0

New to PHP, still learning how to hash and verify hashed passwords. But before I get there, I need help with what's going wrong with my code. I can register, and it saves the values to my DB, but when entering my home.php or any other pages that use

<?php 
  session_start(); 

  if (!isset($_SESSION['username'])) {
    $_SESSION['msg'] = "You must log in first";
    header('location: login.php');
  }
  if (isset($_GET['logout'])) {
    session_destroy();
    unset($_SESSION['username']);
    header("location: login.php");
  }
?>

with my login/register.php files containing the code

$password = md5($password_1);
    $query = "SELECT * FROM loginsystem WHERE username='$username' AND password='$password'";
  $results = mysqli_query($db, $query);

    if (mysqli_num_rows($results) == 1) {
      $_SESSION['username'] = $username;
      $_SESSION['success'] = "You are now logged in";
      header('location: home.php');
    }else {
        array_push($errors, "Wrong username/password combination");

But everything redirects to login.php and resets the values as if I want it to destroy sessions. Is there something I'm doing wrong with validating sessions?

  • You can also try echoing values in both of your if conditions to identify which part of your condition is causing the issue. – 5eeker May 26 '18 at 03:24
  • Do take a look at https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 as your code performs unsafe SQL operations. Also, you should not save passwords using an MD5 hash. Instead use http://php.net/manual/en/function.password-hash.php with http://php.net/manual/en/function.password-verify.php to validate the passwords – Jelmergu May 26 '18 at 04:43
  • I've been trying to use that exact link for hashing my passwords but I'm still having an undefined variable problem with it. – Clout Cloud May 26 '18 at 04:57
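
The prepared-statement and password_hash()/password_verify() approach recommended in the comment above, as an added example that is not part of the original thread. It assumes $db is an open mysqli connection and that the password column of the loginsystem table stores password_hash() output; the function names are hypothetical.

```php
<?php
// Added example (not from the thread). Assumptions: $db is an open mysqli
// connection and loginsystem.password holds password_hash() output
// (use a column of up to 255 characters so future algorithms fit).

// Registration side: store a salted, slow hash instead of md5().
function register_user(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO loginsystem (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

// Login side: the username is bound as a parameter, never concatenated into
// the SQL string, and the password is checked in PHP with password_verify().
function verify_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM loginsystem WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();
    return $found === true && password_verify($password, $hash);
}

// Guard to call at the top of protected pages such as home.php.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit; // stop here so the protected page body is never sent
    }
}

// In login.php, after reading $username and $password_1 from $_POST:
// if (verify_login($db, $username, $password_1)) {
//     session_regenerate_id(true);   // issue a new session id after login
//     $_SESSION['username'] = $username;
//     header('Location: home.php');
//     exit;
// }
```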

2 Answers

0

Basically I have just combined your two if conditions into one using the OR operator. Try using this.

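<?php 
  session_start(); 

  // Redirect to the login page when nobody is logged in or on an explicit logout
  if ((!isset($_SESSION['username'])) || isset($_GET['logout'])) {
    session_destroy();
    unset($_SESSION['username']);
    header("location: login.php");
    exit; // stop the script so the rest of the protected page is not sent
  }
?>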
5eeker
  • Worked after the login, thanks, but I added the code to another page such as "purchase.php" and it goes right back to the login. – Clout Cloud May 26 '18 at 03:28
  • Yes, it works like this: on the login page you have to check the password the user entered and, if it matches, redirect to the home page. The code I posted is for other pages which, if the user tries to access them via URL, should redirect to the login page. – 5eeker May 26 '18 at 03:31
  • OK, oh see, that's my issue: a user could create and log in to their account, but if they refresh the home page or try to go read the terms of service it will direct them back to the login page. – Clout Cloud May 26 '18 at 03:33
  • How could I apply this to every page and take out the redirect? It's not finding sessions – Clout Cloud May 26 '18 at 03:48
  • You can create a file with this code and include that file at the top of your files (using require or include). – 5eeker May 26 '18 at 03:49
  • Still seems to redirect to login! – Clout Cloud May 26 '18 at 04:01
  • It will redirect to login. Once you log in, the session will be set and it won't redirect again to login until the user logs out. Try afresh in incognito mode – 5eeker May 26 '18 at 04:22
  • Tried on 2 different devices. I honestly don't know what could be causing this. – Clout Cloud May 26 '18 at 04:30
  • Found my issue, I had a PHP script for unsetting the session under logout instead of ref to the login page and unsetting the session – Clout Cloud May 26 '18 at 05:13
0

In your login/register page, try starting a new session with

session_start();

Once the session is on, we can set session variables. Let me know how it turns out.

Himakar
  • Notice: Undefined variable: errors in /home/u572108555/public_html/includes/errors.php on line 1 Warning: count(): Parameter must be an array or an object that implements Countable in /home/u572108555/public_html/includes/errors.php on line 1.... My errors.php being - 0) : ?> – Clout Cloud May 26 '18 at 03:35
  • Add ($errors && count($errors)>0) to the if condition and try again. – Himakar May 26 '18 at 03:38
  • Update your question with the following error. It may or may not be related to the session creation – Himakar May 26 '18 at 05:23