1

I'm not great at this stuff as will be evident, but would like to try and get better. I have a wedding website for my fiancé and me that I'm having trouble with. I have a simple login on the index that goes through a login page, login confirmation page and back to the index. It will hold the $_SESSION['name'] variable from the form, confirmed in mysql, back to the index but not to anywhere else. Even on refreshing that page, it will disappear.

index.php

  <div id="login">
        <span class="login">
            <form action="login.php" method="post" id="loginform">
                <label for="name">User:</label>
                <input type="text" name="name" id="name" size="12">
                <label for="password">Password:</label>
                <input type="password" name="password" id="password" size="12">
                <input type="submit" value="submit" id="submit">
                <input type="button" value="hide" id="hide" onclick="loghide()">
            </form>
        </span>
    </div>
    <br />
    <div id="logged">
        <?php
        if (isset($_SESSION['username'])) {
            echo "<script type='text/javascript'>document.getElementById('logged').style.cssText='opacity:1;-webkit-transition:1s;-moz-transition:1s;-o-transition:1s;-ms-transition:1s;transition:1s;';</script>";
            echo "<script type='text/javascript'>document.getElementById('login').style.cssText='display:none;';</script>";
        }
        ?>
        <span class="logged">
                <ul id="adminlinks">
                    <div id="event">
                        <div id="hiddenlinks">
                            <li><a class="links" id="hidden2" href="events.html">index</a></li>
                            <br />
                            <li><a class="links" id="hidden3" href="events.html">our story</a></li>
                            <br />
                        </div>
                        <li><a class="links">update</a></li>
                    </div>
                    <li><a class="links" href="addphotos.php">add photos</a></li>
                    <li><a class="links" href="<?php session_destroy(); header("Location:index.php"); ?>">Log Out</a></li>
                </ul>
        </span>
    </div>
</div>
<div id="bottom">
    <span class="foot">july fourth, two thousand and fifteen</span>
</div>
</div>

<?php
echo $_SESSION['username'];
echo $myusername;
?>

login.php

////deleted mysql connection stuff
session_start();
$_SESSION['username']=$myusername;
$_SESSION['password']=$mypassword; 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

login_success.php

<?php
session_start();
if (!isset($_SESSION['username'])){
echo "nope";
} else {header("location:index.php");}

?>

I have session_start()'s at the tops of those pages as well. It will work right there but then moving to my next admin link it won't. I had the echo $_SESSION['username']; at the bottom to see if it was registered.

It's hosted on GoDaddy, which does save session stuff in a root/tmp folder so there is a path for it. I'm at a loss.

Any ideas for a noob?

It's not an important login or anything as it would just be me or my fiancé logging in to update pictures or something but wanted to do it myself and make it nice.

Thanks, Matt

Edit- Index.php and addphotos.php have session_start(); at the top of the page.

The next admin link, as I called it, is addphotos.php, basically the same as the index with other content to be added later.

Double Edit - Was going to encrypt passwords. Would there be a better way to accomplish things without $_SESSION variables? What if only the $_SESSION['username'] was set but not a password one?

FINAL- Okay thanks everyone! Got it and am revamping things.

Matthew Ediger
  • 303
  • 2
  • 13
  • 4
    You need to add `session_start()` to the index page *and every page* you expect to use session variables. You're checking for session variables without starting the session. – Jay Blanchard Mar 09 '15 at 17:54
  • You could try `print_r($_SESSION); exit;` in order to see the status of the SESSION variable. If it's not filled with your values, you might have forgotten to start the session as @JayBlanchard said, or you're unsetting the variables somewhere along. – James Spence Mar 09 '15 at 17:56
  • 2
    Wise words; don't store vital information in sessions. Ever heard of sessions hijacking? Plus, don't store passwords in plain text. If you're going LIVE with this, you WILL get hacked. – Funk Forty Niner Mar 09 '15 at 17:56
  • @Fred-ii- Wise indeed *Ralph*. – Jay Blanchard Mar 09 '15 at 17:57
  • @JayBlanchard *Aye, Sam!* Danger lurks about plain text passwords too. – Funk Forty Niner Mar 09 '15 at 17:57
  • What is the "admin link"? – Jay Blanchard Mar 09 '15 at 17:59
  • Yeah I agree with not storing secure info in sessions. I wouldn't use this to secure any personal info but if it's just to keep the average user out who cares – Zach Mar 09 '15 at 18:01
  • You need to assign your POST array to a sessions array/variables. Example http://stackoverflow.com/a/28682150/ - http://www.thesitewizard.com/php/sessions.shtml – Funk Forty Niner Mar 09 '15 at 18:01
  • 1
    *"It's not an important login or anything as it would just be me or my fiancé logging in to update pictures"* - Believe me, there are people out there who sniff out sites like these and like I said earlier, you WILL get hacked. So, I would rethink this and use a proper login system using prepared statements and a strong password hashing function. I've seen this all too often. – Funk Forty Niner Mar 09 '15 at 18:06
  • Use [**`mysqli` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO with prepared statements**](http://php.net/pdo.prepared-statements). For password storage, use [**CRYPT_BLOWFISH**](http://security.stackexchange.com/q/36471) or PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. For PHP < 5.5 use the [`password_hash() compatibility pack`](https://github.com/ircmaxell/password_compat). – Funk Forty Niner Mar 09 '15 at 18:07
  • Here, check out http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL and http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication – Funk Forty Niner Mar 09 '15 at 18:11
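
The login recommended in the comments above (a prepared statement plus `password_hash()` / `password_verify()`), as an added example that is not the asker's or any commenter's code. The `users(username, password_hash)` table, the `check_login()` and `start_login_session()` helpers and the connection placeholders are assumptions; only the username is stored in the session, never the password.

```php
<?php
// login.php: added example, not the asker's code.
// Assumed schema: users(username UNIQUE, password_hash VARCHAR(255)), where
// password_hash was produced by password_hash($plain, PASSWORD_DEFAULT).
declare(strict_types=1);

function check_login(PDO $db, string $name, string $password): bool
{
    // Prepared statement: the submitted name is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    // password_verify() reuses the salt and cost stored inside $hash.
    return is_string($hash) && password_verify($password, $hash);
}

function start_login_session(string $name): void
{
    session_start();
    session_regenerate_id(true);   // fresh session ID once the user is authenticated
    $_SESSION['username'] = $name; // identity only; the password never enters the session
}

if (PHP_SAPI === 'cli') {
    // Offline check with constructed data; in-memory SQLite stands in for MySQL.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')
       ->execute(['matt', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
    var_dump(check_login($db, 'matt', 'constructed-sample-pw')); // correct password
    var_dump(check_login($db, 'matt', 'wrong-password'));        // wrong password
    var_dump(check_login($db, "ma'tt", 'constructed-sample-pw')); // quote is just data
    exit;
}

// Web request. The DSN, user and password are placeholders.
$db = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', 'EXAMPLE_USER', 'EXAMPLE_PASS');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$name     = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
if (check_login($db, $name, $password)) {
    start_login_session($name);
    header('Location: index.php');
    exit;
}
echo 'Wrong Username or Password';
```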

2 Answers

0
<a class="links" href="<?php session_destroy(); header("Location:index.php");?>">Log Out</a>

This is not creating a link to this code, you're actually running it! Create a logout.php page with this code in it, and link to that page instead. This is why your session is being destroyed. You also need session_start() on all pages that use sessions.

MattDiamant
  • 7,330
  • 4
  • 32
  • 45
  • Also, please pay attention to what everyone has said about security. Even though session hijacking would be extremely rare for your website, learning how to do logins and sessions properly is something that every developer needs to know, as you can probably tell by now :-) – MattDiamant Mar 09 '15 at 18:19
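
The separate logout page this answer describes, as an added example that is not the answerer's code. The file name `logout.php` comes from the answer; the cookie clean-up step goes beyond what the answer spells out.

```php
<?php
// logout.php: added example. Link to it with a plain href, for instance
//   <li><a class="links" href="logout.php">Log Out</a></li>
// so the session is ended only when this page is actually requested,
// not every time index.php is rendered.
session_start();              // attach to the existing session before ending it

$_SESSION = [];               // drop the data held for this request

// Expire the session cookie in the browser, using the same parameters it
// was issued with so that the browser matches and removes it.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

session_destroy();            // delete the server-side session data

header('Location: index.php');
exit;                         // nothing else should run after the redirect
```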
-1

You must call session_start(); on the index page in order to use it there. The sessions are kept; it's just that you need to tell the program to start the session so that it will use the values found there. Put the following code on the first line of your index.php file:

<?php session_start(); ?>

Hope it helps.

MarioV
  • 38
  • 1
  • 7