1

The code is supposed to set a variable if the password and username are inserted. But the $_SESSION variable is never set and I don't know why, and it just keeps redirecting me to the login page.

loginform.php:

<?php
    $server = 'hiddenforthispost';
    $username = 'hiddenforthispost';
    $password = 'hiddenforthispost';
    $schema = 'hiddenforthispost';
    // Options must be an attribute => value map for the error mode to take effect
    $pdo = new PDO('mysql:dbname=' . $schema . ';host=' . $server, $username, $password,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    if (isset($_POST['Submit'])) {
        if (empty($_POST['Username']) || empty($_POST['Password'])) {
            echo '<p> You must insert all of the fields! </p>';
        }
        else {
            $stmt = $pdo->prepare('SELECT * FROM logins
                WHERE login_name = :username');
            $criteria = [
                'username' => $_POST['Username']
            ];
            $stmt->execute($criteria);
            $user = $stmt->fetchColumn(1);
            echo $user;
            if (password_verify($_POST['Password'], $user)) {
                session_start();
                $_SESSION['loggedin'];
                header('location: adminpage.php');
            }
            else {
                echo '<p> Wrong password </p>';
            }
        }
    }
?>

The page where I want only logged in users to access: adminpage.php:

<?php
 session_start();
 if(!isset($_SESSION['loggedin'])){
  header('location: loginpage.php');
  exit; // stop here so the rest of the page is not sent along with the redirect
 }
 else {
 }
?>
xafierz
  • And yes, I've checked countless posts about this issue and none of them work. I have no idea what I'm doing wrong – xafierz Dec 04 '17 at 21:20
  • Turn on error reporting. You probably have output causing your headers to be sent before the session is started. You can solve this by moving session_start() to the top of every file. – John Conde Dec 04 '17 at 21:22
  • @JohnConde See my answer, I don't think it's anything in that question. – Barmar Dec 04 '17 at 21:24
  • @Barmar I think that would make a good addition to the canonical question. – John Conde Dec 04 '17 at 21:25
  • Can I make my $_SESSION = to a variable, for example the password that I encrypted into my database? @Barmar – xafierz Dec 04 '17 at 21:27
  • All of these codes are put above the HTML code and the first line is session_start, the exception being in the loginform where I want the session to only start if the password and username are correctly entered @JohnConde – xafierz Dec 04 '17 at 21:29
  • @xafierz It doesn't have to be code. A simple white-space character will cause headers to be sent out. – John Conde Dec 04 '17 at 21:30
  • I will check the code completely from start to finish then, thank you for the suggestion @JohnConde – xafierz Dec 04 '17 at 21:31
  • @JohnConde His problem isn't really specific to session variables, he just doesn't know how to set variables properly. – Barmar Dec 04 '17 at 21:32
  • @xafierz You don't need to check the code, just check the log to see if it's sending the warning "Headers already sent". – Barmar Dec 04 '17 at 21:32
  • Well, now I technically set it properly. I did exactly what Barmar told me, which was to add `= true`, and I did, but now it tells me that Cannot use isset() on the result of an expression (you can use "null !== expression" instead) @JohnConde – xafierz Dec 04 '17 at 21:37
  • @xafierz It sounds like you put `= true` in the `if(isset())`. It should only be done in the `loginform.php` script. – Barmar Dec 04 '17 at 21:54
  • I think I amended the issue by doing this line instead, which seems to let me in to the adminpage as well: `if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] = true)`. It lets me in and prints the variable as 1, which means true I believe. The only issue now is that once I log in, even if I turn off the page and go back to it again I can still go to the adminpage without logging in again... Is it maybe because I don't unset the variable? And if so, how would I do that? @Barmar and thank you for using your time on me! :) – xafierz Dec 04 '17 at 21:58
  • `= true` should be `== true`. `=` is for assignment, `==` is for comparison. – Barmar Dec 04 '17 at 22:04
  • When the user logs out you should either destroy the session or set the session variable to `false`. – Barmar Dec 04 '17 at 22:04
  • OK, thank you, everything seems to work now. I'm sorry for being such a major pain in the ass, you are a god, thank you @Barmar – xafierz Dec 04 '17 at 22:06

1 Answer

0

You're never putting anything in the session variable. Writing a variable by itself on a line doesn't assign anything to it.

In loginform.php, the line:

$_SESSION['loggedin'];

should be something like:

$_SESSION['loggedin'] = true;
Barmar
  • Could I put something like `= $user`? @Barmar – xafierz Dec 04 '17 at 21:26
  • You can put anything you like into it, since the other script simply checks if it's set, it doesn't care what's in it. – Barmar Dec 04 '17 at 21:28
  • Also another question, can I put session_start(); in the if (password_verify($_POST['Password'], $user))? I know session_start() has to go above all the code, but I don't want it to start anything unless that if statement's condition is met @Barmar – xafierz Dec 04 '17 at 21:33
  • You can do it wherever you like as long as it's before anything that causes output to be sent to the client. Putting it above all the code is just the easiest way to ensure that. – Barmar Dec 04 '17 at 21:53
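
The points this thread arrives at (assign the flag, compare with `==`/`===` rather than `=`, start the session before any output, destroy the session on logout), collected into one set of helpers as an added example that is not part of the original posts. The function names and the `login_name` session key are hypothetical; regenerating the session ID at login and calling `exit` after the redirect are additions the thread does not discuss.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// Start the session before any output so the session cookie header can be sent.
function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call only after password_verify() has returned true.
function mark_logged_in(string $loginName): void
{
    start_session();
    session_regenerate_id(true);          // fresh ID at login (not discussed in the thread)
    $_SESSION['loggedin'] = true;         // an assignment, unlike the bare $_SESSION['loggedin'];
    $_SESSION['login_name'] = $loginName; // hypothetical key; store the name, not the password hash
}

// Strict comparison: `= true` would assign instead of compare.
function is_logged_in(): bool
{
    start_session();
    return isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true;
}

// Guard for adminpage.php: redirect and stop, so nothing below the guard is sent.
function require_login(string $loginUrl = 'loginpage.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Logout: clear the data, expire the cookie, destroy the server-side session.
function log_out(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Call `require_login()` as the first statement of adminpage.php, and `mark_logged_in()` in loginform.php right after `password_verify()` succeeds and before any `echo`.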