I have a session page with this code

session_start();

// Anyone without a logged-in session is sent back to the login page
if (!isset($_SESSION['id'])) {
    header('location:order.php');
    exit; // stop here, otherwise the rest of the page still runs without a session
}

$ses_id = $_SESSION['id'];

I included it in my login page (order.php)

<?php include('session.php'); ?>

Here are the login scripts and functions

$username = clean($_POST['username']);
$password = md5($_POST['password']);
$apollos = $username;
$query = Login($username, $password);
$count = mysql_num_rows($query);
$row = mysql_fetch_array($query);
$phone = $row['Contact_Number'];

DeleteActivation($username);

if ($count > 0) {
    // Password accepted: remember the member and send the login PIN
    $_SESSION['id'] = $row['memberID'];

    UserPin($username, $pin, $member);
    $From = 'eFarms';
    $Message = 'Your User Login Pin from St. Apollos eFarms is ' . $pin;

    // Write the session before die(), or the close call is never reached
    session_write_close();
    die("<script>location.href = 'login_sms.php'</script>");
} else {
    session_write_close();
}

Here is my Pin Validation Page

<?php include('header.php'); ?>
<?php
$pin = clean($_POST['pin']);

$query = CheckPin($username, $pin, $member);

$count = mysql_num_rows($query);
$row = mysql_fetch_array($query);

if ($count > 0) {
    // PIN accepted: store the member id and move on to the home page
    $_SESSION['id'] = $row['memberID'];
    // Write the session before die(), or the close call is never reached
    session_write_close();
    die("<script>location.href = 'user_home.php'</script>");
} else {
    session_write_close();
}

Someone should please examine this code, correct it and show me how to receive the session on the User Home Page as the username.

  • Just an FYI `md5()` is not a secure way to store a password. You should look into `password_hash`. As for what you have here it is very unclear what/where your issue is. – nerdlyist Oct 12 '16 at 12:06
  • You'd be amazed as to what error reporting and var_dump() will do. – Funk Forty Niner Oct 12 '16 at 12:31
  • To back up what @nerdlyist said: ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Oct 12 '16 at 12:32
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Oct 12 '16 at 12:33
  • Not quite sure what the question is here. – Progrock Oct 12 '16 at 21:24
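The flow the question describes (password step, SMS PIN step, then a home page that needs the username), written out as an added example. This is not the asker's code or any answerer's code; it assumes a connected PDO instance `$pdo`, a hypothetical `members` table (memberID, username, password_hash, Contact_Number), a hypothetical `login_pins` table (memberID, pin_hash, expires_at), and a placeholder `send_sms()` since the page does not show how PINs are delivered. It uses `password_hash`/`password_verify` and prepared statements in place of `md5()` and `mysql_*`, starts the session once in a shared function, and only sets `$_SESSION['id']` after both the password and the PIN have been checked, so the PIN page cannot be skipped.

```php
<?php
// Added example, not the asker's code. Schema and send_sms() are assumed.
declare(strict_types=1);

// --- session.php: include at the top of every page that needs the session ---
function start_session_once(): void
{
    // session_start() resumes an existing session or creates a new one;
    // the status check only avoids the notice raised when it is called twice.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

function require_login(): void
{
    start_session_once();
    if (empty($_SESSION['id'])) {
        header('Location: order.php');
        exit; // without exit the rest of the page still runs for anonymous visitors
    }
}

// --- order.php: password step ---
function login(PDO $pdo, string $username, string $password): bool
{
    start_session_once();
    // Prepared statement: the submitted username never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT memberID, username, password_hash, Contact_Number FROM members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The raw password is compared against a password_hash() digest; it is not
    // escaped, trimmed or md5()'d first, which would change the password.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Password accepted, but the user is NOT logged in yet: remember who is
    // mid-way through the PIN step under a separate key from 'id'.
    $_SESSION['pending_member']   = (int) $row['memberID'];
    $_SESSION['pending_username'] = $row['username'];

    // Six-digit PIN, stored hashed with a 10 minute lifetime (assumed schema).
    $pin  = (string) random_int(100000, 999999);
    $stmt = $pdo->prepare(
        'INSERT INTO login_pins (memberID, pin_hash, expires_at)
         VALUES (?, ?, DATE_ADD(NOW(), INTERVAL 10 MINUTE))'
    );
    $stmt->execute([$row['memberID'], password_hash($pin, PASSWORD_DEFAULT)]);
    send_sms($row['Contact_Number'], 'Your User Login Pin from St. Apollos eFarms is ' . $pin);
    return true;
}

// --- login_sms.php: PIN step ---
function verify_pin(PDO $pdo, string $pin): bool
{
    start_session_once();
    if (empty($_SESSION['pending_member'])) {
        return false; // nobody has passed the password step in this session
    }
    $stmt = $pdo->prepare(
        'SELECT pin_hash FROM login_pins WHERE memberID = ? AND expires_at > NOW()
         ORDER BY expires_at DESC LIMIT 1'
    );
    $stmt->execute([$_SESSION['pending_member']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pin, $row['pin_hash'])) {
        return false;
    }

    // Both steps passed: promote the pending identity to a logged-in one.
    session_regenerate_id(true); // fresh session id once privileges change
    $_SESSION['id']       = $_SESSION['pending_member'];
    $_SESSION['username'] = $_SESSION['pending_username'];
    unset($_SESSION['pending_member'], $_SESSION['pending_username']);
    $pdo->prepare('DELETE FROM login_pins WHERE memberID = ?')->execute([$_SESSION['id']]);
    return true;
}

// --- user_home.php: the part the question asks about ---
function current_username(): string
{
    require_login();
    // The username was put into the session at the PIN step; just read it back.
    return $_SESSION['username'];
}

function send_sms(string $number, string $message): void
{
    // Placeholder for the site's real SMS delivery, which the page does not show.
    error_log("SMS to $number: $message");
}
```

In order.php the handler is just `if (login($pdo, $_POST['username'], $_POST['password'])) { header('Location: login_sms.php'); exit; }`, and login_sms.php does the same with `verify_pin()` and `user_home.php`; a `Location` header followed by `exit` replaces the `die("<script>...")` redirect, and `exit` already writes the session, so no `session_write_close()` call is needed. On user_home.php, `echo htmlspecialchars(current_username())` prints the username from the session.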

2 Answers

Before session start, you have to check whether the session is already started or not, like below, in each script or in a common script file.

if (!isset($_SESSION)) {
    session_start();
}

Edited:

The above condition is not needed, as it is checked internally, as described in the documentation - http://php.net/manual/en/function.session-start.php

session_start();
Manikandan S
  • No need to check if set or not. – vher2 Oct 12 '16 at 12:17
  • @vher2 I mean to say we have the session_start() in all the pages at first line also if you already started the session we no need to start again. So I added the if condition also with my answer. Any way thanks for your comment. – Manikandan S Oct 12 '16 at 16:52
  • There's no need because `session_start` will start new one if it's not yet started or will resume the existing. So there's no need for checking. – vher2 Oct 13 '16 at 10:24
  • @vher2 Ok thanks for your info. I will update my answer. – Manikandan S Oct 13 '16 at 10:39
First, as provided by others, ur using a very bad and insecure method! Try to use PDO which is much easier (when u understand how it works) and it's much more secure!

Second, ur coding is not so clean, I think that's why u can't find the problem urself !

And finally, I think ur missing :

session_start();

in some part of ur code !

Sinf
  • *"it's much more secure"*, but not automatically more secure. You'd need to bind your parameters, and handle errors/exceptions carefully. – ʰᵈˑ Oct 13 '16 at 10:44
  • @ʰᵈˑur right :) I had to say, if u use it correctly, it will be more secure :) – Sinf Oct 13 '16 at 12:04