I have an odd, but I'm sure simple, login issue. When I use my code here, I have a problem with the session section. Validating the login info works fine, but it does not redirect on successful login. If I comment out the session info, it works fine. This happens on both my process-login.php page as well as my success.php page. Any thoughts would be appreciated.

Thank you in advance.

Here is my login page:

    <form action="process-login.php" method="post">
     <fieldset>
      <legend>Login Form</legend>
      <label for="username">Username:</label>
      <input type="text" id="username" name="username" />
      <label for="password">Password:</label>
      <input type="password" id="password" name="password" />
      <button type="submit">Send</button>
     </fieldset>
    </form>

Here is my process-login page:

    <?php

    ob_start();
    // Set form data as variables

    $myusername=$_POST['username'];
    $mypassword=$_POST['password'];

    // DB login
    $host="localhost";
    $username="root";
    $password="pass1";
    $db_name="contact";
    $tbl_name="users";

    // Open database connection
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // Query with data
    $query="SELECT * from $tbl_name where username='$myusername'
    and password='$mypassword'";
    $result=mysql_query($query);

    // Check for entry
    $count=mysql_num_rows($result);

    // If it matches register and send on
    if($count==1){
    session_start("username");
    session_start("password");
    header("location:success.php");
    }
    else {
    echo "Wrong!";
    }
    ob_end_flush();
    ?>

And finally, here is my success page:

    <?php
    session_start();
    if(!isset($_SESSION['username'])){
    header("location:login.php");
    }
    else
    {
    echo "Welcome";
    }
    ?>

Please let me know if you need more information

inzel
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jan 11 '13 at 15:09
  • Don't store non-hashed passwords, see [the faq](http://php.net/manual/en/faq.passwords.php). – Quentin Jan 11 '13 at 15:09
  • `session_start("username"); session_start("password");` What? – Waleed Khan Jan 11 '13 at 15:10
  • Where do you set the values for the session? Why do you always start a new session? And as Waleed Khan asked: what are those invocations supposed to be doing? – ppeterka Jan 11 '13 at 15:10
  • This [answer](http://stackoverflow.com/questions/2580322/is-there-any-harm-in-running-session-start-multiple-times-as-the-page-request) can help you. – Sajjad Mohammadadeh Jan 11 '13 at 15:16
  • Thank you for the responses... I am actually coding this to practice SQL injection so I am wanting it to be vuln. To Waleed Khan... thanks for pointing out the part that is wrong. I'm obviously new to this but trying to learn. Most of us do make mistakes as we progress through learning new things. – inzel Jan 11 '13 at 15:25

3 Answers

`session_start()` creates a session. It doesn't take any arguments.

To store data in a session, you need to `$_SESSION['foo'] = $bar;`

Quentin

First move to PDO. Second read about session_start() and how to set $_SESSION vars.

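    session_start();                   // start (or resume) the session, no arguments
    $_SESSION['username'] = 'me';      // store a value in the session
    if (!isset($_SESSION['username'])) {
        header("Location: login.php");
        exit;                          // stop the script after sending the redirect
    }
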
v0d1ch

You have to call session_start() only once. Registering vars for your session works via superglobals:

    session_start();
    $_SESSION['username'] = $myusername;
    $_SESSION['password'] = $mypassword;

You can then use $_SESSION['password'] on any site after session_start().

Zim84
  • Ah thank you for that answer. I appreciate it. I am, obviously, new to PHP and have been trying to learn a lot. What you posted makes sense to me. I will implement that and see how it works! – inzel Jan 11 '13 at 15:23
  • This worked perfectly! Thank you very much. New code snippets below: `session_start(); $_SESSION['username']=$myusername; $_SESSION['password']=$mypassword; header("location:success.php"); } else { echo "Wrong!"; }` And: – inzel Jan 11 '13 at 15:28
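
Added example (not code from the question or from any answer): a hardened version of process-login.php that combines what the answers and comments above recommend, namely PDO with a bound parameter, hashed passwords, a single argument-free `session_start()`, and `$_SESSION` for the login state. The in-memory SQLite database, the `password_hash` column, the account `alice` and the helper names `open_db` and `check_login` are assumptions made so the file runs on its own.

```php
<?php
// Added example: hardened process-login.php. An in-memory SQLite database
// stands in for the MySQL "contact" database (assumption, so it runs offline).
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
    // Constructed sample account; only the hash is stored, never the password.
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, string $user, string $pass): bool {
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched the username.
    return is_string($hash) && password_verify($pass, $hash);
}

$db = open_db();
if (PHP_SAPI === 'cli') {
    // Offline self-check with constructed inputs.
    var_dump(check_login($db, 'alice', 'correct horse'));
    // A quote in the name is bound as data, not parsed as SQL.
    var_dump(check_login($db, "o'brien", 'x'));
    exit;
}

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
// Reject non-string input (e.g. username[]=x) before it reaches the query.
if (is_string($user) && is_string($pass) && check_login($db, $user, $pass)) {
    session_start();                 // called once, with no arguments
    session_regenerate_id(true);     // fresh session ID after login (fixation defence)
    $_SESSION['username'] = $user;   // store the identity only, not the password
    header('Location: success.php');
    exit;                            // nothing else runs after the redirect
}
http_response_code(401);
echo 'Wrong!';
```

With this in place, success.php only needs its existing `isset($_SESSION['username'])` check, followed by `exit` after its own redirect.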