
I have a login form:

<form method="post" action="verify.php" name="loginform">
<table border="0" bgcolor="orange" align="center">
<tr><td colspan="3"><h1><b>Please Enter Username and Password</b></h1></td></tr>
<tr>
<td><label>User Name</label>
</td>
<td>:
</td>
<td><input type="text" name="user"/>
</td>
</tr>
<tr><br/>
<td><label>Password</label>
</td>
<td>:
</td>
<td><input type="password" name="pwd"/>
</td>
</tr>
<tr><td colspan="3" align="center"><input type="submit" class="submit-green" value="Login"/></td>
</tr>
</table></form>

and I have verify.php as

<?php
session_start();
include "dbconfig.php";
$user=$_POST['user'];
$pwd=sha1($_POST['pwd']);

$sql='select * from admin where username="'.$user.'" AND password="'.$pwd.'"';
$res=mysql_query($sql) or die('Login query error:'.  mysql_error());
if(mysql_num_rows($res)==1)
{
header("Location:index");
}
else
{
header("Location:login.php");
}
$row = mysql_fetch_array($res);
$_SESSION['admin']=$row['id'];
?>

Is there any error here? I can't find any error. It was working fine until I started using an SSL certificate on my website. Now it is not working. I did a print_r of the request to see the values coming through the POST method, but only the password is coming through, and it is also a wrong SHA1 value. Why is this happening?

1 Answer

You are losing your session when switching from HTTP to HTTPS because the HTTPS session cookies have the Secure flag set on them, so that they can only be accessed via HTTPS. That means you can't transfer your old HTTP session cookie when you switch to HTTPS. You can try passing the HTTP session over to HTTPS.

Here's an example taken from another answer:

HTTP code:

$currentSessionID = session_id();
header('Location: https://yoursite.com/login.php?session='.$currentSessionID);

HTTPS code:

// Retrieve the session ID as passed via the GET method.
$currentSessionID = $_GET['session'];

// Adopt the passed session ID, then start the session so its cookie is set.
session_id($currentSessionID);
session_start();

Obviously, you will want to make this more secure. This is only a simple example to convey the general idea.

Alex W
  • But my login page is also HTTPS. Then why this problem? –  Dec 26 '13 at 15:39
  • @Joel I believe it is because the form `action` needs to include HTTPS, e.g. `action="https://www.yoursite.com/verify.php"`. I also noticed that you are redirecting the user via `header("Location:login.php");`. You need to be more precise: `header("Location:https://www.yoursite.com/login.php");` – Alex W Dec 26 '13 at 15:47
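
An alternative to carrying a session ID from HTTP to HTTPS is to create the session only over HTTPS, with a Secure cookie and absolute HTTPS redirects as suggested in the comment above. The following verify.php is an added example, not code from the question or the answer; it assumes PHP 7.3+, PDO with a MySQL driver, password_hash() values in admin.password, and placeholder DSN, credentials and host name.

```php
<?php
// verify.php (added example, not the asker's or the answerer's code).
// Assumptions: PHP 7.3+, PDO MySQL, admin.password stores password_hash() output.
const SITE = 'https://www.yoursite.com'; // placeholder host, as used on this page

function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function redirect(string $path): void
{
    header('Location: ' . SITE . $path); // always an absolute HTTPS URL
    exit;                                // nothing below runs after a redirect
}

// 1. Never start a session over plain HTTP; send the browser to HTTPS first.
if (!is_https()) {
    redirect('/login.php');
}

// 2. The session cookie is sent over HTTPS only and is hidden from JavaScript.
session_set_cookie_params([
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 3. Accept only string inputs (user[]=... would arrive as an array).
$user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
$pwd  = is_string($_POST['pwd'] ?? null) ? $_POST['pwd'] : '';

// 4. Bound parameter instead of concatenating $user into the SQL string.
// DSN and credentials are placeholders (assumed to live in dbconfig.php).
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT id, password FROM admin WHERE username = ?');
$stmt->execute([$user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 5. Populate the session only after the check passes, under a fresh ID.
if ($row && password_verify($pwd, $row['password'])) {
    session_regenerate_id(true);
    $_SESSION['admin'] = $row['id'];
    redirect('/index');
}
redirect('/login.php');
```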