Jump to content

Recommended Posts

Hi, I have a login form that I want to direct to a user account page once correct login information is entered. At the top of the user account page is this code, as i don't want anyone who is not logged in to be able to view this page.

 

session_start();
if (!(isset($_SESSION['user_id']) && $_SESSION['user_id'] != '')) {
header ("Location: ../registration.php");
}

 

The problem I am getting is that I am being redirected to registration.php and the login process is not being completed. I am assuming it is to do with the code at the top of the page as I have tried logging in to pages without the code at the top and it works fine.

 

This is the code for login.php which I include onto my master page:

 

if (!isLoggedIn())
{
    // user is not logged in.
    if (isset($_POST['email'], $_POST['password']))
    {
        // retrieve the email and password sent from login form & check the login.
        if (checkLogin($_POST['email'], $_POST['password']))
        {
            show_userbox();
        } else
        {
            echo "<p class='fail'>Incorrect login information. Please try again.</p>";
            show_loginform();
        }
    } else
    {
        // User is not logged in and has not pressed the login button
        // so we show him the loginform
        show_loginform();
    }

} else
{
    // The user is already loggedin, so we show the userbox.
    show_userbox();
}

 

These are the functions it calls:

 

<?php

#### Login Functions #####


function isLoggedIn()
{

    if (session_is_registered('user_id') && session_is_registered('email'))
    {
        return true; // the user is loged in
    } else
    {
        return false; // not logged in
    }

    return false;

}

function checkLogin($u, $p)
{
global $seed; // global because $seed is declared in the header.php file

    if (!valid_email($u) || !valid_password($p) || !user_exists($u))
    {
        return false; // the name was not valid, or the password, or the email did not exist
    }

    //Now let us look for the user in the database.
    $query = sprintf("
        SELECT user_id 
        FROM users 
        WHERE 
        email = '%s' AND password = '%s'
        LIMIT 1;", mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));
    $result = mysql_query($query);
    // If the database returns a 0 as result we know the login information is incorrect.
    // If the database returns a 1 as result we know  the login was correct and we proceed.
    // If the database returns a result > 1 there are multple users
    // with the same email and password, so the login will fail.
    if (mysql_num_rows($result) != 1)
    {
        return false;
    } else
    {
        // Login was successful
        $row = mysql_fetch_array($result);
        // Save the user ID for use later
        $_SESSION['user_id'] = $row['user_id'];
        // Save the email for use later
        $_SESSION['email'] = $u;

        // Now we show the userbox
        return true;
    }
    return false;
}
?>

 

Any help would be greatly appreciated, i've been going around in circles for hours on this.

Link to comment
https://forums.phpfreaks.com/topic/265488-login-form-sessions/
Share on other sites

A) You already have a function, isLoggedIn(), that returns the logged in state. You should use that function everywhere.

 

B) session_is_registered was depreciated over 10 years ago. You should be testing the $_SESSION variables in your isLoggedIn() function.

 

C) You need an exit; statement after your header() redirect to prevent the remainder of the code on the protected page from running while the browser performs the redirect. Without the exit; all you need to do is ignore the header redirect and you have full access to the 'protected' page.

 

D) Do you have a session_start() statement, before sending any characters at all to the browser, on every page that sets or references a $_SESSION variable?

 

 

Link to comment
https://forums.phpfreaks.com/topic/265488-login-form-sessions/#findComment-1360797
Share on other sites

Hi thanks for pointing out those errors, i've changed the code at the top of restricted pages to check the isLoggedIn() function, and i've changed the isLoggedIn() function to look if (isset($_SESSION['user_id']) && isset($_SESSION['email'])) instead of using session_is_registered.

 

Not sure how to write an exit statement without stopping the whole page loading though. I've put session start just before where the session variables are set in the checklogin function, is that the right place?

 

After trying all that, it's still doing the same thing, just redirecting to registration.php, it's like the session variables haven't been set. Yet if I change the form to action to index.php for example it will login in as it should and then I can visit the restricted pages like I should.

Link to comment
https://forums.phpfreaks.com/topic/265488-login-form-sessions/#findComment-1360830
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.