
index.php

<form class="form" id="ex-form" method="post" action="index.php">
<input type="text" placeholder="Email" name="email">
<input type="password" placeholder="Password" name="password">
<button type="submit" id="login-button" name="login">Login</button>
</form>

<?php
session_start();
include 'db/db_connection.php';

if (isset($_POST['login'])) {

$email = $_POST['email'];
$password = $_POST['password'];

if($_POST['email']=="" || $_POST['password']==""){ //To check whether username and password fields are blank
$create_error_message='Blank Email OR Password...';

}else{

    $sql="SELECT * FROM user WHERE email='$email' AND password='$password' AND status='1'";
    $result=mysqli_query($dbcon,$sql);
    $row=mysqli_fetch_array($result);

    $_SESSION["status"] =$row['status'];
    $_SESSION["user_type_id"] =$row['user_type_id'];
    $_SESSION["first_name"] =$row['first_name'];

    $count=mysqli_num_rows($result);

      if ($count > 0) {
        $user = $row['user_id'];
        date_default_timezone_set('Asia/Colombo'); 
        $date = date('Y-m-d');
        $time = date('H:i:s'); // 24-hour clock; 'h:i:s' has no am/pm marker, so 13:00 and 01:00 would be stored the same

        // $dbcon is a mysqli connection, so errors come from mysqli_error($dbcon); mysql_error() belongs to the removed mysql_* extension
        $sql2 = mysqli_query($dbcon,"INSERT INTO `login_sessions` (`date`, `time`, `user_id`) VALUES ('$date', '$time', '$user')") or die(mysqli_error($dbcon));

        if ($sql2) {
            $_SESSION['user'] = $user;

            if ($_SESSION["user_type_id"] == 1){
                header("Location: src/system/modules/login/dashboard.php");
                exit; // header() only sets the redirect; without exit the rest of the page keeps running
                //echo "WELCOME ADMIN";
            }else if($_SESSION["user_type_id"] == 2){
                header("Location: src/system/modules/login/dashboard.php");
                exit;
                //echo "WELCOME Examiner";
            }else if($_SESSION["user_type_id"] == 3){
                //header("Location: ");
                echo "WELCOME Job Seeker";
            }else{
                //header("Location: ");

            }

        }//if($sql2)

      }//if count end



} //else
} //login

?>

dashboard.php

<?php
session_start();
include '../../db/db_connection.php';
$date = date('Y-m-d');
if(!empty($_SESSION['user'])){
?>

<html>
<body>

<div id="ad">
                <?php 
                    // mysqli connection, so mysqli_error($dbcon) rather than the old mysql_error()
                    $query_user=mysqli_query($dbcon,"SELECT * FROM user WHERE user_id='".$_SESSION['user']."'")or die(mysqli_error($dbcon));
                    $row_user=mysqli_fetch_array($query_user);
                ?>
            <h3 style="color:#333; margin-left:20px;">Welcome
            <?php echo $row_user['first_name']." ". $row_user['last_name']; ?>
            </h3><br />
            </div><!--ad-->
</body>
</html>

database tables

user

| user_id | first_name | last_name | email        | password | status | user_type_id |
|---------|------------|-----------|--------------|----------|--------|--------------|
| 1       | AAA        | aaa       | aa@gmail.com | 123      | 1      | 1            |
| 2       | BBB        | bbb       | bb@gmail.com | 111      | 0      | 3            |
| 3       | CCC        | ccc       | cc@gmail.com | 111      | 1      | 3            |
| 4       | DDD        | ddd       | dd@gmail.com | 456      | 1      | 2            |

user_type

| user_type_id | user_type_name |
|--------------|----------------|
| 1            | admin          |
| 2            | examiner       |
| 3            | jobseeker      |

Here I have one login for all the users. When I log in as Admin it will preview the Admin first_name and last_name in dashboard.php. I will open the next browser tab and log in as Examiner. Then it will preview the Examiner first_name and last_name in dashboard.php. BUT in the previous tab (logged in as admin) the values have changed: it will preview the examiner first name and last name.

So in both tabs I log in separately as admin and examiner, but the sessions are not working correctly. How can I fix this error?
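The following is an added example, not the asker's code: the login handler from index.php rewritten so that the submitted email cannot change the SQL (the injection the comments point out), the password is checked against a stored hash, nothing is written to `$_SESSION` until a user was actually matched, and the session id is regenerated on login. It assumes that `db/db_connection.php` still defines `$dbcon` as a mysqli connection, that the mysqlnd driver is present (needed for `get_result()`), and that the `password` column holds `password_hash()` output rather than the plaintext values shown in the table above. The function names `authenticate` and `record_login` are this example's own.

```php
<?php
// Added example (not the asker's code). Assumes $dbcon is a mysqli connection
// from db/db_connection.php and that user.password stores password_hash() output.
session_start();
include 'db/db_connection.php';

function authenticate(mysqli $dbcon, string $email, string $password): ?array
{
    // The ? placeholder is sent separately from the SQL text, so a quote or an
    // OR clause inside $email arrives as data and is never parsed as SQL.
    $stmt = $dbcon->prepare(
        "SELECT user_id, first_name, user_type_id, password
           FROM user WHERE email = ? AND status = '1'"
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null/false when no row matched
    $stmt->close();

    // password_verify() compares against the stored hash in constant time.
    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // never carry the hash into the session or output
    return $row;
}

function record_login(mysqli $dbcon, int $userId): bool
{
    date_default_timezone_set('Asia/Colombo');
    $date = date('Y-m-d');
    $time = date('H:i:s'); // 24-hour clock, so afternoon times stay distinct
    $stmt = $dbcon->prepare(
        "INSERT INTO `login_sessions` (`date`, `time`, `user_id`) VALUES (?, ?, ?)"
    );
    $stmt->bind_param('ssi', $date, $time, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['login'])) {
    $email    = trim($_POST['email'] ?? '');
    $password = $_POST['password'] ?? '';

    if ($email === '' || $password === '') {
        $create_error_message = 'Blank Email OR Password...';
    } elseif (($user = authenticate($dbcon, $email, $password)) === null) {
        // One message for "no such email" and "wrong password", so the form
        // does not reveal which addresses exist.
        $create_error_message = 'Invalid Email OR Password...';
    } else {
        // Fresh id on privilege change defeats session fixation; the session is
        // only populated now, after a successful match, so a failed attempt can
        // no longer leave stale first_name/user_type_id values behind.
        session_regenerate_id(true);
        $_SESSION['user']         = (int) $user['user_id'];
        $_SESSION['user_type_id'] = (int) $user['user_type_id'];
        $_SESSION['first_name']   = $user['first_name'];
        record_login($dbcon, (int) $user['user_id']);

        header('Location: src/system/modules/login/dashboard.php');
        exit; // header() does not stop the script; without exit the rest of the page still runs
    }
}
```

This rewrite closes the injection and the premature session writes, but it does not make the two tabs independent: the browser sends the same session cookie from every tab of the same site, so the second login still replaces the first, which is the behaviour the comments describe. Two accounts in one browser need either separate browser profiles or per-login slots inside the one session.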

  • Where have you seen two login sessions in the same browser? I am not sure how you want it to behave. The real question is how did you show the login page in the second tab.. – Suraj Rao Apr 01 '17 at 06:06
  • You've got an SQL injection in your login query. – user2659982 Apr 01 '17 at 06:08
  • How do I fix the errors? – Koshila Kalansooriya Apr 01 '17 at 06:14
  • As user2659982 said, you leave the door wide open :/ check the [PHP doc](http://php.net/manual/fr/filter.filters.sanitize.php) and also, if I make no mistake, a browser tab will keep *one* session cookie for a website as explained here [SO question](http://stackoverflow.com/questions/34808498/php-session-per-tab) – OldPadawan Apr 01 '17 at 06:22
  • Is the same person logging in with two different levels of privilege? –  Apr 01 '17 at 06:30
  • Different users (Admin & Examiner) logging in to their dashboards. – Koshila Kalansooriya Apr 01 '17 at 06:36
  • @Terminus : it should not matter, as `$_SESSION["status"] = $row['status'];` and `$_SESSION["first_name"] = $row['first_name'];` then they will be overwritten, no? – OldPadawan Apr 01 '17 at 06:37
  • @OldPadawan right. But using GET parameters (or a session value works too I guess), you could `$_SESSION[$_SESSION['isAdmin']]['SomeKey']`. Kinda cumbersome but that's what wrapper classes are for. –  Apr 01 '17 at 06:41
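The last comment suggests keying session data per login behind a small wrapper. The block below is an added example of that idea, not code from the question or from any commenter: one browser session (one session cookie) holds several logged-in accounts, each under a random per-tab token that the tab carries in its own requests, so the admin tab and the examiner tab read different slots instead of overwriting the same `first_name` and `user_type_id` keys. It uses a random token rather than a client-supplied flag such as `isAdmin` because the request must never be able to pick its own role. The function names, the `tabs` session key and the `tab` request parameter are this example's own choices.

```php
<?php
// Added example, not code from the question or the comments. Function names,
// the 'tabs' session key and the 'tab' request parameter are assumptions.

function tab_login(array $user): string
{
    // 128 random bits from the CSPRNG. The token is only a lookup handle;
    // the user id and role it points at live server side in $_SESSION.
    $token = bin2hex(random_bytes(16));
    $_SESSION['tabs'][$token] = [
        'user'         => (int) $user['user_id'],
        'user_type_id' => (int) $user['user_type_id'],
        'first_name'   => $user['first_name'],
        'login_at'     => time(),
    ];
    return $token;
}

function tab_user(?string $token): ?array
{
    // The client presents a token; it cannot choose a role, because the role
    // is read from the server-side slot, never from the request itself.
    if ($token === null || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;
    }
    return $_SESSION['tabs'][$token] ?? null;
}

function tab_logout(?string $token): void
{
    if ($token !== null) {
        unset($_SESSION['tabs'][$token]);
    }
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo with constructed users taken from the table in the
    // question: two logins survive side by side in one $_SESSION array, and a
    // made-up token finds nothing.
    $_SESSION = [];
    $adminTab    = tab_login(['user_id' => 1, 'user_type_id' => 1, 'first_name' => 'AAA']);
    $examinerTab = tab_login(['user_id' => 4, 'user_type_id' => 2, 'first_name' => 'DDD']);
    if (tab_user($adminTab)['first_name'] !== 'AAA') { throw new RuntimeException('admin slot lost'); }
    if (tab_user($examinerTab)['user_type_id'] !== 2) { throw new RuntimeException('examiner slot lost'); }
    if (tab_user(str_repeat('0', 32)) !== null) { throw new RuntimeException('unknown token resolved'); }
    tab_logout($adminTab);
    if (tab_user($adminTab) !== null || tab_user($examinerTab) === null) { throw new RuntimeException('logout wrong'); }
    echo "both tabs kept their own account\n";
} else {
    // Web usage: index.php would redirect to dashboard.php?tab=<token> after a
    // successful login, and dashboard.php resolves the token before rendering.
    session_start();
    $me = tab_user($_GET['tab'] ?? null);
    if ($me === null) {
        header('Location: index.php');
        exit;
    }
    echo 'Welcome ' . htmlspecialchars($me['first_name'], ENT_QUOTES, 'UTF-8');
}
```

Run from the command line the block exercises the wrapper on constructed data; in a web request it behaves as the dashboard check. A token placed in the URL ends up in browser history and Referer headers, so a hidden POST field is the better carrier, and `login_at` is there so a slot can be expired instead of living as long as the cookie does.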

0 Answers