0

I m having session values problem on page post.php I verify password and set session values and on page chekrole I check if session is logon or not it always returs session value empty first time and true if I try aagain,

POST.php

<?php 
ini_set("session.cookie_httponly", 1);
ini_set("session.cookie_secure", 1);
define('MyConst', TRUE);
require_once('includes/db.php');

$user=mysql_real_escape_string($_POST['login']);
$pass=mysql_real_escape_string($_POST['pass']);

$st=$con->stmt_init();
$st->prepare("select PASSWORD from users where USERNAME=?");
$st->bind_param('s',$user); 
$st->execute(); 

    $st->bind_result($hpass);
    $st->fetch();
    $st->close();   

if(password_verify($pass, $hpass)){

    if(!session_id())       
    session_start();
$_SESSION['logon']=true;
$_SESSION['time']=time()+7200;




$result=$con->query("select * from users where USERNAME='$user'");
    $row=$result->fetch_assoc();

// session values
    $_SESSION['user']=$user;
    $_SESSION['stname']=$row['STUDENT_NAME'];
    $_SESSION['tname']=$row['TEACHER_NAME'];
    $_SESSION['tsname']=str_replace("_"," ",$row['TEACHER_NAME']);
    $_SESSION['gender']=$row['GENDER'];
    $_SESSION['roll']=$row['ROLL'];
    $_SESSION['role']=$row['ROLE'];
    $_SESSION['stsession']=$row['SESSION'];
    $_SESSION['url']=$_SERVER['SERVER_NAME'];
    $_SESSION['class']=$row['CLASS'];
    $_SESSION['logo']=$row['LOGO'];

header('location: checkrole.php');
}else header('location: login.php');


?>

CHECKROLE.php

<?php
if(!session_id())
session_start();
if(!$_SESSION['logon'])
header("location: index.php");



if($_SESSION['role']=='Student')
header ('location: dashboard.php');
if($_SESSION['role']=='Teacher')

header('location:tdashboard.php');



?>
Ali Awais
  • 51
  • 3
  • 1
    You have to have `session_start();` at the top of all pages/scripts using sessions. – Jay Blanchard Jul 25 '16 at 15:28
  • You're mixing `mysql_*` and `mysqli_*` functions, which doesn't work. – Jay Blanchard Jul 25 '16 at 15:28
  • 1
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 25 '16 at 15:29

0 Answers0