
I am creating a website and running into a problem with my sessions. As you can see, the session variable $_SESSION['username'] is set to the user's input, but only if the username and password match. When the page then redirects to /home.php the session seems to be cleared.

How can I prevent this from happening, as I need to access these for the homepage of the site?

index.php:

require 'db.php';
session_start();
$inputError = false;
echo $_SESSION['username'];
if (isset($_POST['uName']) && isset($_POST['pWord']) && $_POST['fName'] == "" && $_POST['lName'] == "" && $_POST['email'] == "") {
    $username = $mysqli->escape_string($_POST['uName']);
    $password = $mysqli->escape_string(sha1($_POST['pWord']));
    $usernames = $mysqli->query("SELECT * FROM `Users` WHERE `username` = '$username'");
    if (mysqli_num_rows($usernames) == 1) {
        $continue = $mysqli->query("SELECT * FROM `Users` WHERE `username` = '$username' AND `password` = '$password'");
        if (mysqli_num_rows($continue) == 1) {
            $_SESSION['loggedIn'] = true;
            $_SESSION['username'] = $username;
            //header('Location: home.php');
            echo "<meta http-equiv='refresh' content='0; url=home.php/' />";
            exit();
        } else {
            $_SESSION['errorMsg'] = "invalid password";
        }
    } else {
        $_SESSION['errorMsg'] = "invalid username";
    }
} else if (isset($_POST['uName']) && isset($_POST['pWord']) && isset($_POST['fName']) && isset($_POST['lName']) && isset($_POST['email'])) {
    $username = $mysqli->escape_string($_POST['uName']);
    $password = $mysqli->escape_string(sha1($_POST['pWord']));
    $firstname = $mysqli->escape_string($_POST['fName']);
    $lastname = $mysqli->escape_string($_POST['lName']);
    $email = $mysqli->escape_string($_POST['email']);

    $uNameRes = $mysqli->query("SELECT * FROM `Users` WHERE `username` = '$username'") or die($mysqli->error);
    $eMailRes = $mysqli->query("SELECT * FROM `Users` WHERE `email` = '$email'") or die($mysqli->error);
    if ($uNameRes->num_rows > 0) {
        $_SESSION['errorMsg'] = "username in use";
        $inputError = true;
    }
    if (mysqli_num_rows($eMailRes) > 0) {
        $_SESSION['errorMsg'] = "email in use";
        $inputError = true;
    }
    if (!$inputError) {
        $sql = "INSERT INTO `Users` (`username`, `password`, `email`, `first_name`, `last_name`)"."VALUES ('$username', '$password', '$email', '$firstname', '$lastname')";
        if ($mysqli->query($sql)) {
            $_SESSION['active'] = 0;
            $_SESSION['loggedIn'] = true;
            $_SESSION['username'] = $username;
            //header('Location: home.php');
            echo "<meta http-equiv='refresh' content='0; url=home.php/' />";
            exit();
        }
    }
}

Some HTML code follows this but it is not needed for context.

home.php:

<?php
session_start();
if (!isset($_SESSION['username'])) {
    echo "Unset";
}
?>
<html>
<head>
    <title>magic</title>
    <link rel='icon' href='/Sources/Ski_Mask.png'/>
    <link rel='stylesheet' href='/Style/common.css'/>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
</head>
<body class='unselectable'>
<?php echo "<h1 id='welcome'>{$_SESSION['username']}</h1>"; ?>
    <h1 class='input'></h1>
    <center><button class='input' id='logOutButton'>log out</button></center>
    <p></p>
</body>
<script>
    $('#logOutButton').click(function() {
        $('p').html('<object data="logout.php"/>');
    });
</script>
</html>

Side note: If you have any idea what is wrong with my header() statement I would appreciate some help with that but it isn't my first priority.

Thanks

Tom Ayling
  • try calling session_start(); before requiring db.php. session_start(); should be the first thing in code. – Nawed Khan Dec 20 '18 at 22:20
  • @NawedKhan I tried that and unfortunately there was no difference – Tom Ayling Dec 20 '18 at 22:28
  • SHA1 is considered broken for security purposes and is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. – Alex Howansky Dec 20 '18 at 22:41
  • Also, please note that you should not rely on `escape_string()` to prevent SQL injection. Instead use [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). See [**this page**](https://phptherightway.com/#databases) and [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good examples. – Alex Howansky Dec 20 '18 at 22:44
  • @AlexHowansky I know, the website is not in use for anything yet so I am using a simple solution for now. – Tom Ayling Dec 20 '18 at 22:53
  • The proper solution is just as simple. Don't get into bad habits, or you'll see this code get deployed live and then you'll have to fool yourself into thinking that you'll fix it later. – Alex Howansky Dec 20 '18 at 22:54
  • @AlexHowansky Okay, thanks for the advice. Any ideas on what may be causing the issue mentioned? – Tom Ayling Dec 20 '18 at 22:59
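
The approach recommended in the comments above (prepared statements with bound parameters, `password_hash()` / `password_verify()`), as an added example that is not part of the original question or comments. It assumes PDO with an in-memory SQLite table standing in for `Users`; `registerUser` and `checkLogin` are hypothetical helper names.

```php
<?php
// Added example: registration and login with bound parameters and
// password_hash()/password_verify(). An in-memory SQLite database is used so
// the script runs stand-alone; with MySQL only the PDO DSN would change.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed stand-in for the question's `Users` table (two columns only).
$pdo->exec('CREATE TABLE Users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Hypothetical helper: stores a salted, deliberately slow hash instead of sha1().
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO Users (username, password) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Hypothetical helper: true only when the user exists and the hash verifies.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // The username is bound as data; it is never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT password FROM Users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample accounts.
registerUser($pdo, 'tom', 'correct horse');
registerUser($pdo, "o'neil", 'battery staple');

var_dump(checkLogin($pdo, 'tom', 'correct horse'));      // valid credentials
var_dump(checkLogin($pdo, 'tom', 'wrong'));              // wrong password
var_dump(checkLogin($pdo, 'nobody', 'x'));               // unknown user
var_dump(checkLogin($pdo, "o'neil", 'battery staple'));  // quote handled as data

// In the login branch of index.php (after session_start()) this would read:
//   if (checkLogin($pdo, $_POST['uName'], $_POST['pWord'])) {
//       session_regenerate_id(true);  // issue a fresh session id after login
//       $_SESSION['loggedIn'] = true;
//       $_SESSION['username'] = $_POST['uName'];
//   }
```

Because `checkLogin` returns a single boolean, the page can show one "invalid username or password" message instead of the separate messages in the question, which reveal which usernames exist. Output written to the page later (such as the `<h1>` in home.php) should pass the stored username through `htmlspecialchars()`.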

0 Answers