PHP SESSION is closed when the page is refreshed

#1

Hi,
I have created Signup and Login systems for my gallery website. When a user tries to login into system, their user and password and admin privilege is checked. If it was successful, the username is appeared on top left corner of the home page and Login turns to Logout. The problem is that when I refresh the page, the user is logged out.
Login code:

<?php

session_start();

class User

{

    public function CheckUser()

    {

        require "../app/core/database.php";

        if (isset($_POST['username']) && isset($_POST['pass'])) {

            $username = $_POST['username'];

            $password = $_POST['pass'];

            //to prevent sql injection

            $username = stripcslashes($username);

            $password = stripcslashes($password);

            $username = mysqli_real_escape_string($connection, $username);

            $password = mysqli_real_escape_string($connection, $password);

            $sql = "SELECT * FROM signup WHERE username = '$username' and password = '$password'";

                        $sql2 = "SELECT admin FROM signup WHERE username = '$username' and password = '$password' limit 1";

            $log_result = mysqli_query($connection, $sql);

            $count = mysqli_num_rows($log_result);

            if ($count == 1) {

                $_SESSION['loggedin'] = true;

                $_SESSION['username'] = $username;

                $_SESSION['is_admin'] = mysqli_query($connection, $sql2);

                header("Location: ../home/index");

            } else {

                echo "<script>Invalid()</script>";

            }

        }

    }

}

?>

<script>

    function Invalid() {

        alert("Invalid user/password");

    }

</script>

part of home page code:

<?php

error_reporting(E_ALL);

ini_set('display_errors', TRUE);

include "../app/model/loadImages.php";

include "../app/core/config.php";

include "../app/model/login.php";

?>

I did not used $_SESSION in the index.php because it has been included from Login.php
How can I fix this issue and avoid unwanted session end?

#2

So many issues with this code. The whole thing really needs to be tossed and re-written.

DO NOT STORE PLAIN TEXT PASSWORDS!

#3

Where do you check for an existing session?

As an aside and an expansion on @benanamen 's comment, this code is pretty dodgy. I’d suggest you stay away from classes until you’re comfortable writing PHP, as using them just gets in the way. The websites PHP the right way and PHP delusions are good places to start. Pay particular attention to the use of parameter escaping to prevent SQL injection, it’s explained in the database usage section of both of those sites.

2 Likes
#4

My suggestion is to learn PDO instead of mysqli and get the user logged in first then concentrate on fining tuning it.

An example

function login($username, $password, $pdo, $table) {
    /*
     * Create the PDO Query for the login
     */
    $sql = "SELECT id, hashed_password FROM " . $table . " WHERE username =:username LIMIT 1";
    /* Prepare the PDO for execution */
    $stmt = $pdo->prepare($sql);
    /* Execute PDO */
    $stmt->execute([ 'username'=> $username ]);
    /* Fetch the Password into an associate array */
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    /* Verify User's Password */
    if ($user && password_verify($password, $user['hashed_password'])) {
        unset($user['hashed_password']);
        session_regenerate_id(); // prevent session fixation attacks
        $last_login = $_SESSION['last_login'] = time();
        return $_SESSION['id'] = $user['id'];
    }
    return false;
}

the call of the function (login page):

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = login($_POST['user']['username'], $_POST['user']['hashed_password'], $pdo, 'admins');
    if ($result) {
        header("Location: index.php");
        exit();
    }
    echo "failed!";
}

and preventing a person who isn’t logged access to a page:

if (!isset($_SESSION['id'])) {
    header('Location: login.php');
    exit();
}

that’s just an example and as you gain further insights in coding it can easily be expanded and/or modified.

1 Like
#5

I was using Javascript for unsetting the session. I used different php file for unsetting and the problem solved.
My new problem is checking admin privilege. I have used int value in mysql admin column. 0 means NOT ADMIN and 1 means ADMIN. For checking:

<li>

              <?php

              if (!isset($_SESSION['loggedin']) && !isset($_SESSION['username'])) {

                echo "<a href='/MyProject/public/login/index'>LogIn</a>";

              } else {

                echo "<a href='/MyProject/public/logout/index'>Logout</a>";

                echo "<li>";

                if ($_SESSION['is_admin'] == 1) {

                  echo "<a href='/MyProject/public/admin/index'>Admin Area</a>";

                  echo "</li>";

                }

              } ?>

            </li>

and revised the following section in Login.php:

$_SESSION['is_admin'] = mysqli_query($connection, $sql2);

the problem is that it always show ADMIN AREA in the menu while I set 0 value for admin column in the mysql table.

#6

The basic rule of SESSIONS - first line of code is: session_start();
You have it in an ‘include’ statement, but it is buried deep down in the code.
I’m not the greatest coder, but been hacking my way through PHP for 20 years.

1 Like
Sponsor our Newsletter | Privacy Policy | Terms of Service