
Well, I know there are plenty of threads like this. But I've tried EVERYTHING they said in the comments without any results. So I guess I've to try it out here...

Basically, I've a login form at "Login.html" where you type "Username(Name=userId)" and "Password" and that will redirect you to "Login.php" to make sure username and password are written; if they are, it should redirect you again, but to "hidden.php". And that works fine if I remove

<?php
session_start();
if(!isset($_SESSION['User']))
{
   header('location: login.php');
   exit();
}
?>

This line from the top of "hidden.php".

But on the other side, if people just enter "/hidden.php" without typing password, it should redirect you to "Login.php" which is not working by any reason.. And I've searched a lot and found threads about it, but none of them is actually working in my case.

<?php
    session_start();

    $serverName = "den1.mysql2.gear.host";
    $username = "lexidatabaseweb";
    $password =  "*";
    $db = "lexidatabaseweb";

    //Create connection
    $conn = mysqli_connect($serverName, $username, $password, $db);

    if(isset($_POST['userId']))
{
    $User=$_POST['userId'];
    $Pass=$_POST['passId'];

    $sql = "SELECT * from tbl_register WHERE Username= '".$User."' AND Password = '".$Pass."' limit 1";
    $result = mysqli_query($conn, $sql);

    if(mysqli_num_rows($result) == 1){
        header('location: hidden.php');
        exit();
    }
    else{
        echo" <label style='color:red;'> Wrong username / password.</label>";
        exit();
    }
}
else
{
    echo "Invalid request";
}

?>

The code you can see above is from "Login.php"

  • set session in `mysqli_num_rows($result) == 1` then create logout.php file for session destroy and execute file, then again execute the `hidden.php` file. – Bilal Ahmed Oct 22 '18 at 10:21
  • Could it be you are looking at a cached version of that file which had been requested once _before_ you implemented the session handling? – arkascha Oct 22 '18 at 10:22
  • @BilalAhmed How do I destroy the session? I'm totally new to php.. –  Oct 22 '18 at 10:27
  • @arkascha Idk what that means, I'm new to php tho :/ –  Oct 22 '18 at 10:28

1 Answer

You do not set the SESSION variable in your login page, so set it once the check is OK....

if(mysqli_num_rows($result) == 1){
    $_SESSION['User'] = $User;
    header('location: hidden.php');
    exit();
}

You should also change the password processing and read about password_hash()

Also look into prepared statements.

Nigel Ren
  • Oh! I solved the first issue.. But now I can write "/hidden.php" in the top of the page and it will direct me to it. Without the login –  Oct 22 '18 at 10:27
  • One thing about testing is that you may still have a session set - make sure you can clear your session before testing the 'not logged in' part. – Nigel Ren Oct 22 '18 at 10:29
  • Sorry for asking but... In what .php file should I do this? And should I use session_abort() or how should I clear it? –  Oct 22 '18 at 10:32
  • You probably need a logout link on your page - https://stackoverflow.com/questions/17564795/destroy-a-php-session-on-clicking-a-link – Nigel Ren Oct 22 '18 at 10:32
  • Please add session destroy code for @LolPrezy. He mentioned it above in the comments. – Bilal Ahmed Oct 22 '18 at 10:33
  • If this has helped, please consider marking it as answered - https://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work. This also covers the previous questions you have asked if you have a satisfactory answer for them. – Nigel Ren Oct 22 '18 at 10:39
  • Thanks a lot! Really helpful! –  Oct 22 '18 at 11:01
  • `Inloggad som:` Just add your session variable to the echo. – Nigel Ren Oct 22 '18 at 11:01
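
The answer's three points (set `$_SESSION['User']` on success, use `password_hash()`, use prepared statements) combined into one version of "Login.php". This is an added example, not code from the question or the answer. It assumes the `Password` column of `tbl_register` holds `password_hash()` output and that the connection details come from environment variables with hypothetical names.

```php
<?php
// Login.php: added example, not the asker's or the answerer's code.
// Assumptions: tbl_register.Password stores password_hash() output, and the
// DB_HOST/DB_USER/DB_PASS/DB_NAME environment variables are hypothetical names.
session_start();

function verify_login(mysqli $conn, string $user, string $pass): bool
{
    // Prepared statement: the username is bound as data, never spliced into the SQL text.
    $stmt = $conn->prepare('SELECT Password FROM tbl_register WHERE Username = ? LIMIT 1');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true = row fetched, null = no such user
    $stmt->close();

    // The password is checked in PHP against the stored hash, not compared in SQL.
    return $found === true && is_string($hash) && password_verify($pass, $hash);
}

$user = $_POST['userId'] ?? null;
$pass = $_POST['passId'] ?? null;
if (!is_string($user) || !is_string($pass)) {
    http_response_code(400);
    exit('Invalid request');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly on DB errors
$conn = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));

if (verify_login($conn, $user, $pass)) {
    session_regenerate_id(true);   // fresh session id at login
    $_SESSION['User'] = $user;     // the key hidden.php tests with isset()
    header('Location: hidden.php');
    exit();
}

echo "<label style='color:red;'>Wrong username / password.</label>";
```

Rows for this version are written at registration time with `password_hash($password, PASSWORD_DEFAULT)`; existing plain-text rows would have to be re-hashed before `password_verify()` can match them.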