tycoonbob Posted December 30, 2013 (edited)

Hi everyone. I'm working on a simple app for internal use for a small company. I am having difficulties getting the account logins working correctly, and I believe it has something to do with $_SESSION not being set like I expected it to. Now I am fairly new to PHP, and have been learning as I go.

index.php contains this:

```php
<?php
session_start();
require_once('includes/config.inc.php');
require_once('includes/functions.inc.php');

// Check login status -- if not logged in, redirect to login screen
if (check_login_status() == false) {
    redirect('login.php');
}
```

So when I load the app, I'm redirected to login.php:

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="Content-type" content="text/html;charset=utf-8" />
    <title>Login Page</title>
    <link rel="stylesheet" type="text/css" href="css/login.css" />
</head>
<body>
    <form id="login-form" method="post" action="includes/login.inc.php">
        <fieldset>
            <legend>Login to Inventory System</legend>
            <p>Please enter your username and password to access the Inventory system</p>
            <label for="username">
                <input type="text" name="username" id="username" />Username:
            </label>
            <label for="password">
                <input type="password" name="password" id="password" />Password:
            </label>
            <label>
                <input type="submit" name="submit" id="submit" value="Login" />
            </label>
        </fieldset>
    </form>
</body>
</html>
```

When I hit submit on the login page, includes/login.inc.php is called:

```php
<?php
session_start();
require_once('config.inc.php');
require_once('functions.inc.php');

// Escape any unsafe characters before querying database
$username = $con->real_escape_string($_POST['username']);
$password = $con->real_escape_string($_POST['password']);

// Construct SQL statement for query & execute
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . MD5($password) . "'";
$result = mysqli_query($con,$query) or die(mysqli_error($con));

// If one row is returned, username and password are valid
if (is_object($result) && $result->num_rows == 1) {
    $_SESSION['logged_in'] = true;
    redirect('../index.php');
} else {
    redirect('../login.php');
}
?>
```

Now I've been able to determine that the login is being processed successfully, because if I disable the check_login_status function in index.php, I'm redirected to index.php if I login with a valid account. Under the same conditions, an incorrect password will reload login.php. With the function disabled, I've also tried adding "print_r($_SESSION)" at the top of index.php, but nothing ever loads, which makes me think something is wrong with my function.

functions.inc.php:

```php
<?php
function redirect($page) {
    header('Location: ' . $page);
    exit();
}

function check_login_status() {
    // IF $_SESSION['logged_in'] is set, return the status
    if (isset($_SESSION['logged_in'])) {
        return $_SESSION['logged_in'];
    }
    return false;
}
?>
```

config.inc.php:

```php
<?php
$con=mysqli_connect("server_name","user","pass","db_name");
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
?>
```

I'm really at a loss, and I don't know where the problem is. I've checked for syntax errors with "php -l file.php" and found no syntax errors. I'm not sure how to do any other debugging with this, or what I'm missing. Help is truly appreciated!

EDIT: Yes, I know MD5 passwords are not recommended, and that will be changed to use salt once I can get functionality in my app. I will also be escaping/preparing all MySQL queries once I get the login piece working.

Edited December 30, 2013 by tycoonbob

requinix Posted December 30, 2013

1. Find your php.ini, open it up, set

```ini
error_reporting = -1
display_errors = on
```

and restart your web server. Any error messages?

2. If there aren't any errors, try modifying your redirect() to be

```php
function redirect($page) {
    session_id() && session_write_close();
    header('Location: ' . $page);
    exit();
}
```

snoop_rogg Posted December 30, 2013

If this is your webserver make sure the session.save_path is set to a folder with user read/write permissions or sessions will not be created.

```ini
session.save_path = "C:\PHP\sessions"
```

snoop_rogg Posted December 30, 2013

Try putting `}else{ return false; }` for the following function:

```php
function check_login_status(){
    if(isset($_SESSION['logged_in'])){
        return $_SESSION['logged_in'];
    }else{
        return false;
    }
}
```

tycoonbob (Author) Posted December 30, 2013

Thanks for the replies. The web server is a VM running CentOS 6.x, using Nginx, PHP-fpm, and MySQL.

php.ini had "session.save_path" disabled, so I enabled it (uncommented it), set it = to "/tmp/phpsess", created /tmp/phpsess/, and set the owner to nginx:nginx, which is what my web server is using.

I've also added the { } around the check_login_status function, and also added the "session_id() && session_write_close();" line to the redirect function.

I also added the two debug lines to my php.ini, restarted Nginx and PHP-fpm, but am seeing no error messages at all. Any other ideas?

requinix Posted December 30, 2013

Check your cookies (as in within the browser), or add `echo SID;` to your code to output it. Is the session ID ever changing?

tycoonbob (Author) Posted December 31, 2013

> Check your cookies (as in within the browser), or add `echo SID;` to your code to output it. Is the session ID ever changing?

I see a cookie being created called PHPSESSID, which expires when the session ends.

Now what's really bothering me is I've installed WAMP on my local PC, copied over the scripts, imported a copy of the database, and everything works like it's supposed to. I've compared each setting in php.ini, and I am out of ideas. I have spent two days trying to figure this out and I feel like I'm getting nowhere.

requinix Posted December 31, 2013

> I see a cookie being created called PHPSESSID, which expires when the session ends.

Right, but does the value change from page to page?

tycoonbob (Author) Posted December 31, 2013

> Right, but does the value change from page to page?

It does not appear to change.

tycoonbob (Author) Posted December 31, 2013 (Solution)

Figured out my issue. I'm using PHP-fpm instead of just PHP, and the www.conf file (/etc/php-fpm.d/www.conf) has a setting for session.save_path which was set to a non-existent directory. Once I changed that to the directory that I had set for that variable in php.ini, it started working.
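
A check for the failure described in the solution above, as an added example that is not part of the original thread: it scans PHP-FPM pool files for session.save_path overrides and reports whether each target directory exists and how it is protected. It assumes the pool directory from the solution post (/etc/php-fpm.d) and PHP-FPM's `php_value[...]` / `php_admin_value[...]` pool syntax, which the thread does not spell out; the function name and status labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit session.save_path overrides in PHP-FPM pool files.
# Usage: audit_fpm_session_paths /etc/php-fpm.d
# Prints one "file<TAB>path<TAB>status" line per override. The status labels
# (OK, MISSING, NOT_WRITABLE, WORLD_ACCESSIBLE) are made up for this example.
# Run it as the pool's user: writability is tested for the current user.

# The ( ... ) body runs in a subshell so the helper variables stay local.
audit_fpm_session_paths() (
    pool_dir=$1
    for file in "$pool_dir"/*.conf; do
        [ -f "$file" ] || continue
        # Pool overrides look like php_value[session.save_path] = /dir or
        # php_admin_value[...]; lines commented out with ';' do not match.
        grep -E '^[[:space:]]*php_(admin_)?value\[session\.save_path\][[:space:]]*=' "$file" |
        while IFS= read -r line; do
            # Keep the text after the first '=', trim blanks and double quotes.
            path=$(printf '%s\n' "${line#*=}" |
                sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/')
            if [ ! -d "$path" ]; then
                status=MISSING           # the failure from the thread
            elif [ ! -w "$path" ]; then
                status=NOT_WRITABLE
            elif [ "$(ls -ldL "$path" | cut -c8-10)" != "---" ]; then
                status=WORLD_ACCESSIBLE  # other local users can reach session files
            else
                status=OK
            fi
            printf '%s\t%s\t%s\n' "$(basename "$file")" "$path" "$status"
        done
    done
)
```

A pool-level override takes precedence over php.ini for requests served by that pool, which is why editing php.ini alone changed nothing in the thread.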