managing session file separately to include in all file

Question

After logging, session will start. So i have to manage session.php in all my other files to manage session. Here is my login file:

<?php 
    if(isset($_POST['submit']))
    {
        include("connect.php");
        $user=mysqli_real_escape_string($con, $_POST['email']);
        $pass=mysqli_real_escape_string($con, $_POST['password']);
        $sql="SELECT * FROM users WHERE email='".$user."' AND password='".$pass."' ";
        $query=mysqli_query($con, $sql) or die(mysqli_error($con));
        $count=mysqli_num_rows($query);
        if($count==1)
        {   
            $row=mysqli_fetch_array($query);
            session_start();
            $_SESSION['user_id']=$row['uid'];
        }
        else {
            header("location:../index.php?error=1");
        }
        if(isset($_SESSION["user_id"])) {   
            header("location:../home.php");
        }
    }    
?>

And in sessions.php:

<?php
    session_start();
    session_regenerate_id();
    if($_SESSION["user_id"]) 
    {
        include("connect.php");
        $m1 = "select * from users where uid='".$_SESSION['user_id']."'";
        $m2 = mysqli_query($con, $m1);
        $m3 = mysqli_fetch_array($m2);
        $_SESSION['username'] = $m3['fname'].' '.$m3['lname'];
    } 
    else 
    if(!isset($_SESSION['user_id']))
    {
        header("location:index.php");
    }
?>

As the session is started in login.php itself, i get error in sessions.php 'Session is already started'. But if i remove session_start();, it redirects to index.php (login form). I am confused.

Can somebody help me in this?

Answer 1

Many commenters have pointed out issues with the question as asked. I can't comment, so I'll offer this bit of advice.

die(mysqli_error($con))

These errors should go to a log file, not printed for the user to see. Someone could find vulnerabilities in your system by reading the error message and exploit them. Don't make it easy for them!

Answer 2

<?php 
        session_start();
        $user_id =  $_SESSION['user_id'];
        if(isset($_POST['submit']))
        {
            include("connect.php");
            $user=mysqli_real_escape_string($con, $_POST['email']);
            $pass=mysqli_real_escape_string($con, $_POST['password']);
            $sql="SELECT * FROM users WHERE email='".$user."' AND password='".$pass."' ";
            $query=mysqli_query($con, $sql) or die(mysqli_error($con));
            $count=mysqli_num_rows($query);
            if($count==1)
            {   
                $row=mysqli_fetch_array($query);

                $_SESSION['user_id']=$row['uid'];
            }
            else {
                header("location:../index.php?error=1");
            }
            if(isset($_SESSION["user_id"])) {   
                header("location:../home.php");
            }
        }    
    ?>

And in sessions.php:

<?php
    session_start();
    session_regenerate_id();
    if($user_id) 
    {
        include("connect.php");
        $m1 = "select * from users where uid='".$user_id."'";
        $m2 = mysqli_query($con, $m1);
        $m3 = mysqli_fetch_array($m2);
        $_SESSION['username'] = $m3['fname'].' '.$m3['lname'];
    } 
    else 
    if(!isset($user_id))
    {
        header("location:index.php");
    }
?>