
Login form & sessions


lukep11a


Hi, I have a login form that I want to direct to a user account page once correct login information is entered. At the top of the user account page is this code, as I don't want anyone who is not logged in to be able to view this page.

 

session_start();
if (!(isset($_SESSION['user_id']) && $_SESSION['user_id'] != '')) {
header ("Location: ../registration.php");
}

 

The problem I am getting is that I am being redirected to registration.php and the login process is not being completed. I am assuming it is to do with the code at the top of the page as I have tried logging in to pages without the code at the top and it works fine.

 

This is the code for login.php which I include onto my master page:

 

if (!isLoggedIn())
{
    // user is not logged in.
    if (isset($_POST['email'], $_POST['password']))
    {
        // retrieve the email and password sent from login form & check the login.
        if (checkLogin($_POST['email'], $_POST['password']))
        {
            show_userbox();
        } else
        {
            echo "<p class='fail'>Incorrect login information. Please try again.</p>";
            show_loginform();
        }
    } else
    {
        // User is not logged in and has not pressed the login button
        // so we show him the loginform
        show_loginform();
    }

} else
{
    // The user is already loggedin, so we show the userbox.
    show_userbox();
}

 

These are the functions it calls:

 

<?php

#### Login Functions #####


function isLoggedIn()
{

    if (session_is_registered('user_id') && session_is_registered('email'))
    {
        return true; // the user is logged in
    } else
    {
        return false; // not logged in
    }

    return false;

}

function checkLogin($u, $p)
{
global $seed; // global because $seed is declared in the header.php file

    if (!valid_email($u) || !valid_password($p) || !user_exists($u))
    {
        return false; // the name was not valid, or the password, or the email did not exist
    }

    //Now let us look for the user in the database.
    $query = sprintf("
        SELECT user_id 
        FROM users 
        WHERE 
        email = '%s' AND password = '%s'
        LIMIT 1;", mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));
    $result = mysql_query($query);
    // If the database returns a 0 as result we know the login information is incorrect.
    // If the database returns a 1 as result we know the login was correct and we proceed.
    // If the database returns a result > 1 there are multiple users
    // with the same email and password, so the login will fail.
    if (mysql_num_rows($result) != 1)
    {
        return false;
    } else
    {
        // Login was successful
        $row = mysql_fetch_array($result);
        // Save the user ID for use later
        $_SESSION['user_id'] = $row['user_id'];
        // Save the email for use later
        $_SESSION['email'] = $u;

        // Now we show the userbox
        return true;
    }
    return false;
}
?>

 

Any help would be greatly appreciated, I've been going around in circles for hours on this.


Try this.

if (!isset($_SESSION['user_id']) && $_SESSION['user_id'] != '') {
header ("Location: ../registration.php");
}

 

Removed the () after the ! sign. It was checking for negation of both conditions. If you are logged in $_SESSION['user_id'] != '' will be true.


A) You already have a function, isLoggedIn(), that returns the logged in state. You should use that function everywhere.

 

B) session_is_registered was deprecated over 10 years ago. You should be testing the $_SESSION variables in your isLoggedIn() function.

 

C) You need an exit; statement after your header() redirect to prevent the remainder of the code on the protected page from running while the browser performs the redirect. Without the exit; all you need to do is ignore the header redirect and you have full access to the 'protected' page.

 

D) Do you have a session_start() statement, before sending any characters at all to the browser, on every page that sets or references a $_SESSION variable?
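
A guard that puts points A to D above together, as an added example that is not part of the original posts. The file name auth_guard.php and the helpers start_session_once(), require_login() and mark_logged_in() are hypothetical; isLoggedIn(), the session keys and the redirect target follow the thread, and the session ID regeneration is an extra hardening step the thread does not mention.

```php
<?php
// auth_guard.php -- added example; file and helper names are hypothetical.
// Include this file before any output (no whitespace or HTML ahead of "<?php"),
// otherwise neither the session cookie nor the Location header can be sent.

// Point D: the session must be started on every page that reads or writes $_SESSION.
function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Point B: test $_SESSION directly instead of calling session_is_registered().
function isLoggedIn(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['email'])
        && $_SESSION['user_id'] !== '';
}

// Points A and C: one shared check, and the script stops after the redirect.
function require_login(string $loginUrl): void
{
    start_session_once();
    if (isLoggedIn()) {
        return; // authenticated: the rest of the protected page runs as usual
    }
    header('Location: ' . $loginUrl);
    // header() only queues a response header. Without exit the protected
    // markup below the guard is still generated and sent to the client.
    exit;
}

// Call once the credentials have been verified (e.g. inside checkLogin()).
function mark_logged_in($userId, string $email): void
{
    start_session_once();
    session_regenerate_id(true); // fresh session ID at login (not from the thread)
    $_SESSION['user_id'] = $userId;
    $_SESSION['email']   = $email;
}

// First lines of a protected page (constructed usage):
//   require_once 'auth_guard.php';
//   require_login('../registration.php');
```

The exit is reached only on the not-logged-in path, so a logged-in visitor still gets the whole page.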

 

 


Hi, thanks for pointing out those errors. I've changed the code at the top of restricted pages to check the isLoggedIn() function, and I've changed the isLoggedIn() function to look if (isset($_SESSION['user_id']) && isset($_SESSION['email'])) instead of using session_is_registered.

 

Not sure how to write an exit statement without stopping the whole page loading though. I've put session start just before where the session variables are set in the checklogin function, is that the right place?

 

After trying all that, it's still doing the same thing, just redirecting to registration.php; it's like the session variables haven't been set. Yet if I change the form action to index.php, for example, it will log in as it should and then I can visit the restricted pages like I should.
