Create session before access to page

Question

So when the user hits log in this code is executed: LoggedIn.php

<?php
include 'connect.php';
if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    die ('Username and/or password does not exist!');
}
// Prepare our SQL 
if ($stmt = $mysqli->prepare('SELECT password FROM users WHERE username = ?')) {
    // Bind parameters (s = string, i = int, b = blob, etc), hash the password using the PHP password_hash function.
    $stmt->bind_param('s', $_POST['username']);
    if(!$stmt->execute()){
    trigger_error("there was an error....".$mysqli->error, E_USER_WARNING);
    } 
    $stmt->store_result(); 
    // Store the result so we can check if the account exists in the database.
    if ($stmt->num_rows > 0) {
        $stmt->bind_result($password);
        $stmt->fetch();      
        // Account exists, now we verify the password.
        if (password_verify($_POST['password'], $password)) {
            // Verification success! User has loggedin!
            header('location: userPage.php');
                    //**should I create the session here?**

        } else {
            echo 'Incorrect username and/or password!';
        }
    } else {
        echo 'Incorrect username blar password!';
    }
    $stmt->close();
} else {
    echo 'Could not prepare statement!';
}
?>

OR should the session be created when they are on the userPage.php. This is the page that they get access to when they log on

<?php
ob_start();
include 'connect.php';
if(!isset($_SESSION['username']) || !isset($_SESSION['password']))
{
    header("location:http://www.fortunefilly.com/loginTemplate.php");
}
else
{
    session_start();
    $username =$_SESSION['username']  ;
}
?>

But I don't think its actually creating a session because I try to echo out $username but It doesn't work. Just a few pointers on the scenario would be helpful

Thank you in advance

missing `session_start();` in the start of the code, without which all of this (related to sessions) is useless. — DirtyBit, Sep 25 '15 at 16:29
You need to assign the $_SESSION['username'] variable for it to have a value — Cameron Spanos, Sep 25 '15 at 16:32
you don't see anything in $_SESSION['username'] because you aren't assigning it after the session starts. you're starting the session (session_start()) and then immediately trying to access $_SESSION['username']. — devlin carnate, Sep 25 '15 at 16:32

DirtyBit · Accepted Answer · 2015-09-25T16:48:44.147

2

If you plan to use/create/unset (whatsoever) the sessions, you must write session_start(); in the very beginning of your code:

LoggedIn.php

<?php
include 'connect.php';
session_start();
if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    die ('Username and/or password does not exist!');

Or in your userPage.php:

<?php
session_start();
ob_start();
include 'connect.php';
if(!isset($_SESSION['username']) || !isset($_SESSION['password']))
{
    header("location:http://www.fortunefilly.com/loginTemplate.php");
}

EDIT:

Coming back to the problem now, you need to set the sessions, a good palce would be:

 if (password_verify($_POST['password'], $password)) {
            // Verification success! User has loggedin!

            header('location: userPage.php');
                    //**should I create the session here?**

Taking it right out like a sore tooth:

if(!isset($_SESSION['username'])){ //should do it

edited Sep 25 '15 at 16:48

answered Sep 25 '15 at 16:36

DirtyBit

16,613
4
34
55

2

This `|| !isset($_SESSION['password'])` should be stricken everywhere! *Scary* – Funk Forty Niner Sep 25 '15 at 16:40
@Fred-ii- I can't believe I missed that, well as they say _Time is the best teacher!_ ;-) – DirtyBit Sep 25 '15 at 16:41
@Fred-ii- What should I have instead of || !isset($_SESSION['password']) – Small Legend Sep 25 '15 at 16:42
1

@SmallLegend Nothing, just take it right out *like a sore tooth*. Check to see if the session array is set/not empty for the username. Or you could add a condition to your `WHERE` clause and adding to it using both an id and username, just so there isn't a duplicate username, should that be the case. Make sure your table contains at least one UNIQUE column, or PK. – Funk Forty Niner Sep 25 '15 at 16:44
1

@SmallLegend well there you go, you're all set ;-) Remember to use a logout method and destroy the session. – Funk Forty Niner Sep 25 '15 at 16:47
1

how do I set the session? something like $_SESSION['username'] = $_POST['username']? – Small Legend Sep 25 '15 at 16:47
1

*You got it Pontiac* ^ @SmallLegend – Funk Forty Niner Sep 25 '15 at 16:48
@Fred-ii- He should rather be Big Legend, no? ;) – DirtyBit Sep 25 '15 at 16:49
I'm getting Warning: Cannot modify header information - headers already sent by (output started at /home4/fortunefilly/public_html/userPage.php:3) in /home4/fortunefilly/public_html/userPage.php on line 9 now – Small Legend Sep 25 '15 at 16:50
1

@HawasKaPujaari *Big surprises do often come in "Small" packages* ;-) – Funk Forty Niner Sep 25 '15 at 16:50
1

@SmallLegend See http://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php – Funk Forty Niner Sep 25 '15 at 16:51
This error keeps popping up, before I had this problem ha – Small Legend Sep 25 '15 at 16:51
1

@SmallLegend check the link provided above, it has _EVERYTHING_ you need ;) – DirtyBit Sep 25 '15 at 16:52
Bloody too much is what it is haha – Small Legend Sep 25 '15 at 16:53
1

@SmallLegend don't let me down man, I just called you a Big Legend :P – DirtyBit Sep 25 '15 at 16:54
@HawasKaPujaari haha thanks for your help man, got to trawl through this 5000 word essay to depict my problem wish me luck – Small Legend Sep 25 '15 at 16:55
1

@SmallLegend best wishes and prayers with you soldier! go get em' and remember we got your back ;) – DirtyBit Sep 25 '15 at 16:56
Can't understand why theres an error with the session_start @HawasKaPujaari on the **userPage** – Small Legend Sep 25 '15 at 17:17

score 1 · Answer 2 · answered Sep 25 '15 at 16:33

1

session must be started before accessing session variables:

<?php
session_start();
ob_start();
include 'connect.php';
if(!isset($_SESSION['username']) || !isset($_SESSION['password']))
{
    header("location:http://www.fortunefilly.com/loginTemplate.php");
}
else
{
    $username =$_SESSION['username']  ;
}

?>

answered Sep 25 '15 at 16:33

William_Wilson

1,244
7
16

this still doesn't assign $_SESSION['username']. That needs to be assigned before it will have a value. – devlin carnate Sep 25 '15 at 16:34
Where do I assign it? – Small Legend Sep 25 '15 at 16:35
Of course, but you wouldn't be checking username for isset if you didn't think the value was set elsewhere either. The scenario shown suggests it's set elsewhere, such as the validation of login page. – William_Wilson Sep 25 '15 at 16:36
same applies here (strike it) `|| !isset($_SESSION['password'])` - Ever heard of session hijacking? – Funk Forty Niner Sep 25 '15 at 16:41
1

that aimed at *moi?* ^ @William_Wilson – Funk Forty Niner Sep 25 '15 at 16:50
Haha, no. Doing to many things at once. I've merged around 4 trains of thought... and it splashed over onto this thread. – William_Wilson Sep 25 '15 at 16:52
@William_Wilson No problemo ;-) was just pointing out about sessions hijacking. Every little bit helps ;-) – Funk Forty Niner Sep 25 '15 at 16:53
*goes back to the pavilion* – DirtyBit Sep 25 '15 at 16:54

Create session before access to page

2 Answers2