if(isset($_POST["submit"]))
{
    $email = trim($_POST['email']);
    $upass = trim($_POST['password']);

    // login() stores the user ID in $_SESSION on success, so session_start()
    // must already have been called by the time this runs
    if($user_login->login($email,$upass))
    {
        $user_login->redirect("index.php");
    }
}

public function login($email,$upass)
{
    try
    {
        // `table` is a placeholder here; the real name would need backticks if it
        // actually were `table`, since that is a reserved word in MySQL
        $stmt = $this->conn->prepare("SELECT * FROM table WHERE userEmail=:email_id");
        $stmt->execute(array(":email_id"=>$email));
        $userRow=$stmt->fetch(PDO::FETCH_ASSOC);

        // note: PDO does not guarantee rowCount() for SELECT statements on every driver
        if($stmt->rowCount() == 1)
        {
            if($userRow['userStatus']=="Y")
            {
                // compares against an unsalted MD5 digest (see the comments and answer below)
                if($userRow['userPass']==md5($upass))
                {
                    $_SESSION['userSession'] = $userRow['userID'];
                    return true;
                }
                else
                {
                    header("Location: login.php?error");
                    exit;
                }
            }
            else
            {
                header("Location: login.php?inactive");
                exit;
            }
        }
        else
        {
            header("Location: login.php?error");
            exit;
        }
    }
    catch(PDOException $ex)
    {
        // echoing the driver's error text to the browser leaks schema details; log it instead
        echo $ex->getMessage();
    }
}

I've granted all the privileges to the database. The user is able to sign up, but when logging in it doesn't log in, shows no error either, and directs the user to index.php without creating a session.

Naren
  • How about figuring out which condition is triggered? How about, instead of redirecting on failure, you `die()` on failure with output of the error(s) or condition(s) that triggered it? – random_user_name Oct 23 '17 at 17:47
  • 1
    Just a guess: try `session_start()` at the beginning of the script. – Dmytrechko Oct 23 '17 at 17:49
  • 1
    **You shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)**. Use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. – GrumpyCrouton Oct 23 '17 at 17:50
  • Have you omitted a lot of code here? It looks like you have a class method without a class. – Don't Panic Oct 23 '17 at 17:53
  • @Dmytrechko The `session_start()` is at the beginning of the script in the header page – Naren Oct 23 '17 at 18:09
  • @Don'tPanic Yes, there is a class `user` which handles the login function. I didn't skip that code; it's just that it's not needed here – Naren Oct 23 '17 at 18:10
  • Possible duplicate of [PHP Secure Session Login - Best Practice](https://stackoverflow.com/questions/8119496/php-secure-session-login-best-practice) – wp78de Nov 18 '17 at 02:20

1 Answer


If you haven't already, I would recommend adding the following line of code to the top of all relevant pages which require session-based integration. Following this, you'll be able to set the session variables.

session_start();

With regard to the previous comment regarding the password hashing methods, MD5 is considered very insecure compared to other methods of password hashing, including PHP's password_hash() and password_verify() functions.

<?php
// at signup: store $hashed_pass in the database instead of md5($password)
$hashed_pass = password_hash($password, PASSWORD_BCRYPT);

// at login: compare the submitted password with the stored hash
if(password_verify($input_pass,$hashed_pass)) {
  //Password Matches DB
}
else {
  //Pass Doesn't Match DB
}
?>

I also see you use a lot of GET variables for the error messages, such as error and inactive. I would personally recommend using the POST method on the login form itself, returning to itself, and handling the error messages that way, with the backend processes such as logging in being handled by the backend class.

  • I added the session_start(); at the start of the index.php when it redirects. It is working perfectly on localhost and not working on the web server. – Naren Oct 23 '17 at 18:39
  • Are you able to post the full block of code you’ve used rather than just a snippet of the class? Based on what you’ve posted above, I can’t tell enough to identify the problem. – Kieron Holmes Oct 23 '17 at 18:58
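As an added example (not code from the question or the answer), here is the question's login() method rewritten along the lines the comments and answer suggest: password_hash()/password_verify() instead of md5(), the fetched row tested instead of rowCount() (which PDO does not guarantee for SELECT on every driver), the session ID regenerated when the user becomes authenticated, and a status string returned so the page rather than the class decides where to redirect. It assumes PHP 7.4+ with pdo_sqlite, uses an in-memory SQLite table as a stand-in for the real MySQL one, and calls the table `users` (the question uses the placeholder `table`); the column names userID/userEmail/userPass/userStatus are the question's, and the two users inserted are constructed sample data.

```php
<?php
// Added example, not the question's or the answer's own code: hardened login().
// Assumptions: PHP 7.4+, pdo_sqlite, a `users` table with the question's columns.
declare(strict_types=1);

final class UserLogin
{
    private PDO $conn;
    private string $dummyHash;

    public function __construct(PDO $conn)
    {
        $this->conn = $conn;
        // Hash of a random value, verified when no user matches, so an unknown e-mail
        // costs about the same time as a wrong password (limits enumeration by timing).
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /**
     * Returns 'ok' (and sets $_SESSION['userSession']), 'inactive' for a disabled
     * account, or 'error'. Unknown e-mail and wrong password both give 'error'.
     */
    public function login(string $email, string $upass): string
    {
        $stmt = $this->conn->prepare(
            'SELECT userID, userPass, userStatus FROM users WHERE userEmail = :email_id'
        );
        $stmt->execute([':email_id' => $email]);
        $userRow = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($userRow === false) {
            password_verify($upass, $this->dummyHash);
            return 'error';
        }
        if (!password_verify($upass, $userRow['userPass'])) {
            return 'error';
        }
        // Password is checked before status, so a wrong password never reveals
        // whether the account is disabled.
        if ($userRow['userStatus'] !== 'Y') {
            return 'inactive';
        }

        // New privilege level, new session ID: closes the session-fixation window.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['userSession'] = (int) $userRow['userID'];

        // Upgrade hashes stored with older parameters while the plaintext is in hand.
        if (password_needs_rehash($userRow['userPass'], PASSWORD_DEFAULT)) {
            $upd = $this->conn->prepare('UPDATE users SET userPass = :hash WHERE userID = :id');
            $upd->execute([':hash' => password_hash($upass, PASSWORD_DEFAULT), ':id' => $userRow['userID']]);
        }
        return 'ok';
    }
}

// --- Constructed demo data; in the real app reuse the existing PDO connection ---
if (session_status() === PHP_SESSION_NONE) {
    session_start(); // must run before any output and before login() touches $_SESSION
}
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, userEmail TEXT UNIQUE, userPass TEXT, userStatus TEXT)');
$ins = $pdo->prepare('INSERT INTO users (userEmail, userPass, userStatus) VALUES (:e, :p, :s)');
$ins->execute([':e' => 'alice@example.com', ':p' => password_hash('correct horse', PASSWORD_DEFAULT), ':s' => 'Y']);
$ins->execute([':e' => 'bob@example.com',   ':p' => password_hash('hunter2', PASSWORD_DEFAULT),       ':s' => 'N']);

$login = new UserLogin($pdo);
assert($login->login('alice@example.com', 'correct horse') === 'ok');
assert($_SESSION['userSession'] === 1);
assert($login->login('alice@example.com', 'wrong') === 'error');
assert($login->login('bob@example.com', 'hunter2') === 'inactive');
assert($login->login('nobody@example.com', 'x') === 'error');
echo "all login checks passed\n";

// Page-level handling (hypothetical): the class reports a status, the page redirects.
// switch ($login->login($email, $upass)) { case 'ok': header('Location: index.php'); exit; /* ... */ }
```

The status-string return keeps header() calls out of the class, which also means the class can be exercised from the command line as above; on the live site, call the method from login.php after session_start() and redirect based on the returned value.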