I need help on PHP session on login

Question

Please help, I am writing a php login script. I really need help. I have tried it for days without success. I have this line of code on top of my login page

<?php
    ob_start();
    if (isset($_SESSION['admin'])) {
        header('Location: admin.php');
    }

Here is my login (index.php) script

<?php
require "includes/dc_conect.php";
if (isset($_POST['submit']))
{
    $username=mysql_real_escape_string(htmlentities($_POST['username']));
    $password=mysql_real_escape_string(htmlentities($_POST['password']));

    if($username==NULL || $password==NULL)
    {
        echo 'All fields must be field'; 
    }
    else
    {
        $sql="SELECT * FROM users WHERE username='$username' && password='$password'";
        $result=mysql_query($sql, $link);
        $dbfield=mysql_fetch_assoc($result);
        $count=mysql_num_rows($result);
        if($count>0)
        {
            //Set username session variable
            $_SESSION['admin'] = $username;
            header('Location: admin.php');
        }
        else
        {
            echo"<blink>"."<font color='#FF0000'>"."Username and/or Password is incorrect!"."</blink>";
        } 
    }       
}
?>

when I am logging in, it returns back to the login page

here is the script on the top of my admin.php

<?php
// start session
ob_start();
session_start();

//check to see if user is already loged in den redirect
if(!isset($_SESSION['admin']))
{
    header("Location: index.php"); 
    exit();
}
else
{
    require "includes/dc_conect.php";

    $username=$_SESSION['admin'];

    $sql="SELECT * FROM users WHERE username='$username'";
    $result=mysql_query($sql, $link) or die (mysql_error());
    $dbfield=mysql_fetch_assoc($result);
    $count=mysql_num_rows($result);

    echo $dbfield['username'];
}
?>

Please could someone help me?

You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. — Quentin, Nov 29 '13 at 17:37
`mysql_real_escape_string(htmlentities`? Why `htmlentities`? It is a database not an HTML document! — Quentin, Nov 29 '13 at 17:38
You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). — Quentin, Nov 29 '13 at 17:38
You never bother doing `session_start()` in your login script. — Marc B, Nov 29 '13 at 17:41
Remember: anywhere you use the $_SESSION global variable, you must call `session_start()` -- [usually as the very next command after ` — cssyphus, Nov 29 '13 at 17:47

score 2 · Accepted Answer · answered Nov 29 '13 at 17:39

2

You need to call start_session() before you try to read from $_SESSION

<?php
ob_start();
session_start();
if (isset($_SESSION['admin'])) {
header('Location: admin.php');

As MarcB points out, you also need to do this before setting the session variable in index.php.

answered Nov 29 '13 at 17:39

Quentin

914,110
126
1,211
1,335

3

worse than that, OP never does session_start in the login script, so the 'admin' flag never gets set in the first place – Marc B Nov 29 '13 at 17:41

I need help on PHP session on login

1 Answers1