0

I have been trying to prevent users that are logged in from going back to the login page. Please, I need your help. I've tried different methods, but to no avail. I will be very grateful if anyone can help me. Thanks.

Here is my PHP code for login:

```php
<?php
require 'connection.php';
session_start();

$_SESSION['message'] = '';

if(isset($_POST['login']))
{
    if(empty($_POST['student']) || empty($_POST['pass']))
    {
        $_SESSION['message'] = " student id and password is required";
    }
    else
    {
        $password = md5($_POST['pass']);
        $student = $_POST['student'];
        $query= "select studentid, password, status from student_register where studentid='$student' and password='$password'";
        $result=mysqli_query($conn, $query);

        $row = mysqli_fetch_assoc($result);
        if($row)
        {
            $_SESSION['user']=$_POST['student'];
            $_SESSION['stat'] = $row['status'];
            $_SESSION['message'] =" Login successfully";
            header("refresh:5;url= Welcome.php");
        }
        else
        {
            $_SESSION['message'] =" Student id or password is incorrect";
        }
    }
}
else
{

}

?>
```
dan
  • On any page (except the login page itself) just check if `empty($_SESSION['user'])`, and if true, redirect. – GrumpyCrouton Jul 24 '20 at 19:44
  • 2
    **Never store `md5()` passwords!** Please use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so _changes_ the password and causes unnecessary additional coding. – GrumpyCrouton Jul 24 '20 at 19:51
  • 1
    [Little Bobby](http://bobby-tables.com/) says [you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/). Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). – GrumpyCrouton Jul 24 '20 at 19:51
  • 1
    and on login page check the opposite: `if (isset($_SESSION['user'])) {//redirect to homepage}`. And fix SQL injection issues. – blahy Jul 24 '20 at 19:52

1 Answer

-1

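You can add a small piece of code to your login.php file to check whether the user is already logged in or not.

```php
// Place after session_start() and before any output is sent.
if (isset($_SESSION['user']))
{
  header("Location: Welcome.php");
  exit; // stop here so the rest of login.php does not run
}
```

If the session is already set, redirect back to welcome.php.

Use this code for those pages which require login to access the page.

```php
session_start(); // the session must be started before $_SESSION is read
if (!isset($_SESSION['user']))
{
  header("Location: login.php");
  exit; // without this the protected page still executes and is sent
}
```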
mufazmi
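The redirect check from the answer combined with the comments' advice on password hashing and prepared statements, as an added example that is not the asker's or answerer's code. It assumes connection.php defines `$conn` as a mysqli connection and that the `password` column has been migrated to `password_hash()` output; `$message` is a hypothetical variable for the login form to display.

```php
<?php
// Added example. Assumes connection.php defines $conn (mysqli) and that the
// `password` column holds password_hash() output rather than md5().
require 'connection.php';
session_start();

// Already logged in: leave the login page before doing anything else.
if (isset($_SESSION['user'])) {
    header('Location: Welcome.php');
    exit; // without exit the rest of this script would still run
}

$message = ''; // hypothetical: shown by the login form below this block

if (isset($_POST['login'])) {
    $student  = $_POST['student'] ?? '';
    $password = $_POST['pass'] ?? '';

    // Reject missing fields and array-valued parameters (student[]=...).
    if (!is_string($student) || !is_string($password) || $student === '' || $password === '') {
        $message = 'Student id and password are required';
    } else {
        // Parameterized query: user input never becomes part of the SQL text.
        $stmt = mysqli_prepare(
            $conn,
            'SELECT studentid, password, status FROM student_register WHERE studentid = ?'
        );
        mysqli_stmt_bind_param($stmt, 's', $student);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $id, $hash, $status);
        $found = mysqli_stmt_fetch($stmt); // true if a row was fetched
        mysqli_stmt_close($stmt);

        if ($found && password_verify($password, $hash)) {
            session_regenerate_id(true); // fresh session id after login
            $_SESSION['user'] = $id;
            $_SESSION['stat'] = $status;
            header('Location: Welcome.php');
            exit;
        }
        // Same message for unknown id and wrong password.
        $message = 'Student id or password is incorrect';
    }
}
?>
```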