使用$ _SESSIONS检查用户登录

Question

Below are the following scripts, the first one is checklogin.php. This matches up the username and password that is stored in MYSQL database. Once this information has been checked they will get sent to their personal page by using a redirect function.

The bottom php script is user1's landing page. I want something on there that will confirm that this person has correctly logged in and is not entitled to view this page.

At the moment, when i log in as user1 i get shown the page 3.php, ie it's saying that i am not correctly logged in. I know i need to set up a session like: $_SESSION[logged in'] == 'y'; and i think this should go where the passwords are being compared to what is stored in the database. At the moment I cannot enter my login details and be directed to the correct file at the end. Any help will be much appreciated.

<?php

session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

mysql_connect("localhost", "root", "root") or die(mysql_error()); //Connect to server
mysql_select_db("first_db") or die("Cannot connect to database"); //Connect to database
$query = mysql_query("SELECT * from users WHERE username='$username'"); //Query the users table if there are matching rows equal to $username
$exists = mysql_num_rows($query); //Checks if username exists
$table_users = "";
$table_password = "";

if ($exists > 0) {
    //IF there are no returning rows or no existing username

    //$_SESSION['logged in'] == 'y';

    while ($row = mysql_fetch_assoc($query)) {
        //display all rows from query
        $table_users = $row['username']; // the first username row is passed on to $table_users, and so on until the query is finished
        $table_password = $row['password']; // the first password row is passed on to $table_users, and so on until the query is finished
        $table_id = $row['id'];
        $page_id = $row['page'];
    }

    if (($username == $table_users) && ($password == $table_password)) {
        // checks if there are any matching fields

        if ($password == $table_password) {
            $_SESSION['user'] = $username; //set the username in a session. This serves as a global variable
            $_SESSION['logged_in'] = 'y';
            //echo $table_id;
            //echo $page_id;

            redirect($page_id); //take the user to the page specified in the users table
        } else {
            echo "Login Failed";
        }
    } else {
        print '<script>alert("1. Incorrect Password!");</script>'; //Prompts the user
        print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
    }
} else {
    print '<script>alert("Incorrect Username!");</script>'; //Prompts the user
    print '<script>window.location.assign("login.php");</script>'; // redirects to login.php
}

function redirect($page_id)
{
    /* Redirect browser */
    header('Location: '.$page_id);
    /* Make sure that code below does not get executed when we redirect.         */
    exit;
}

?>

And landing page

<?php

session_start();
//user logged in??

if ($_session['logged in'] != 'Y') {
    //No- jump to log in page.
    header("location: 3.php");
    exit();
}
else
{
    echo 'this works';
}

?>

Answer 1

You're defining the session like:

$_SESSION['logged in'] == 'y';

which should be:

$_SESSION['logged in'] = 'y';

yet you check like:

if ($_session['logged in'] != 'Y') {

it should be:

if ($_SESSION['logged in'] != 'y') {

You're checking if it's an uppercase Y while it holds a lowercase y . So it will never succeed.

Also $_SESSION is a superglobal which means:

Superglobals — Superglobals are built-in variables that are always available in all scopes

and variables are case sensitive.