Username not stored in session across PHP

Question

So I am having a problem storing the username typed into my site and keeping myself logged into the site. I can log in (I see this because of the "You have been logged in" message. but the second I click the link to go to the members.php page it returns the echo "You are not logged in.". Why isn't the $username value being added to the SESSION?

Here are 4 of my codes. I have a fifth one aswell with all my MySQL information, which I dont wish to share, however, my username is confirmed via the MySQL since I receive the first login validation. YES, I followed a tutorial on YouTube.

index.php

<html>

    <form action='login.php' method='POST'>
    Username: <input type='username' name='username'><br>
    Password: <input type='password' name='password'><br>
    <input type='submit' name='button' value='Login'>
    </form>

 </html>

login.php

<?php

    session_start();

    $password = $_POST['password'];
    $username = $_POST['username'];

    include ("connect.php");

if ($username && $password)
{
    // info is provided
    $queryget = mysql_query("SELECT * FROM login WHERE username='$username' AND password ='$password' ");
    $numrows = mysql_num_rows($queryget);
    if ($numrows != 0)
    {
        $_SESSION['username'] = $username;

        echo "You have been logged in. <a href='members.php'>Go to the members page</a>";
    }
    else echo "This password is wrong";
    include ("index.php");

}
else
{
    echo "Wrong password, try again!";
    include ("index.php");
}

?>

members.php

<?php

session_start();
$username = $_SESSION['username'];

if ($username)
    {
    echo "Welcome $username | <a href='logout.php>Logout</a>'";
    }
else
    {
    echo "You are not logged in.";
    include ("index.php");

    }

?>

logout.php

<?php

session_start();
$username = $_SESSION['username'];

session_destroy();

echo "You have been logged out.";

?>

One day, someone will try to log in as `'; DROP TABLE login; --` and you'll be crying out loud. — Denis de Bernardy, Jun 01 '13 at 11:53
Isn't that possible with anything though? Thought you had to get into the server's Mysql to get around it... — , Jun 01 '13 at 11:55
@Denis PHP’s MySQL extension does not allow multiple statements. But you should [fix that SQL injection vulnerability](http://stackoverflow.com/q/60174/53114), FriedBitz. Entering the password `' OR '1'='1` would bypass the authentication. — Gumbo, Jun 01 '13 at 11:55
I shall take a look on it, but at the moment I dont have anything to hide, just learning the basics of MySQL and PHP communication :) Thanks for the tip! — , Jun 01 '13 at 11:58
aside from the horrible security flaws and the inefficient mysql query, it looks like it should work. have you tried a simpler test? `test1.php` where you set a session var, `test2.php` where you read it? — designosis, Jun 01 '13 at 12:00
Well that is basically what is happening between the index, login and the members page... they can connect, but it doesn't result in the correct statement... it gives me the "else" statement insted of the "if" statement even if the username is set to $username. — , Jun 01 '13 at 12:07
What happens when you do a `var_dump($_SESSION);` on the `members.php` page? Can you add the output of the `var_dump()` to your question? — Phil Cross, Jun 01 '13 at 12:12
Add the `var_dump($_SESSION); exit;` php directly after `session_start();` — Phil Cross, Jun 01 '13 at 12:16
and do you want me to add the var_dump() within the if statement then or? just delete the $username = $_SESSION['username']; part? — , Jun 01 '13 at 12:18
no its ok, it only needs to be after the `session_start()` function, like this: `session_start(); var_dump($_SESSION); exit; $username = $_SESSION['username'];`, but it has to be in `members.php` — Phil Cross, Jun 01 '13 at 12:19
@FriedBitz I have added an answer, If you could look over it, look especially at the `mysql_query() or die()` line, and also the `if($numrows>0)` line. — Phil Cross, Jun 01 '13 at 12:26
Okai, so I searched around a bit, and apparently this function might still not be possible, could it be it? $queryget = mysql_query("SELECT * FROM login WHERE username='$username' AND password ='$password' ") or die(mysql_error()); if(!$queryget){ echo 'An error occured: ' . mysql_error(); exit; } $numrows = mysql_num_rows($queryget); — , Jun 02 '13 at 02:28

Phil Cross · Answer 1 · 2013-06-01T13:46:13.837

0

After looking at your code, there may be an error in your SQL query. You are doing the following to check for users:

if($numrows!=0)...

However, if mysql_query or mysql_num_rows returns false (if there was an error), then this would also authenticate the user.

Try the following code below in login.php and see what happens.

error_reporting(E_ALL);
ini_set('display_errors', '1');
session_start();

include ("connect.php");

$password = $_POST['password'];
$username = $_POST['username'];

$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

if ($username!='' && $password!='')
{
    // info is provided
    $queryget = mysql_query("SELECT * FROM login WHERE username='$username' AND password ='$password' ") or die(mysql_error());
    if(!$queryget){ echo 'An error occured: ' . mysql_error(); exit; }

    $numrows = mysql_num_rows($queryget);

    if ($numrows > 0)
    {
        $_SESSION['username'] = $username;

        echo "You have been logged in. <a href='members.php'>Go to the members page</a>";
        exit;
    } else {
        echo "The username or password is wrong";
       include ("index.php");
       exit;
    }
} else if($username=='') {
    echo "You need to specify a username, try again!";
    include ("index.php");
    exit;
} else if($password=='') { 
    echo "You need to specify a password, try again!";
    include("index.php");
    exit;
}

edited Jun 01 '13 at 13:46

answered Jun 01 '13 at 12:25

Phil Cross

9,017
12
50
84

Also, I'd advise you to move away from `mysql_*` functions, its depreciated, perhaps start using `mysqli` or `PDO`. At the very least, escape your mysql input :) – Phil Cross Jun 01 '13 at 12:28
This made my login stop working... I dont even get the You have been logged in message... – Jun 01 '13 at 12:30
In this case, you may have a mysql error. I have updated my answer, if you could run this one instead, hopefully it should output the error message – Phil Cross Jun 01 '13 at 12:32
@FriedBitz, i've updated the code again, (appologies for all the updates, I'm trying to narrow down exactly what the error is), if you could try the new code? – Phil Cross Jun 01 '13 at 12:39
haha, dont worry, just want to figure this problem out. Got the message: You need to specify a username, try again! – Jun 01 '13 at 12:44
Ah, misread your last comment! Ok, if you do a `var_dump($_POST); exit;` after `session_start()` in my answer, and then post the results? – Phil Cross Jun 01 '13 at 12:48
Here it is, pathethic password, I know, haha :P array(3) { ["username"]=> string(9) "FriedBitz" ["password"]=> string(8) "Password" ["button"]=> string(5) "Login" } – Jun 01 '13 at 12:51
In my answer (sorry!), i've updated it again. I've moved the `include('connect.php');` to directly below the `session_start()` function. Could you try this please? – Phil Cross Jun 01 '13 at 12:56
Okai, I could get logged in again now, but when I hit the link it says You are not logged in again.... – Jun 01 '13 at 13:01
Ok, at least the login script is working now :) On the `members.php` page again, could you do a `var_dump($_SESSION); exit;` directly below the `session_start()` function and comment the results? I'm now thinking there may be a problem saving the data to the session (maybe due to permissions?) – Phil Cross Jun 01 '13 at 13:22
Yeah, think it wont save for some reason... Got array(0) { } – Jun 01 '13 at 13:26
Its either going to be an issue with permissions, saving the data to the `tmp` folder, or you have `php errors` hidden, and theres output to the browser before using sessions. I'll update my answer to hopefully display any errors to the screen. – Phil Cross Jun 01 '13 at 13:45
Okai, let me know when its updated, I have been working on this problem for about 5 hours straight and its 01:45 so, I need a break, I will notify you when I wake up again. Thanks so far! – Jun 01 '13 at 13:46
I've updated the answer, I'm on most days so i'll pick it up again later! – Phil Cross Jun 01 '13 at 13:47
Hey, so do the problem is remembering the session after going away from the login.php..... What problems can cause this? I haven't checked your code yet, but is the problem really in login.php? – Jun 01 '13 at 23:34

abdul quadir · Answer 2 · 2013-06-01T12:46:52.240

-1

login.php:

<?php
 session_start();

    $password = $_POST['password'];
    $username = $_POST['username'];

    include ("connect.php");

if ($username && $password)
{
    // info is provided
    $queryget = mysql_query("SELECT * FROM login WHERE username='$username' AND password ='$password' ");
    $numrows = mysql_num_rows($queryget);
    $row=mysql_fetch_array($queryget);
    if ($numrows != 0)
    {
        $_SESSION['username'] = $row['username'];
        $_SESSION['logged']   = 1;

        echo "You have been logged in. <a href='members.php'>Go to the members page</a>";
    }
    else 
    {
    $_SESSION['logged']   = 0;
    echo "This password is wrong";
    include ("index.php");}

}
else
{
    echo "Wrong password, try again!";
    include ("index.php");
}

?>

member.php:
<?php 
session_start();
if($_SESSION['logged'])
{

 echo "Welcome $_SESSION['username'] | <a href='logout.php>Logout</a>'";
}

else { echo "You are not logged in."; include ("index.php");

}
?>

edited Jun 01 '13 at 12:46

answered Jun 01 '13 at 11:56

abdul quadir

24
1
7

This made the whole thing just give me a error when I hit the link from the login.... – Jun 01 '13 at 12:01
try: if(isset($_SESSION['username'])){} – abdul quadir Jun 01 '13 at 12:08
nope, still can't give me the if statement: echo "Welcome $username | – Jun 01 '13 at 12:11
are sure that you are logged in? – abdul quadir Jun 01 '13 at 12:16
It returns the echo in the login.php saying "You have been logged in" which validates that it has been checked with my MySQL server. If it saves is another problem it seemes... – Jun 01 '13 at 12:19
ok.you can edit login.php.add this stmt:$row=mysql_fetch_array($queryget);and in if condition edit:$_session['username']=$row['username']; – abdul quadir Jun 01 '13 at 12:24
Where exacly do I add that? Infront of/behind what? – Jun 01 '13 at 12:25
if ($username && $password) { // info is provided $queryget = mysql_query("SELECT * FROM login WHERE username='$username' AND password ='$password' ") or die(mysql_error()); $numrows = mysql_num_rows($queryget); $row=mysql_fetch_array($queryget); if ($numrows > 0) { $_session['username']=$row['username']; echo "You have been logged in. Go to the members page"; } else { echo "This password is wrong"; include ("index.php"); } } – abdul quadir Jun 01 '13 at 12:28

Username not stored in session across PHP

2 Answers2