Session Won't Start?

Hi all,

I'm trying to code a login script but the new user session won't start and just returns to login page -

<?php
session_start();

require_once "db.php";

if(isset($_SESSION['user_id'])!="") {
    header("Location: dashboard.php");
}

if (isset($_POST['login'])) {
    $email = mysqli_real_escape_string($conn, $_POST['email']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);

    if(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
        $email_error = "Please Enter Valid Email ID";
    }
    if(strlen($password) < 6) {
        $password_error = "Password must be minimum of 6 characters";
    } 

    $result = mysqli_query($conn, "SELECT * FROM users WHERE email = '" . $email. "' and pass = '" . md5($password). "'");
   if(!empty($result)){
        if ($row = mysqli_fetch_array($result)) {
            $_SESSION['user_id'] = $row['uid'];
            $_SESSION['user_name'] = $row['name'];
            $_SESSION['user_email'] = $row['email'];
            $_SESSION['user_mobile'] = $row['mobile'];
            header("Location: dashboard.php");
        }
    }else {
        $error_message = "Incorrect Email or Password!!!";
    }
}
?>

Code (markup):

Any idea's (i'm a novice!)

Best Regards
Justin

 

The strange code is here:

if(isset($_SESSION['user_id'])!="") {
    header("Location: dashboard.php");
}

PHP:

isset returns boolean TRUE or FALSE and you are comparing result to a string.
Maybe it should be

if(isset($_SESSION['user_id']))
    header("Location: dashboard.php");

PHP:

 

Also you need to stop script output by calling die() or exit() after the header("Location...") because returned content can prevent the redirect.

 

If it helps, this is what mine looks like @phplduser

<?php

// Initialize the session
session_start();
// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true)  {
    header("location: user-account.php?user=$username");
    exit;
}
// Include config file
require_once "registerconfig.php";
// Define variables and initialize with empty values
$username = $password = "";
$customername = $username = "";
$customeremail = $username = "";
$username_err = $password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
    // Check if username is empty
    if(empty(trim($_POST["user_name"]))){
        $username_err = "Please enter username.";
    } else{
        $username = trim($_POST["user_name"]);
    }
   
    // Check if password is empty
    if(empty(trim($_POST["user_pass"]))){
        $password_err = "Please enter your password.";
    } else{
        $password = trim($_POST["user_pass"]);
    }
   
    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        $sql = "SELECT user_id, user_name, user_pass, customer_name, customer_email FROM users WHERE user_name = ?";
       
        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "s", $param_username);
           
            // Set parameters
            $param_username = $username;
            $param_customername = $customername;
            $param_customeremail = $customeremail;
           
            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Store result
                mysqli_stmt_store_result($stmt);
               
                // Check if username exists, if yes then verify password
                if(mysqli_stmt_num_rows($stmt) == 1){                   
                    // Bind result variables
                    mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $customername, $customeremail);
                    if(mysqli_stmt_fetch($stmt)){
                        if(password_verify($password, $hashed_password)){
                            // Password is correct, so start a new session
                            session_start();
                           
                            // Store data in session variables
                            $_SESSION["loggedin"] = true;
                            $_SESSION["user_id"] = $id;
                            $_SESSION["user_name"] = $username;
                            $_SESSION["customer_name"] = $customername;
                            $_SESSION["customer_email"] = $customeremail;
                           
                            if($_POST["remember"]==true) {
                                $hash=md5($id);
                                setcookie ("token",$hash,time()+ (365 * 24 * 60 * 60),'/');
                                $hstmt = mysqli_prepare($link,"UPDATE users SET remember = ? WHERE user_id = ?");
                                mysqli_stmt_bind_param($hstmt,"si", $hash, $id);
                                mysqli_stmt_execute($hstmt);
                               
                                       
                            } else {
                                if(isset($_COOKIE["token"])) {
                                    setcookie ("token","");
                                        $hstmt = mysqli_prepare($link,"UPDATE users SET remember = '' WHERE user_id = ?");
                                        mysqli_stmt_bind_param($hstmt,"i", $id);
                                        mysqli_stmt_execute($hstmt);
                                }
                           
                            }
                           
                            // Redirect user to welcome page
                            header("location: user-account.php?user_name=$username");                           
                        } else{                           
                            // Display an error message if password is not valid
                            $password_err = "The password does is incorrect for the username entered.";
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $username_err = "No account found with that username.";
                }
            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }
        }
       
        // Close statement
        mysqli_stmt_close($stmt);
    }
   
    // Close connection
    mysqli_close($link);
}
?>

PHP:

 

ON top of correcting the broken check on isset -- which is indeed where most of your problem likely lies -- It might also help if you used mysqli PROPERLY.. See this?

    $email = mysqli_real_escape_string($conn, $_POST['email']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);

    if(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
        $email_error = "Please Enter Valid Email ID";
    }
    if(strlen($password) < 6) {
        $password_error = "Password must be minimum of 6 characters";
    } 

    $result = mysqli_query($conn, "SELECT * FROM users WHERE email = '" . $email. "' and pass = '" . md5($password). "'");

Code (markup):

100% hurr-durrz and completely defeats the reason the old mysql_ functions were abandoned... and why you shouldn't be building queries that way any time after 2005! Do NOT slop variables into the query string, that's why we have prepare->execute. If you have something like an invalid password length that should be handled BEFORE you even get as far as the query.

Don't even get me started about this header redirection BS. Just include() the correct page. Again, this is where anything but the "one index to rule them all" approach is incompetent trash.

<?php

// I'd put this in your index.php and/or every user callable file.

session_start();
session_regenerate_id();

require_once('db.php');

$loginErrors = [];

if (isset($_POST['login']) {
	if (
		empty($_POST['email']) ||
		empty($_POST['password'])
	) {
		$loginErrors['login'] = 'You failed to provide an E-Mail or password';
	} else {
		if (filter_var($_POST['email'],FILTER_VALIDATE_EMAIL)) {
			$loginErrors['email'] = 'Invalid E-mail';
		}
		if (strlen($_POST['password']) < 6) {
			$loginErrors['password'] = "Password must be minimum of 6 characters";
		} 
		if (!$loginErrors) { // remember, empty is loose false
			$pass = hash('sha512', $password);
			$stmt = $conn->prepare('
				SELECT uid, name, email, mobile
				FROM users
				WHERE email = ?
				and pass = ?
			');
			$stmt->bindParam('ss', $_POST['email'], $pass);
			$stmt->execute();
			$stmt->bind_result(
				$_SESSION['user_id'],
				$_SESSION['user_name'],
				$_SESSION['user_email'],
				$_SESSION['user_mobile']
			);
			if (!$stmt->fetch()) {
				$loginErrors['login'] = 'Invalid username or password';
			}
		}
	}
} else {
	// handle that no login was sent here
}

if ($loginErrors) {
	// re-send form using $loginErrors to pass what errors occurred.
} else {
	// handle successful login here
}

Code (markup):

Notice using sha512 instead of the pointless and rainbow-tabled MD5, the proper use of prepare/execute (I think, I'm more of a PDO than mysqli guy), ditching the derpy function based version of mysqli for the object one, since we have prepare/execute we don't need that dumbass real_escape_string trash (again, this isn't 2005), how we can bind straight to $_SESSION skipping a slew of "variables for nothing", etc, etc, etc.

Side note, you may want to ditch the outdated mysqli_ garbage for PDO.

 

Hi All,

Thank you, This helps alot.

Have a great day!
Justin