-1

My sessions get deleted when I go to a new page on my website, or at least this is what I think is wrong, but I am not sure about this.
I am using this in a login-system with PHP and MYSQLI.
I will post the code here so if anyone is up for it they can look at it and maybe see where the error is.

This is the index.php located in the root folder (/)

<?php
session_start();
include_once "Includes/Database/check_login.php";

if (login_check() == TRUE) : ?>
this is a protected page!
<?php else : ?>
<!DOCTYPE html>
<html>
<head>
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
</head>
<body>
<script>location.href='loginpage.php';</script>
</body>
</html>
<?php endif; ?>

This is the loginpage.php located in the root folder (/)

<?php  session_start();  // session starts with the help of this function 
include_once "Includes/Database/check_login.php";
?>

<!DOCTYPE html>
<html>
<head>
    <title>Hardcorefight.dk</title>
    <link rel="stylesheet" href="Includes/Layout/Index/loginlayout.css" />
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"> </script>
</head>
<body>
<div class="fixedwebsitesize" id="fixedwebsitesize">
    <div class="outerlogin" id="outerlogin">
        <div class="login" id="login">
            <form action="Includes/Database/login.inc.php" method="post" name="login_form"> <!-- This is the login form; it posts to login.inc.php. -->
                <div class="username" id="username">
                    <input type="text"
                    name="user" 
                    placeholder="user" 
                    class="user_login"
                    />
                </div>
                <div class="password" id="password">
                    <input type="password" 
                    name="pass" 
                    class="pass_login"
                    placeholder="Password"
                    />
                </div>
                <div class="loginbutton" id="loginbutton" >
                    <input type="submit" 
                    value="Login" 
                    class="login_input"
                    /> 
                </div>
            </form>
        </div>
    </div>
    <div class="logoutbox"> <!-- This button changes to "register" or "Log Out" depending on whether the user is logged in -->
        <input type="button"
        <?php if (login_check() == TRUE) : ?>
        onclick="location.href='destroysession.php';"
        value="Log Out"
        <?php else : ?>
        onclick="location.href='register.php';"
        value="register"
        <?php endif; ?>
        class="logout_button"
        />
    </div>
</div>
</body>
</html>

This is the login.inc.php located in the Database folder (/Includes/Database/). It checks if the input information is correct and creates the sessions.

<?php
session_start();  // session starts with the help of this function
include_once "db_connect.php"; // include the connect file to the db.

$user_input = $_POST['user']; // gets the post['user'] from loginpage.php
$pass_input = $_POST['pass']; // gets the post['pass'] from loginpage.php
// NOTE: $user_input is interpolated into the query unescaped (the SQL injection the comments below point out)
if($result = $db_new->query("SELECT * FROM members WHERE username='$user_input'")){ // chooses the row from the DB that matches the username that the user wrote
    if($result->num_rows == 1){ // verify that there is only one user with that username
        $row = $result->fetch_assoc();
        if(password_verify($pass_input, $row["password"])){ // verify that the password is the right password
            $_SESSION['username']=$row["username"]; // makes the session with the username
            $_SESSION['email']=$row["email"]; // makes the session with the email
            $_SESSION['id']=$row["id"]; // makes the session with the id
            $_SESSION['password']=$row["password"]; // makes the session with the password
            header("Location: /index.php"); // go to index (nothing may be echoed before this header, or the redirect fails)
            exit; // stop here so nothing runs after the redirect
        }
        else { // if password is incorrect it will echo this.
            echo "password incorrect";
        }
    }
    else{ // if user doesn't exist it will echo this
        echo "user doesn't exist";
    }
}
else {
    die($db_new->error);
}

This is the check_login.php located in the Database folder (/Includes/Database/). It reads the sessions and checks if the information matches the DB; if it matches the function returns TRUE, else it returns FALSE.

<?php
function login_check(){
    if (session_status() === PHP_SESSION_NONE) { // the calling page may already have started the session
        session_start();
    }
    include_once "db_connect.php";

    if(isset($_SESSION['id'], $_SESSION['password'], $_SESSION['username'], $_SESSION['email'])){ // checks that all the sessions exist before reading them
        $id = $_SESSION['id'];
        $password = $_SESSION['password'];
        $username = $_SESSION['username'];
        $email = $_SESSION['email'];
        if($result = $db_new->query("SELECT * FROM members WHERE username='$username'")){ // select the row that equals the username from the session.
            if ($result->num_rows == 1) { // checks that there is only 1 row with the username
                $row = $result->fetch_assoc();
                $db_password = $row["password"];
                $db_id = $row["id"];
                $db_email = $row["email"];
                if ($password == $db_password) { // checks if the session password equals the DB password
                    if ($id == $db_id) { // checks if the session ID equals the DB ID
                        if ($email == $db_email) { // checks if the session email equals the DB email
                            // logged in
                            return TRUE;
                        } else {
                            // not logged in (error in email verify)
                            return FALSE;
                        }
                    } else {
                        // not logged in (error in id verify)
                        return FALSE;
                    }
                } else {
                    // not logged in (error in password verify)
                    return FALSE;
                }
            } else {
                // not logged in (error in num_rows)
                return FALSE;
            }
        } else {
            // not logged in (error in query)
            return FALSE;
        }
    } else {
        // not logged in (error in isset)
        return FALSE;
    }
}
Oliver Nybroe
  • Your code is vulnerable to mysql injection, read more [**here**](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Fabio Mar 22 '14 at 19:53
  • Thanks Fabio, I will look into the SQL security problems I have in my code and fix them after I have resolved this problem. – Oliver Nybroe Mar 22 '14 at 20:02

2 Answers

1

After setting values into the session you need to call session_write_close before redirecting the user. In your login.inc.php after setting values in $_SESSION array:

...
$_SESSION['id']=$row["id"]; //makes the session with the id
$_SESSION['password']=$row["password"]; //makes the session with the password
session_write_close();
header("Location: /index.php"); // go to index
...

Otherwise, what you change in session is lost.

mesutozer
  • Ah, thanks a lot. I added session_write_close(); to the code, but it did not solve the problem; the code still doesn't work. – Oliver Nybroe Mar 22 '14 at 20:01
  • What does password_verify do? Anything more than comparing two passwords? – mesutozer Mar 22 '14 at 20:09
  • password_verify is a new function that goes together with password_hash. password_hash makes the salt for me and password_verify is able to verify the hashed password with the salt. – Oliver Nybroe Mar 22 '14 at 20:18
  • You are using password_verify on login but == string comparison on login_check function. That must be the reason for not being able to keep logged in. – mesutozer Mar 22 '14 at 20:20
  • Nope, that is correct. It didn't work before because I used password_verify in the login_check function. But $password is from the session['password'], and the session['password'] has the information from the DB, and in the DB it is a hashed password. $db_password is just the information from the DB too. I am using password_verify when I make the session['password'] in login.inc.php. – Oliver Nybroe Mar 22 '14 at 20:25
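As an added example (not code from the question or from either answer), here is how the login handler and login_check() from the question could be written so that the session carries only the member id, the lookups use prepared statements instead of the interpolated username Fabio's comment warns about, and the redirect follows session_write_close() as this answer suggests. It assumes PHP 7 or later, that db_connect.php defines $db_new as a mysqli connection, and the members table (id, username, email, password) from the question.

```php
<?php
// Added example (not the asker's or answerers' code): hardened login
// handler and login_check(). Assumes db_connect.php defines $db_new as a
// mysqli connection and the members table from the question.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
include_once "db_connect.php";
// Logs the user in; only the member id goes into the session, so the
// database row, not a copy of the hash, is checked on every request.
function login(mysqli $db, string $user, string $pass): bool
{
    // Prepared statement: the username is bound, never interpolated.
    $stmt = $db->prepare("SELECT id, password FROM members WHERE username = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($pass, $row["password"])) {
        return false;
    }
    session_regenerate_id(true); // fresh id after login (session fixation)
    $_SESSION = ["id" => (int) $row["id"]];
    return true;
}

// Replacement for login_check(): the member id from the session must
// still exist in the database.
function login_check(mysqli $db): bool
{
    if (!isset($_SESSION["id"])) {
        return false;
    }
    $id = (int) $_SESSION["id"];
    $stmt = $db->prepare("SELECT 1 FROM members WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $found = $stmt->get_result()->num_rows === 1;
    $stmt->close();
    return $found;
}
// Body of login.inc.php: write the session out before redirecting, then stop.
if (login($db_new, $_POST["user"] ?? "", $_POST["pass"] ?? "")) {
    session_write_close();
    header("Location: /index.php");
    exit;
}
http_response_code(401);
echo "login failed";
```

index.php and loginpage.php would call login_check($db_new) in place of login_check(); destroysession.php only needs session_destroy() since the session no longer holds the password hash.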
0

Sorry for all the trouble here with sessions not working.
I have solved the problem. The problem was not in the programming, but in my PHP.
My main drive on my server ran out of space, so it could not save anything to it, hence it could not save the sessions.
Thanks for all the other feedback; it will help me a lot with making my code more secure.

Oliver Nybroe