-3

I am currently in the process of developing a browser-based game in PHP to test myself, and unfortunately I am having trouble with sessions. The pages all seem to just go blank if I set the session include in the header, but then it doesn't redirect to membersarea.php when a user logs in using the form (the form works, I think). I may be doing all this wrong.

header.php

<?php 
include 'inc/conf.php';
?>

<!DOCTYPE html>
<head>
  <title>Mineshaft Online | Free to play Browser MMORPG</title>
  <link rel="stylesheet" href="style/style.css">
</head>
<body>
<?php
if(isset($_SESSION['username'])) {
?>

<div class="navigation">
    <ul>
        <li><a href="membersarea.php">Dashboard</a></li>
        <li><a href="ms_game.php">Mineshaft</a></li>
        <li><a href="smeltery.php">Smeltery</a></li>
        <li><a href="blacksmith.php">Blacksmith</a></li>
        <li><a href="edit-profile.php">Settings</a></li>
        <li><a href="logout.php">Logout</a></li>
    </ul>
</div>

<?php 
} else {
?>

<div class="navigation">
    <ul>
        <li><a href="index.php">Home</a></li>
        <li><a href="login.php">Login</a></li>
        <li><a href="register.php">Register</a></li>
    </ul>
</div>

<?php
}
?>

<div class="main-content">

and here is the login.php

<?php
include 'inc/conf.php';
include 'header.php';

if(isset($_POST['submit'])){
    // Escape special characters in a string
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);
    // If username and password are not empty
    if ($username != "" && $password != ""){
        // Query database to find user with matching username and password
        $query = "select count(*) as cntUser from users where username='".$username."' and password='".$password."'";
        $result = mysqli_query($conn, $query); // Store query result
        $row = mysqli_fetch_array($result); // Fetch the single result row
        $count = $row['cntUser']; // Number of users matching username and password
        if($count > 0){
            $_SESSION['username'] = $username;
            header('location: membersarea.php');
        } else {
            echo "Error! Invalid username and password.";
        }
    }
}
?>

<form method="post" action="">
    <div id="div_login">
        <h1>Login</h1>
        <div>
            <input type="text" class="textbox" id="username" name="username" placeholder="Username" />
        </div>
        <div>
            <input type="password" class="textbox" id="password" name="password" placeholder="Password"/>
        </div>
        <div>
            <input type="submit" value="Submit" name="submit" id="submit" />
        </div>
    </div>
</form>

Here is the 'inc/session.php' file

<?php
    session_start();
    if(!isset($_SESSION["username"])) {
        header("Location: login.php");
        exit();
    }
?>

  • 3
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Jan 08 '23 at 23:29
  • 3
    **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Jan 08 '23 at 23:29

1 Answer

0

It sounds like the inc/session.php file isn't included at any point in your project. If you want to use sessions, all the scripts using them must start with the session_start() function, and that before you start writing any HTML on your page.

That being said, I'm tempted to assume that you've made a little mistake, writing 'inc/session.php' instead of 'inc/config.php' file, which is indeed loaded in your scripts.

I see two things that you should check:

  • In your 'login.php' file, you include the 'inc/config.php' as well as the 'header.php' file (which already includes 'inc/config.php'). That might be a problem, because you will then start your sessions two times.

  • In your 'inc/config.php' file (again, assuming that this is the 'inc/session.php' that you wrote), you start the sessions, and immediately say "if the session 'username' doesn't exist, then we redirect to login.php", which would be a problem if you don't have your 'username' session created before... this would do a redirection loop and your web browser should stop and display a message explaining so.

Other than that, make sure that your server has sessions activated. You could write a simple script (with nothing else in the file, to keep it simple) like this:

<?php session_start(); $_SESSION['test'] = 'it works!'; ?>

Run the script once, then change the same file to:

<?php session_start(); if(isset($_SESSION['test'])) { echo $_SESSION['test']; } else { echo 'The SESSION test has not been set'; } ?>

And see what your script says.
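Putting the answer's ordering advice together with the two comments on the question (prepared statements, `password_verify()`), here is a login.php written as an added example; it is not the asker's code or the answer's. It assumes `inc/conf.php` defines a mysqli `$conn` and does not itself call `session_start()` or redirect, that `users.password` stores `password_hash()` output, and that `inc/session.php` (the redirect guard) is included only by members-only pages, never by login.php, which is what caused the redirect loop described above.

```php
<?php
// Added example, not the asker's code. Assumes inc/conf.php provides a
// mysqli $conn and neither starts the session nor redirects, and that
// users.password holds password_hash() output (get_result() needs mysqlnd).
require_once 'inc/conf.php';

// 1. Start the session exactly once, before a single byte of HTML is sent:
//    both the session cookie and header() need the HTTP headers still open.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// Already logged in? Go straight to the members area and stop executing.
if (isset($_SESSION['username'])) {
    header('Location: membersarea.php');
    exit();
}

$error = '';
if (isset($_POST['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    if ($username !== '' && $password !== '') {
        // 2. Prepared statement: user input is bound, never spliced into SQL.
        $stmt = $conn->prepare('SELECT password FROM users WHERE username = ?');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        // 3. Verify against the stored hash; the clear-text password is never compared or stored.
        if ($row !== null && password_verify($password, $row['password'])) {
            session_regenerate_id(true);   // fresh session id on login (session fixation defence)
            $_SESSION['username'] = $username;
            header('Location: membersarea.php');
            exit();                        // nothing below may run once we redirect
        }
        $error = 'Error! Invalid username or password.';
    }
}

// 4. Only now emit HTML. header.php must not call session_start() a second time.
include 'header.php';
?>
<form method="post" action="">
    <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
    <input type="text" name="username" placeholder="Username">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" name="submit" value="Submit">
</form>
```

The same "wrong password" message is returned whether the username exists or not, so the login form does not reveal which accounts exist.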
