I have a very basic PHP site using sessions for a login / password. I have a page doLogin.php that simply checks the username / password combo from POST values and uses a JavaScript redirect to another page if the login is successful.
Sometimes, for reasons I can't nail down, the login will be successful, triggering the JavaScript redirect, but on the redirect the session values are gone. The connect function connects using ADODB database abstraction.
    function doLogin()
    {
        $error = ''; // default, so the return below never reads an undefined variable
        if (array_key_exists('doLogin', $_POST))
        {
            $conn = connect(false);
            $pass = ms($_POST['password']);
            $email = ms($_POST['email']);
            $query = "SELECT * from `users` WHERE `email` = '$email' AND `password` = '$pass';";
            $r = $conn->execute($query);
            if ($r === false)
            {
                error_log('Error ' . $conn->errorNo() . " " . $conn->errorMsg());
                print "Unable to authenticate.";
                return $error; // no result set to inspect after a failed query
            }
            if ($r->RecordCount())
            {
                $row = $r->FetchRow();
                $approval = $row['approval'];
                $user_id = $row['user_id'];
                if ($approval == 1)
                {
                    // Copy the account fields into the session, then redirect
                    $_SESSION['login'] = true;
                    $_SESSION['security'] = $row['security'];
                    $_SESSION['f_name'] = $row['f_name'];
                    $_SESSION['l_name'] = $row['l_name'];
                    $_SESSION['email'] = $row['email'];
                    $_SESSION['approval'] = $row['approval'];
                    $_SESSION['user_id'] = $row['user_id'];
                    session_write_close();
                    echo '<script type="text/javascript">setTimeout(function(){window.location="MYSITE/members"},1000)</script>';
                }
                else
                {
                    $error = "";
                }
            }
            else
            {
                // Single-quoted string: inner double quotes need no backslashes
                $error = '<div class="warning" style="width: 920px; margin: 0 auto; padding: 25px 50px;">Invalid Username / Password combination.</div>
    <script type="text/javascript">window.location="MY SITE"</script>';
            }
        }
        return $error;
    }//end doLogin
I'm sure I'm making an obvious mistake (besides the fact that I'm storing passwords as plain text). Can anyone help me out?
EDIT: The code for the page that does not store the sessions:
    <?php
    session_start();
    header("Cache-control: private"); //IE 6 Fix
    require_once '../php-inc/elements.php';
    require_once '../php-inc/database.php';
    $conn = connect(false);
    //LOGOUT
    if (array_key_exists('logout', $_GET) && ($_GET['logout'] == 1) && !array_key_exists('doLogin', $_POST))
    {
        session_destroy();
        $_SESSION=array();
        $logout = '<br><br><div class="success" style="width: 920px; margin: 0 auto; text-align: center; padding:25px 50px;"><strong>You have successfully logged out.</strong></div><br><br>';
        echo '<script type="text/javascript">setTimeout(function(){window.location="MYSITE.org"},3000)</script>';
    }
    ?>
    <?php
    if(!empty($_SESSION['user_id']))
    {
        //SHOW STUFF
    }
    else
    {
        $error = denyPermission();
        echo $error;
    }
    ?>
You must call session_start() on the pages where you are storing and retrieving values from the session.
PHP session_start() documentation
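As an added example (not part of the original question or answer), here is a login handler that opens the session before writing to it, as the answer requires, and also avoids the plain-text password comparison the question mentions. PDO with in-memory SQLite stands in for the ADODB connect() helper; the password_hash column, the reduced set of session fields and the sample user are assumptions.

```php
<?php
// Added example: PDO with in-memory SQLite stands in for the page's ADODB
// connect(); the password_hash column and the sample user are constructed.
function doLogin(PDO $db, array $post): bool
{
    // Open the session before writing to $_SESSION; otherwise the values are
    // never persisted and are gone on the page the browser is redirected to.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($post['email'], $post['password'])) {
        return false;
    }
    // Bound parameter instead of building the SQL string from request input.
    $stmt = $db->prepare('SELECT user_id, email, password_hash, approval
                          FROM users WHERE email = ?');
    $stmt->execute([(string) $post['email']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks a stored hash, so no plain-text passwords.
    if (!$row || (int) $row['approval'] !== 1
        || !password_verify((string) $post['password'], $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id at login (anti-fixation)
    $_SESSION['login'] = true;
    $_SESSION['user_id'] = (int) $row['user_id'];
    $_SESSION['email'] = $row['email'];
    return true;
}

// Constructed demo data so the example runs offline with the PHP CLI.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT,
                               password_hash TEXT, approval INTEGER)');
$db->prepare('INSERT INTO users (email, password_hash, approval) VALUES (?, ?, 1)')
   ->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

$bad  = doLogin($db, ['email' => 'alice@example.test', 'password' => 'wrong']);
$good = doLogin($db, ['email' => 'alice@example.test', 'password' => 'correct horse']);
// In a web request, call doLogin() before any output is sent, then redirect
// with header('Location: ...'); exit; instead of an inline script.
var_dump($bad, $good, $_SESSION['user_id'] ?? null);
```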