
I am relatively new to PHP, so I realize this is very likely a beginner's mistake; but I have done my due diligence and I have attempted to troubleshoot the issue on my own, but with no luck.

First, I pass the values myusername and mypassword from the form to checklogin.php. From there it queries the database, and if a single row is returned where the username and password match, this code is run:

```php
    $_SESSION['myusername']=$myusername;
    $_SESSION['mypassword']=$mypassword;
    header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}
?>
```

Now, I understand writing your own login mechanism is frowned upon --especially since mine doesn't even work. I understand this; but at this point, getting it to work is more of a learning experience for myself than a practical application.

From here I am directed to this page (`login_success.php`), which should only load if `$_SESSION['myusername']` is set or rather, I am "logged in".

```php
<?php
session_start();
var_dump($_SESSION);
if(!isset($_SESSION['myusername'])){
    header("location:login.php");
}

var_dump($_SESSION['myusername']);
var_dump($_SESSION['mypassword']);

?>

<html>
<body>
Login Successful
</body>
</html>
```

Now, immediately after logging in, both var_dumps output NULL. If I pull the whole `$_SESSION` array I get `array(0) { }`.

Now, I also have a logout.php function:

```php
<?php
session_start();
unset($_SESSION['myusername']);
$_SESSION = array();
session_destroy();
header("location:dashboard.php");
?>
```

A var_dump of `$_SESSION['myusername']` still shows NULL, and a var_dump of `$_SESSION` is `array(0) { }`. Which is expected; HOWEVER when I got to `login_success.php`, which should only load if `$_SESSION['myusername']` is set, it will still load; but the `var_dumps` of the `$_SESSION` array still show `NULL`.

So, two issues. After setting my session tokens they are always null; and after unsetting/session_destroy()ing my $_SESSION, I can still access a page that checks to see if $_SESSION['myusername'] is set.

Does anyone know what could cause this behavior?

Jesse Pardue
  • so did you start the session in all files using it? doesn't look like it in your first body of code. check for errors http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Jan 12 '16 at 20:34
  • And *if* you've got session_start() at the top of all relevant scripts, you should then investigate the values in phpinfo() that are session-relevant, especially session.cookie_domain, session.cookie_httponly, session.cookie_lifetime, session.cookie_secure, session.use_cookies, session.use_trans_sid, session.use_only_cookies, session.name, etc. Inspection of cookies in your browser should yield a cookie with a name equal to session.name if your installation is working properly. – Kevin_Kinsey Jan 12 '16 at 20:43
  • Read up on http://stackoverflow.com/questions/8419332/proper-session-hijacking-prevention-in-php as well – Martin Jan 12 '16 at 20:47
  • Thanks, it turns out I was only invoking session_start() on login.php and logout.php, not the other pages. I will read up on the other material provided, since this is more of a learning experience than a project. Thank you everyone. – Jesse Pardue Jan 12 '16 at 21:31

1 Answer

Make sure to have session_start(); in every PHP file where you are working with $_SESSION variables. Make sure to include it at the top of the PHP file.

Also, are you submitting the form with method POST? The variables you are posting are stored in a $_POST array, so:

```php
$_SESSION['myusername']=$myusername;
$_SESSION['mypassword']=$mypassword;
```

should be:

```php
$_SESSION['myusername']=$_POST['myusername'];
$_SESSION['mypassword']=$_POST['mypassword'];
```

Whenever submitting a password through a form, make sure to set the form attribute method to post, like so: <form method="post">

Gregory R.
  • Perfect, that's what it was. I was not calling session_start in all files; only login.php and logout.php. However, I am still able to access login_success.php (which should only load if $_SESSION['myusername'] is set) after clearing them and setting $_SESSION = array(); – Jesse Pardue Jan 12 '16 at 21:29
  • Also, I have changed my `IF` statement in logout.php to `if(!isset($_SESSION['myusername']) or empty($_SESSION['myusername'])) {`. I expected this to work; but I can still reach the page with my sessions unset and empty (null). – Jesse Pardue Jan 12 '16 at 21:41
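
A shared session guard for the pages discussed in this thread, added here as an example and not taken from any of the posts. It starts the session on every page, keeps only the username in `$_SESSION`, and stops the script after the redirect, since `header()` alone does not end execution. The file name `auth.php`, the function names, and the `$users` array (username mapped to a `password_hash()` value) are assumptions.

```php
<?php
// auth.php (added example): require this at the very top of every page,
// before any output. Even a var_dump() ahead of header() blocks the redirect
// unless output buffering is enabled.
declare(strict_types=1);

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
}

// $users maps username => password_hash() output (assumed storage format).
function log_in(string $username, string $password, array $users): bool
{
    start_session();
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);         // fresh session ID once authenticated
    $_SESSION['myusername'] = $username; // keep the identity only, not the password
    return true;
}

function require_login(): void
{
    start_session();
    if (empty($_SESSION['myusername'])) {
        header('Location: login.php');
        exit; // header() only queues the redirect; without exit the page still renders
    }
}

function log_out(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) { // also expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

With this file in place, `login_success.php` begins with `require 'auth.php'; require_login();` and `logout.php` with `require 'auth.php'; log_out();`, each before any HTML or debug output.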