Admin check login just redirects back to login page

Hey All, I am new to PHP and I am trying to learn how to set up my admin where it checks to see if the user is logged in before they can access the rest of the admin page. Right now I have it working but the user can access the pages if they know the URL.

I tried following a tutorial I found online but all it is doing is redirecting me back to the login page.

Can you please look at my code and let me know if I am missing something simple? I asked on another board but just got bashed for not knowing php.

Any help would be very much appreciated.

My form

<?php
  session_start();
  include "includes/class.users.php";
  if(isset($_POST['login'])) {
    $email = $_POST['email'];
    $password = $_POST['password'];
    $users->login($email, $password);
  }
?>
<form method="POST" action="" name="login">
    <div id="wrappermiddle">
    <h2>Login</h2>
                <div id="username_input"> 
                <div id="username_inputleft"></div>
                    <div id="username_inputmiddle">
                    <input name="email" type="text" id="myusername" placeholder="Enter Email">
                    <img id="url_user" src="./images/mailicon.png" alt="">      
                    </div><!--ends username_inputmiddle-->
                    <div id="username_inputright"></div>                   
                </div><!--ends username_input-->

               <div id="password_input">
                <div id="password_inputleft"></div>
                    <div id="password_inputmiddle">       
                    <input name="password" type="password" id="mypassword" placeholder="Password">
                    <img id="url_password" src="./images/passicon.png" alt="">        
                    </div><!--ends password_inputmiddle-->
                 <div id="password_inputright"></div>
                </div><!--ends password_input-->
    
            <div id="submit"> 
            <input type="image" src="./images/submit.png" name="login" value="Login">      
           </form>

class.users.php

<?php
  include "class.database.php";
  class Users extends Database {
    public function login($email, $password) {
      $stmt = $this->mysqli->prepare("SELECT email, password FROM members WHERE email = ? AND password = ? LIMIT 1");
      $stmt->bind_param('ss', $email, $password);
      $stmt->execute();
      $stmt->bind_result($email, $password);
      $stmt->store_result();
      if($stmt->num_rows == 1) {
        while($stmt->fetch()) {
          $_SESSION['email'] == $email;
          header("Location: dashboard.php");
 if ( !isset($_SESSION) ) session_start();
        }
      } else {
          return false;
      }
      $stmt->close();
      $stmt->free_result();
    }
  }
  $users = new users();
?>

dashboard.php (members is the table in my database)

<?PHP
session_start();
if (!isset($_SESSION['members']) || $_SESSION['members'] != "1") {
header ("Location: index.php");
}
?>

Hi,

Your immediate problem is that the code at the top of dashboard.php is checking for a session var with the key 'members', but your login method is only setting $_SESSION['email']. You might want to try amending your IF statement to something like:

 if ( empty($_SESSION['email']) ) {

which will make sure the session var exists and is not a falsy value.

There are a couple of other things you might want to consider:

  • It’s a really bad idea to store passwords as plain text. You should always securely hash passwords before saving them to the DB. If anyone managed to hack into your DB, all your user accounts would be compromised. Since version 5.4, PHP comes with the password_hash and password_verify functions that you can use to securely hash and check your passwords (there is a library available for older versions).

  • Instead of doing a redirect from within the login() method, you could return true or false to indicate whether the login was successful and do the redirect from outside of the method. This would make your code more flexible, and allow you to show an error message to the user if their login attempt failed.
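The two suggestions above (hashed passwords, and a login() that returns true or false while the caller does the redirect), shown as an added example that is not part of the original post. It assumes the members.password column holds password_hash() output; PDO with an in-memory SQLite table stands in for the thread's mysqli connection so the file runs on its own, and require_login() is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumes the pdo_sqlite extension.

function login(PDO $db, string $email, string $password): bool
{
    // Look the row up by email only; the hash is compared in PHP.
    $stmt = $db->prepare('SELECT password FROM members WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;               // unknown email or wrong password
    }
    session_regenerate_id(true);    // fresh session ID once authenticated
    $_SESSION['loggedin'] = true;   // the key the dashboard guard checks
    $_SESSION['email'] = $email;    // assignment (=), not comparison (==)
    return true;
}

// Guard for the top of dashboard.php and every other admin page.
function require_login(): void
{
    if (empty($_SESSION['loggedin'])) {
        header('Location: index.php');
        exit;   // without this the rest of the page is still sent
    }
}

// --- constructed demo data (in-memory table, made-up account) ---
session_start();                    // must run before any output
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (email TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO members VALUES (?, ?)');
$ins->execute(['user@example.com',
               password_hash('correct horse', PASSWORD_DEFAULT)]);

$bad  = login($db, 'user@example.com', 'wrong guess');
$good = login($db, 'user@example.com', 'correct horse');

// In index.php the caller decides what happens next:
//   if (login(...)) { header('Location: dashboard.php'); exit; }
//   otherwise show "Invalid email or password" above the form.
var_dump($bad, $good, $_SESSION['loggedin'] ?? null);
```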

I am still having issues with this just refreshing to the index.php page. I have tried everything I can think of and find on this and it still just refreshes to the index.php page with the login form.

I did add this to the dashboard.php and I got the message “Welcome to the member’s area”, which tells me that I am able to login.

<?PHP
session_start();
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {

echo "Welcome to the member's area, " . $_SESSION['username'] . "!";
} else {
echo "Please log in first to see this page.";
}
?>

If anyone can help I would greatly appreciate it.

index.php (top of page)

 <?php
      session_start();
      include "includes/class.users.php";
      if(isset($_POST['login'])) {
        $email = $_POST['email'];
        $password = $_POST['password'];
        $users->login($email, $password);
      }
    ?>

The form

<form method="POST" action="" name="login">
<div id="wrappermiddle">
<h2>Login</h2>
<div id="username_input"> 
<div id="username_inputleft"></div>
    <div id="username_inputmiddle">
    <input name="email" type="text" id="myusername" placeholder="Email Address">
    <img id="url_user" src="./images/mailicon.png" alt="">      
    </div><!--ends username_inputmiddle-->
    <div id="username_inputright"></div>                   
</div><!--ends username_input-->

<div id="password_input">
<div id="password_inputleft"></div>
    <div id="password_inputmiddle">       
    <input name="password" type="password" id="mypassword" placeholder="Password">
    <img id="url_password" src="./images/passicon.png" alt="">        
    </div><!--ends password_inputmiddle-->
 <div id="password_inputright"></div>
</div><!--ends password_input-->

<div id="submit"> 
<input type="image" src="./images/submit.png" name="login" value="Login">      
</form>

class.users.php

<?php
  include "class.database.php";
  class Users extends Database {
    public function login($email, $password) {
      $stmt = $this->mysqli->prepare("SELECT email, password FROM members WHERE email = ? AND password = ? LIMIT 1");
      $stmt->bind_param('ss', $email, $password);
      $stmt->execute();
      $stmt->bind_result($email, $password);
      $stmt->store_result();
      if($stmt->num_rows == 1) {
        while($stmt->fetch()) {
          session_start();
    $_SESSION['loggedin'] = true;
          header("Location: dashboard.php");
        }
      } else {
          return false;
      }
      $stmt->close();
      $stmt->free_result();
    }
  }
  $users = new users();
?>

class.database.php

<?php

class Database {
  public function __construct() {
    $host = 'localhost';
    $user = 'admin';
    $pass = 'password';
    $name = 'database';
    $this->mysqli = new mysqli($host, $user, $pass, $name);
  }
}

?>

dashboard.php ( on the top of page )

<?PHP
session_start();
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
    } else {
header ("Location: index.php");
}
?>

Your code seems to work OK for me - I fill in the form with the correct login details, submit, and I get redirected to the dashboard page and see the message. Can you walk me through what you’re doing and what the results are?

I put in the email and password and the page refreshes with empty login fields.

And then if you manually navigate to dashboard.php, it shows that you are logged in?

Same thing, it just goes to the index.php

And is your password currently stored as plain text in the DB?

Yes, this is the tutorial I followed

https://www.2freehosting.com/forum/topic455-guide-php-mysqli-oop-simple-login-script.html

but instead of using username, I used email for the login.

I have asked on several boards and no one can figure out why it isn't working.

What sort of setup are you running the code on - online? some sort of shared hosting? Or are you running it on your local pc, using WAMP or something similar?

Running it on HostGator shared hosting. I asked them and they told me they couldn't offer support because it was custom coded.

Is there some kind of validation going on that would reject an email address as a valid username?

Not that I am aware of. I posted all the code it uses and I can't find anything that would keep it from working.

I added this to the top of my dashboard.php and there is nothing coming up. Just going back to the login form

<?PHP
session_start();
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {

echo "Welcome to the member's area, " . $_SESSION['email'] . "!";
} else {
echo "Please log in first to see this page.";
}
?>

It looks as if the DB query may be failing for some reason. In the database class, try replacing the line $stmt->execute(); with this:

if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}

Added the code and nothing happens. It just refreshes with a blank login form on the index.php

What’s your error log file saying? Surely something must be in there.

Just missing a css file.

If anyone knows a better login system that I can use, I sure wouldn't be opposed to it.

Is it possible your database has more than one row that contains the same email address and password, for testing purposes? You check to see if you only get one result, which means it will reject if there is more than one.

Add echo() statements so you can follow through the code and see where it's going. Also note that you're displaying $_SESSION['email'] or $_SESSION['username'] but not setting them.