1

I am learning how to build a login-system. It's not meant to be the most secure but it should work without getting hacked too easy by using sessions.

After logging in successfully you should be redirected to the index-page and some entries in the navigation should change (e.g. Login should be Logout).

My navigation:

<nav>
    <?php 
      if(!isset($_SESSION["username"])) {echo "<a class='left"; if($section == "login") {echo " active";} echo"' href='index.php?p=login'>Login</a>";}  
        else {echo "<a class='left"; if($section == "logout") {echo " active";} echo"' href='index.php?p=logout'>Logout</a>";}
    ?>
</nav>

My login form:

<form action="index.php?p=login_check" method="post">
  Username: <input type="text" size="24" maxlength="50" name="username"><br />   
  Passwort: <input type="password" size="24" maxlength="50" name="password"><br />
  <input type="submit" value="Abschicken">
</form>

My login validation:

<?php   
    $verbindung = mysql_connect("localhost", "root" , "")
    or die("Verbindung zur Datenbank konnte nicht hergestellt werden"); 
    mysql_select_db("website") or die ("Datenbank konnte nicht ausgewählt werden"); 

    $username = $_POST["username"]; 
    $password = $_POST["password"]; 

    $abfrage = "SELECT username, password FROM logins WHERE username LIKE '$username' LIMIT 1"; 
    $ergebnis = mysql_query($abfrage); 
    $row = mysql_fetch_object($ergebnis); 

    if(@$row->password == $password) 
        {
        session_start(); 
        $_SESSION["username"] = $username; 
        echo "<p>Login erfolgreich.</p>"; 
        } 
    else 
        { 
        echo "<p>Benutzername oder Passwort waren falsch. <a href=\"index.php?p=login\">Login</a></p>"; 
        } 
?>

My logout:

<?php
    session_destroy();

    $hostname = $_SERVER['HTTP_HOST'];
    $path = dirname($_SERVER['PHP_SELF']);
?>

Now when I am back on the starting-page I still see "Login" instead of "Logout". Do I have to include session_start() on my index-page or is there another way of checking if I am logged in?

Manticore
  • 1,284
  • 16
  • 38
  • 1
    you need session_Start() in the top of your index page yes – PoeHaH Dec 10 '12 at 13:28
  • so is it usual to have sessions stored for everyone who enters the page? – Manticore Dec 10 '12 at 13:29
  • Sessions are a common way to store "per session" data for users, yes. – webnoob Dec 10 '12 at 13:35
  • 1
    You are vulnerable to `SQL Injections`, http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection – Ravi Dec 10 '12 at 13:36
  • 1
    session_start() has to be always on top of your php file by the way.. and it doesn't matter since when users first access the index page, there are no valuable session variables set yet. basically you'll have an 'empty session' then. As for secutiry: you should make your script better for SQL injection. – PoeHaH Dec 10 '12 at 13:36

2 Answers2

3

If you have not included session_start() in the beginning then, my answer will be yes. You should use session_start() in the beginning of every page where you are accessing $_SESSION global variable.

Better choice will be, create an other file and put session_start in it, and include this file wherever you want sessions to work.

Ravi
  • 2,078
  • 13
  • 23
1

session_start() should be on the top of each page the $_SESSION variable is used on. Also, the use of mysql extension is not advised. It's soon to be deprecated. I'd look into using PDO.

SeanWM
  • 16,789
  • 7
  • 51
  • 83