
I have a working database in Postgres where a session starts, the user makes an account, and it gets logged in the database. That much is butter! But when a user tries logging in from login.php, it doesn't redirect them to welcome.php. I do feel like I am missing some code, but I don't know what to add. Any help?

login.php:

<?php

require_once "config.php";
require_once "session.php";

if(isset($_POST['submit'])){
    
    $hashpassword = md5($_POST['password']);
    $sql = "SELECT * FROM public.users WHERE username = '".($_POST['username'])."' and password ='".$hashpassword."'";
    $data = pg_query($dbconn,$sql); 
    $login_check = pg_num_rows($data);
    if($login_check > 0){ 
        
        echo "Login Successfully";    
    }else{
        
        echo "Invalid Details";
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <link rel="stylesheet" href="../css/main.css">
    <link rel="icon" href="../assets/icon.gif">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>悲</title>
</head>
<body>
    <div id="audio-player-container">
    <audio id="player" src="../assets/sinners_lullaby.m4a" autoplay loop></audio>
</div>
<div id="sadtext">SAD SAD SAD SAD SAD SAD SAD</div>
<div id="display">
    <div><p id="audiomenutext">Audio Menu</p></div>
<div id="buttons">
    <li><button class="buttons" onclick="document.getElementById('player').play()">Play</button></li>
    <li><button class="buttons" onclick="document.getElementById('player').pause()">Pause</button></li>
    <li><button class="buttons" onclick="document.getElementById('player').muted=!document.getElementById('player').muted">Mute/ Unmute</button></li>
</div>
</div>
<button id="login" onclick="document.getElementById('id01').style.display='block'" style="width:auto;">Login</button>

<div id="id01" class="modal">
  
  <form class="modal-content animate" method="post">
    <div class="imgcontainer">
      <span onclick="document.getElementById('id01').style.display='none'" class="close" title="Close Modal">&times;</span>
      <img src="../assets/onepunchman copy.gif" alt="Avatar" class="avatar">
    </div>

    <div class="container">
      <label for="username"><b>Username</b></label>
      <input id="input" type="text" placeholder="Enter Username" name="username" required>

      <label for="password"><b>Password</b></label>
      <input id="input" type="password" placeholder="Enter Password" name="password" required>
        
      <button id="logininmodal" name="submit" type="submit">Login</button>
      <label>
        <input id="input" type="checkbox" checked="checked" name="remember"> Remember me
      </label>
    </div>

    <div class="container" style="background-color:#f1f1f1">
      <button id="cancel" type="button" onclick="document.getElementById('id01').style.display='none'" class="cancelbtn">Cancel</button>
      <span class="psw">Forgot <a href="#">password?</a></span>
    </div>
  </form>
</div>
</body>
<script type="text/javascript">
var modal = document.getElementById('id01');
window.onclick = function(event) {
    if (event.target == modal) {
        modal.style.display = "none";
    }
}</script>
</html>

welcome.php

<?php

session_start();

if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !==true) {
    header("location: login.php");
    exit;
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <link rel="stylesheet" href="../css/main.css">
    <link rel="icon" href="../assets/icon.gif">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>悲</title>
</head>
<body>
    <div id="audio-player-container">
    <audio id="player" src="../assets/sinners_lullaby.m4a" autoplay loop></audio>
</div>
<div id="sadtext">WELCOME <?php echo $_SESSION["username"]; ?></div>
<div id="display">
    <div><p id="audiomenutext">Audio Menu</p></div>
<div id="buttons">
    <li><button class="buttons" onclick="document.getElementById('player').play()">Play</button></li>
    <li><button class="buttons" onclick="document.getElementById('player').pause()">Pause</button></li>
    <li><button class="buttons" onclick="document.getElementById('player').muted=!document.getElementById('player').muted">Mute/ Unmute</button></li>
</div>
</div>
<button id="logout" style="width:auto;">Logout</button>
</body>
<script type="text/javascript" src="../js/home.js"></script>
</html>

session.php:

<?php

session_start();

if (isset($_SESSION["userid"]) && $_SESSION["userid"] != "") {
    header("location: welcome.php");
    exit;
}
?>

SOLVED!

Fixed my login.php:

<?php

require_once "config.php";
require_once "session.php";

if(isset($_POST['submit'])){
    $username = trim($_POST["username"]); 
    $hashpassword = md5($_POST['password']);
    $sql = "SELECT * FROM public.users WHERE username = '".($_POST['username'])."' and password ='".$hashpassword."'";
    $data = pg_query($dbconn,$sql); 
    $login_check = pg_num_rows($data);
    if($login_check > 0){
        session_start();
        $_SESSION["loggedin"] = true;
        $_SESSION["id"] = $id;
        $_SESSION["username"] = $username;
        header("location: welcome.php");
    }else{
        
        echo "Invalid Details";
    }
}
?>

Thanks to Magnus Eriksson

thejacobfo
    Where are you saving the user session in `$_SESSION["userid"])` while logging in? – Hisham Jul 22 '21 at 06:06
  • 2
    **Warning!** You're open to [SQL injection attacks](https://owasp.org/www-community/attacks/SQL_Injection)! You should use [prepared statements](https://www.php.net/manual/en/function.pg-prepare.php) with bound parameters instead of injecting variables directly into your queries. It's not just about security. If your data contains, for example, a single quote `'`, your query will break. – M. Eriksson Jul 22 '21 at 06:11
  • 2
    **Warning!** md5/sha1 are not suitable for password hashing. The manual even warns you about it: _"Warning It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm."_ Use [password_hash()](https://www.php.net/manual/en/function.password-hash.php) and [password_verify()](https://www.php.net/manual/en/function.password-verify.php) instead. Read how to use them [here](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) – M. Eriksson Jul 22 '21 at 06:11
  • Why would you expect the user to be redirected on successful login when all you're doing is echoing _"Login Successfully"_? If you want them to be redirected, you need to add some redirect code (and remove the echo). You should probably also set `$_SESSION["loggedin"]` and `$_SESSION["userid"]`. You're currently checking those values, but you never actually set them anywhere. – M. Eriksson Jul 22 '21 at 06:14
  • OK, yeah, I don't know why my post is locked, but that's exactly it. I need to have set-session code in place of the echo. I just don't know what to write; I'm kinda new to PHP. – thejacobfo Jul 22 '21 at 06:25
  • Well, there are thousands of tutorials about using sessions in PHP, including [the manual](https://www.php.net/manual/en/session.examples.basic.php). If you don't know how sessions (or redirects) work, where did you get the above code from seeing that they are using sessions and redirects? We're glad to help with specific issues you might have, but we do require you to do proper [research](https://meta.stackoverflow.com/questions/261592/how-much-research-effort-is-expected-of-stack-overflow-users) and learn the basics yourself first. – M. Eriksson Jul 22 '21 at 06:29
  • Thanks, just edited my main post because apparently I can't make replies. But yeah, thank you so much for tipping me off to the session-setting code. I sort of took a guess at what code to use after your advice! – thejacobfo Jul 22 '21 at 06:32
  • There are some issues though. Since you're including `session.php` (which has `session_start()`) in your `login.php`, you should remove the `session_start()` you just added to `login.php` (or you will try and start an already started session, which will throw a warning/error). You're still wide open to SQL injections and are still using md5() for password hashing (those two are _major_ security issues you _must_ address asap). You should put an `exit;` after the `header()` you just added to make sure the script stops executing. Also `$_SESSION["id"] = $id;`, you've never defined `$id`. – M. Eriksson Jul 22 '21 at 06:40
  • It actually worked just fine, I think because the first session is the not-logged-in session. Then it starts a new one with the logged-in user. I know it seems redundant, but it works. And I know the password safety isn't the best; I'm not going to be going public or anything, it's just a little homemade app I might share with my friends. But thanks for all the help! – thejacobfo Jul 22 '21 at 06:49
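The following is an added example, not the asker's code or any of the commenters', showing what the login handler looks like once every point raised in the comments is applied: the username goes to PostgreSQL through `pg_prepare()`/`pg_execute()` bound parameters instead of string concatenation, passwords are stored with `password_hash()` and checked with `password_verify()` rather than `md5()`, `session_start()` is called only once, the session id is regenerated on login, both `$_SESSION["loggedin"]` and `$_SESSION["userid"]` (the keys `welcome.php` and `session.php` check) are actually set, and the `header()` redirect is followed by `exit;`. It assumes, as in the question, that `config.php` defines `$dbconn` from `pg_connect()`, and it assumes `public.users` has columns `id`, `username` and `password`; the `register_user()` helper is included because the existing `md5` digests in that table have to be replaced by `password_hash()` strings before `password_verify()` can succeed.

```php
<?php
// Added example (not the asker's code). Assumes config.php defines $dbconn
// (a pg_connect() connection, as in the question) and that public.users has
// columns id, username, password, where password holds a password_hash() string.
require_once "config.php";

// Start the session exactly once. The asker's session.php also calls
// session_start(); session_status() avoids the "already started" warning.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Already logged in? Go straight to welcome.php.
if (!empty($_SESSION["loggedin"])) {
    header("Location: welcome.php");
    exit;
}

/**
 * Store a new user. password_hash() chooses the algorithm (bcrypt by default)
 * and a random salt; the returned string carries everything verify needs.
 */
function register_user($dbconn, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // $1/$2 are bound parameters: the values never become part of the SQL text.
    pg_prepare($dbconn, "insert_user",
        'INSERT INTO public.users (username, password) VALUES ($1, $2)');
    return pg_execute($dbconn, "insert_user", [$username, $hash]) !== false;
}

/**
 * Return the user's id on success, null on failure. Only the username is sent
 * to the database; the password is compared in PHP with password_verify().
 */
function authenticate($dbconn, string $username, string $password): ?int
{
    pg_prepare($dbconn, "select_user",
        'SELECT id, password FROM public.users WHERE username = $1');
    $result = pg_execute($dbconn, "select_user", [$username]);
    $row = $result ? pg_fetch_assoc($result) : false;

    if ($row === false) {
        // Unknown user: still run a verify so the response time does not
        // reveal whether the username exists. The hash is a constructed dummy.
        password_verify($password, '$2y$10$' . str_repeat('a', 53));
        return null;
    }
    if (!password_verify($password, $row["password"])) {
        return null;
    }
    // Transparently upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($row["password"], PASSWORD_DEFAULT)) {
        pg_prepare($dbconn, "rehash_user",
            'UPDATE public.users SET password = $1 WHERE id = $2');
        pg_execute($dbconn, "rehash_user",
            [password_hash($password, PASSWORD_DEFAULT), $row["id"]]);
    }
    return (int) $row["id"];
}

if (isset($_POST["submit"])) {
    $username = trim($_POST["username"] ?? "");
    $password = $_POST["password"] ?? "";

    $userId = authenticate($dbconn, $username, $password);
    if ($userId === null) {
        echo "Invalid Details";
    } else {
        // New session id on login so a pre-login id cannot be reused (fixation).
        session_regenerate_id(true);
        $_SESSION["loggedin"] = true;
        $_SESSION["userid"]   = $userId;   // the key session.php checks
        $_SESSION["username"] = $username; // shown by welcome.php
        header("Location: welcome.php");
        exit; // nothing after a redirect should keep running
    }
}
```

With this in place the `SELECT` in the question cannot be altered by a username containing `'`, because the database receives the SQL and the parameter separately; a wrong password simply fails `password_verify()` with no database round trip for the comparison. The HTML form from the question can stay as it is, since the handler still reads `username`, `password` and `submit` from `$_POST`.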
