
I was trying to code a login system in an MVC architecture, handling sessions of course, but I realized that I'm not sure if my idea is properly formulated.

I'm going to show you the code and explain what it is meant to do.

My view:

<?php
    // start a session and immediately destroy it: loading the login view drops any existing session
    session_start();
    session_destroy();
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <link rel="stylesheet" type="text/css" href="../css/backend.css">
    <script src="../js/admlog.js"></script>
    <title>Access to administration panel</title>
</head>
<body>
    <form method="post" action="../controller/admlog.php">
      <h2><span class="entypo-login"></span> Login</h2>
      <button class="submit"><span class="entypo-lock"></span></button>
      <span class="entypo-user inputUserIcon"></span>
      <input type="text" name="user" class="user" placeholder="username"/>
      <span class="entypo-key inputPassIcon"></span>
      <input type="password" name="password" class="pass" placeholder="password"/>
    </form>

</body>
</html>

Nothing to say here, basic html form.

Controller of the login page:

<?php
//controller!
    require "../model/backend.php";

    // raw values from the login form
    $username = $_POST['user'];
    $password = $_POST['password'];

    // hand the credentials to the model, then close the DB connection
    $dbcom = new dbInteraction;
    $dbcom->admlog($username, $password);
    $dbcom->conclose();

?>

Very simple too: what I do here is take the values of my inputs and send them to backend.php, where the request will be handled.

Backend function where the login is handled:

public function admlog($username, $password){
    $this->username = $username;
    $this->password = $password;
    //$this->pdo = $pdo;
    //$adm = 1;

    // the submitted password is matched directly against the stored column value
    $myquery = 'SELECT username FROM users WHERE username = :username AND password = :password'; //check admin flag

    $stmt = $this->pdo->prepare($myquery);
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->bindParam(':password', $password, PDO::PARAM_STR);
    //$stmt->bindParam(':isadmin', $adm, PDO::PARAM_STR);
    $stmt->execute();
    $result = $stmt->fetch(PDO::FETCH_ASSOC);
    // fetch() returns false when no row matched (count(false) is not valid on current PHP)
    if ($result !== false){
        session_start();
        $_SESSION['login'] = $result['username'];
        header('Location: ../view/backMain.php');
    }else{
        session_start();
        $_SESSION['login'] = "";
        //header('Location: ../manage.php');
        echo 'Incorrect user or password';
    }
}

All the code works without problems, I mean, the SELECT is performed correctly and the user can log in to the system.

The problem is the way that I handle the sessions. When the user is found in the DB, I coded:

session_start();
$_SESSION['login'] = $result['username'];
header('Location: ../view/backMain.php');

So it should create a new session, no? Well, the target page (backMain.php) has a restriction, a restriction that checks whether there is a session set or not.

<?php

if(!isset($_SESSION['login']))
{
    header("Location: http://google.es");
}

?>

I have to suppose that there is, but when I try to access it I see that there isn't.

How is the session handled in this kind of architecture? To me, the code makes sense, but obviously the result says otherwise.

I'm being redirected to google.es because the condition does not find any session set, even though I set that session in the backend.

I have to be missing something.

Thanks

vascowhite
ITPro Guy
  • Please realise that you have logic in your view, which should be inside a controller (starting and destroying the session) if you want to pursue real MVC functionality. Next to that, the DB interaction class is not the best place to put your login logic, otherwise -anything- that has to access the database ends up inside the database class. – moorscode Nov 15 '15 at 12:00

1 Answer


You are right, the problem is the way you handle the session.

It seems that you redirect the user to another page before he gets the session cookie. Check with the Chrome/FF developer console whether you receive the session cookie properly. If not, I'd recommend making the redirect at the meta/JS level instead of via HTTP headers; it will make the user receive and write the cookies before being sent on to another page.

iXCray
  • Interesting point, but I'd have liked to use only PHP instead of JS, just for this case. – ITPro Guy Nov 15 '15 at 13:11
  • Well, if you are afraid of referrers or something, you may want to make a JS redirect to another page with JS on your server so that the cookies are sent to the client, and after that redirect the client further with PHP. – iXCray Nov 15 '15 at 19:50
  • I was working on that again and I came across your reply again. The thing is that I'm worried about the possibility of changing the JS values, that's why I'd rather use PHP to handle this, but... I'm still getting that problem. It seems that the user doesn't receive the session cookie and is then redirected to the error page. How can I handle it via JS? @iXCray – ITPro Guy Nov 27 '15 at 18:25
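As an added illustration for both the question's session handling and the answer's redirect point (this is not code from the question or the answer), here is the same login flow with the session resumed on every page that reads `$_SESSION`, the session id regenerated at login, and the password checked with `password_verify()` instead of being compared inside the SQL query. It assumes a PDO handle in `$pdo`, a `users.password_hash` column filled by `password_hash()`, PHP 7.3+ for the array form of `session_set_cookie_params()`, and a login view at `../view/admlog.php` that displays `?error=1`; the two files are shown in one block.

```php
<?php
// Added example, not the asker's or answerer's code (assumptions listed above).

// ----- controller/admlog.php -----
function admlog(PDO $pdo, $username, $password)
{
    // Select by username only; the password is verified in PHP, never in SQL.
    $stmt = $pdo->prepare('SELECT username, password_hash FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after login so a pre-set id cannot be reused
    $_SESSION['login'] = $row['username'];
    return true;
}

// Cookie flags must be set before session_start(); keep them identical on every page.
// 'secure' => true requires the site to be served over HTTPS.
session_set_cookie_params(['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();   // the controller owns the session; the view neither starts nor destroys it

$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';
if (admlog($pdo, $user, $pass)) {
    session_write_close();                              // flush session data before redirecting
    header('Location: ../view/backMain.php');
} else {
    header('Location: ../view/admlog.php?error=1');     // no hint about which field was wrong
}
exit;   // stop here: code after header() would still run otherwise

// ----- view/backMain.php (the guarded page) -----
session_set_cookie_params(['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();   // $_SESSION stays empty on this page until the session is resumed here
if (empty($_SESSION['login'])) {
    header('Location: ../view/admlog.php');
    exit;
}
// ... render the admin panel for $_SESSION['login'] ...
```

Whether the browser actually received the cookie can be confirmed, as the answer suggests, by inspecting the `Set-Cookie` header on the POST response in the developer tools.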