I am writing a custom script to restrict a private website: users need an access code and their last name to access the website. The website is made with WordPress, while the restricting credentials come from an external PHP application.

I have two files: one is home.php and the other is autho.php. The login form is in home.php, where the form and the Ajax code are written. autho.php is the server-side script that creates the session to restrict the WordPress site.

The session validation happens in the /wp-content/themes/twentynineteen/header.php file. In the WordPress site I am not able to find the session data that was created in autho.php. Please suggest.

home.php (login form)

<script type='text/javascript'>
$(document).ready(function(){
 $('#login_error').hide();
 $('#accessform').on('submit', function(event){
  event.preventDefault();
  $.ajax({
   url:"doctor_autho.php?action=login&type=login",
   method:"POST",
   data:$(this).serialize(),
   dataType:"json",
   beforeSend:function(){
    $('#submit').attr('disabled', 'disabled');
   },
   success:function(data)
   {
     // compare with ===; a single = assigns and is always truthy
     if(data.result === 'false')
     {
      $('#login_error').show();
      $('#login_error').html("<strong> Doctors last name or code is invalid </strong>");
      $('#submit').prop('disabled', false);
     }
     if(data.result === 'true')
     {
      $('#login_error').show();
      $('#login_error').html("<strong> Access Granted !!! </strong>");
      // the browser follows the redirect; the session cookie was set by the JSON response
      window.location.href = "/index.php";
     }
    $('#submit').attr('disabled', false);
   },
   error: function (response) {
     $('#login_error').show();
     $('#login_error').html("<strong> Doctors last name or code is invalid  </strong>");
     $('#submit').prop('disabled', false);
    }
  })
 });
});
</script>

autho.php PHP file

<?php
// $servername, $username, $password and $dbname are defined elsewhere
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error){
    die("Connection failed: " . $conn->connect_error);
}
$type = isset($_GET['type'])?$_GET['type']:"";
$action = isset($_GET['action'])?$_GET['action']:"";
if(isset($_POST) && $action == "login" && $type=="login"){
  $doctor_invitation_code= isset($_POST['doctor_invitation_code'])?$_POST['doctor_invitation_code']:"";
  $doctor_last_name= isset($_POST['doctor_last_name'])?$_POST['doctor_last_name']:"";
  if($doctor_invitation_code =="" OR $doctor_last_name ==""){
    $data = array("result" => "false", "msg" => "Parameter is required");
    die(json_encode($data));
  }else{
    check_login($doctor_invitation_code,$doctor_last_name);
  }
}else{
    $data = array("result" => "false", "msg" => "Parameter wrong used!");
    die(json_encode($data));
}
function check_login($doctor_invitation_code,$doctor_last_name){
    global $conn;
    // the raw POST values are concatenated straight into the SQL string
    $doct_auto_query ="SELECT * FROM `tbl_user_master` WHERE patient_invition_code='".$doctor_invitation_code."' AND user_lname='".$doctor_last_name."' AND user_type='2' and is_deleted=0 limit 1";
    //echo $doct_auto_query;
    $result = $conn->query($doct_auto_query);
    if($result->num_rows > 0){
        $data = array("result" => "true", "msg" => "Access Granted !!!");
        // started before any output so the session cookie header can still be sent
        session_start();
        $_SESSION['invitation_code'] = $doctor_invitation_code;
        $_SESSION['last_name'] = $doctor_last_name;
        die(json_encode($data));
    }else{
        $data = array("result" => "false", "msg" => "The Invitation code or Last Name is wrong used!");
        // sends a redirect header together with the JSON body
        header ("Location: home.php");
        die(json_encode($data));
    }
}

Session validation on theme's header.php file

session_start();

// redirect to the login page when no session data is present
if (!isset($_SESSION['invitation_code']) && !isset($_SESSION['last_name']) ) {
   header("Location: https://www.website.com/home.php");
}

In the WordPress site, in the theme header file, I am not able to access $_SESSION['invitation_code'] and $_SESSION['last_name']. Please suggest how to fix this.

ariesx
  • Read up [bobby-tables](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work/332367#332367) since your code is open to sql injections. Also I suggest you read up on [php die()](https://www.php.net/manual/en/function.die.php), since `die()` does not do what you think it does, it does not just end the php script execution. – Eugene Anisiutkin Feb 11 '20 at 21:17

1 Answer

First, put session_start(); in the wp-config.php file.

define( 'WP_SESSION_USE_OPTIONS', true );
session_start();

Your jQuery should be something like this:

<script type='text/javascript'>
$(document).ready(function(){
 $('#login_error').hide();
 $('#accessform').on('submit', function(event){
  event.preventDefault();
  $.ajax({
   url:"autho.php?action=login&type=login",
   method:"POST",
   data:$(this).serialize(),
   dataType:"json",
   beforeSend:function(){
    $('#submit').attr('disabled', 'disabled');
   },
   success:function(data)
   {
     console.log(data);
     // the server's msg field is shown in both cases
     if(data.result == "true") {
      $('#login_error').show();
      $('#login_error').html("<strong> "+data.msg+" </strong>");
      window.location.href = "index.php";
      return false;
     }
     if(data.result == "false") {
      $('#login_error').show();
      $('#login_error').html("<strong> "+data.msg+" </strong>");
      $('#submit').prop('disabled', false);
      return false;
     }
    $('#submit').attr('disabled', false);
   },
   error: function (response) {
     $('#login_error').show();
     $('#login_error').html("<strong> There is an error!  </strong>");
     $('#submit').prop('disabled', false);
    }
  })
 });
});
</script>

Your PHP code should be something like this:

    <?php
    $con = mysqli_connect("127.0.0.1","dbuser","dbpassword","dbname");
    if (mysqli_connect_errno()) {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      exit();
    }

    // escape both POST values before they are placed in the query string
    $doctor_last_name = mysqli_real_escape_string($con, $_POST['doctor_last_name'] ?? '');
    $password = mysqli_real_escape_string($con, $_POST['doctor_invitation_code'] ?? '');
    if($doctor_last_name !="" && $password !=""){
            $query ="SELECT * FROM `tbl_user_master` WHERE  is_deleted=0 AND user_type='2' ";

            // validation for last name
            $query .=" AND user_lname='".$doctor_last_name."' ";
            $res=mysqli_query($con, $query);
            if ($res && mysqli_num_rows($res) == 0){
                $data = array("result" => "false", "msg" => "The Last Name is invalid.");
                echo json_encode($data);
                exit();
            }
            //end
            //validation for invitation code
            $query .=" AND patient_invition_code='".$password."' ";
            $res=mysqli_query($con, $query);
            if ($res && mysqli_num_rows($res) == 0){
                $data = array("result" => "false", "msg" => "The Invitation Code is invalid.");
                echo json_encode($data);
                exit();
            }

            // both conditions are now in the query; a matching row grants access
            $res=mysqli_query($con, $query);
            if ($res){
                if (mysqli_num_rows($res) > 0){
                    session_start();
                    $_SESSION['invitation_code'] = $password;
                    $_SESSION['last_name'] = $doctor_last_name;
                    $data = array("result" => "true", "msg" => "Access Granted !!!");
                    echo json_encode($data);
                    exit();
                }else {
                //validation of code and lastname only
                $data = array("result" => "false", "msg" => "The Last name & Invitation Code is invalid.");
                echo json_encode($data);
                exit();
                }
            }
    }else{
    $data = array("result" => "false", "msg" => "Parameter is required.");
    echo json_encode($data);
    exit;
    }
    mysqli_close($con);
    exit;

    ?>

And lastly, you can put the session validation in any header file of your WordPress theme.

// only start a session if wp-config.php has not already done so
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

if(!isset($_SESSION['invitation_code']) || $_SESSION['invitation_code'] == '') {
   header('Location: home.php');
   exit;
}
Sashi
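One way to make the two scripts agree on the session and to run the lookup as a prepared statement, as an added example that is not the asker's or the answerer's code: the file name session_bootstrap.php, the session name DOCTORSESS and the function names are assumptions, and get_result() assumes the mysqlnd driver.

```php
<?php
// session_bootstrap.php (assumed name): included from BOTH autho.php and the theme's
// header.php so both scripts use one session name, cookie scope and cookie flags;
// if these differ, header.php cannot see the $_SESSION data autho.php wrote.
function doctor_session_start(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                        // already started, e.g. by wp-config.php
    }
    session_name('DOCTORSESS');        // assumed name, same in both scripts
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',             // must cover the WordPress pages as well
        'domain'   => '',              // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}
// Login lookup for autho.php: a prepared statement, so POST values cannot alter the SQL.
function doctor_login(mysqli $conn, string $lastName, string $code): array {
    doctor_session_start();
    $stmt = $conn->prepare(
        'SELECT 1 FROM `tbl_user_master`
          WHERE patient_invition_code = ? AND user_lname = ?
            AND user_type = \'2\' AND is_deleted = 0 LIMIT 1'
    );
    $stmt->bind_param('ss', $code, $lastName);
    $stmt->execute();
    $found = $stmt->get_result()->fetch_row();   // needs the mysqlnd driver
    $stmt->close();
    if (!$found) {
        // one generic message: does not reveal which of the two fields was wrong
        return ['result' => 'false', 'msg' => 'Invitation code or last name is invalid'];
    }
    session_regenerate_id(true);       // new session id once authenticated
    $_SESSION['invitation_code'] = $code;
    $_SESSION['last_name']       = $lastName;
    return ['result' => 'true', 'msg' => 'Access Granted'];
}
// Guard for the top of header.php: runs before any HTML is output and exits after the redirect.
function doctor_require_session(string $loginUrl): void {
    doctor_session_start();
    if (empty($_SESSION['invitation_code'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}
```

In autho.php the JSON response is `echo json_encode(doctor_login($conn, $lastName, $code));`, and header.php calls `doctor_require_session('https://www.website.com/home.php');` as its first statement.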