Yours works, of course. Thank you.
I’d like to set a session based on the userid.
I’d also like to redirect to the admin.php page.
I know how to do the redirect, just not sure of the most secure way to handle the session.
Thanks.
Just set it after verifying the username and password.
[php]$_SESSION['user']['id'] = $userId;[/php]
Yeah, but don’t I have to include session at the login page? At the top?
And should I not put the above code you sent closer to the bottom of the page, after all the code executes, in case the user/pass is invalid? Any chance it would set the session with a bad userid if I didn’t? Thx
Yeah, you should do something like this:
[php]<?php
session_start(); // this should be on all pages
if (empty($_SESSION['user'])) {
    // not logged in yet: do your login stuff
} else {
    echo 'you are already logged in!
To log out, click here';
}[/php]
This doesn’t set the session:
[php]<?php
if (session_id() == "")
{
    session_start();
}
else
{
    // Anything you want
}
//--------------
if (!empty($_SESSION['userid'])) {
    // do your login stuff
} else {
    echo 'you are already logged in!
To log out, click here';
}
include ('conection.php');
if (mysqli_connect_errno()) {
    printf('Connect failed: %s\n', mysqli_connect_error());
    exit();
}
if (!empty($_POST['userid']) && !empty($_POST['password'])) {
    $hash = hash('sha512', $_POST['password']);
    $query = 'SELECT userid, password
FROM admins
WHERE userid = ?
AND password = ?';
    $stmt = $mysqli->prepare($query);
    if (!$stmt) {
        echo 'failed to prepare statement';
    } else {
        $_SESSION['user']['id'] = $userid;
        echo ' <br> session_id() ';
        $stmt->bind_param('is', $_POST['userid'], $hash);
        $stmt->execute();
        $stmt->bind_result($userid, $password);
        $stmt->fetch();
        if (empty($userid)) {
            printf("%s with password %s not found in the system\n", $_POST['userid'], $_POST['password']);
        } else {
            printf("%s is equal to %s\n", $userid, $password);
        }
        $stmt->close();
    }
}
$mysqli->close();
?>
[/php]
You can just start the page with session_start(); you don’t need to check anything. Consider it more like starting the session engine: it won’t create a new session, just include the session functionality in your file.
If it sees the user has a cookie with a (valid) session id it will use that session; if not, it will create a new session.
Thanks for the help so far.
After logging out using logout code below, this login code produces the error you are already logged in!
To log out, click (logoutpage) database is (dbnameprintshere).
user id is: 0758e86e835e38f1145ac19d60496033
not found in the system
[php]<?php
if (!empty($_SESSION['user'])) {
    // display login form
    echo '';
    echo '';
    echo ' ';
    echo ' ';
    echo ' ';
} else {
    echo 'you are already logged in!
Click here to logout.';
}
session_start(); // this should be on all pages for the session
include ('myconnectionfile');
if (mysqli_connect_errno()) {
    printf('Connect failed: %s\n', mysqli_connect_error());
    exit();
}
if (!empty($_POST['userid']) && !empty($_POST['password'])) {
    $hash = hash('sha512', $_POST['password']);
    $query = 'SELECT userid, password
FROM admins
WHERE userid = ?
AND password = ?';
    $stmt = $mysqli->prepare($query);
    if (!$stmt) {
        echo 'failed to prepare statement';
    } else {
        $stmt->bind_param('is', $_POST['userid'], $hash);
        $stmt->execute();
        echo '
user id is: ';
        //this will be taken out later, just showing user id for now
        echo session_id(); //will be taken out later
        echo '
';
        $stmt->bind_result($userid, $password);
        $stmt->fetch();
        if (empty($userid)) {
            //printf("<br>%s with password %s not found in the system\n", $_POST['userid'], $_POST['password']);
            printf("<br>not found in the system\n");
            //will be taken out later just displaying for now for troubleshooting purposes
        } else {
            printf("
%s is the user id and the pwd is %s\n
", $userid, $password);
            //redirect the logged in user to:
            header("Location: admin.php");
        }
        $stmt->close();
    }
}
$mysqli->close();
?>
[/php]
And the logout form is:
[php]<?php
unset ($_SESSION['userid']);
?>
logged out
[/php]
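Added example, not code from any poster in this thread: a login page where session_start() runs before anything else, the session is written only after the password check succeeds, and the script exits right after the redirect. It assumes conection.php defines $mysqli as in the thread, and it swaps the thread's SHA-512 comparison for password_verify(), which assumes admins.password stores password_hash() output.

```php
<?php
// Added example: session_start() must run before any output and before
// $_SESSION is read, so it is the first statement on the page.
session_start();

// Already authenticated: skip the form entirely.
if (!empty($_SESSION['user']['id'])) {
    header('Location: admin.php');
    exit;
}

include 'conection.php'; // file name from the thread; assumed to define $mysqli
if (mysqli_connect_errno()) {
    exit('Connect failed');
}

$error = '';
if (!empty($_POST['userid']) && !empty($_POST['password'])) {
    // Look the row up by userid only, then check the password in PHP.
    $stmt = $mysqli->prepare('SELECT userid, password FROM admins WHERE userid = ?');
    if ($stmt) {
        $stmt->bind_param('i', $_POST['userid']);
        $stmt->execute();
        $stmt->bind_result($userId, $storedHash);
        $found = $stmt->fetch(); // true only when a row was returned
        $stmt->close();

        // Assumption: admins.password holds password_hash() output.
        if ($found && password_verify($_POST['password'], $storedHash)) {
            session_regenerate_id(true);       // fresh session id after login
            $_SESSION['user']['id'] = $userId; // set only after verification
            header('Location: admin.php');
            exit;                              // nothing below may run or print
        }
    }
    // Same message for unknown user and wrong password; never echo the password.
    $error = 'Invalid user id or password.';
}
$mysqli->close();
?>
<?php if ($error !== '') { echo htmlspecialchars($error); } ?>
<form method="post">
    <input type="text" name="userid">
    <input type="password" name="password">
    <input type="submit" value="Log in">
</form>
```

A logout page needs session_start() before it touches $_SESSION as well, because unset() and session_destroy() only act on a session that has been started.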