I have been learning PHP and MySQL for some time now and I encountered a problem. I have created a user database (MySQL), a login form and a page where you are supposed to be redirected after a successful login.

Login page

<?php 

require_once 'login.php'; //connecting to db
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());

mysql_select_db($db_database)
or die("Unable to select database: " . mysql_error());

session_start(); //
if (isset($_POST['username']) &&
isset($_POST['password']))

{
$username = $_POST["username"];
$password = $_POST["password"];

$salt1 = "qm&h*";
$salt2 = "pg!@";

$query = "SELECT * FROM login WHERE username='$username'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 0) die("Wrong username or password.");

elseif (mysql_num_rows($result))
{
    $row = mysql_fetch_row($result);
    $crypt_login_pass = md5("$salt1$password$salt2");
    if ($crypt_login_pass == $row[2])
    {
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $crypt_pass;

        header("Location: index_account.php");
        exit;
    }
    else {
        die("Wrong username or password.");
    }   
}
}
?>

The code ran flawlessly until I added the header("Location: index_account.php"). I used to have just die("You are now logged in.") there. And here is the page you are supposed to be redirected to:

<?php
session_start();
if (isset($_SESSION['username']) &&
isset($_SESSION['password']))
{
$username = $_SESSION['username'];
$password = $_SESSION['password'];

echo "Your username is '$username'
and your crypted password is '$password'.";
}
else echo "Please <a href=index.php>click here</a> to log in.";
?>  

All this code is running on localhost. The problem is that the $_SESSION['username'] and $_SESSION['password'] won't transfer to the second page (index_account.php). I have read many posts and the most similar one I've found is this: Session variables lost after header redirect, but without an answer. Note that this is my first programming language (excluding HTML and CSS) and I am still very new to this.

P.S. Sorry for my English. It's not my native language.

Thanks in advance!

rancor1223
  • [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained, are [officially deprecated](http://j.mp/XqV7Lp) and can be [dangerous in live code](http://bit.ly/4zUdtT). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Jimbo May 17 '13 at 18:48

1 Answer

You are assigning the password using a variable that doesn't exist:

$_SESSION['password'] = $crypt_pass;

Your code defines $crypt_login_pass so you should use that instead:

$_SESSION['password'] = $crypt_login_pass;

Additionally, the value of $_SESSION['username'] gets set from $username, which will be empty if $_POST['username'] is not set:

if (isset($_POST['username']) &&
    isset($_POST['password']))

{
    $username = $_POST["username"];

To correct this, be sure that your form has posted data in the 'username' field.

George Cummins
  • Thanks a lot! Can't believe it was this simple, I was so focused on $_SESSION I just learned that I completely ignored such an obvious mistake. – rancor1223 May 17 '13 at 19:13
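
An added example, not code from the question or the answer: the same login check written with PDO prepared statements, as the comment under the question recommends, with password_hash()/password_verify() swapped in for the static-salt md5() and only the username kept in the session. The in-memory SQLite database, the password_hash column, the sample user and the helper names authenticate() and startLoginSession() are assumptions made so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the username on success, null on any failure.
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    // The username is bound as a parameter, never interpolated into the SQL text,
    // so quotes in the input are treated as data.
    $stmt = $pdo->prepare('SELECT username, password_hash FROM login WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the per-user salt and cost from the stored hash.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same return value for unknown user and wrong password
    }
    return $row['username'];
}

// Hypothetical helper: call only after authenticate() succeeds and before any output.
function startLoginSession(string $username): void
{
    session_start();
    session_regenerate_id(true);        // new session ID once the user is authenticated
    $_SESSION['username'] = $username;  // identity only; no password or hash in the session
    header('Location: index_account.php');
    exit;
}

// Constructed sample data; SQLite in memory stands in for MySQL (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$insert = $pdo->prepare('INSERT INTO login (username, password_hash) VALUES (?, ?)');
$insert->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(authenticate($pdo, "o'brien", 'correct horse')); // correct credentials
var_dump(authenticate($pdo, "o'brien", 'wrong'));         // wrong password
var_dump(authenticate($pdo, 'nobody', 'correct horse'));  // unknown user
```

In a real login page, startLoginSession() would be called with the value authenticate() returns; it is left uncalled here so the script can run from the command line.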