
I have a login system, and when users log in, they are sent to a new file called user.php. In the login file, I have this code:

$user = $check->fetch_assoc();
if (password_verify($_POST['password'], $user['password'])) {
    $_SESSION['logged_in'] = true;
    $_SESSION['username'] = $user['username'];
    header('location: user.php');
}

When the user successfully logs in, he is sent to the user.php file, and the code in that file looks like:

<?php
// Start the session
session_start();
// Check if the user is logged in.
if ($_SESSION['logged_in'] = false) {
    $_SESSION['message'] = 'You must Login to continue use this section.';
    header('location: error.php');
} else {
    $username = $_SESSION['username'];
    echo $username;
}

?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Dashboard</title>
</head>
<body>
    <h1>
        Welcome, <?php echo $username?>,
    </h1>

</body>
</html>

But when the user logs in, he gets "undefined index: username". I want to know why, if I am using sessions.

0xCursor
  • Why have you not started the session in the login page? – Mohd Hasan Aug 18 '18 at 05:24
  • I am starting the session in index.php, where the user is sent to login.php when submitting the login form –  Aug 18 '18 at 05:25
  • change this `if ($_SESSION['logged_in'] = false) {` to `if ($_SESSION['logged_in'] ===false) {` – Elementary Aug 18 '18 at 05:27
  • Possible duplicate of [PHP: "Notice: Undefined variable", "Notice: Undefined index", and "Notice: Undefined offset"](https://stackoverflow.com/questions/4261133/php-notice-undefined-variable-notice-undefined-index-and-notice-undef) – urfusion Aug 18 '18 at 05:35

2 Answers


Next time, please try to send the full code so that helping you will be a lot easier. The username is probably undefined because you did not initialize the session with session_start(); in your authentication script (e.g. login.php) that first handles the session. Also, you will need to mitigate session fixation attacks by generating a new session for each logged-in user with session_regenerate_id();

$user = $check->fetch_assoc();
if (password_verify($_POST['password'], $user['password'])) {
    // initialize session
    session_start();
    // prevent session fixation attack
    session_regenerate_id();

    $_SESSION['logged_in'] = true;
    $_SESSION['username'] = $user['username'];
    header('location: user.php');
    // stop the script so nothing else runs after the redirect
    exit;
}

Optionally

In user.php, remove the way you are performing the session check and replace it with the code below. You can check whether the user's session is set using this simple script:

<?php
// initialize the session if it has not been initialized; otherwise remove this line
session_start();
if (!isset($_SESSION['username']) || (trim($_SESSION['username']) == '')) {
    echo "you must login";
    exit();
} else {
    // login flows
}

?>

Please send the full code if this does not solve your problem.

chinazaike
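$user = $check->fetch_assoc();
// only verify the password when a matching user row was found
if (!empty($user)) {
    $passwordCheck = password_verify($_POST['password'], $user['password']);
    if ($passwordCheck) {
        $_SESSION['logged_in'] = true;
        $_SESSION['username'] = $user['username'];
        header('location: user.php');
        // stop the script so nothing else runs after the redirect
        exit;
    }
}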

Here is the modified welcome page:

<?php
// Start the session
session_start();
// Check if the user is logged in: redirect when the flag is missing or empty.
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] == "") {
    $_SESSION['message'] = 'You must Login to continue use this section.';
    header('location: error.php');
    // stop here so the rest of the page is not rendered for guests
    exit;
} else {
    $username = $_SESSION['username'];
    echo $username;
}

?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Dashboard</title>
</head>
<body>
    <h1>
        Welcome, <?php echo $username?>,
    </h1>

</body>
</html>
jvk
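
The login and guard logic that both answers describe, written as one command-line script; this is an added example, not code from the question or from either answer. The function names `start_session`, `log_in` and `current_user` and the sample row are assumptions made for illustration, and the username is escaped with `htmlspecialchars` because it ends up in HTML.

```php
<?php
// Added example: the function names and the sample row are hypothetical.
declare(strict_types=1);

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Login side: verify the password, then rotate the session ID before
// storing authenticated state (session fixation defence).
function log_in(?array $row, string $password): bool
{
    if ($row === null || !password_verify($password, $row['password'])) {
        return false;
    }
    start_session();
    session_regenerate_id(true); // true also deletes the old session data
    $_SESSION['logged_in'] = true;
    $_SESSION['username'] = $row['username'];
    return true;
}

// Guard side: returns the username, or null when the caller must redirect.
// empty() treats a missing key and false alike and raises no notice; the
// question's `= false` assigns instead of comparing, so it never redirects.
function current_user(): ?string
{
    start_session();
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['username'])) {
        return null;
    }
    return (string) $_SESSION['username'];
}

// Constructed row standing in for $check->fetch_assoc().
$row = ['username' => 'alice', 'password' => password_hash('s3cret', PASSWORD_DEFAULT)];
$guest = current_user();           // no login yet
$bad   = log_in($row, 'wrong');    // rejected, session untouched
$good  = log_in($row, 's3cret');   // accepted, session ID rotated
$name  = current_user();
if ($name === null) {
    header('Location: error.php');
    exit; // stop so the page body is never sent to a guest
}
var_dump($guest, $bad, $good);
echo 'Welcome, ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
```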