION['logged_in'] = "true";
                header('Location: index.php');
            }
            else
            {
                header('Location: login.php?error=banned');
            }
        }
    }
    else if (mysql_num_rows($user) == 0)
    {
        header('Location: login.php?error=not-found');
    }
}
?>
In the code, I get the user information in my database then I check if the user isn't banned. If not, I set my $_SESSION[] and I redirect to the home...
You need session_start() at first.
You should call session_start() at the beginning of the script. Make sure you call it on every page where you need access to session variables as well.
Make sure session_start() is being called. Use Tamper Data to check the Headers for Sent and Received requests. You're looking for the Set-Cookie Header from the server and the Cookies Header from the client. This should contain your PHPSESSID. If you don't see this then your session is not started. Good Luck!
Related
I have a session page with this code
session_start();
if (!isset($_SESSION['id'])){
    header('location:order.php');
}
$ses_id = $_SESSION['id'];
I included it into my login page (order.php)
<?php include('session.php'); ?>
Here is the login scripts and functions
$username = clean($_POST['username']);
$password = md5($_POST['password']);
$apollos=$username;
$query=Login($username,$password);
$count = mysql_num_rows($query);
$row = mysql_fetch_array($query);
$phone=$row['Contact_Number'];
DeleteActivation($username);
if ($count > 0) {
    $_SESSION['id'] = $row['memberID'];
    UserPin($username,$pin,$member);
    $From='eFarms';
    $Message='Your User Login Pin from St. Apollos eFarms is '.$pin;
    die("<script>location.href = 'login_sms.php'</script>");
    session_write_close();
} else {
    session_write_close();
}
Here is my Pin Validation Page
<?php include('header.php'); ?>
$pin = clean($_POST['pin']);
$query=CheckPin($username,$pin,$member);
$count = mysql_num_rows($query);
$row = mysql_fetch_array($query);
if ($count > 0) {
    $_SESSION['id'] = $row['memberID'];
    die("<script>location.href = 'user_home.php'</script>");
    session_write_close();
} else {
    session_write_close();
}
Someone should please examine this code, correct it and show me how to receive the session on the User Home Page as Username.
First, as provided by others, you're using a very bad and insecure method!
Try to use PDO, which is much easier (when you understand how it works) and much more secure!
Second, your coding is not so clean; I think that's why you can't find the problem yourself!
And finally, I think you're missing:
session_start();
in some part of your code!
Before starting the session, you have to check whether the session is already started, like below, in each script or in a common script file.
if (!isset($_SESSION)) {
    session_start();
}
Edited:
The above condition is not needed, as it is checked internally, as described in the documentation - http://php.net/manual/en/function.session-start.php
session_start();
Hi, I am trying to get the user signed in via sessions. Here is my code; it was working before and now it isn't, and I didn't even change the code.
profile.php (to show after logged in)
<?php
ob_start();
session_start();
$userName = $_SESSION['username'];
$userid = $_SESSION['userid'];
if(isset($_GET['session'])) {
    $currentSessionID = $_GET['session'];
    $currentSessionID = md5(md5(md5($currentSessionID)));
    session_id($currentSessionID);
    header("Location:profile.php");
    return;
}
if(!isset($userName)){
    echo "OUT";
    return;
}
...
scripts/signin.php
ob_start();
session_start();
include"config.php";
echo "here";
// check for required fields
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['Username']) && isset($_POST['Password'])) {
    $user = mysql_real_escape_string($_POST['Username']);
    $pass = mysql_real_escape_string($_POST['Password']);
    $decrypt = md5(md5(md5($pass)));
    $ensure = "select * from userinfo WHERE Username = '$user' and Password='$decrypt' and status='1'";
    $result= mysql_query($ensure);
    if(mysql_num_rows($result) > 0) {
        echo "here2";
        $entry = mysql_fetch_array($result) or die(mysql_error());
        $_SESSION['username'] = $entry['Username'];
        echo $entry['Username'];
        $_SESSION['userid'] = $entry['Id'];
        $currentSessionID = session_id();
        $currentSessionID = md5(md5(md5($currentSessionID)));
        header("Location: http://www.myprocity.com/profile.php?session=".$currentSessionID);
        echo "here3";
The reason why I'm passing in the session ID is because I'm trying to keep only sign in and sign up on HTTPS while the other pages are HTTP so I can show Google ads. Does anyone know how to implement this without security issues (perfectly)?
It always goes to OUT even when $_SESSION is my username (database is correct).
In profile.php you are checking for the presence of a session ID, and changing the session ID if you find it. You are doing this after you've set up a session with session_start(), but the PHP manual specifically says you must call session_id() before session_start() for this to work.
You're also hashing $_GET['session'] before sending it, and again before using it. The session ID you're trying to use in profile.php won't match the session ID used in signin.php.
The result is that $_SESSION does not have the data in it you are expecting.
You need to rationalise your use of session_id(), and ensure the correct value is passed from page to page. All the hashing with md5() is just complicating matters - drop it. Realistically, I don't see why you need anything more than session_start() at the top of each page and let PHP handle the sessions. You may have an argument for doing what you're doing, but your solution simply won't work.
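A shared session bootstrap in the spirit of the answers above: check whether a session is already active, then let PHP carry the session ID in its cookie instead of in the URL. This is an added example, not code from any of the posts. The function names are hypothetical, and it assumes PHP 7.3+ and a site served entirely over HTTPS.

```php
<?php
// Include this file at the top of every page, before any output is sent.
declare(strict_types=1);

function start_app_session(): void
{
    // session_status() is the reliable "already started?" check.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Set-Cookie is an HTTP header: once output has begun it cannot be sent.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output started at $file:$line, session cookie cannot be set");
    }
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');    // never append the ID to links
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // assumption: every page is served over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Gate for pages such as profile.php: returns the username or redirects to login.
function require_login(): string
{
    start_app_session();
    if (empty($_SESSION['username'])) {
        header('Location: login.php');
        exit; // stop here so the protected page is never rendered
    }
    return (string) $_SESSION['username'];
}
```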
I'm not very good at PHP and I have a little problem. I've been playing around with this script.
And I can't for the life of me figure out how to echo the username of a logged in user.
I tried to print all the information of the session like this:
var_dump($_SESSION)
but I just got the hashed password and the userlevel int.
Can someone maybe help me here? I just want to be able to echo the username.
You have to store the username in the session for it to be available on another page load, currently the script only stores these values in the session;
$_SESSION['loggedin'] = $row[$this->pass_column];
$_SESSION['userlevel'] = $row[$this->user_level];
What you have to do is add the $username to the session that is passed into the login function, like below;
$_SESSION['username'] = $username;
The username will now be stored in the session with the key username.
To be able to use it on another page, make sure that before attempting to use it you initiate the session by calling the function session_start().
Basically, just write it inside like
session_start();
echo $_SESSION['username'];
or
echo $_SESSION['password'];
A brief explanation of how sessions work.
First you start the session and assign any value to a session, e.g.:
session_start();
$_SESSION['username'] = 'john';
Then echoing works like:
echo $_SESSION['username']; // will echo out 'john'
Note: session_start() must be shared in-between the pages you want to use the session.
You have session_start(); on top?
In the login function you should write the username to the session after a successful login.
//instantiate if needed
include("class.login.php");
$log = new logmein();
$log->encrypt = true; //set encryption
if($_REQUEST['action'] == "login"){
    if($log->login("logon", $_REQUEST['username'], $_REQUEST['password']) == true){
        //do something on successful login
        $_SESSION['username'] = $_REQUEST['username'];
    }else{
        //do something on FAILED login
    }
}
<?php
include('db.php');
session_start();
$name=$_POST['name'];
$password=$_POST['password'];
echo $sql="SELECT * FROM register WHERE (name='$name' OR email='$name') AND password='$password'";
$result=mysqli_query($conn,$sql);
$num_rows = mysqli_num_rows($result);
if ($num_rows > 0)
{
    $_SESSION['user']=mysqli_fetch_assoc($result);
    $row = $_SESSION['user'];
    $role = $row['role'];
    if($role == 1)
    {
        header('location:usermanagement.php');
    }
    else{
        header('location:user.php');
    }
}
else
{
    echo "Wrong Username or Password";
    header('location:login.php');
}
$conn->close();
?>
If anyone can make a better title, please edit it.
The issue I am having is being unable to show the user's name in their post. Quick snip of code.
if (isset($_SESSION['username']) )
{
    $name = $_SESSION['username'];
}
else
{
    $name = $_POST['name'];
}
How can I make it so that, when the user posts, it checks to see if there is a session and then displays their name in their post?
There's nothing particularly wrong with what you've done here. Does $_SESSION['username'] actually have a value?
Also, make sure when you are working with sessions that you call session_start() before saving or pulling session data.
<?php
session_start();
$_SESSION['username'] = 'Greg';
if (isset($_SESSION['username']) )
{
    $name = $_SESSION['username'];
}
Please try the following
session_start();
if (isset($_SESSION['username']) )
{
    $name = $_SESSION['username'];
}
else
{
    $name = $_POST['name'];
    $_SESSION['username'] = $name;
}
Then reload the page; $_SESSION['username'] should now contain the user name.
Garrett, am I right in thinking your route is to create $_SESSION['name'] first, regardless, unless they have logged in, and if so the $_SESSION['name'] becomes $_SESSION['username']?
If I am right and you are creating $_SESSION['username'] on login, all you need to do is check if $_SESSION['name'] = $_SESSION['username'] and, if it does, unset it. Example:
// YOUR LOGIN CODE TO CHECK ASSUME SQL QUERY OF SOME DESCRIPTION AND 'true' IS YOUR RESULT and 'false' NOT A USER
if(true) {
    $_SESSION['username'] = $result;
    if($_SESSION['name'] && $_SESSION['name'] == $_SESSION['username'] ){
        unset($_SESSION['name']);
    }
    // ACTION TO GO TO PAGE
} else {
    // YOUR ERROR ACTION
}
We have a login form that is processed by php and ajax. The ajax sends a request to the php page with the username and password to be logged in. It gets a response and if it's correct and working info, it logs them in:
The php page that takes requests has this code:
echo (checkLogin($_POST['user'], $_POST['pass']) ? 'true' : 'false');
if(checkLogin($_POST['user'], $_POST['pass']) == true)
    logIn($_POST['user'], $_POST['pass']);
The functions used in that statement:
function logIn($user, $pass)
{
    $_SESSION['sid'] = md5(md5($user) . md5($pass));
    $_SESSION['username'] = $user;
    $_SESSION['password'] = $pass;
}
function checkLogin($user, $pass)
{
    $user = strtolower($user);
    $pass = strtolower($pass);
    $res = mysql_query("SELECT * FROM users WHERE username='".$user."'");
    if(mysql_num_rows($res) == 1)
    {
        $data = mysql_fetch_assoc($res);
        if($data['pass'] == aCrypt($pass))
        {
            return true;
        }
        else
        {
            return false;
        }
    }
    else
    {
        return false;
    }
}
Now, it seems that the session is started and only able to be seen AFTER the user reloads the page. We need it to start the session right on the page...would we need to refresh the entire page with ajax? I don't really know where to go from here.
You probably want to use the Post-Redirect-Get pattern; after the user is successfully authenticated, use a redirect to send him to a new page.
As I noted above, please look into fixing the SQL injection and session fixation vulnerabilities in your code as well.
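The last answer points at SQL injection and session fixation, and an earlier one recommends PDO. The following is an added example, not code from any of the posts: a login routine that binds the username as a parameter, rotates the session ID at login, and returns a redirect target for Post-Redirect-Get. The `password_hash` column, the helper names and the in-memory SQLite database with its constructed user are assumptions, and it uses PHP's password_hash()/password_verify() in place of the md5() calls in the questions.

```php
<?php
declare(strict_types=1);

// Look the user up with a bound parameter: the input never becomes SQL text.
function find_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash, banned FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the redirect target; a web caller sends "Location: <target>" and exits.
function login(PDO $pdo, string $username, string $password): string
{
    $user = find_user($pdo, $username);
    // Unknown user and wrong password give the same answer.
    if ($user === null || !password_verify($password, (string) $user['password_hash'])) {
        return 'login.php?error=invalid';
    }
    if ((int) $user['banned'] === 1) {
        return 'login.php?error=banned';
    }
    // New ID at the moment of login, old session data deleted: an ID planted
    // before authentication is worthless afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $user['id'];
    $_SESSION['username'] = (string) $user['username'];
    return 'index.php';
}

// Constructed demo data; SQLite in memory stands in for the MySQL database (assumption).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, banned INTEGER)');
$pdo->prepare('INSERT INTO users (username, password_hash, banned) VALUES (?, ?, 0)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start();                 // before any output, as on every page
$before  = session_id();
$results = [
    login($pdo, "alice' OR '1'='1", 'x'),   // quote is data, so no row matches
    login($pdo, 'alice', 'correct horse'),
];
$results[] = session_id() !== $before ? 'session ID rotated' : 'session ID unchanged';
echo implode("\n", $results), "\n";
```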