login page takes forever to redirect to dashboard after signin

[qwequtimbs]

I've implemented a login feature on the site, but whenever a user tries to sign in, the login page takes forever to redirect them to the dashboard or home page after successful authentication. It's frustrating because it's hindering the user experience and I'm afraid it might drive away potential users.

I've tried troubleshooting on my own, but I'm hitting a dead end. I thought maybe you could lend me a hand since you're more experienced in web development than I am. please can someone help me out?

[mac_gyver]

you probably have a redirect-loop or code that's caught in a loop in php.

you would need to post all the code, less any database connection credentials, for the login operation and at least the login check code from one of the other pages.

btw - the only redirect you should have in your login code should be to the exact same URL of the login page to cause a get request for that page. this will prevent the browser from trying to resubmit the form data should that page get reloaded or browsed back to, where someone can use the  browser's developer tools to see what the form data is, even if you prevent the form from being displayed. to allow someone to go to another page, provide navigation links, or put the login form processing/form on any page that needs it.

[qwequtimbs]

1. <?php
2. $UniqueName  = "Secure Login";
3. require_once("auth/header.php");
4. if (@$_SESSION['internetid']) {
5.     header("Location:./accounts/dashboard.php");
6. }
7.  
8. if (isset($_POST['acct_login'])) {
9.     $internetid = inputValidation($_POST['login']);
10.     // $internetid = inputValidation($_POST['internetid']);
11.     $acct_password = inputValidation($_POST['acct_password']);
12.     $log = "SELECT * FROM accounts WHERE internetid='$internetid' OR acct_email = '$internetid'";
13.     $stmt = $conn->prepare($log);
14.     $stmt->execute();
15.     $user = $stmt->fetch(PDO::FETCH_ASSOC);
16.     if ($stmt->rowCount() === 0) {
17.         toast_alert("error", "Invalid login details");
18.     } else {
19.         $validPassword = password_verify($acct_password, $user['acct_password']);
20.         if ($validPassword === false) {
21.             toast_alert("error", "Invalid login details");
22.         } else {
23.             // if ($user['acct_status'] === 'hold') {
24.             //     toast_alert("error", "Account on Hold, Kindly contact support to activate your account");
25.             // } else {
26.                 if (true) {
27.                     //IP LOGIN DETAILS
28.                     $device = $_SERVER['HTTP_USER_AGENT'];
29.                     $ipAddress = $_SERVER['REMOTE_ADDR'];
30.                     $nowDate = date('Y-m-d H:i:s');
31.                     $internetid = $user['internetid'];
32.  
33.                     $stmt = $conn->prepare("INSERT INTO audit_logs (internetid,device,ipAddress,datenow) VALUES(:internetid,:device,:ipAddress,:datenow)");
34.                     $stmt->execute([
35.                         'internetid' => $internetid,
36.                         'device' => $device,
37.                         'ipAddress' => $ipAddress,
38.                         'datenow' => $nowDate
39.                     ]);
40.  
41.                     $details = "Login into dashboard";
42.                     $internetid = $user['internetid'];
43.                     $stmt2 = $conn->prepare("INSERT INTO activities (internetid,details) VALUES(:internetid,:details)");
44.                     $stmt2->execute([
45.                         'internetid' => $internetid,
46.                         'details' => $details
47.                     ]);
48.                     if ($page['padiwise_sms'] == '1') {
49.                         $messageText = "New Login Notification";
50.                         $recipient = $user['acct_phone'];
51.                         $responseBody = send_bulk_sms(array(
52.                             'sender_name' => get_setting('display_name'),
53.                             'recipient' => $recipient,
54.                             'reference' => date('Y') . uniqid() . rand(1, 9),
55.                             'message' => $messageText
56.                         ));
57.                     }
58.  
59.                     if($page['otp_code'] == "1"){
60.  
61.                         $acct_otp = substr(number_format(time() * rand(), 0, '', ''), 0, 6);
62.                         $sql =  "UPDATE accounts SET acct_otp=:acct_otp WHERE internetid=:internetid";
63.                         $stmt = $conn->prepare($sql);
64.                         $stmt->execute([
65.                            'acct_otp'=>$acct_otp,
66.                             'internetid' => $internetid
67.                         ]);
68.                               
69.                            
70.                         $full_name = $user['firstname'] . " " . $user['lastname'];
71.                     $APP_NAME = WEB_TITLE;
72.                     $APP_URL = WEB_URL;
73.                     $SITE_ADDRESS = $page['website_address'];
74.                     $APP_NUMBER = WEB_PHONE;
75.                     $APP_EMAIL = WEB_EMAIL;
76.                     $user_email = $user['acct_email'];
77.                     
78.                     $message = $sendMail->OtpLoginMsg($full_name, $acct_otp, $APP_NAME, $APP_NUMBER, $APP_EMAIL, $APP_URL, $SITE_ADDRESS);
79.                     // User Email
80.                     $subject = "OTP CODE" . "-" . $APP_NAME;
81.                     $email_message->send_mail($user_email, $message, $subject);
82.                     $_SESSION['login'] = $user['internetid'];
83.                     header("Location:./otp-verify.php");
84.                     exit;
85.  
86.                     } else {
87.                         $full_name = $user['firstname'] . " " . $user['lastname'];
88.                     $APP_NAME = WEB_TITLE;
89.                     $APP_URL = WEB_URL;
90.                     $SITE_ADDRESS = $page['website_address'];
91.                     $APP_NUMBER = WEB_PHONE;
92.                     $APP_EMAIL = WEB_EMAIL;
93.                     $user_email = $user['acct_email'];
94.                     
95.                     $message = $sendMail->LoginMsg($full_name, $APP_NAME, $APP_NUMBER, $APP_EMAIL, $APP_URL, $SITE_ADDRESS);
96.                     // User Email
97.                     $subject = "Login Notification" . "-" . $APP_NAME;
98.                     $email_message->send_mail($user_email, $message, $subject);
99.                     $_SESSION['login'] = $user['internetid'];
100.                     header("Location:./pin.php");
101.                     exit;
102.                      
103.                
104.                     }
105.                     
106.                     
107.                 }
108.             }
109.         }
110.     }
111. // }
112. ?>
113. <div class="form-container">
114.     <div class="form-form">
115.         <div class="form-form-wrap">
116.             <div class="form-container">
117.                 <div class="form-content">
118.                     <h1 class="">Log In to <a href="/"><span class="brand-name"><?= $page['website_name'] ?></span></a></h1>
119.                     <p class="signup-link">New Here? <a href="./get-started.php">Create an account</a></p>
120.                     <form class="text-left" method="POST" enctype="multipart/form-data">
121.                         <div class="form">
122.                             <div id="username-field" class="field-wrapper input">
123.                                 <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-user">
124.                                     <path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"></path>
125.                                     <circle cx="12" cy="7" r="4"></circle>
126.                                 </svg>
127.                                 <input id="username" name="login" type="text" class="form-control" placeholder="Internet ID">
128.                             </div>
129.                             <div id="password-field" class="field-wrapper input mb-2">
130.                                 <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-lock">
131.                                     <rect x="3" y="11" width="18" height="11" rx="2" ry="2"></rect>
132.                                     <path d="M7 11V7a5 5 0 0 1 10 0v4"></path>
133.                                 </svg>
134.                                 <input id="password" name="acct_password" type="password" class="form-control" placeholder="Password">
135.                             </div>
136.                             <div class="d-sm-flex justify-content-between">
137.                                 <div class="field-wrapper toggle-pass">
138.                                     <p class="d-inline-block">Show Password</p>
139.                                     <label class="switch s-primary">
140.                                         <input type="checkbox" id="toggle-password" class="d-none">
141.                                         <span class="slider round"></span>
142.                                     </label>
143.                                 </div>
144.  
145.                             </div>
146.                             <br>
147.                             <center> <button type="submit" class="btn btn-primary btn-block mb-4 mr-2" name="acct_login">ACCESS DASHBOARD</button></center>
148.  
149.                             <div class="field-wrapper text-center keep-logged-in">
150.                                 <div class="n-chk new-checkbox checkbox-outline-primary">
151.                                     <label class="new-control new-checkbox checkbox-outline-primary">
152.                                         <input type="checkbox" class="new-control-input">
153.                                         <span class="new-control-indicator"></span>Keep me logged in
154.                                     </label>
155.                                 </div>
156.                             </div>
157.  
158.                             <div class="field-wrapper">
159.                                 <a href="reset-password.php" class="forgot-pass-link">Forgot Password?</a>
160.                             </div>
161.                         </div>
162.                     </form>
163.                     <p class="terms-conditions">© 2024 All Rights Reserved. <a href="/"><?= $page['website_name'] ?></a></p>
164.                 </div>
165.             </div>
166.         </div>
167.     </div>
168.     <div class="form-image">
169.         <div class="l-image">
170.         </div>
171.     </div>
172. </div>
173.  
174. <?php
175. require_once("auth/footer.php");
176. ?>

[qwequtimbs]

Please thats the code above

20 minutes ago, mac_gyver said:

you probably have a redirect-loop or code that's caught in a loop in php.

you would need to post all the code, less any database connection credentials, for the login operation and at least the login check code from one of the other pages.

btw - the only redirect you should have in your login code should be to the exact same URL of the login page to cause a get request for that page. this will prevent the browser from trying to resubmit the form data should that page get reloaded or browsed back to, where someone can use the  browser's developer tools to see what the form data is, even if you prevent the form from being displayed. to allow someone to go to another page, provide navigation links, or put the login form processing/form on any page that needs it.

 

[mac_gyver]

this code is apparently sending either a text or email with a one-time-pin. my guess is it isn't displaying the pin entry page, eventually times out, and redirects to the dashboard page.

you would need to show or state what exactly does happen and what you expect to happen.

the only things I can tell you based on the posted code are -

1. don't use the @ error suppressor. If you want to test if a variable is set, either use isset()/!isset() or use the Null coalescing operator to condition the input to a default false value.
2. the first header() redirect needs an exit/die statement to stop php code execution, like the rest of the code is using.
3. whatever your inputValidation() function does, it probably doesn't make a value safe to put directly into an sql query. correctly use a prepared query, like the rest of the code is using.