
Below are the following scripts; the first one is checklogin.php. This matches up the username and password that are stored in the MySQL database. Once this information has been checked they will get sent to their personal page by using a redirect function.

The bottom PHP script is user1's landing page. I want something on there that will confirm that this person has correctly logged in and is not entitled to view this page.

At the moment, when I log in as user1 I get shown the page 3.php, i.e. it's saying that I am not correctly logged in. I know I need to set up a session like: $_SESSION['logged in'] == 'y'; and I think this should go where the passwords are being compared to what is stored in the database. At the moment I cannot enter my login details and be directed to the correct file at the end. Any help will be much appreciated.

<?php

session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

mysql_connect("localhost", "root", "root") or die(mysql_error()); //Connect to server
mysql_select_db("first_db") or die("Cannot connect to database"); //Connect to database
$query = mysql_query("SELECT * from users WHERE username='$username'"); //Query the users table if there are matching rows equal to $username
$exists = mysql_num_rows($query); //Checks if username exists
$table_users = "";
$table_password = "";

if ($exists > 0) {
    //Only reached when at least one row matched the username

    //$_SESSION['logged in'] == 'y';

    while ($row = mysql_fetch_assoc($query)) {
        //walk every row the query returned
        $table_users = $row['username']; // the username of the current row is passed on to $table_users, and so on until the query is finished
        $table_password = $row['password']; // the password of the current row is passed on to $table_password, and so on until the query is finished
        $table_id = $row['id'];
        $page_id = $row['page'];
    }

    if (($username == $table_users) && ($password == $table_password)) {
        // checks if there are any matching fields

        if ($password == $table_password) {
            $_SESSION['user'] = $username; //set the username in a session. This serves as a global variable
            $_SESSION['logged_in'] = 'y';
            //echo $table_id;
            //echo $page_id;

            redirect($page_id); //take the user to the page specified in the users table
        } else {
            echo "Login Failed";
        }
    } else {
        print '<script>alert("1. Incorrect Password!");</script>'; //Prompts the user
        print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
    }
} else {
    print '<script>alert("Incorrect Username!");</script>'; //Prompts the user
    print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
}

function redirect($page_id)
{
    /* Redirect browser */
    header('Location: '.$page_id);
    /* Make sure that code below does not get executed when we redirect. */
    exit;
}

?>

And the landing page:

<?php

session_start();
//user logged in??

if ($_session['logged in'] != 'Y') {
    //No- jump to log in page.
    header("location: 3.php");
    exit();
}
else
{
    echo 'this works';
}

?>
Rus84
    `if ($_session['logged in'] != 'Y')` there's your problem. Think "letter case". Think *superglobal* http://php.net/manual/en/language.variables.superglobals.php *and compare* ;-) – Funk Forty Niner May 06 '15 at 13:32
  • Am I blind? Where do you set $_SESSION['logged in']? Why do you escape the user input password if you don't pass it through mysql? You should at least hash your passwords in db, too, for privacy reasons :) – Florian May 06 '15 at 13:38
  • Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and consider using [PDO](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 06 '15 at 13:46

1 Answer

3

You're defining the session like:

$_SESSION['logged in'] == 'y';

which should be:

$_SESSION['logged in'] = 'y';

yet you check like:

if ($_session['logged in'] != 'Y') {

it should be:

if ($_SESSION['logged in'] != 'y') {

You're checking if it's an uppercase Y while it holds a lowercase y. So it will never succeed.

Also $_SESSION is a superglobal which means:

Superglobals — Superglobals are built-in variables that are always available in all scopes

and variables are case sensitive.

Loko
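The answer's fix (assign with `=`, read `$_SESSION` with one key and one case) combined with the comments' advice (prepared statements instead of `mysql_*`, hashed passwords), as an added example that is not code from the question or the answer. It assumes a shared auth.php, a `users` table whose `password_hash` column holds `password_hash()` output, and database credentials of your own in place of root/root.

```php
<?php
// auth.php: added example, not code from the question or answer. Assumes a
// `users` table with columns id, username, password_hash (output of
// password_hash()) and page, and database credentials of your own, not root/root.
const SESSION_FLAG = 'logged_in';   // one key, one case, used by both scripts

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=first_db;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Called by checklogin.php after session_start(); returns the page to send the user to, or null on failure.
function login_user(PDO $pdo, string $username, string $password): ?string
{
    // Prepared statement: the username is bound as data, never spliced into the SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash, page FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One failure path for "no such user" and "wrong password", so the response
    // does not reveal which usernames exist; password_verify() checks the stored hash.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    session_regenerate_id(true);        // fresh session id after login (no session fixation)
    $_SESSION[SESSION_FLAG] = true;     // assignment (=), not comparison (==)
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['user']       = $username;
    return $row['page'];
}

// Called at the top of every protected page, such as user1's landing page.
function require_login(): void
{
    // $_SESSION is the superglobal; $_session is a different, undefined variable.
    if (empty($_SESSION[SESSION_FLAG])) {
        header('Location: login.php');
        exit;
    }
}
// checklogin.php: session_start(); require 'auth.php';
//   $page = login_user(db(), $_POST['username'] ?? '', $_POST['password'] ?? '');
//   header('Location: ' . ($page ?? 'login.php?error=1')); exit;
// landing page:   session_start(); require 'auth.php'; require_login(); echo 'this works';
```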