I am trying to improve my login system for my students. I don't really understand this stuff.
I am using this from here:
It works on my laptop, but ...
I registered a user: mymail@somewhere.com, PW: Monday0518
I registered, logged in, no problem.
Then I deliberately entered a wrong PW. I still got in! I did not save the PW.
How can I alter this to take me back to the login page when the PW is wrong??
<?php
//start PHP session
session_start();
//check if login form is submitted
if(isset($_POST['login'])){
    //assign variables to post values
    $email = $_POST['email'];
    $password = $_POST['password'];
    //include our database connection
    include 'conn.php';
    //get the user with email
    $stmt = $pdo->prepare('SELECT * FROM peter_users WHERE email = :email');
    try{
        $stmt->execute(['email' => $email]);
        //check if email exist
        if($stmt->rowCount() > 0){
            //get the row
            $user = $stmt->fetch();
            //validate inputted password with $user password
            if(password_verify($password, $user['password'])){
                //action after a successful login
                //for now just message a successful login
                $_SESSION['success'] = 'User verification successful';
            }
            else{
                //return the values to the user
                $_SESSION['email'] = $email;
                $_SESSION['password'] = $password;
                $_SESSION['error'] = 'Incorrect password';
            }
        }
        else{
            //return the values to the user
            $_SESSION['email'] = $email;
            $_SESSION['password'] = $password;
            $_SESSION['error'] = 'No account associated with the email';
        }
    }
    catch(PDOException $e){
        $_SESSION['error'] = $e->getMessage();
    }
}
else{
    $_SESSION['error'] = 'Fill up login form first';
}
header('location: ../Neil_Exam/NEleitfile.html');
?>
EDIT: I tried this:
else{
    //return the values to the user
    //$_SESSION['email'] = $email;
    //$_SESSION['password'] = $password;
    $_SESSION['error'] = 'Incorrect password';
    header('location: ' . $_SERVER['DOCUMENT_ROOT'] . 'makePassword/index.php');
}
and this:
else{
    //return the values to the user
    $_SESSION['email'] = $email;
    $_SESSION['password'] = $password;
    $_SESSION['error'] = 'No account associated with the email';
    header('location: login.php');
}
Even when I enter a wrong email and password, I still get to the page:
header('location: ../Neil_Exam/NEleitfile.html');
Something is wrong!
I think I need to unset the session on wrong PW or email!
I realized that there is no logout.php. Maybe I need that??
EDIT AGAIN: This seems to work, but I have no idea if it is the correct way to do this! Maybe you experts can advise me?
//validate inputted password with $user password
if(password_verify($password, $user['password'])){
    //action after a successful login
    //for now just message a successful login
    $_SESSION['success'] = 'User verification successful';
    header('location: ../Neil_Exam/NEleitfile.html');
    exit();
Without exit(); I just see the login form and the message "User verification correct".
I would still like a logout button somewhere, or automatic logout. I suppose that is for another question
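As an added example (not the asker's code, and not the tutorial the snippet came from), here is how the same handler looks when every branch redirects and then stops with exit(), the failure branches send the visitor back to the login form, the typed password is never stored in the session, and a logout endpoint is provided in the same script. It assumes what the question shows: conn.php defines $pdo, the table is peter_users with email and password columns holding password_hash() values, the form posts email, password and login, the login form lives at login.php, and the protected page is ../Neil_Exam/NEleitfile.html.

```php
<?php
// Illustrative rewrite of the login handler (added example, not the original code).
// Assumptions (from the question): conn.php sets $pdo; table peter_users(email, password)
// stores password_hash() output; form fields email/password/login; login form at
// login.php; protected page at ../Neil_Exam/NEleitfile.html.
session_start();

// header('Location: ...') alone does not stop the script: the remaining lines still
// run and a later header() call overrides the earlier one. Always exit after redirecting.
function redirectAndExit(string $url): void
{
    header('Location: ' . $url);
    exit();
}

// Logout: this same script handles ?logout=1 (hypothetical endpoint name).
if (isset($_GET['logout'])) {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    redirectAndExit('login.php');
}

if (!isset($_POST['login'])) {
    $_SESSION['error'] = 'Fill up login form first';
    redirectAndExit('login.php');
}

$email    = trim((string) ($_POST['email'] ?? ''));
$password = (string) ($_POST['password'] ?? '');

include 'conn.php';

$user = false;
try {
    $stmt = $pdo->prepare('SELECT * FROM peter_users WHERE email = :email');
    $stmt->execute(['email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Keep driver messages in the server log; show the visitor a neutral message.
    error_log('login query failed: ' . $e->getMessage());
    $_SESSION['error'] = 'Login is temporarily unavailable';
    redirectAndExit('login.php');
}

// One generic message for "no such email" and "wrong password": separate messages
// tell a visitor which addresses have accounts. password_verify() on a missing row
// is skipped, so the check is simply "row found AND hash matches".
if ($user === false || !password_verify($password, $user['password'])) {
    $_SESSION['email'] = $email;   // refill the email field only; never store the password
    $_SESSION['error'] = 'Incorrect email or password';
    redirectAndExit('login.php');
}

// Success: issue a fresh session id so an id handed out before login cannot be
// reused (session fixation), record who is logged in, then go to the protected page.
session_regenerate_id(true);
unset($_SESSION['error'], $_SESSION['email']);
$_SESSION['user_email'] = $user['email'];
$_SESSION['success']    = 'User verification successful';
redirectAndExit('../Neil_Exam/NEleitfile.html');
```

Two points about the redirect itself: the Location header takes a URL (relative like login.php or absolute like /makePassword/index.php), not a filesystem path, so prepending $_SERVER['DOCUMENT_ROOT'] produces a path the browser cannot request. And a redirect only decides where the browser goes next; a static .html target can still be opened by typing its address. To actually protect it, the page has to be PHP and begin with session_start(); followed by a check that $_SESSION['user_email'] is set, redirecting to login.php (and exiting) when it is not.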