samedi 11 avril 2015

PHP Session destroy twice?

Upon entering the "secure" page, I have an if statement asking if the user is logged in, as shown below. This statement baffles me as the outcome of both statements are the same, but it is the only way for me to end session when refreshing page. So if I change the statement to if (!session == user) {session_destroy} else { continue with session}, refreshing the page will have the session going. Secure page session.php below.



<?php
// To connection
require("includes/functions.php");


// Is the user logged in?
if(!isset($_SESSION['user'])) {

//If user not set, destroy session.
session_destroy();
header("Location: index.php");
exit();
} else {
//Here is the funky part, why have if condition with two predicted equal statements, but have two different outcomes.
// If set, destroy session.
session_destroy();
} //Then the anything below should be secure.
?>


My functions.php (the included one) file is actually a connect to db with a session_start(). The login_process.php page looks as follows.




<?php

// Connection
require_once("functions.php");

//Once form has been clicked, the submitted name reappears, but first empty.
$submitted_username = '';

// IS form submitted?
if(!empty($_POST['login']))
{
// Find username
$query = "
SELECT
id,
username,
password,
salt,
email
FROM users
WHERE
username = :username
";

// The parameter values
$query_params = array(
':username' => $_POST['username']
);

try
{
// Execute the query against the database
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}

// Login bad first
$login_ok = false;

// Find user
$row = $stmt->fetch();
if($row)
{
// Check password
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}

if($check_password === $row['password'])
{
// If match, login good.
$login_ok = true;
}
}

// If allgood session start.
if($login_ok)
{
unset($row['salt']);
unset($row['password']);

//Issue here?
$_SESSION['user'] = $row;

// Redirect user to secret page.
header("Location: session.php");
exit;
}
else
{
// Tell the user they failed
$login_failed = "<p class='clear floatleft'>Login Failed.</p>";

$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
} ?>


The require_once in login_process.php is due to login_form.php being added as an include on every page. Thus always creating a session_start();. See login_form below.



<?php include('login_process.php'); ?>

<form action="" method="post">
<!-- Sign in form -->
<label>Username</label>
<input type="text" name="username" value="<?php echo $submitted_username; ?>">
<label>Password</label>
<input type="password" name="password" value="">

<input class="inline" type="submit" name="login" value="Login">
<input class="inline" type="submit" name="signup" value="Sign Up">
</form>
<?php if(isset($login_failed)) {
echo $login_failed;
}
?>


The form is picked up from a tutorial, please understand that I am not as of yet capable of producing such a login form rendering. I like to think that I understand the blocks of code by the comments I have created.


But I digest, I do not understand how the if/else statement in session.php can have two equal values and render differently. So any help on this particular subject would be greatly appreciated.


This question may be a duplicate, I have read so many questions regarding sessions that I feel blind to finding any help.


Thanks in advance.


Aucun commentaire:

Enregistrer un commentaire