0

I am creating some kind of a login/registration system right now. Registration form, email confirmation and login are already working. I now have problems with my sessions. Please keep in mind that this project is just a test project. I know that I should use PDO but for these testing purposes I need to find out why it is not working the way I did it.

Here is my login.php PHP code:

<?php include ('inc/database.php');

if (isset($_POST['submit'])) {
 // Initialize a session:
session_start();
 $error = array();//this array will store all error messages

 if (empty($_POST['email'])) {//if the email supplied is empty
 $error[] = 'You forgot to enter  your Email ';
 } else {

 if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['email'])) {
 $Email = $_POST['email'];
 } else {
 $error[] = 'Your EMail Address is invalid  ';
 }
}

if (empty($_POST['passwort'])) {
 $error[] = 'Please Enter Your Password ';
 } else {
 $Password = $_POST['passwort'];
 }

 if (empty($error))//if the array is empty , it means no error found
 {
$query_check_credentials = "SELECT * FROM user WHERE email='$Email' AND password='$Password' AND activation IS NULL";
 $result_check_credentials = mysqli_query($connect, $query_check_credentials);
 if(!$result_check_credentials){//If the Query Failed
 echo 'Query Failed ';
 }

 if (@mysqli_num_rows($result_check_credentials) == 1)//if Query is successful
 { // A match was made.

$row = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);
$_SESSION['email'] = $row["email"];


//Assign the result of this query to SESSION Global Variable

 header("Location: index.php");

 }else
 { $msg_error= 'Either Your Account is inactive or Email address /Password is Incorrect';
 }
}  else {
 echo '<div> <ol>';
 foreach ($error as $key => $values) {
 echo '    <li>'.$values.'</li>';
}
 echo '</ol></div>';
}
 if(isset($msg_error)){
 echo '<div>'.$msg_error.' </div>';
 }
 /// var_dump($error);

} // End of the main Submit conditional.
?>

Here is the beginning of my protected index.php

<?php 
ob_start();
session_start();
if(!isset($_SESSION['email'])){
header("Location: login.php");
}
include 'header.php';
?>

<!DOCTYPE html>
<html lang="en">
<head>
</head>
.....

There must be a problem with my session and I do not know why. Is it wrong to use the email as session? Am I using the email as session? What other options do I have?

Problem is right now, that if I click on Login, nothing happens. I will be redirected to login.php instead of index.php!

Any suggestions?

Christoph C.

2 Answers

2

As Fred -ii- already mentioned in comments above, your $_SESSION['email'] is never set, and therefore you are re-directed to your login-page every time.

It's also worth noting that when using header("Location: ...");, you cannot have any output prior to the header! Otherwise the header will fail. Output is generally any HTML, echo, whitespace (see this SO).

So, once you make sure that your header("Location: index.php"); actually works, move on to fixing your $_SESSION.

$_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC); does not set $_SESSION['email'] (as already stated by Fred -ii-). To fix this, you need to fix your results from the database.

$row = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);
$_SESSION['email'] = $row["email"];

The code above will return the row "email" from the result in the database, and set it to the session of "email", which later is checked when you are trying to access index.php.

A couple of side-pointers (not really your current problem, but a few tips to make your code better).

  • You should use exit; after using header("Location: ..."); (See this SO)
  • You are not hashing your password, so it's stored in plain-text in your database (big no-no)
  • Indenting your code properly makes it a lot easier to read, and in turn easier to troubleshoot

If you do the above, and it still doesn't work, we'd need some more information to help troubleshoot further (like what happens when you're logging in (is it as expected?), what results are returned, and so forth).

Qirel
  • Thanks for your help! I will look into your side-points once the script is working. I changed my code now and used your query (see my first post). Still the same issue. When I try to login nothing happens. I stay on the login.php page. When I remove the following code from my index.php: if(!isset($_SESSION['email'])) { //if not yet logged in header("Location: login.php"); and make again the login and click on "Login" button I am redirected to index.php and I can see it but I am not logged in. Is there anything else I can do? – Christoph C. Aug 24 '15 at 17:35
  • Do a `var_dump($_SESSION['email']);`, what does it contain? If it contains nothing, it's still not set in your `login.php`, and that's where you'll need to be looking. Try to `var_dump` or `echo` the different variables in `login.php`, and check if the values that are output are the ones you expect. Also make sure that you enter the proper `if`-statements (that it actually queries your database and get a proper result). – Qirel Aug 24 '15 at 17:38
  • I do not see anything with the var_dump function. Maybe I do something wrong but I changed my code to: $error[] = 'Your EMail Address is invalid '; var_dump($error); and if I upload my login.php and refresh it, there is nothing that I can see. The same happens when I enter var_dump($_SESSION['email']); underneath $_SESSION['email'] = $row["email"];! There is nothing I can see. Why? What am I doing wrong? – Christoph C. Aug 24 '15 at 17:44
  • `var_dump` will return "NULL" if the variable isn't set (then that's the issue), or something like `string(3) "abc"`. --- I just tried your code on my server (just modified the query so it works with my database), and it works here. Are you sure that your `session_start();` is actually run? This should be the very first line of code after the ` – Qirel Aug 24 '15 at 18:06
  • Happy to have been of assistance! – Qirel Aug 24 '15 at 18:20
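
The points raised in the answer and comments above (session_start() before any output, exit; after the redirect, hashed passwords instead of plain text), combined into one login handler as an added example that is not part of the original question or answers. It assumes PDO with the pdo_sqlite extension, an in-memory SQLite table standing in for the asker's MySQL `user` table, a password column filled by password_hash(), and the hypothetical helpers check_login() and handle_login().

```php
<?php
session_start(); // first statement, before any output, so the session cookie can be sent

// Constructed demo data (added example): SQLite stands in for the MySQL `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (email TEXT, password TEXT, activation TEXT)');
$db->prepare('INSERT INTO user (email, password, activation) VALUES (?, ?, NULL)')
   ->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns the account e-mail on success, null otherwise.
function check_login(PDO $db, string $email, string $password): ?string
{
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $db->prepare(
        'SELECT email, password FROM user WHERE email = ? AND activation IS NULL'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password column holds a password_hash() value, never the plain text.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['email'];
}

// Hypothetical helper: sets $_SESSION['email'] only after a verified login.
function handle_login(PDO $db, array $post): bool
{
    $email = $post['email'] ?? '';
    $password = $post['passwort'] ?? '';
    if (!is_string($email) || !is_string($password)) {
        return false; // reject array-valued form fields
    }
    $account = check_login($db, $email, $password);
    if ($account === null) {
        return false;
    }
    session_regenerate_id(true); // fresh session ID for the authenticated session
    $_SESSION['email'] = $account;
    return true;
}

if (isset($_POST['submit'])) {
    if (handle_login($db, $_POST)) {
        header('Location: index.php');
        exit; // nothing below runs or prints after the redirect
    }
    echo '<div>Either your account is inactive or the e-mail address/password is incorrect</div>';
}
```

The guard in index.php then needs only the session_start() and isset($_SESSION['email']) check from the question, with exit; added after its own header("Location: login.php");.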
0

Try to change

 $_SESSION = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);

to

 $results = mysqli_fetch_array($result_check_credentials, MYSQLI_ASSOC);

 $_SESSION['email']=$results['email'];

and try to check your "activation" field in database for null while login...

  • Thanks for your help! I removed my code with your code but still the same issue. I click on "Login", page reloads but I am still on login.php instead of index.php – Christoph C. Aug 24 '15 at 16:14
  • activation table in database is set to NULL by the user who wants to login! Still same issue – Christoph C. Aug 24 '15 at 16:20