View Full Version : Session won't keep me logged in *HELP*

08-12-2008, 08:47 PM
Hey guys, I'm building a register/login script. The register works fine as it sends the information to a database which I have checked and it works. The login works but it doesn't seem to keep me logged in?! Heres my login code:


include 'database.php';

if($logged[username]) {
echo 'header ("Location: index.php")';
} else {
if(isset($_POST['login'])) {
$username = ($_POST['username']);
$password = ($_POST['password']);
if(!$username | !$password) {
echo ("A field has been left blank!");
} else {
$find = mysql_query("SELECT * FROM `users` WHERE `username` = '$username'");
if ($uzes = mysql_num_rows($find) == '0') {
echo ("This username doesn't exist!");
} else {
$query = mysql_query("SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
$array = mysql_fetch_array($query);
$_SESSION['id'] = "$user[id]";
$_SESSION['password'] = "$user[password]";
echo ("You are now logged in!");
echo ("<meta http-equiv='Refresh' content='5; URL=index.php'>");
} else {
echo ("<form method='post' action='$_SERVER[PHP_SELF]'>
<input type='text' name='username' size='30'><br>
<input type='password' name='password' size='30'><br>
<input type='submit' name='login' value='Login'>
?>I know I haven't slated or md5'd the passwords but I will do after it's fixed, it directs me to index.php but when I go back to the login.php page it asks me to login again? :S


08-12-2008, 09:02 PM
You need an if statement to check if your $_SESSION variables have been set. If so, you know you're logged in, so you can show something besides the login form.


08-12-2008, 09:09 PM
that looks a lil bloated to me... here is one i use, maybe it'll help.

at the top of any page i want to use the session with:



// is the one accessing this page logged in or not?
if (!isset($_SESSION['is_logged_in'])
|| $_SESSION['is_logged_in'] !== true) {

// not logged in, move to login page
header('Location: login.php');

so if that session variable is blank or false we move to the login page. there we have the following:

$errorMessage = '';
//make sure they entered both
if (isset($_POST['uid']) && isset($_POST['upw'])) {
include 'dbs.php';
$conn = mysql_connect($sqlsrv, $sqlusr, $sqlpw) or die("Could not connect : " . mysql_error());
mysql_select_db($sqldb) or die ("Database " . $sqldb . " not selected.." . mysql_error());

//just in case
$userId = strip_tags($_POST['uid']);
$password = strip_tags($_POST['upw']);

// check if the user id and password combination exist in database
$sql = 'SELECT `id` FROM `uid` WHERE `id` = "' . mysql_real_escape_string($userId) . '" AND `password` = "' . mysql_real_escape_string($password) . '"';

$result = mysql_query($sql, $conn)
or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
// the user id and password match,
// set the session
$_SESSION['is_logged_in'] = true;

// after login we move to the main page
header('Location: index.php?page=select');
} else {
$errorMessage = 'Sorry, wrong user id / password';

<title>Please Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" media="screen">@import "tabs.css";</style>

<body OnLoad="document.frmLogin.uid.focus();">
<table border="0" cellpadding="3" cellspacing="1" class="forumline" align="center" valign="middle">
<tr><td align="center">This page and all pages herein contain confidential information and its use is restricted to Tri-State Search and Rescue and designated agents thereof. <br/>Unauthorized access is prohibited. Use may be monitored and recorded.</td></tr>
<h1 align="center">TSSAR Incident Manager Login<h1>
if ($errorMessage != '') {
<p align="center"><strong><font color="#990000"><?php echo $errorMessage; ?></font></strong></p>
<form method="post" name="frmLogin" action="login.php">
<table width="400" border="0" cellpadding="3" cellspacing="1" class="forumline" align="center">
<td width="150">User Id</td>
<td><input name="uid" type="text"></td>
<td width="150">Password</td>
<td><input name="upw" type="password"></td>
<td width="150">&nbsp;</td>
<td><input type="submit" name="btnLogin" value="Login"></td>

anyway, not that you need to use what i have... but it might have some handy examples or something. wha ti don't see is a session variable you're setting to prove authentication on the other pages, but maybe i miseed it.

08-12-2008, 09:11 PM
if (!isset($_SESSION['id'])) {
header( 'Location: login.php' ) ;

put that at the top of every page to be secure and it'll redirect all those pages to login if they're not logged in

On the login page you want to do it slightly different just below your session_start()

if (isset($_SESSION['id'])) {
header( 'Location: secure_section_main_page.php' ) ;

This time instead of checking that it doesn't exist your checking if it does exist then redirecting to the main menu page for your secure area in your case probably index.php

you can always optimise your login check too to be smaller check here for more info http://www.codingforums.com/showthread.php?t=146407